Locator/ID Separation Protocol (LISP) Control-Plane
draft-ietf-lisp-rfc6833bis-25

Document Type Active Internet-Draft (lisp WG)
Last updated 2019-06-16
Replaces draft-farinacci-lisp-rfc6833bis
Stream IETF
Intended RFC status Proposed Standard
Formats plain text xml pdf html bibtex
Reviews
Stream WG state Submitted to IESG for Publication
Document shepherd Luigi Iannone
Shepherd write-up Show (last changed 2018-07-27)
IESG IESG state IESG Evaluation - Defer::AD Followup
Consensus Boilerplate Yes
Telechat date
Has 2 DISCUSSes. Needs one more YES or NO OBJECTION position to pass.
Responsible AD Deborah Brungard
Send notices to Luigi Iannone <ggx@gigix.net>
IANA IANA review state Version Changed - Review Needed
IANA action state None
Network Working Group                                       D. Farinacci
Internet-Draft                                               lispers.net
Obsoletes: 6830, 6833 (if approved)                             F. Maino
Intended status: Standards Track                           Cisco Systems
Expires: December 18, 2019                                     V. Fuller
                                             vaf.net Internet Consulting
                                                       A. Cabellos (Ed.)
                                                       UPC/BarcelonaTech
                                                           June 16, 2019

          Locator/ID Separation Protocol (LISP) Control-Plane
                     draft-ietf-lisp-rfc6833bis-25

Abstract

   This document describes the Control-Plane and Mapping Service for the
   Locator/ID Separation Protocol (LISP), implemented by two new types
   of LISP-speaking devices -- the LISP Map-Resolver and LISP Map-Server
   -- that provides a simplified "front end" for one or more Endpoint ID
   to Routing Locator mapping databases.

   By using this Control-Plane service interface and communicating with
   Map-Resolvers and Map-Servers, LISP Ingress Tunnel Routers (ITRs) and
   Egress Tunnel Routers (ETRs) are not dependent on the details of
   mapping database systems, which facilitates modularity with different
   database designs.  Since these devices implement the "edge" of the
   LISP Control-Plane infrastructure, connecting EID addressable nodes
   of a LISP site, their implementation and operational complexity
   reduces the overall cost and effort of deploying LISP.

   This document obsoletes RFC 6830 and RFC 6833.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Farinacci, et al.       Expires December 18, 2019               [Page 1]
Internet-Draft             LISP Control-Plane                  June 2019

   This Internet-Draft will expire on December 18, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Scope of Applicability  . . . . . . . . . . . . . . . . .   4
   2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   5
   3.  Definition of Terms . . . . . . . . . . . . . . . . . . . . .   5
   4.  Basic Overview  . . . . . . . . . . . . . . . . . . . . . . .   6
   5.  LISP IPv4 and IPv6 Control-Plane Packet Formats . . . . . . .   8
     5.1.  LISP Control Packet Type Allocations  . . . . . . . . . .  11
     5.2.  Map-Request Message Format  . . . . . . . . . . . . . . .  12
     5.3.  EID-to-RLOC UDP Map-Request Message . . . . . . . . . . .  14
     5.4.  Map-Reply Message Format  . . . . . . . . . . . . . . . .  17
     5.5.  EID-to-RLOC UDP Map-Reply Message . . . . . . . . . . . .  21
     5.6.  Map-Register Message Format . . . . . . . . . . . . . . .  24
     5.7.  Map-Notify/Map-Notify-Ack Message Format  . . . . . . . .  28
     5.8.  Encapsulated Control Message Format . . . . . . . . . . .  30
   6.  Changing the Contents of EID-to-RLOC Mappings . . . . . . . .  32
     6.1.  Solicit-Map-Request (SMR) . . . . . . . . . . . . . . . .  32
   7.  Routing Locator Reachability  . . . . . . . . . . . . . . . .  33
     7.1.  RLOC-Probing Algorithm  . . . . . . . . . . . . . . . . .  35
   8.  Interactions with Other LISP Components . . . . . . . . . . .  36
     8.1.  ITR EID-to-RLOC Mapping Resolution  . . . . . . . . . . .  36
     8.2.  EID-Prefix Configuration and ETR Registration . . . . . .  37
     8.3.  Map-Server Processing . . . . . . . . . . . . . . . . . .  39
     8.4.  Map-Resolver Processing . . . . . . . . . . . . . . . . .  40
       8.4.1.  Anycast Operation . . . . . . . . . . . . . . . . . .  40
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  40
   10. Privacy Considerations  . . . . . . . . . . . . . . . . . . .  42
   11. Changes since RFC 6833  . . . . . . . . . . . . . . . . . . .  43
   12. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  43
     12.1.  LISP UDP Port Numbers  . . . . . . . . . . . . . . . . .  44

Farinacci, et al.       Expires December 18, 2019               [Page 2]
Internet-Draft             LISP Control-Plane                  June 2019

     12.2.  LISP Packet Type Codes . . . . . . . . . . . . . . . . .  44
     12.3.  LISP ACT and Flag Fields . . . . . . . . . . . . . . . .  44
     12.4.  LISP Address Type Codes  . . . . . . . . . . . . . . . .  45
     12.5.  LISP Algorithm ID Numbers  . . . . . . . . . . . . . . .  45
     12.6.  LISP Bit Flags . . . . . . . . . . . . . . . . . . . . .  46
   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .  49
     13.1.  Normative References . . . . . . . . . . . . . . . . . .  49
     13.2.  Informative References . . . . . . . . . . . . . . . . .  50
   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . .  55
   Appendix B.  Document Change Log  . . . . . . . . . . . . . . . .  55
     B.1.  Changes to draft-ietf-lisp-rfc6833bis-25  . . . . . . . .  55
     B.2.  Changes to draft-ietf-lisp-rfc6833bis-24  . . . . . . . .  55
     B.3.  Changes to draft-ietf-lisp-rfc6833bis-23  . . . . . . . .  56
     B.4.  Changes to draft-ietf-lisp-rfc6833bis-22  . . . . . . . .  56
     B.5.  Changes to draft-ietf-lisp-rfc6833bis-21  . . . . . . . .  56
     B.6.  Changes to draft-ietf-lisp-rfc6833bis-20  . . . . . . . .  56
     B.7.  Changes to draft-ietf-lisp-rfc6833bis-19  . . . . . . . .  56
     B.8.  Changes to draft-ietf-lisp-rfc6833bis-18  . . . . . . . .  57
     B.9.  Changes to draft-ietf-lisp-rfc6833bis-17  . . . . . . . .  57
     B.10. Changes to draft-ietf-lisp-rfc6833bis-16  . . . . . . . .  57
     B.11. Changes to draft-ietf-lisp-rfc6833bis-15  . . . . . . . .  57
     B.12. Changes to draft-ietf-lisp-rfc6833bis-14  . . . . . . . .  57
     B.13. Changes to draft-ietf-lisp-rfc6833bis-13  . . . . . . . .  58
     B.14. Changes to draft-ietf-lisp-rfc6833bis-12  . . . . . . . .  58
     B.15. Changes to draft-ietf-lisp-rfc6833bis-11  . . . . . . . .  58
     B.16. Changes to draft-ietf-lisp-rfc6833bis-10  . . . . . . . .  58
     B.17. Changes to draft-ietf-lisp-rfc6833bis-09  . . . . . . . .  58
     B.18. Changes to draft-ietf-lisp-rfc6833bis-08  . . . . . . . .  58
     B.19. Changes to draft-ietf-lisp-rfc6833bis-07  . . . . . . . .  59
     B.20. Changes to draft-ietf-lisp-rfc6833bis-06  . . . . . . . .  59
     B.21. Changes to draft-ietf-lisp-rfc6833bis-05  . . . . . . . .  60
     B.22. Changes to draft-ietf-lisp-rfc6833bis-04  . . . . . . . .  60
     B.23. Changes to draft-ietf-lisp-rfc6833bis-03  . . . . . . . .  60
     B.24. Changes to draft-ietf-lisp-rfc6833bis-02  . . . . . . . .  60
     B.25. Changes to draft-ietf-lisp-rfc6833bis-01  . . . . . . . .  60
     B.26. Changes to draft-ietf-lisp-rfc6833bis-00  . . . . . . . .  61
     B.27. Changes to draft-farinacci-lisp-rfc6833bis-00 . . . . . .  61
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  62

1.  Introduction

   The Locator/ID Separation Protocol [I-D.ietf-lisp-rfc6830bis] (see
   also [I-D.ietf-lisp-introduction]) specifies an architecture and
   mechanism for dynamic tunneling by logically separating the addresses
   currently used by IP in two separate name spaces: Endpoint IDs
   (EIDs), used within sites; and Routing Locators (RLOCs), used on the
   transit networks that make up the Internet infrastructure.  To
   achieve this separation, LISP defines protocol mechanisms for mapping

Farinacci, et al.       Expires December 18, 2019               [Page 3]
Internet-Draft             LISP Control-Plane                  June 2019

   from EIDs to RLOCs.  In addition, LISP assumes the existence of a
   database to store and propagate those mappings across mapping system
   nodes.  Several such databases have been proposed; among them are the
   Content distribution Overlay Network Service for LISP-NERD (a Not-so-
   novel EID-to-RLOC Database) [RFC6837], LISP Alternative Logical
   Topology (LISP-ALT) [RFC6836], and LISP Delegated Database Tree
   (LISP-DDT) [RFC8111].

   The LISP Mapping Service defines two new types of LISP-speaking
   devices: the Map-Resolver, which accepts Map-Requests from an Ingress
   Tunnel Router (ITR) and "resolves" the EID-to-RLOC mapping using a
   mapping database; and the Map-Server, which learns authoritative EID-
   to-RLOC mappings from an Egress Tunnel Router (ETR) and publishes
   them in a database.

   This LISP Control-Plane Mapping Service can be used by many different
   encapsulation-based or translation-based Data-Planes which include
   but are not limited to the ones defined in LISP RFC 6830bis
   [I-D.ietf-lisp-rfc6830bis], LISP-GPE [I-D.ietf-lisp-gpe], VXLAN
   [RFC7348], VXLAN-GPE [I-D.ietf-nvo3-vxlan-gpe], GRE [RFC2890], GTP
   [GTP-3GPP], ILA [I-D.herbert-intarea-ila], and Segment Routing (SRv6)
   [RFC8402].

   Conceptually, LISP Map-Servers share some of the same basic
   configuration and maintenance properties as Domain Name System (DNS)
   [RFC1035] servers; likewise, Map-Resolvers are conceptually similar
   to DNS caching resolvers.  With this in mind, this specification
   borrows familiar terminology (resolver and server) from the DNS
   specifications.

   Note this document doesn't assume any particular database mapping
   infrastructure to illustrate certain aspects of Map-Server and Map-
   Resolver operation.  The Mapping Service interface can (and likely
   will) be used by ITRs and ETRs to access other mapping database
   systems as the LISP infrastructure evolves.

   LISP is not intended to address problems of connectivity and scaling
   on behalf of arbitrary communicating parties.  Relevant situations
   are described in the scoping section of the introduction to
   [I-D.ietf-lisp-rfc6830bis].

   This document obsoletes RFC 6830 and 6833.

1.1.  Scope of Applicability

   LISP was originally developed to address the Internet-wide route
   scaling problem [RFC4984].  While there are a number of approaches of
   interest for that problem, as LISP as been developed and refined, a

Farinacci, et al.       Expires December 18, 2019               [Page 4]
Internet-Draft             LISP Control-Plane                  June 2019

   large number of other LISP uses have been found and are being used.
   As such, the design and development of LISP has changed so as to
   focus on these use cases.  The common property of these uses is a
   large set of cooperating entities seeking to communicate over the
   public Internet or other large underlay IP infrastructures, while
   keeping the addressing and topology of the cooperating entities
   separate from the underlay and Internet topology, routing, and
   addressing.

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Definition of Terms

   Map-Server:   A network infrastructure component that learns of EID-
      Prefix mapping entries from an ETR, via the registration mechanism
      described below, or some other authoritative source if one exists.
      A Map-Server publishes these EID-Prefixes in a mapping database.

   Map-Request:   A LISP Map-Request is a Control-Plane message to query
      the mapping system to resolve an EID.  A LISP Map-Request can also
      be sent to an RLOC to test for reachability and to exchange
      security keys between an encapsulator and a decapsulator.  This
      type of Map-Request is also known as an RLOC-Probe Request.

   Map-Reply:   A LISP Map-Reply is a Control-Plane message returned in
      response to a Map-Request sent to the mapping system when
      resolving an EID.  A LISP Map-Reply can also be returned by a
      decapsulator in response to a Map-Request sent by an encapsulator
      to test for reachability.  This type of Map-Reply is known as a
      RLOC-Probe Reply.

   Encapsulated Map-Request:   A LISP Map-Request carried within an
      Encapsulated Control Message (ECM), which has an additional LISP
      header prepended.  Sent to UDP destination port 4342.  The "outer"
      addresses are routable IP addresses, also known as RLOCs.  Used by
      an ITR when sending to a Map-Resolver and by a Map-Server when
      forwarding a Map-Request to an ETR.

   Map-Resolver:   A network infrastructure component that accepts LISP
      Encapsulated (ECM) Map-Requests, typically from an ITR, and
      determines whether or not the destination IP address is part of
      the EID namespace; if it is not, a Negative Map-Reply is returned.

Farinacci, et al.       Expires December 18, 2019               [Page 5]
Internet-Draft             LISP Control-Plane                  June 2019

      Otherwise, the Map-Resolver finds the appropriate EID-to-RLOC
      mapping by consulting a mapping database system.

   Negative Map-Reply:   A LISP Map-Reply that contains an empty
      Locator-Set. Returned in response to a Map-Request if the
      destination EID is not registered in the mapping system, is policy
      denied or fails authentication.

   Map-Register message:   A LISP message sent by an ETR to a Map-Server
      to register its associated EID-Prefixes.  In addition to the set
      of EID-Prefixes to register, the message includes one or more
      RLOCs to reach ETR(s).  The Map-Server uses these RLOCs when
      forwarding Map-Requests (re-formatted as Encapsulated Map-
      Requests).  An ETR MAY request that the Map-Server answer Map-
      Requests on its behalf by setting the "proxy Map-Reply" flag
      (P-bit) in the message.

   Map-Notify message:   A LISP message sent by a Map-Server to an ETR
      to confirm that a Map-Register has been received and processed.
      An ETR requests that a Map-Notify be returned by setting the
      "want-map-notify" flag (M-bit) in the Map-Register message.
      Unlike a Map-Reply, a Map-Notify uses UDP port 4342 for both
      source and destination.  Map-Notify messages are also sent to ITRs
      by Map-Servers when there are RLOC-set changes.

   For definitions of other terms, notably Ingress Tunnel Router (ITR),
   Egress Tunnel Router (ETR), and Re-encapsulating Tunnel Router (RTR),
   refer to the LISP Data-Plane specification
   [I-D.ietf-lisp-rfc6830bis].

4.  Basic Overview

   A Map-Server is a device that publishes EID-Prefixes in a LISP
   mapping database on behalf of a set of ETRs.  When it receives a Map
   Request (typically from an ITR), it consults the mapping database to
   find an ETR that can answer with the set of RLOCs for an EID-Prefix.
   To publish its EID-Prefixes, an ETR periodically sends Map-Register
   messages to the Map-Server.  A Map-Register message contains a list
   of EID-Prefixes plus a set of RLOCs that can be used to reach the
   ETRs.

   When LISP-ALT [RFC6836] is used as the mapping database, a Map-Server
   connects to the ALT network and acts as a "last-hop" ALT-Router.
   Intermediate ALT-Routers forward Map-Requests to the Map-Server that
   advertises a particular EID-Prefix, and the Map-Server forwards them
   to the owning ETR, which responds with Map-Reply messages.

Farinacci, et al.       Expires December 18, 2019               [Page 6]
Internet-Draft             LISP Control-Plane                  June 2019

   When LISP-DDT [RFC8111] is used as the mapping database, a Map-Server
   sends the final Map-Referral messages from the Delegated Database
   Tree.

   A Map-Resolver receives Encapsulated Map-Requests from its client
   ITRs and uses a mapping database system to find the appropriate ETR
   to answer those requests.  On a LISP-ALT network, a Map-Resolver acts
   as a "first-hop" ALT-Router.  It has Generic Routing Encapsulation
   (GRE) tunnels configured to other ALT-Routers and uses BGP to learn
   paths to ETRs for different prefixes in the LISP-ALT database.  The
   Map-Resolver uses this path information to forward Map-Requests over
   the ALT to the correct ETRs.  On a LISP-DDT network [RFC8111], a Map-
   Resolver maintains a referral-cache and acts as a "first-hop" DDT-
   node.  The Map-Resolver uses the referral information to forward Map-
   Requests.

   Note that while it is conceivable that a Map-Resolver could cache
   responses to improve performance, issues surrounding cache management
   will need to be resolved so that doing so will be reliable and
   practical.  As initially deployed, Map-Resolvers will operate only in
   a non-caching mode, decapsulating and forwarding Encapsulated Map
   Requests received from ITRs.  Any specification of caching
   functionality is out of scope for this document.

   Note that a single device can implement the functions of both a Map-
   Server and a Map-Resolver, and in many cases the functions will be
   co-located in that way.  Also, there can be ALT-only nodes and DDT-
   only nodes, when LISP-ALT and LISP-DDT are used, respectively, to
   connecting Map-Resolvers and Map-Servers together to make up the
   Mapping System.

Farinacci, et al.       Expires December 18, 2019               [Page 7]
Internet-Draft             LISP Control-Plane                  June 2019

5.  LISP IPv4 and IPv6 Control-Plane Packet Formats

   The following UDP packet formats are used by the LISP control plane.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Version|  IHL  |Type of Service|          Total Length         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Identification        |Flags|      Fragment Offset    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |  Time to Live | Protocol = 17 |         Header Checksum       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                    Source Routing Locator                     |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                 Destination Routing Locator                   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     / |           Source Port         |         Dest Port             |
   UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     \ |           UDP Length          |        UDP Checksum           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       |                         LISP Message                          |
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       IPv4 UDP LISP Control Message

Farinacci, et al.       Expires December 18, 2019               [Page 8]
Internet-Draft             LISP Control-Plane                  June 2019

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Version| Traffic Class |           Flow Label                  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Payload Length        | Next Header=17|   Hop Limit   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                                                               +
       |                                                               |
       +                     Source Routing Locator                    +
       |                                                               |
       +                                                               +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                                                               +
       |                                                               |
       +                  Destination Routing Locator                  +
       |                                                               |
       +                                                               +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     / |           Source Port         |         Dest Port             |
   UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     \ |           UDP Length          |        UDP Checksum           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       |                         LISP Message                          |
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       IPv6 UDP LISP Control Message

   When a UDP Map-Request, Map-Register, or Map-Notify (when used as a
   notification message) are sent, the UDP source port is chosen by the
   sender and the destination UDP port number is set to 4342.  When a
   UDP Map-Reply, Map-Notify (when used as an acknowledgement to a Map-
   Register), or Map-Notify-Ack are sent, the source UDP port number is
   set to 4342 and the destination UDP port number is copied from the
   source port of either the Map-Request or the invoking data packet.
   Implementations MUST be prepared to accept packets when either the
   source port or destination UDP port is set to 4342 due to NATs
   changing port number values.

   The 'UDP Length' field will reflect the length of the UDP header and
   the LISP Message payload.  LISP is expected to be deployed by
   cooperating entities communicating over underlays.  Deployers are

Farinacci, et al.       Expires December 18, 2019               [Page 9]
Internet-Draft             LISP Control-Plane                  June 2019

   expected to set the MTU according to the specific deployment
   guidelines to prevent fragmentation of either the inner packet or the
   outer encapsulated packet.  For deployments not aware of the underlay
   restrictions on path MTU, the message size MUST be limited to 576
   bytes for IPv4 or 1280 bytes for IPv6 as outlined in [RFC8085].

   The UDP checksum is computed and set to non-zero for all messages
   sent to or from port 4342.  It MUST be checked on receipt, and if the
   checksum fails, the control message MUST be dropped [RFC1071].

   The format of control messages includes the UDP header so the
   checksum and length fields can be used to protect and delimit message
   boundaries.

Farinacci, et al.       Expires December 18, 2019              [Page 10]
Internet-Draft             LISP Control-Plane                  June 2019

5.1.  LISP Control Packet Type Allocations

   This section defines the LISP control message formats and summarizes
   for IANA the LISP Type codes assigned by this document.  For
   completeness, the summary below includes the LISP Shared Extension
   Message assigned by [I-D.ietf-lisp-rfc8113bis].  Message type
   definitions are:

       Reserved:                          0     b'0000'
       LISP Map-Request:                  1     b'0001'
       LISP Map-Reply:                    2     b'0010'
       LISP Map-Register:                 3     b'0011'
       LISP Map-Notify:                   4     b'0100'
       LISP Map-Notify-Ack:               5     b'0101'
       LISP Map-Referral:                 6     b'0110'
       Unassigned                         7     b'0111'
       LISP Encapsulated Control Message: 8     b'1000'
       Unassigned                         9-14  b'1001'- b'1110'
       LISP Shared Extension Message:     15    b'1111'

   Protocol designers experimenting with new message formats are
   recommended to use the LISP Shared Extension Message Type described
   in [I-D.ietf-lisp-rfc8113bis].

   All LISP Control-Plane messages use Address Family Identifiers (AFI)
   [AFI] or LISP Canonical Address Format (LCAF) [RFC8060] formats to
   encode either fixed or variable length addresses.  This includes
   explicit fields in each control message or part of EID-records or
   RLOC-records in commonly formatted messages.

   The LISP control-plane describes how other data-planes can encode
   messages to support the Soliciting of Map-Requests as well as RLOC-
   probing procedures.

Farinacci, et al.       Expires December 18, 2019              [Page 11]
Internet-Draft             LISP Control-Plane                  June 2019

5.2.  Map-Request Message Format

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Type=1 |A|M|P|S|p|s|R|R|  Rsvd   |L|D|   IRC   | Record Count  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Nonce . . .                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         . . . Nonce                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Source-EID-AFI        |   Source EID Address  ...     |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         ITR-RLOC-AFI 1        |    ITR-RLOC Address 1  ...    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                              ...                              |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         ITR-RLOC-AFI n        |    ITR-RLOC Address n  ...    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     / |   Reserved    | EID mask-len  |        EID-Prefix-AFI         |
   Rec +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     \ |                       EID-Prefix  ...                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                   Map-Reply Record  ...                       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Packet field descriptions:

   Type:   1 (Map-Request)

   A: This is an authoritative bit, which is set to 0 for UDP-based Map-
      Requests sent by an ITR.  It is set to 1 when an ITR wants the
      destination site to return the Map-Reply rather than the mapping
      database system returning a Map-Reply.

   M: This is the map-data-present bit.  When set, it indicates that a
      Map-Reply Record segment is included in the Map-Request.

   P: This is the probe-bit, which indicates that a Map-Request SHOULD
      be treated as a Locator reachability probe.  The receiver SHOULD
      respond with a Map-Reply with the probe-bit set, indicating that
      the Map-Reply is a Locator reachability probe reply, with the
      nonce copied from the Map-Request.  See RLOC-Probing Section 7.1
      for more details.  This RLOC-probe Map-Request MUST NOT be sent to
      the mapping system.  If a Map-Resolver or Map-Server receives a
      Map-Request with the probe-bit set, it MUST drop the message.

Farinacci, et al.       Expires December 18, 2019              [Page 12]
Internet-Draft             LISP Control-Plane                  June 2019

   S: This is the Solicit-Map-Request (SMR) bit.  See Solicit-Map-
      Request (SMRs) Section 6.1 for details.

   p: This is the PITR bit.  This bit is set to 1 when a PITR sends a
      Map-Request.

   s: This is the SMR-invoked bit.  This bit is set to 1 when an xTR is
      sending a Map-Request in response to a received SMR-based Map-
      Request.

   R: This reserved and unassigned bit MUST be set to 0 on transmit and
      MUST be ignored on receipt.

   Rsvd:  This field MUST be set to 0 on transmit and MUST be ignored on
      receipt.

   L: This is the local-xtr bit.  It is used by an xTR in a LISP site to
      tell other xTRs in the same site that it is part of the RLOC-set
      for the LISP site.  The L-bit is set to 1 when the RLOC is the
      sender's IP address.

   D: This is the dont-map-reply bit.  It is used in the SMR procedure
      described in Section 6.1.  When an xTR sends an SMR Map-Request
      message, it doesn't need a Map-Reply returned.  When this bit is
      set, the receiver of the Map-Request does not return a Map-Reply.

   IRC:  This 5-bit field is the ITR-RLOC Count, which encodes the
      additional number of ('ITR-RLOC-AFI', 'ITR-RLOC Address') fields
      present in this message.  At least one (ITR-RLOC-AFI, ITR-RLOC-
      Address) pair MUST be encoded.  Multiple 'ITR-RLOC Address' fields
      are used, so a Map-Replier can select which destination address to
      use for a Map-Reply.  The IRC value ranges from 0 to 31.  For a
      value of 0, there is 1 ITR-RLOC address encoded; for a value of 1,
      there are 2 ITR-RLOC addresses encoded, and so on up to 31, which
      encodes a total of 32 ITR-RLOC addresses.

   Record Count:  This is the number of records in this Map-Request
      message.  A record is comprised of the portion of the packet that
      is labeled 'Rec' above and occurs the number of times equal to
      Record Count.  For this version of the protocol, a receiver MUST
      accept and process Map-Requests that contain one or more records,
      but a sender MUST only send Map-Requests containing one record.

   Nonce:  This is an 8-octet random value created by the sender of the
      Map-Request.  This nonce will be returned in the Map-Reply.  The
      nonce is used as an index to identify the corresponding Map-
      Request when a Map-Reply message is received.  The nonce MUST be
      generated by a properly seeded pseudo-random (or strong random)

Farinacci, et al.       Expires December 18, 2019              [Page 13]
Internet-Draft             LISP Control-Plane                  June 2019

      source.  See [RFC4086] for advice on generating security-sensitive
      random data.

   Source-EID-AFI:  This is the address family of the 'Source EID
      Address' field.

   Source EID Address:  This is the EID of the source host that
      originated the packet that caused the Map-Request.  When Map-
      Requests are used for refreshing a Map-Cache entry or for RLOC-
      Probing, an AFI value 0 is used and this field is of zero length.

   ITR-RLOC-AFI:  This is the address family of the 'ITR-RLOC Address'
      field that follows this field.

   ITR-RLOC Address:  This is used to give the ETR the option of
      selecting the destination address from any address family for the
      Map-Reply message.  This address MUST be a routable RLOC address
      of the sender of the Map-Request message.

   EID mask-len:  This is the mask length for the EID-Prefix.

   EID-Prefix-AFI:  This is the address family of the EID-Prefix
      according to [AFI] and [RFC8060].

   EID-Prefix:  This prefix address length is 4 octets for an IPv4
      address family and 16 octets for an IPv6 address family when the
      EID-Prefix-AFI is 1 or 2, respectively.  For other AFIs [AFI], the
      address length varies and for the LCAF AFI the format is defined
      in [RFC8060].  When a Map-Request is sent by an ITR because a data
      packet is received for a destination where there is no mapping
      entry, the EID-Prefix is set to the destination IP address of the
      data packet, and the 'EID mask-len' is set to 32 or 128 for IPv4
      or IPv6, respectively.  When an xTR wants to query a site about
      the status of a mapping it already has cached, the EID-Prefix used
      in the Map-Request has the same mask-length as the EID-Prefix
      returned from the site when it sent a Map-Reply message.

   Map-Reply Record:  When the M-bit is set, this field is the size of a
      single "Record" in the Map-Reply format.  This Map-Reply record
      contains the EID-to-RLOC mapping entry associated with the Source
      EID.  This allows the ETR that will receive this Map-Request to
      cache the data if it chooses to do so.

5.3.  EID-to-RLOC UDP Map-Request Message

   A Map-Request is sent from an ITR when it needs a mapping for an EID,
   wants to test an RLOC for reachability, or wants to refresh a mapping
   before TTL expiration.  For the initial case, the destination IP

Farinacci, et al.       Expires December 18, 2019              [Page 14]
Internet-Draft             LISP Control-Plane                  June 2019

   address used for the Map-Request is the data packet's destination
   address (i.e., the destination EID) that had a mapping cache lookup
   failure.  For the latter two cases, the destination IP address used
   for the Map-Request is one of the RLOC addresses from the Locator-Set
   of the Map-Cache entry.  The source address is either an IPv4 or IPv6
   RLOC address, depending on whether the Map-Request is using an IPv4
   or IPv6 header, respectively.  In all cases, the UDP source port
   number for the Map-Request message is a 16-bit value selected by the
   ITR/PITR, and the UDP destination port number is set to the well-
   known destination port number 4342.  A successful Map-Reply, which is
   one that has a nonce that matches an outstanding Map-Request nonce,
   will update the cached set of RLOCs associated with the EID-Prefix
   range.

   One or more Map-Request ('ITR-RLOC-AFI', 'ITR-RLOC-Address') fields
   MUST be filled in by the ITR.  The number of fields (minus 1) encoded
   MUST be placed in the 'IRC' field.  The ITR MAY include all locally
   configured Locators in this list or just provide one locator address
   from each address family it supports.  If the ITR erroneously
   provides no ITR-RLOC addresses, the Map-Replier MUST drop the Map-
   Request.

   Map-Requests can also be LISP encapsulated using UDP destination
   port 4342 with a LISP Type value set to "Encapsulated Control
   Message", when sent from an ITR to a Map-Resolver.  Likewise, Map-
   Requests are LISP encapsulated the same way from a Map-Server to an
   ETR.  Details on Encapsulated Map-Requests and Map-Resolvers can be
   found in Section 5.8.

   Map-Requests MUST be rate-limited to 1 per second per EID-prefix.
   After 10 retransmits without receiving the corresponding Map-Reply
   must wait 30 seconds.

   An ITR that is configured with mapping database information (i.e., it
   is also an ETR) MAY optionally include those mappings in a Map-
   Request.  When an ETR configured to accept and verify such
   "piggybacked" mapping data receives such a Map-Request and it does
   not have this mapping in the Map-Cache, it MAY originate a "verifying
   Map-Request", addressed to the map-requesting ITR and the ETR MAY add
   a Map-Cache entry.  If the ETR (when it is an xTR co-located as an
   ITR) has a Map-Cache entry that matches the "piggybacked" EID and the
   RLOC is in the Locator-Set for the entry, then it MAY send the
   "verifying Map-Request" directly to the originating Map-Request
   source.  If the RLOC is not in the Locator-Set, then the ETR MUST
   send the "verifying Map-Request" to the "piggybacked" EID.  Doing
   this forces the "verifying Map-Request" to go through the mapping
   database system to reach the authoritative source of information

Farinacci, et al.       Expires December 18, 2019              [Page 15]
Internet-Draft             LISP Control-Plane                  June 2019

   about that EID, guarding against RLOC-spoofing in the "piggybacked"
   mapping data.

Farinacci, et al.       Expires December 18, 2019              [Page 16]
Internet-Draft             LISP Control-Plane                  June 2019

5.4.  Map-Reply Message Format

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Type=2 |P|E|S|          Reserved               | Record Count  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Nonce . . .                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         . . . Nonce                           |
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   |                          Record TTL                           |
   |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   R   | Locator Count | EID mask-len  | ACT |A|      Reserved         |
   e   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   c   | Rsvd  |  Map-Version Number   |       EID-Prefix-AFI          |
   o   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   r   |                          EID-Prefix                           |
   d   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  /|    Priority   |    Weight     |  M Priority   |   M Weight    |
   | L +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | o |        Unused Flags     |L|p|R|           Loc-AFI             |
   | c +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  \|                             Locator                           |
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Packet field descriptions:

   Type:   2 (Map-Reply)

   P: This is the probe-bit, which indicates that the Map-Reply is in
      response to a Locator reachability probe Map-Request.  The 'Nonce'
      field MUST contain a copy of the nonce value from the original
      Map-Request.  See RLOC-probing Section 7.1 for more details.  When
      the probe-bit is set to 1 in a Map-Reply message, the A-bit in
      each EID-record included in the message MUST be set to 1.

   E: This bit indicates that the ETR that sends this Map-Reply message
      is advertising that the site is enabled for the Echo-Nonce Locator
      reachability algorithm.  See Echo-Nonce [I-D.ietf-lisp-rfc6830bis]
      for more details.

   S: This is the Security bit.  When set to 1, the following
      authentication information will be appended to the end of the Map-
      Reply.  The details of signing a Map-Reply message can be found in
      [I-D.ietf-lisp-sec].

Farinacci, et al.       Expires December 18, 2019              [Page 17]
Internet-Draft             LISP Control-Plane                  June 2019

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    AD Type    |       Authentication Data Content . . .       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Reserved:  This unassigned field MUST be set to 0 on transmit and
      MUST be ignored on receipt.

   Record Count:  This is the number of records in this reply message.
      A record is comprised of that portion of the packet labeled
      'Record' above and occurs the number of times equal to Record
      Count.

   Nonce:  This 64-bit value from the Map-Request is echoed in this
      'Nonce' field of the Map-Reply.

   Record TTL:  This is the time in minutes the recipient of the Map-
      Reply will store the mapping.  If the TTL is 0, the entry MUST be
      removed from the cache immediately.  If the value is 0xffffffff,
      the recipient can decide locally how long to store the mapping.

   Locator Count:  This is the number of Locator entries.  A Locator
      entry comprises what is labeled above as 'Loc'.  The Locator count
      can be 0, indicating that there are no Locators for the EID-
      Prefix.

   EID mask-len:  This is the mask length for the EID-Prefix.

   ACT:  This 3-bit field describes Negative Map-Reply actions.  In any
      other message type, these bits are set to 0 and ignored on
      receipt.  These bits are used only when the 'Locator Count' field
      is set to 0.  The action bits are encoded only in Map-Reply
      messages.  They are used to tell an ITR or PITR why a empty
      locator-set was returned from the mapping system and how it stores
      the map-cache entry.

      (0) No-Action:  The Map-Cache is kept alive, and no packet
          encapsulation occurs.

      (1) Natively-Forward:  The packet is not encapsulated or dropped
          but natively forwarded.

      (2) Send-Map-Request:  The Map-Cache entry is created and flagged
          that any packet matching this entry invokes sending a Map-
          Request.

Farinacci, et al.       Expires December 18, 2019              [Page 18]
Internet-Draft             LISP Control-Plane                  June 2019

      (3) Drop/No-Reason:  A packet that matches this Map-Cache entry is
          dropped.  An ICMP Destination Unreachable message SHOULD be
          sent.

      (4) Drop/Policy-Denied:  A packet that matches this Map-Cache
          entry is dropped.  The reason for the Drop action is that a
          Map-Request for the target-EID is being policy denied by
          either an xTR or the mapping system.

      (5) Drop/Authentication-Failure:  A packet that matches this Map-
          Cache entry is dropped.  The reason for the Drop action is
          that a Map-Request for the target-EID fails an authentication
          verification-check by either an xTR or the mapping system.

   A: The Authoritative bit, when set to 1, is always set to 1 by an
      ETR.  When a Map-Server is proxy Map-Replying for a LISP site, the
      Authoritative bit is set to 0.  This indicates to requesting ITRs
      that the Map-Reply was not originated by a LISP node managed at
      the site that owns the EID-Prefix.

   Map-Version Number:  When this 12-bit value is non-zero, the Map-
      Reply sender is informing the ITR what the version number is for
      the EID record contained in the Map-Reply.  The ETR can allocate
      this number internally but MUST coordinate this value with other
      ETRs for the site.  When this value is 0, there is no versioning
      information conveyed.  The Map-Version Number can be included in
      Map-Request and Map-Register messages.  See Map-Versioning
      [I-D.ietf-lisp-6834bis] for more details.

   EID-Prefix-AFI:  Address family of the EID-Prefix according to [AFI]
      and [RFC8060].

   EID-Prefix:  This prefix is 4 octets for an IPv4 address family and
      16 octets for an IPv6 address family.

   Priority:  Each RLOC is assigned a unicast Priority.  Lower values
      are more preferable.  When multiple RLOCs have the same Priority,
      they may be used in a load-split fashion.  A value of 255 means
      the RLOC MUST NOT be used for unicast forwarding.

   Weight:  When priorities are the same for multiple RLOCs, the Weight
      indicates how to balance unicast traffic between them.  Weight is
      encoded as a relative weight of total unicast packets that match
      the mapping entry.  For example, if there are 4 Locators in a
      Locator-Set, where the Weights assigned are 30, 20, 20, and 10,
      the first Locator will get 37.5% of the traffic, the 2nd and 3rd
      Locators will get 25% of the traffic, and the 4th Locator will get
      12.5% of the traffic.  If all Weights for a Locator-Set are equal,

Farinacci, et al.       Expires December 18, 2019              [Page 19]
Internet-Draft             LISP Control-Plane                  June 2019

      the receiver of the Map-Reply will decide how to load-split the
      traffic.  See RLOC-hashing [I-D.ietf-lisp-rfc6830bis] for a
      suggested hash algorithm to distribute the load across Locators
      with the same Priority and equal Weight values.

   M Priority:  Each RLOC is assigned a multicast Priority used by an
      ETR in a receiver multicast site to select an ITR in a source
      multicast site for building multicast distribution trees.  A value
      of 255 means the RLOC MUST NOT be used for joining a multicast
      distribution tree.  For more details, see [RFC6831].

   M Weight:  When priorities are the same for multiple RLOCs, the
      Weight indicates how to balance building multicast distribution
      trees across multiple ITRs.  The Weight is encoded as a relative
      weight (similar to the unicast Weights) of the total number of
      trees built to the source site identified by the EID-Prefix.  If
      all Weights for a Locator-Set are equal, the receiver of the Map-
      Reply will decide how to distribute multicast state across ITRs.
      For more details, see [RFC6831].

   Unused Flags:  These are set to 0 when sending and ignored on
      receipt.

   L: When this bit is set, the Locator is flagged as a local Locator to
      the ETR that is sending the Map-Reply.  When a Map-Server is doing
      proxy Map-Replying for a LISP site, the L-bit is set to 0 for all
      Locators in this Locator-Set.

   p: When this bit is set, an ETR informs the RLOC-Probing ITR that the
      locator address for which this bit is set is the one being RLOC-
      probed and may be different from the source address of the Map-
      Reply.  An ITR that RLOC-probes a particular Locator MUST use this
      Locator for retrieving the data structure used to store the fact
      that the Locator is reachable.  The p-bit is set for a single
      Locator in the same Locator-Set. If an implementation sets more
      than one p-bit erroneously, the receiver of the Map-Reply MUST
      select the first set p-bit Locator.  The p-bit MUST NOT be set for
      Locator-Set records sent in Map-Request and Map-Register messages.

   R: This is set when the sender of a Map-Reply has a route to the
      Locator in the Locator data record.  This receiver may find this
      useful to know if the Locator is up but not necessarily reachable
      from the receiver's point of view.  See also EID-Reachability
      Section 7.1 for another way the R-bit may be used.

   Locator:  This is an IPv4 or IPv6 address (as encoded by the 'Loc-
      AFI' field) assigned to an ETR and used by an ITR as a destination
      RLOC address in the outer header of a LISP encapsualted packet.

Farinacci, et al.       Expires December 18, 2019              [Page 20]
Internet-Draft             LISP Control-Plane                  June 2019

      Note that the destination RLOC address of a LISP encapsulated
      packet MAY be an anycast address.  A source RLOC of a LISP
      encapsulated packet can be an anycast address as well.  The source
      or destination RLOC MUST NOT be the broadcast address
      (255.255.255.255 or any subnet broadcast address known to the
      router) and MUST NOT be a link-local multicast address.  The
      source RLOC MUST NOT be a multicast address.  The destination RLOC
      SHOULD be a multicast address if it is being mapped from a
      multicast destination EID.

   Map-Reply MUST be rate-limited, it is RECOMMENDED that a Map-Reply
   for the same destination RLOC be sent no more than one packets per 3
   seconds.

   The Record format, as defined here, is used both in the Map-Reply and
   Map-Register messages, this includes all the field definitions.

5.5.  EID-to-RLOC UDP Map-Reply Message

   A Map-Reply returns an EID-Prefix with a mask-length that is less
   than or equal to the EID being requested.  The EID being requested is
   either from the destination field of an IP header of a Data-Probe or
   the EID record of a Map-Request.  The RLOCs in the Map-Reply are
   routable IP addresses of all ETRs for the LISP site.  Each RLOC
   conveys status reachability but does not convey path reachability
   from a requester's perspective.  Separate testing of path
   reachability is required.  See RLOC-reachability Section 7.1 for
   details.

   Note that a Map-Reply MAY contain different EID-Prefix granularity
   (prefix + mask-length) than the Map-Request that triggers it.  This
   might occur if a Map-Request were for a prefix that had been returned
   by an earlier Map-Reply.  In such a case, the requester updates its
   cache with the new prefix information and granularity.  For example,
   a requester with two cached EID-Prefixes that are covered by a Map-
   Reply containing one less-specific prefix replaces the entry with the
   less-specific EID-Prefix.  Note that the reverse, replacement of one
   less-specific prefix with multiple more-specific prefixes, can also
   occur, not by removing the less-specific prefix but rather by adding
   the more-specific prefixes that, during a lookup, will override the
   less-specific prefix.

   When an EID moves out of a LISP site [I-D.ietf-lisp-eid-mobility],
   the database mapping system may have overlapping EID-prefixes.  Or
   when a LISP site is configured with multiple sets of ETRs that
   support different EID-prefix mask-lengths, the database mapping
   system may have overlapping EID-prefixes.  When overlapping EID-
   prefixes exist, a Map-Request with an EID that best matches any EID-

Farinacci, et al.       Expires December 18, 2019              [Page 21]
Internet-Draft             LISP Control-Plane                  June 2019

   Prefix MUST be returned in a single Map-Reply message.  For instance,
   if an ETR had database mapping entries for EID-Prefixes:

     2001:db8::/16
     2001:db8:1::/24
     2001:db8:1:1::/32
     2001:db8:1:2::/32

   A Map-Request for EID 2001:db8:1:1::1 would cause a Map-Reply with a
   record count of 1 to be returned with a mapping record EID-Prefix of
   2001:db8:1:1::/32.

   A Map-Request for EID 2001:db8:1:5::5 would cause a Map-Reply with a
   record count of 3 to be returned with mapping records for EID-
   Prefixes 2001:db8:1::/24, 2001:db8:1:1::/32, 2001:db8:1:2::/32,
   filling out the /24 with more-specifics that exist in the mapping
   system.

   Note that not all overlapping EID-Prefixes need to be returned but
   only the more-specific entries (note that in the second example above
   2001:db8::/16 was not returned for requesting EID 2001:db8:1:5::5)
   for the matching EID-Prefix of the requesting EID.  When more than
   one EID-Prefix is returned, all SHOULD use the same Time to Live
   value so they can all time out at the same time.  When a more-
   specific EID-Prefix is received later, its Time to Live value in the
   Map-Reply record can be stored even when other less-specific entries
   exist.  When a less-specific EID-Prefix is received later, its Map-
   Cache expiration time SHOULD be set to the minimum expiration time of
   any more-specific EID-Prefix in the Map-Cache.  This is done so the
   integrity of the EID-Prefix set is wholly maintained and so no more-
   specific entries are removed from the Map-Cache while keeping less-
   specific entries.

   For scalability, it is expected that aggregation of EID addresses
   into EID-Prefixes will allow one Map-Reply to satisfy a mapping for
   the EID addresses in the prefix range, thereby reducing the number of
   Map-Request messages.

   Map-Reply records can have an empty Locator-Set.  A Negative Map-
   Reply is a Map-Reply with an empty Locator-Set.  Negative Map-Replies
   convey special actions by the sender to the ITR or PITR that have
   solicited the Map-Reply.  There are two primary applications for
   Negative Map-Replies.  The first is for a Map-Resolver to instruct an
   ITR or PITR when a destination is for a LISP site versus a non-LISP
   site, and the other is to source quench Map-Requests that are sent
   for non-allocated EIDs.

Farinacci, et al.       Expires December 18, 2019              [Page 22]
Internet-Draft             LISP Control-Plane                  June 2019

   For each Map-Reply record, the list of Locators in a Locator-Set MUST
   appear in the same order for each ETR that originates a Map-Reply
   message.  The Locator-Set MUST be sorted in order of ascending IP
   address where an IPv4 locator address is considered numerically 'less
   than' an IPv6 locator address.

   When sending a Map-Reply message, the destination address is copied
   from one of the 'ITR-RLOC' fields from the Map-Request.  The ETR can
   choose a locator address from one of the address families it
   supports.  For Data-Probes, the destination address of the Map-Reply
   is copied from the source address of the Data-Probe message that is
   invoking the reply.  The source address of the Map-Reply is one of
   the local IP addresses chosen, to allow Unicast Reverse Path
   Forwarding (uRPF) checks to succeed in the upstream service provider.
   The destination port of a Map-Reply message is copied from the source
   port of the Map-Request or Data-Probe, and the source port of the
   Map-Reply message is set to the well-known UDP port 4342.

Farinacci, et al.       Expires December 18, 2019              [Page 23]
Internet-Draft             LISP Control-Plane                  June 2019

5.6.  Map-Register Message Format

   This section specifies the encoding format for the Map-Register
   message.  The message is sent in UDP with a destination UDP port of
   4342 and a randomly selected UDP source port number.

   The fields below are used in multiple control messages.  They are
   defined for Map-Register, Map-Notify and Map-Notify-Ack message
   types.

   The Map-Register message format is:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Type=3 |P|S|I|        Reserved       |E|T|a|R|M| Record Count  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Nonce . . .                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         . . . Nonce                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Key ID     | Algorithm ID  |  Authentication Data Length   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       ~                     Authentication Data                       ~
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   |                          Record TTL                           |
   |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   R   | Locator Count | EID mask-len  | ACT |A|      Reserved         |
   e   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   c   | Rsvd  |  Map-Version Number   |        EID-Prefix-AFI         |
   o   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   r   |                          EID-Prefix                           |
   d   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  /|    Priority   |    Weight     |  M Priority   |   M Weight    |
   | L +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | o |        Unused Flags     |L|p|R|           Loc-AFI             |
   | c +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  \|                             Locator                           |
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Packet field descriptions:

   Type:   3 (Map-Register)

   P: This is the proxy Map-Reply bit.  When set to 1, an ETR sends a
      Map-Register message requesting the Map-Server to proxy a Map-
      Reply.  The Map-Server will send non-authoritative Map-Replies on
      behalf of the ETR.

Farinacci, et al.       Expires December 18, 2019              [Page 24]
Internet-Draft             LISP Control-Plane                  June 2019

   S: This is the security-capable bit.  When set, the procedures from
      [I-D.ietf-lisp-sec] are supported.

   I: This bit is set to 1 to indicate that a 128 bit xTR-ID and a 64
      bit Site-ID fields are present at the end of the Map-Register
      message.  If an xTR is configured with an xTR-ID and Site-ID, it
      MUST set the I bit to 1 and include its xTR-ID and Site-ID in the
      Map-Register messages it generates.  The combination of Site-ID
      plus xTR-ID uniquely identifies an xTR in a LISP domain and serves
      to track its last seen nonce.

   Reserved:  This unassigned field MUST be set to 0 on transmit and
      MUST be ignored on receipt.

   E: This is the Map-Register EID-notify bit.  This is used by a First-
      Hop-Router (FHR) which discovers a dynamic-EID.  This EID-notify
      based Map-Register is sent by the FHR to the same site xTR that
      propogates the Map-Register to the mapping system.  The site xTR
      keeps state to later Map-Notify the FHR after the EID has moves
      away.  See [I-D.ietf-lisp-eid-mobility] for a detailed use-case.

   T: This is the use-TTL for timeout bit.  When set to 1, the xTR wants
      the Map-Server to time out registrations based on the value in the
      "Record TTL" field of this message.  Otherwise, the default
      timeout described in Section 8.2 is used.

   a: This is the merge-request bit.  When set to 1, the xTR requests to
      merge RLOC-records from different xTRs registering the same EID-
      record.  See signal-free multicast [RFC8378] for one use case
      example.

   R: This reserved and unassigned bit MUST be set to 0 on transmit and
      MUST be ignored on receipt.

   M: This is the want-map-notify bit.  When set to 1, an ETR is
      requesting a Map-Notify message to be returned in response to
      sending a Map-Register message.  The Map-Notify message sent by a
      Map-Server is used to acknowledge receipt of a Map-Register
      message.

   Record Count:  This is the number of records in this Map-Register
      message.  A record is comprised of that portion of the packet
      labeled 'Record' above and occurs the number of times equal to
      Record Count.

   Nonce:  This 8-octet 'Nonce' field is incremented each time a Map-
      Register message is sent.  When a Map-Register acknowledgement is
      requested, the nonce is returned by Map-Servers in Map-Notify

Farinacci, et al.       Expires December 18, 2019              [Page 25]
Internet-Draft             LISP Control-Plane                  June 2019

      messages.  Since the entire Map-Register message is authenticated,
      the 'Nonce' field serves to protect against Map-Register replay
      attacks.  An ETR that registers to the mapping system SHOULD store
      the last nonce sent in persistent storage so when it restarts it
      can continue using an incrementing nonce.  If the the ETR cannot
      support saving the nonce, then when it restarts it MUST use a new
      authentication key to register to the mapping system.  A Map-
      Server MUST track and save in persistent storage the last nonce
      received for each ETR xTR-ID and key pair.  If a Map-Register is
      received with a nonce value that is not greater than the saved
      nonce, it drops the Map-Register message and logs the fact a
      replay attack could have occurred.

   Key ID:  A key-id value that identifies a pre-shared secret between
      an ETR and a Map-Server.  Per-message keys are derived from the
      pre-shared secret to authenticate the origin and protect the
      integrity of the Map-Register.  The Key ID allows to rotate
      between multiple pre-shared secrets in a non disruptive way.  The
      pre-shared secret MUST be unique per each LISP "Site-ID"

   Algorithm ID:  This field identifies the Key Derivation Function
      (KDF) and Message Authentication Code (MAC) algorithms used to
      derive the key and to compute the Authentication Data of a Map-
      Register.  This 8-bit field identifies the KDF and MAC algorithm
      pair.  See Section 12.5 for codepoint assignments.

   Authentication Data Length:  This is the length in octets of the
      'Authentication Data' field that follows this field.  The length
      of the 'Authentication Data' field is dependent on the MAC
      algorithm used.  The length field allows a device that doesn't
      know the MAC algorithm to correctly parse the packet.

   Authentication Data:  This is the output of the MAC algorithm placed
      in this field after the MAC computation.  The MAC output is
      computed as follows:

      1:  The KDF algorithm is identified by the field 'Algorithm ID'
          according to the table in Section 12.5.  Implementations of
          this specification SHOULD include support for HMAC-SHA256-
          128+HKDF-SHA256 [RFC4868].

      2:  The MAC algorithm is identified by the field 'Algorithm ID'
          according to the table in Section 12.5.

Farinacci, et al.       Expires December 18, 2019              [Page 26]
Internet-Draft             LISP Control-Plane                  June 2019

      3:  The pre-shared secret used to derive the per-message key is
          represented by PSK[Key ID], that is the pre-shared secret
          identified by the 'Key ID'.

      4:  The derived per-message key is computed as: per-msg-
          key=KDF(nonce+s+PSK[Key ID]).  Where the nonce is the value in
          the Nonce field of the Map-Register and 's' is a string equal
          to "Map-Register Authentication".

      5:  The MAC output is computed using the MAC algorithm and the
          per-msg-key over the entire Map-Register payload (from and
          including the LISP message type field through the end of the
          last RLOC record) with the authenticated data field preset to
          0.

   The definition of the rest of the Map-Register can be found in EID-
   record description in Section 5.4.  When the I-bit is set, the
   following fields are added to the end of the Map-Register message:

   xTR-ID:  xTR-ID is a 128 bit field at the end of the Map-Register
      message, starting after the final Record in the message.  The xTR-
      ID is used to uniquely identify a xTR.  The same xTR-ID value MUST
      NOT be used in two different xTRs.

   Site-ID:  Site-ID is a 64 bit field at the end of the Map- Register
      message, following the xTR-ID.  Site-ID is used to uniquely
      identify to which site the xTR that sent the message belongs.

Farinacci, et al.       Expires December 18, 2019              [Page 27]
Internet-Draft             LISP Control-Plane                  June 2019

5.7.  Map-Notify/Map-Notify-Ack Message Format

   This section specifies the encoding format for the Map-Notify and
   Map-Notify-Ack messages.  The messages are sent inside a UDP packet
   with source and destination UDP ports equal to 4342.

   The Map-Notify and Map-Notify-Ack message formats are:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Type=4/5|             Reserved                 | Record Count  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Nonce . . .                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         . . . Nonce                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Key ID     | Algorithm ID  |  Authentication Data Length   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       ~                     Authentication Data                       ~
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   |                          Record TTL                           |
   |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   R   | Locator Count | EID mask-len  | ACT |A|      Reserved         |
   e   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   c   | Rsvd  |  Map-Version Number   |         EID-Prefix-AFI        |
   o   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   r   |                          EID-Prefix                           |
   d   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  /|    Priority   |    Weight     |  M Priority   |   M Weight    |
   | L +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | o |        Unused Flags     |L|p|R|           Loc-AFI             |
   | c +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  \|                             Locator                           |
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Packet field descriptions:

   Type:   4/5 (Map-Notify/Map-Notify-Ack)

   The Map-Notify message has the same contents as a Map-Register
   message.  See the Map-Register section for field descriptions and the
   Map-Reply section for EID-record and RLOC-record descriptions.

   The fields of the Map-Notify are copied from the corresponding Map-
   Register to acknowledge its correct processing.  In the Map-Notfiy,
   the 'Authentication Data' field is recomputed according to the
   procedure defined in the previous section.  For an unsolicited Map-

Farinacci, et al.       Expires December 18, 2019              [Page 28]
Internet-Draft             LISP Control-Plane                  June 2019

   Notify, the fields of a Map-Notify used for publish/subscribe are
   specified in [I-D.ietf-lisp-pubsub].

   After sending a Map-Register, if a Map-Notify is not received after 1
   second the transmitter MUST re-transmit the original Map-Register
   with an exponential backoff, the maximum backoff is 1 minute.

   The Map-Notify-Ack message has the same contents as a Map-Notify
   message.  It is used to acknowledge the receipt of a Map-Notify
   (solicited or unsolicited) and for the sender to stop retransmitting
   a Map-Notify with the same nonce.  The fields of the Map-Notify-Ack
   are copied from the corresponding Map-Notify message to acknowledge
   its correct processing.

   A Map-Server sends an unsolicited Map-Notify message (one that is not
   used as an acknowledgment to a Map-Register message) that follows the
   Congestion Control And Relability Guideline sections of [RFC8085].  A
   Map-Notify is retransmitted until a Map-Notify-Ack is received by the
   Map-Server with the same nonce used in the Map-Notify message.  If a
   Map-Notify-Ack is never received by the Map-Server, it issues a log
   message.  An implementation SHOULD retransmit up to 3 times at 3
   second retransmission intervals, after which time the retransmission
   interval is exponentially backed-off for another 3 retransmission
   attempts.  After this time, an xTR can only get the RLOC-set change
   by later querying the mapping system or by RLOC-probing one of the
   RLOCs of the existing cached RLOC-set to get the new RLOC-set.

Farinacci, et al.       Expires December 18, 2019              [Page 29]
Internet-Draft             LISP Control-Plane                  June 2019

5.8.  Encapsulated Control Message Format

   An Encapsulated Control Message (ECM) is used to encapsulate control
   packets sent between xTRs and the mapping database system.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     / |                       IPv4 or IPv6 Header                     |
   OH  |                      (uses RLOC addresses)                    |
     \ |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     / |       Source Port = xxxx      |       Dest Port = 4342        |
   UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     \ |           UDP Length          |        UDP Checksum           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  LISP |Type=8 |S|D|E|M|            Reserved                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     / |                       IPv4 or IPv6 Header                     |
   IH  |                  (uses RLOC or EID addresses)                 |
     \ |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     / |       Source Port = xxxx      |       Dest Port = yyyy        |
   UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     \ |           UDP Length          |        UDP Checksum           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   LCM |                      LISP Control Message                     |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Packet header descriptions:

   OH:   The outer IPv4 or IPv6 header, which uses RLOC addresses in the
         source and destination header address fields.

   UDP:  The outer UDP header with destination port 4342.  The source
         port is randomly allocated.  The checksum field MUST be non-
         zero.

   LISP: Type 8 is defined to be a "LISP Encapsulated Control Message",
         and what follows is either an IPv4 or IPv6 header as encoded by
         the first 4 bits after the 'Reserved' field.

   Type:   8 (Encapsulated Control Message (ECM))

   S:    This is the Security bit.  When set to 1, the field following
         the 'Reserved' field will have the following Authentication
         Data format and follow the procedures from [I-D.ietf-lisp-sec].

Farinacci, et al.       Expires December 18, 2019              [Page 30]
Internet-Draft             LISP Control-Plane                  June 2019

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    AD Type    |       Authentication Data Content . . .       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   D:    This is the DDT-bit.  When set to 1, the sender is requesting a
         Map-Referral message to be returned.  The details of this
         procedure are described in [RFC8111].

   E:    This is the to-ETR bit.  When set to 1, the Map-Server's
         intention is to forward the ECM to an authoritative ETR.

   M:    This is the to-MS bit.  When set to 1, a Map-Request is being
         sent to a co-located Map-Resolver and Map-Server where the
         message can be processed directly by the Map-Server versus the
         Map-Resolver using the LISP-DDT procedures in [RFC8111].

   IH:   The inner IPv4 or IPv6 header, which can use either RLOC or EID
         addresses in the header address fields.  When a Map-Request is
         encapsulated in this packet format, the destination address in
         this header is an EID.

   UDP:  The inner UDP header, where the port assignments depend on the
         control packet being encapsulated.  When the control packet is
         a Map-Request or Map-Register, the source port is selected by
         the ITR/PITR and the destination port is 4342.  When the
         control packet is a Map-Reply, the source port is 4342 and the
         destination port is assigned from the source port of the
         invoking Map-Request.  Port number 4341 MUST NOT be assigned to
         either port.  The checksum field MUST be non-zero.

   LCM:  The format is one of the control message formats described in
         this section.  Map-Request messages are allowed to be Control-
         Plane (ECM) encapsulated.  When Map-Requests are sent for RLOC-
         Probing purposes (i.e. the probe-bit is set), they MUST NOT be
         sent inside Encapsulated Control Messages.  PIM Join/Prune
         messages [RFC6831] are also allowed to be Control-Plane (ECM)
         encapsulated.

Farinacci, et al.       Expires December 18, 2019              [Page 31]
Internet-Draft             LISP Control-Plane                  June 2019

6.  Changing the Contents of EID-to-RLOC Mappings

   In the LISP architecture ITRs/PITRs use a local Map-Cache to store
   EID-to-RLOC mappings for forwarding.  When an ETR updates a mapping a
   mechanism is required to inform ITRs/PITRs that are using such
   mappings.

   The LISP Data-Plane defines several mechanism to update mappings
   [I-D.ietf-lisp-rfc6830bis].  This document specifies the Solicit-Map
   Request (SMR), a Control-Plane push-based mechanism.  An additional
   Control-Plane mechanism based on the Publish/subscribe paradigm is
   specified in [I-D.ietf-lisp-pubsub].

6.1.  Solicit-Map-Request (SMR)

   Soliciting a Map-Request is a selective way for ETRs, at the site
   where mappings change, to control the rate they receive requests for
   Map-Reply messages.  SMRs are also used to tell remote ITRs to update
   the mappings they have cached.

   Since ETRs are not required to keep track of remote ITRs that have
   cached their mappings, they do not know which ITRs need to have their
   mappings updated.  As a result, an ETR will solicit Map-Requests
   (called an SMR message) to those sites to which it has been sending
   LISP encapsulated data packets for the last minute.  In particular,
   an ETR will send an SMR to an ITR to which it has recently sent
   encapsulated data.  This can only occur when both ITR and ETR
   functionality reside in the same router.

   An SMR message is simply a bit set in a Map-Request message.  An ITR
   or PITR will send a Map-Request when they receive an SMR message.
   Both the SMR sender and the SMR responder MUST rate-limit these
   messages.  It is RECOMMENDED that the SMR sender rate-limits Map-
   Request for the same destination RLOC to no more than one packet per
   3 seconds.  It is RECOMMENDED that the SMR responder rate-limits Map-
   Request for the same EID-Prefix to no more than once per 3 seconds.

   The following procedure shows how an SMR exchange occurs when a site
   is doing Locator-Set compaction for an EID-to-RLOC mapping:

   1.  When the database mappings in an ETR change, the ETRs at the site
       begin to send Map-Requests with the SMR bit set for each Locator
       in each Map-Cache entry the ETR (when it is an xTR co-located as
       an ITR) caches.

   2.  A remote ITR that receives the SMR message will schedule sending
       a Map-Request message to the source locator address of the SMR
       message or to the mapping database system.  A newly allocated

Farinacci, et al.       Expires December 18, 2019              [Page 32]
Internet-Draft             LISP Control-Plane                  June 2019

       random nonce is selected, and the EID-Prefix used is the one
       copied from the SMR message.  If the source Locator is the only
       Locator in the cached Locator-Set, the remote ITR SHOULD send a
       Map-Request to the database mapping system just in case the
       single Locator has changed and may no longer be reachable to
       accept the Map-Request.

   3.  The remote ITR MUST rate-limit the Map-Request until it gets a
       Map-Reply while continuing to use the cached mapping.  When
       Map-Versioning as described in [I-D.ietf-lisp-6834bis] is used,
       an SMR sender can detect if an ITR is using the most up-to-date
       database mapping.

   4.  The site sending SMR messages will reply to the Map-Request with
       a Map-Reply message that has a nonce from the SMR-invoked Map-
       Request.  This is important to avoid Map-Reply implosion.

   5.  The ETRs at the site with the changed mapping record the fact
       that the site that sent the Map-Request has received the new
       mapping data in the Map-Cache entry for the remote site so the
       Locator-Status-Bits are reflective of the new mapping for packets
       going to the remote site.  The ETR then stops sending SMR
       messages.

   For security reasons, an ITR MUST NOT process unsolicited Map-
   Replies.  To avoid Map-Cache entry corruption by a third party, a
   sender of an SMR-based Map-Request MUST be verified.  If an ITR
   receives an SMR-based Map-Request and the source is not in the
   Locator-Set for the stored Map-Cache entry, then the responding Map-
   Request MUST be sent with an EID destination to the mapping database
   system.  Since the mapping database system is a more secure way to
   reach an authoritative ETR, it will deliver the Map-Request to the
   authoritative source of the mapping data.

   When an ITR receives an SMR-based Map-Request for which it does not
   have a cached mapping for the EID in the SMR message, it SHOULD NOT
   send an SMR-invoked Map-Request.  This scenario can occur when an ETR
   sends SMR messages to all Locators in the Locator-Set it has stored
   in its Map-Cache but the remote ITRs that receive the SMR may not be
   sending packets to the site.  There is no point in updating the ITRs
   until they need to send, in which case they will send Map-Requests to
   obtain a Map-Cache entry.

7.  Routing Locator Reachability

   This document defines several Control-Plane mechanisms for
   determining RLOC reachability.  Please note that additional Data-

Farinacci, et al.       Expires December 18, 2019              [Page 33]
Internet-Draft             LISP Control-Plane                  June 2019

   Plane reachability mechanisms are defined in
   [I-D.ietf-lisp-rfc6830bis].

   1.  An ITR may receive an ICMP Network Unreachable or Host
       Unreachable message for an RLOC it is using.  This indicates that
       the RLOC is likely down.  Note that trusting ICMP messages may
       not be desirable, but neither is ignoring them completely.
       Implementations are encouraged to follow current best practices
       in treating these conditions [I-D.ietf-opsec-icmp-filtering].

   2.  When an ITR participates in the routing protocol that operates in
       the underlay routing system, it can determine that an RLOC is
       down when no Routing Information Base (RIB) entry exists that
       matches the RLOC IP address.

   3.  An ITR may receive an ICMP Port Unreachable message from a
       destination host.  This occurs if an ITR attempts to use
       interworking [RFC6832] and LISP-encapsulated data is sent to a
       non-LISP-capable site.

   4.  An ITR may receive a Map-Reply from an ETR in response to a
       previously sent Map-Request.  The RLOC source of the Map-Reply is
       likely up, since the ETR was able to send the Map-Reply to the
       ITR.

   5.  An ITR/ETR pair can use the 'RLOC-Probing' mechanism described
       below.

   When ITRs receive ICMP Network Unreachable or Host Unreachable
   messages as a method to determine unreachability, they will refrain
   from using Locators that are described in Locator lists of Map-
   Replies.  However, using this approach is unreliable because many
   network operators turn off generation of ICMP Destination Unreachable
   messages.

   If an ITR does receive an ICMP Network Unreachable or Host
   Unreachable message, it MAY originate its own ICMP Destination
   Unreachable message destined for the host that originated the data
   packet the ITR encapsulated.

   Also, BGP-enabled ITRs can unilaterally examine the RIB to see if a
   locator address from a Locator-Set in a mapping entry matches a
   prefix.  If it does not find one and BGP is running in the Default-
   Free Zone (DFZ), it can decide to not use the Locator even though the
   Locator-Status-Bits indicate that the Locator is up.  In this case,
   the path from the ITR to the ETR that is assigned the Locator is not
   available.  More details are in [I-D.meyer-loc-id-implications].

Farinacci, et al.       Expires December 18, 2019              [Page 34]
Internet-Draft             LISP Control-Plane                  June 2019

   Optionally, an ITR can send a Map-Request to a Locator, and if a Map-
   Reply is returned, reachability of the Locator has been determined.
   Obviously, sending such probes increases the number of control
   messages originated by Tunnel Routers for active flows, so Locators
   are assumed to be reachable when they are advertised.

   This assumption does create a dependency: Locator unreachability is
   detected by the receipt of ICMP Host Unreachable messages.  When a
   Locator has been determined to be unreachable, it is not used for
   active traffic; this is the same as if it were listed in a Map-Reply
   with Priority 255.

   The ITR can test the reachability of the unreachable Locator by
   sending periodic Requests.  Both Requests and Replies MUST be rate-
   limited.  Locator reachability testing is never done with data
   packets, since that increases the risk of packet loss for end-to-end
   sessions.

7.1.  RLOC-Probing Algorithm

   RLOC-Probing is a method that an ITR or PITR can use to determine the
   reachability status of one or more Locators that it has cached in a
   Map-Cache entry.  The probe-bit of the Map-Request and Map-Reply
   messages is used for RLOC-Probing.

   RLOC-Probing is done in the control plane on a timer basis, where an
   ITR or PITR will originate a Map-Request destined to a locator
   address from one of its own locator addresses.  A Map-Request used as
   an RLOC-probe is NOT encapsulated and NOT sent to a Map-Server or to
   the mapping database system as one would when soliciting mapping
   data.  The EID record encoded in the Map-Request is the EID-Prefix of
   the Map-Cache entry cached by the ITR or PITR.  The ITR MAY include a
   mapping data record for its own database mapping information that
   contains the local EID-Prefixes and RLOCs for its site.  RLOC-probes
   are sent periodically using a jittered timer interval.

   When an ETR receives a Map-Request message with the probe-bit set, it
   returns a Map-Reply with the probe-bit set.  The source address of
   the Map-Reply is set to the IP address of the outgoing interface the
   Map-Reply destination address routes to.  The Map-Reply SHOULD
   contain mapping data for the EID-Prefix contained in the Map-Request.
   This provides the opportunity for the ITR or PITR that sent the RLOC-
   probe to get mapping updates if there were changes to the ETR's
   database mapping entries.

   There are advantages and disadvantages of RLOC-Probing.  The main
   benefit of RLOC-Probing is that it can handle many failure scenarios
   allowing the ITR to determine when the path to a specific Locator is

Farinacci, et al.       Expires December 18, 2019              [Page 35]
Internet-Draft             LISP Control-Plane                  June 2019

   reachable or has become unreachable, thus providing a robust
   mechanism for switching to using another Locator from the cached
   Locator.  RLOC-Probing can also provide rough Round-Trip Time (RTT)
   estimates between a pair of Locators, which can be useful for network
   management purposes as well as for selecting low delay paths.  The
   major disadvantage of RLOC-Probing is in the number of control
   messages required and the amount of bandwidth used to obtain those
   benefits, especially if the requirement for failure detection times
   is very small.

8.  Interactions with Other LISP Components

8.1.  ITR EID-to-RLOC Mapping Resolution

   An ITR is configured with one or more Map-Resolver addresses.  These
   addresses are "Locators" (or RLOCs) and MUST be routable on the
   underlying core network; they MUST NOT need to be resolved through
   LISP EID-to-RLOC mapping, as that would introduce a circular
   dependency.  When using a Map-Resolver, an ITR does not need to
   connect to any other database mapping system.  In particular, the ITR
   need not connect to the LISP-ALT infrastructure or implement the BGP
   and GRE protocols that it uses.

   An ITR sends an Encapsulated Map-Request to a configured Map-Resolver
   when it needs an EID-to-RLOC mapping that is not found in its local
   Map-Cache.  Using the Map-Resolver greatly reduces both the
   complexity of the ITR implementation and the costs associated with
   its operation.

   In response to an Encapsulated Map-Request, the ITR can expect one of
   the following:

   o  An immediate Negative Map-Reply (with action code of "Natively-
      Forward", 15-minute Time to Live (TTL)) from the Map-Resolver if
      the Map-Resolver can determine that the requested EID does not
      exist.  The ITR saves the EID-Prefix returned in the Map-Reply in
      its cache, marks it as non-LISP-capable, and knows not to attempt
      LISP encapsulation for destinations matching it.

   o  A Negative Map-Reply, with action code of "Natively-Forward", from
      a Map-Server that is authoritative (within the LISP deployment
      Section 1.1) for an EID-Prefix that matches the requested EID but
      that does not have an actively registered, more-specific EID-
      prefix.  In this case, the requested EID is said to match a "hole"
      in the authoritative EID-Prefix.  If the requested EID matches a
      more-specific EID-Prefix that has been delegated by the Map-Server
      but for which no ETRs are currently registered, a 1-minute TTL is
      returned.  If the requested EID matches a non-delegated part of

Farinacci, et al.       Expires December 18, 2019              [Page 36]
Internet-Draft             LISP Control-Plane                  June 2019

      the authoritative EID-Prefix, then it is not a LISP EID and a
      15-minute TTL is returned.  See Section 8.2 for discussion of
      aggregate EID-Prefixes and details of Map-Server EID-Prefix
      matching.

   o  A LISP Map-Reply from the ETR that owns the EID-to-RLOC mapping or
      possibly from a Map-Server answering on behalf of the ETR.  See
      Section 8.4 for more details on Map-Resolver message processing.

   Note that an ITR may be configured to both use a Map-Resolver and to
   participate in a LISP-ALT logical network.  In such a situation, the
   ITR SHOULD send Map-Requests through the ALT network for any EID-
   Prefix learned via ALT BGP.  Such a configuration is expected to be
   very rare, since there is little benefit to using a Map-Resolver if
   an ITR is already using LISP-ALT.  There would be, for example, no
   need for such an ITR to send a Map-Request to a possibly non-existent
   EID (and rely on Negative Map-Replies) if it can consult the ALT
   database to verify that an EID-Prefix is present before sending that
   Map-Request.

8.2.  EID-Prefix Configuration and ETR Registration

   An ETR publishes its EID-Prefixes on a Map-Server by sending LISP
   Map-Register messages.  A Map-Register message includes
   authentication data, so prior to sending a Map-Register message, the
   ETR and Map-Server MUST be configured with a pre-shared secret used
   to derive Map-Register authentication keys.  A Map-Server's
   configuration SHOULD also include a list of the EID-Prefixes for
   which each ETR is authoritative.  Upon receipt of a Map-Register from
   an ETR, a Map-Server accepts only EID-Prefixes that are configured
   for that ETR.  Failure to implement such a check would leave the
   mapping system vulnerable to trivial EID-Prefix hijacking attacks.

   In addition to the set of EID-Prefixes defined for each ETR that may
   register, a Map-Server is typically also configured with one or more
   aggregate prefixes that define the part of the EID numbering space
   assigned to it.  When LISP-ALT is the database in use, aggregate EID-
   Prefixes are implemented as discard routes and advertised into ALT
   BGP.  The existence of aggregate EID-Prefixes in a Map-Server's
   database means that it may receive Map Requests for EID-Prefixes that
   match an aggregate but do not match a registered prefix; Section 8.3
   describes how this is handled.

   Map-Register messages are sent periodically from an ETR to a Map-
   Server with a suggested interval between messages of one minute.  A
   Map-Server SHOULD time out and remove an ETR's registration if it has
   not received a valid Map-Register message within the past
   three minutes.  When first contacting a Map-Server after restart or

Farinacci, et al.       Expires December 18, 2019              [Page 37]
Internet-Draft             LISP Control-Plane                  June 2019

   changes to its EID-to-RLOC database mappings, an ETR MAY initially
   send Map-Register messages at an increased frequency, up to one every
   20 seconds.  This "quick registration" period is limited to
   five minutes in duration.

   An ETR MAY request that a Map-Server explicitly acknowledge receipt
   and processing of a Map-Register message by setting the "want-map-
   notify" (M-bit) flag.  A Map-Server that receives a Map-Register with
   this flag set will respond with a Map-Notify message.  Typical use of
   this flag by an ETR would be to set it for Map-Register messages sent
   during the initial "quick registration" with a Map-Server but then
   set it only occasionally during steady-state maintenance of its
   association with that Map-Server.  Note that the Map-Notify message
   is sent to UDP destination port 4342, not to the source port
   specified in the original Map-Register message.

   Note that a one-minute minimum registration interval during
   maintenance of an ETR-Map-Server association places a lower bound on
   how quickly and how frequently a mapping database entry can be
   updated.  This may have implications for what sorts of mobility can
   be supported directly by the mapping system; shorter registration
   intervals or other mechanisms might be needed to support faster
   mobility in some cases.  For a discussion on one way that faster
   mobility may be implemented for individual devices, please see
   [I-D.ietf-lisp-mn].

   An ETR MAY also request, by setting the "proxy Map-Reply" flag
   (P-bit) in the Map-Register message, that a Map-Server answer Map-
   Requests instead of forwarding them to the ETR.  See Section 7.1 for
   details on how the Map-Server sets certain flags (such as those
   indicating whether the message is authoritative and how returned
   Locators SHOULD be treated) when sending a Map-Reply on behalf of an
   ETR.  When an ETR requests proxy reply service, it SHOULD include all
   RLOCs for all ETRs for the EID-Prefix being registered, along with
   the routable flag ("R-bit") setting for each RLOC.  The Map-Server
   includes all of this information in Map-Reply messages that it sends
   on behalf of the ETR.  This differs from a non-proxy registration,
   since the latter need only provide one or more RLOCs for a Map-Server
   to use for forwarding Map-Requests; the registration information is
   not used in Map-Replies, so it being incomplete is not incorrect.

   An ETR that uses a Map-Server to publish its EID-to-RLOC mappings
   does not need to participate further in the mapping database
   protocol(s).  When using a LISP-ALT mapping database, for example,
   this means that the ETR does not need to implement GRE or BGP, which
   greatly simplifies its configuration and reduces its cost of
   operation.

Farinacci, et al.       Expires December 18, 2019              [Page 38]
Internet-Draft             LISP Control-Plane                  June 2019

   Note that use of a Map-Server does not preclude an ETR from also
   connecting to the mapping database (i.e., it could also connect to
   the LISP-ALT network), but doing so doesn't seem particularly useful,
   as the whole purpose of using a Map-Server is to avoid the complexity
   of the mapping database protocols.

8.3.  Map-Server Processing

   Once a Map-Server has EID-Prefixes registered by its client ETRs, it
   can accept and process Map-Requests for them.

   In response to a Map-Request, the Map-Server first checks to see if
   the destination EID matches a configured EID-Prefix.  If there is no
   match, the Map-Server returns a Negative Map-Reply with action code
   "Natively-Forward" and a 15-minute TTL.  This can occur if a Map
   Request is received for a configured aggregate EID-Prefix for which
   no more-specific EID-Prefix exists; it indicates the presence of a
   non-LISP "hole" in the aggregate EID-Prefix.

   Next, the Map-Server checks to see if any ETRs have registered the
   matching EID-Prefix.  If none are found, then the Map-Server returns
   a Negative Map-Reply with action code "Natively-Forward" and a
   1-minute TTL.

   If the EID-prefix is either registered or not registered to the
   mapping system and there is a policy in the Map-Server to have the
   requestor drop packets for the matching EID-prefix, then a Drop/
   Policy-Denied action is returned.  If the EID-prefix is registered or
   not registered and there is a authentication failure, then a Drop/
   Authentication- failure action is returned.  If either of these
   actions result as a temporary state in policy or authentication then
   a Send-Map-Request action with 1-minute TTL MAY be returned to allow
   the requestor to retry the Map-Request.

   If any of the registered ETRs for the EID-Prefix have requested proxy
   reply service, then the Map-Server answers the request instead of
   forwarding it.  It returns a Map-Reply with the EID-Prefix, RLOCs,
   and other information learned through the registration process.

   If none of the ETRs have requested proxy reply service, then the Map-
   Server re-encapsulates and forwards the resulting Encapsulated Map-
   Request to one of the registered ETRs.  It does not otherwise alter
   the Map-Request, so any Map-Reply sent by the ETR is returned to the
   RLOC in the Map-Request, not to the Map-Server.  Unless also acting
   as a Map-Resolver, a Map-Server should never receive Map-Replies; any
   such messages SHOULD be discarded without response, perhaps
   accompanied by the logging of a diagnostic message if the rate of
   Map-Replies is suggestive of malicious traffic.

Farinacci, et al.       Expires December 18, 2019              [Page 39]
Internet-Draft             LISP Control-Plane                  June 2019

8.4.  Map-Resolver Processing

   Upon receipt of an Encapsulated Map-Request, a Map-Resolver
   decapsulates the enclosed message and then searches for the requested
   EID in its local database of mapping entries (statically configured
   or learned from associated ETRs if the Map-Resolver is also a Map-
   Server offering proxy reply service).  If it finds a matching entry,
   it returns a LISP Map-Reply with the known mapping.

   If the Map-Resolver does not have the mapping entry and if it can
   determine that the EID is not in the mapping database (for example,
   if LISP-ALT is used, the Map-Resolver will have an ALT forwarding
   table that covers the full EID space), it immediately returns a
   negative LISP Map-Reply, with action code "Natively-Forward" and a
   15-minute TTL.  To minimize the number of negative cache entries
   needed by an ITR, the Map-Resolver SHOULD return the least-specific
   prefix that both matches the original query and does not match any
   EID-Prefix known to exist in the LISP-capable infrastructure.

   If the Map-Resolver does not have sufficient information to know
   whether the EID exists, it needs to forward the Map-Request to
   another device that has more information about the EID being
   requested.  To do this, it forwards the unencapsulated Map-Request,
   with the original ITR RLOC as the source, to the mapping database
   system.  Using LISP-ALT, the Map-Resolver is connected to the ALT
   network and sends the Map-Request to the next ALT hop learned from
   its ALT BGP neighbors.  The Map-Resolver does not send any response
   to the ITR; since the source RLOC is that of the ITR, the ETR or Map-
   Server that receives the Map-Request over the ALT and responds will
   do so directly to the ITR.

8.4.1.  Anycast Operation

   A Map-Resolver can be set up to use "anycast", where the same address
   is assigned to multiple Map-Resolvers and is propagated through IGP
   routing, to facilitate the use of a topologically close Map-Resolver
   by each ITR.

   ETRs MAY have anycast RLOC addresses which are registered as part of
   their RLOC-set to the mapping system.  However, registrations MUST
   use their unique RLOC addresses or distinct authentication keys to
   identify security associations with the Map-Servers.

9.  Security Considerations

   A LISP threat analysis can be found in [RFC7835].  In what follows we
   highlight security considerations that apply when LISP is deployed in

Farinacci, et al.       Expires December 18, 2019              [Page 40]
Internet-Draft             LISP Control-Plane                  June 2019

   environments such as those specified in Section 1.1, where the
   following assumptions hold:

   1.  The Mapping System is secure and trusted, and for the purpose of
       this security considerations the Mapping System is considered as
       one trusted element.

   2.  The ETRs have a pre-configured trust relationship with the
       Mapping System, which includes some form of shared secret, and
       the Mapping System is aware of which EIDs an ETR can advertise.
       How those keys and mappings gets established is out of the scope
       of this document.

   3.  LISP-SEC [I-D.ietf-lisp-sec] MUST be implemented.  Network
       operartors should carefully weight how the LISP-SEC threat model
       applies to their particular use case or deployment.  If they
       decide to ignore a particular recommendation, they should make
       sure the risk associated with the corresponding threats is well
       understood.

   The Map-Request/Map-Reply message exchange can be exploited by an
   attacker to mount DoS and/or amplification attacks.  Attackers can
   send Map-Requests at high rates to overload LISP nodes and increase
   the state maintained by such nodes or consume CPU cycles.  Such
   threats can be mitigated by systematically applying filters and rate
   limiters.

   The Map-Request/Map-Reply message exchange to inject forged mappings
   directly in the ITR EID-to-RLOC map-cache.  This can lead to traffic
   being redirected to the attacker, see further details in [RFC7835].
   In addition, valid ETRs in the system can perform overclaiming
   attacks.  In this case, attackers can claim to own an EID-prefix that
   is larger than the prefix owned by the ETR.  Such attacks can be
   addressed by using LISP-SEC [I-D.ietf-lisp-sec].  The LISP-SEC
   protocol defines a mechanism for providing origin authentication,
   integrity, anti-replay, protection, and prevention of 'man-in-the-
   middle' and 'prefix overclaiming' attacks on the Map-Request/Map-
   Reply exchange.  In addition and while beyond the scope of securing
   an individual Map-Server or Map-Resolver, it should be noted that
   LISP-SEC can be complemented by additional security mechanisms
   defined by the Mapping System Infrastructure.  For instance, BGP-
   based LISP-ALT [RFC6836] can take advantage of standards work on
   adding security to BGP while LISP-DDT [RFC8111] defines its own
   additional security mechanisms.

   To publish an authoritative EID-to-RLOC mapping with a Map-Server
   using the Map-Register message, an ETR includes authentication data
   that is a MAC of the entire message using a key derived from the pre-

Farinacci, et al.       Expires December 18, 2019              [Page 41]
Internet-Draft             LISP Control-Plane                  June 2019

   shared secret.  An implementation MUST support HMAC-SHA256-128+HKDF-
   SHA256 [RFC4868].  The Map-Register message includes protection for
   replay attacks by a man-in-the-middle.  However, a compromised ETR
   can overclaim the prefix it owns and successfully register it on its
   corresponding Map-Server.  To mitigate this and as noted in
   Section 8.2, a Map-Server MUST verify that all EID-Prefixes
   registered by an ETR match the configuration stored on the Map-
   Server.

   Deployments concerned about manipulations of Map-Request and Map-
   Reply messages, and malicious ETR EID prefix overclaiming MUST drop
   LISP Control Plane messages that do not contain LISP-SEC material
   (S-bit, EID-AD, OTK-AD, PKT-AD).

   Encrypting control messages via DTLS [RFC6347] or LISP-crypto
   [RFC8061] SHOULD be used to support privacy to prevent eavesdroping
   and packet tampering for messages exchanged between xTRs, xTRs and
   the mapping system, and nodes that make up the mapping system.

10.  Privacy Considerations

   As noted by [RFC6973] privacy is a complex issue that greatly depends
   on the specific protocol use-case and deployment.  As noted in
   section 1.1 of [I-D.ietf-lisp-rfc6830bis] LISP focuses on use-cases
   where entities communicate over the public Internet while keeping
   separate addressing and topology.  In what follows we detail the
   privacy threats introduced by the LISP Control Plane, the analysis is
   based on the guidelines detailed in [RFC6973].

   LISP can use long-lived identifiers (EIDs) that survive mobility
   events.  Such identifiers bind to the RLOCs of the nodes, which
   represents the topological location with respect to the specific LISP
   deployments.  In addition, EID-to-RLOC mappings are typically
   considered public information within the LISP deployment when
   control-plane messages are not encrypted, and can be eavesdropped
   while Map-Request messages are sent to the corresponding Map-
   Resolvers or Map-Register messages to Map-Servers.

   In this context, attackers can correlate the EID with the RLOC and
   track the corresponding user topological location and/or mobility.
   This can be achieved by off-path attackers, if they are
   authenticated, by querying the mapping system.  Deployments concerned
   about this threat can use access control-lists or stronger
   authentication mechanisms [I-D.ietf-lisp-ecdsa-auth] in the mapping
   system to make sure that only authorized users can access this
   information (data minimization).  Use of ephemeral EIDs
   [I-D.ietf-lisp-eid-anonymity] to achieve anonymity is another
   mechanism to lessen persistency and identity tracking.

Farinacci, et al.       Expires December 18, 2019              [Page 42]
Internet-Draft             LISP Control-Plane                  June 2019

11.  Changes since RFC 6833

   For implementation considerations, the following changes have been
   made to this document since RFC 6833 was published:

   o  A Map-Notify-Ack message is added in this document to provide
      reliability for Map-Notify messages.  Any receiver of a Map-Notify
      message must respond with a Map-Notify-Ack message.  Map-Servers
      who are senders of Map-Notify messages, must queue the Map-Notify
      contents until they receive a Map-Notify-Ack with the nonce used
      in the Map-Notify message.  Note that implementations for Map-
      Notify-Ack support already exist and predate this document.

   o  This document is incorporating the codepoint for the Map-Referral
      message from the LISP-DDT specification [RFC8111] to indicate that
      a Map-Server must send the final Map-Referral message when it
      participates in the LISP-DDT mapping system procedures.

   o  The "m", "I", "L", and "D" bits are added to the Map-Request
      message.  See Section 5.3 for details.

   o  The "S", "I", "E", "T", "a", and "m" bits are added to the Map-
      Register message.  See Section 5.6 for details.

   o  The 16-bit Key-ID field of the Map-Register message has been split
      into a 8-bit Key-ID field and a 8-bit Algorithm-ID field.

   o  This document adds two new Action values that are in an EID-record
      that appear in Map-Reply, Map-Register, Map-Notify, and Map-
      Notify-Ack messages.  The Drop/Policy-Denied and Drop/Auth-Failure
      are the descriptions for the two new action values.  See
      Section 5.4 for details.

12.  IANA Considerations

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of values related to this
   LISP Control-Plane specification, in accordance with BCP 26
   [RFC8126].

   There are three namespaces (listed in the sub-sections below) in LISP
   that have been registered.

   o  LISP IANA registry allocations should not be made for purposes
      unrelated to LISP routing or transport protocols.

Farinacci, et al.       Expires December 18, 2019              [Page 43]
Internet-Draft             LISP Control-Plane                  June 2019

   o  The following policies are used here with the meanings defined in
      BCP 26: "Specification Required", "IETF Review", "Experimental
      Use", and "First Come First Served".

12.1.  LISP UDP Port Numbers

   The IANA registry has allocated UDP port number 4342 for the LISP
   Control-Plane.  IANA has updated the description for UDP port 4342 as
   follows:

        Keyword           Port    Transport Layer   Description
        -------           ----    ---------------   -----------
        lisp-control      4342    udp               LISP Control Packets

12.2.  LISP Packet Type Codes

   It is being requested that the IANA be authoritative for LISP Packet
   Type definitions and it is requested to replace the [RFC6830]
   registry message references with the RFC number assigned to this
   document.

   Based on deployment experience of [RFC6830], the Map-Notify-Ack
   message, message type 5, was added by this document.  This document
   requests IANA to add it to the LISP Packet Type Registry.

         Name                 Number          Defined in
         ----                 ------          -----------
         LISP Map-Notify-Ack  5               RFC6833bis

12.3.  LISP ACT and Flag Fields

   New ACT values can be allocated through IETF review or IESG approval.
   Four values have already been allocated by [RFC6830], IANA is
   requested to replace the [RFC6830] reference for this registry with
   the RFC number assigned to this document and the [RFC6830].  Action
   values references with the RFC number assigned to this document.
   This specification changes the name of ACT type 3 value from "Drop"
   to "Drop/No-Reason" as well as adding two new ACT values, the "Drop/
   Policy-Denied" (type 4) and "Drop/Authentication-Failure" (type 5).

Farinacci, et al.       Expires December 18, 2019              [Page 44]
Internet-Draft             LISP Control-Plane                  June 2019

   +-------+--------------------+-------------------------+------------+
   | Value | Action             | Description             | Raeference |
   +-------+--------------------+-------------------------+------------+
   | 4     | Drop/Policy-Denied | A packet matching this  | RFC6833bis |
   |       |                    | Map-Cache entry is      |            |
   |       |                    | dropped because the     |            |
   |       |                    | target EWID is policy-  |            |
   |       |                    | denied by the xTR or    |            |
   |       |                    | the mapping system.     |            |
   | 5     | Drop/Auth-Failure  | Packet matching the     | RFC6833bis |
   |       |                    | Map-Cache entry is      |            |
   |       |                    | dropped beacuse the     |            |
   |       |                    | Map-Request for the     |            |
   |       |                    | target EID fails an     |            |
   |       |                    | authentication check by |            |
   |       |                    | the xTR or the mapping  |            |
   |       |                    | system.                 |            |
   +-------+--------------------+-------------------------+------------+

                       LISP Map-Reply Action Values

   In addition, LISP has a number of flag fields and reserved fields,
   such as the LISP header flags field [I-D.ietf-lisp-rfc6830bis].  New
   bits for flags in these fields can be implemented after IETF review
   or IESG approval, but these need not be managed by IANA.

12.4.  LISP Address Type Codes

   LISP Canonical Address Format (LCAF) [RFC8060] is an 8-bit field that
   defines LISP-specific encodings for AFI value 16387.  LCAF encodings
   are used for specific use-cases where different address types for
   EID-records and RLOC-records are required.

   The IANA registry "LISP Canonical Address Format (LCAF) Types" is
   used for LCAF types.  The registry for LCAF types use the
   Specification Required policy [RFC8126].  Initial values for the
   registry as well as further information can be found in [RFC8060].

   Therefore, there is no longer a need for the "LISP Address Type
   Codes" registry requested by [RFC6830].  This document requests to
   remove it.

12.5.  LISP Algorithm ID Numbers

   In [RFC6830], a request for a "LISP Key ID Numbers" registry was
   submitted.  This document renames the registry to "LISP Algorithm ID
   Numbers" and requests the IANA to make the name change.

Farinacci, et al.       Expires December 18, 2019              [Page 45]
Internet-Draft             LISP Control-Plane                  June 2019

   The following Algorithm ID values are defined by this specification
   as used in any packet type that references a 'Algorithm ID' field:

      Name                        Number    MAC        KDF
      -------------------------------------------------------
      None                          0       None       None
      HMAC-SHA-1-96-None            1     [RFC2404]    None
      HMAC-SHA-256-128-None                     2         [RFC4868]    None
          HMAC-SHA256-128+HKDF-SHA2562  3     [RFC4868] [RFC4868]

   Number values are in the range of 0 to 255.  The allocation of values
   is on a first come first served basis.

12.6.  LISP Bit Flags

   This document asks IANA to create a registry for allocation of bits
   in several headers of the LISP control plane, namely in the Map-
   Request, Map-Reply, Map-Register, Encapsulated Control Message (ECM)
   messages.  Bit allocations are also requested for EID-records and
   RLOC-records.  The registry created should be named "LISP Control
   Plane Header Bits".  A sub-registry needs to be created per each
   message and record.  The name of each sub-registry is indicated
   below, along with its format and allocation of bits defined in this
   document.  Any additional bits allocation, requires a specification,
   according with [RFC8126] policies.

   Sub-Registry: Map-Request Header Bits [Section 5.2]:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Type=1 |A|M|P|S|p|s|R|R|  Rsvd   |L|D|   IRC   | Record Count  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Farinacci, et al.       Expires December 18, 2019              [Page 46]
Internet-Draft             LISP Control-Plane                  June 2019

   +----------+---------------+------------+---------------------------+
   | Spec     | IANA Name     | Bit        | Description               |
   | Name     |               | Position   |                           |
   +----------+---------------+------------+---------------------------+
   | A        | map-request-A | 4          | Authoritative Bit         |
   | M        | map-request-M | 5          | Map Data Present Bit      |
   | P        | map-request-P | 6          | RLOC-Probe Request Bit    |
   | S        | map-request-S | 7          | Solicit Map-Request (SMR) |
   |          |               |            | Bit                       |
   | p        | map-request-p | 8          | Proxy-ITR Bit             |
   | s        | map-request-s | 9          | Solicit Map-Request       |
   |          |               |            | Invoked Bit               |
   | L        | map-request-L | 17         | Local xTR Bit             |
   | D        | map-request-D | 18         | Don't Map-Reply Bit       |
   +----------+---------------+------------+---------------------------+

                       LISP Map-Request Header Bits

   Sub-Registry: Map-Reply Header Bits [Section 5.4]:

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Type=2 |P|E|S|          Reserved               | Record Count  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    +-----------+-------------+--------------+------------------------+
    | Spec Name | IANA Name   | Bit Position | Description            |
    +-----------+-------------+--------------+------------------------+
    | P         | map-reply-P | 4            | RLOC-Probe Bit         |
    | E         | map-reply-E | 5            | Echo Nonce Capable Bit |
    | S         | map-reply-S | 6            | Security Bit           |
    +-----------+-------------+--------------+------------------------+

                        LISP Map-Reply Header Bits

   Sub-Registry: Map-Register Header Bits [Section 5.6]:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Type=3 |P|S|I|        Reserved       |E|T|a|R|M| Record Count  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Farinacci, et al.       Expires December 18, 2019              [Page 47]
Internet-Draft             LISP Control-Plane                  June 2019

   +-----------+----------------+--------------+----------------------+
   | Spec Name | IANA Name      | Bit Position | Description          |
   +-----------+----------------+--------------+----------------------+
   | P         | map-register-P | 4            | Proxy Map-Reply Bit  |
   | S         | map-register-S | 5            | LISP-SEC Capable Bit |
   | I         | map-register-I | 6            | xTR-ID present flag  |
   +-----------+----------------+--------------+----------------------+

                       LISP Map-Register Header Bits

   Sub-Registry: Encapsulated Control Message (ECM) Header Bits
   [Section 5.8]:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Type=8 |S|D|E|M|            Reserved                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   +-----------+-----------+--------------+----------------------------+
   | Spec Name | IANA Name | Bit Position | Description                |
   +-----------+-----------+--------------+----------------------------+
   | S         | ecm-S     | 4            | Security Bit               |
   | D         | ecm-D     | 5            | LISP-DDT Bit               |
   | E         | ecm-E     | 6            | Forward to ETR Bit         |
   | M         | ecm-M     | 7            | Destined to Map-Server Bit |
   +-----------+-----------+--------------+----------------------------+

            LISP Encapsulated Control Message (ECM) Header Bits

   Sub-Registry: EID-Record Header Bits [Section 5.4]:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Locator Count | EID mask-len  | ACT |A|      Reserved         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      +-----------+--------------+--------------+-------------------+
      | Spec Name | IANA Name    | Bit Position | Description       |
      +-----------+--------------+--------------+-------------------+
      | A         | eid-record-A | 19           | Authoritative Bit |
      +-----------+--------------+--------------+-------------------+

                        LISP EID-Record Header Bits

   Sub-Registry: RLOC-Record Header Bits [Section 5.4]:

Farinacci, et al.       Expires December 18, 2019              [Page 48]
Internet-Draft             LISP Control-Plane                  June 2019

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |        Unused Flags     |L|p|R|           Loc-AFI             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    +-----------+---------------+--------------+----------------------+
    | Spec Name | IANA Name     | Bit Position | Description          |
    +-----------+---------------+--------------+----------------------+
    | L         | rloc-record-L | 13           | Local RLOC Bit       |
    | p         | rloc-record-p | 19           | RLOC-Probe Reply Bit |
    | R         | rloc-record-R | 19           | RLOC Reachable Bit   |
    +-----------+---------------+--------------+----------------------+

                       LISP RLOC-Record Header Bits

13.  References

13.1.  Normative References

   [I-D.ietf-lisp-6834bis]
              Iannone, L., Saucez, D., and O. Bonaventure, "Locator/ID
              Separation Protocol (LISP) Map-Versioning", draft-ietf-
              lisp-6834bis-03 (work in progress), February 2019.

   [I-D.ietf-lisp-rfc6830bis]
              Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A.
              Cabellos-Aparicio, "The Locator/ID Separation Protocol
              (LISP)", draft-ietf-lisp-rfc6830bis-26 (work in progress),
              November 2018.

   [I-D.ietf-lisp-rfc8113bis]
              Boucadair, M. and C. Jacquenet, "Locator/ID Separation
              Protocol (LISP): Shared Extension Message & IANA Registry
              for Packet Type Allocations", draft-ietf-lisp-
              rfc8113bis-03 (work in progress), January 2019.

   [I-D.ietf-lisp-sec]
              Maino, F., Ermagan, V., Cabellos-Aparicio, A., and D.
              Saucez, "LISP-Security (LISP-SEC)", draft-ietf-lisp-sec-18
              (work in progress), June 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

Farinacci, et al.       Expires December 18, 2019              [Page 49]
Internet-Draft             LISP Control-Plane                  June 2019

   [RFC2404]  Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
              ESP and AH", RFC 2404, DOI 10.17487/RFC2404, November
              1998, <https://www.rfc-editor.org/info/rfc2404>.

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              DOI 10.17487/RFC4086, June 2005,
              <https://www.rfc-editor.org/info/rfc4086>.

   [RFC4868]  Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
              384, and HMAC-SHA-512 with IPsec", RFC 4868,
              DOI 10.17487/RFC4868, May 2007,
              <https://www.rfc-editor.org/info/rfc4868>.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012, <https://www.rfc-editor.org/info/rfc6347>.

   [RFC8085]  Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage
              Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085,
              March 2017, <https://www.rfc-editor.org/info/rfc8085>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

13.2.  Informative References

   [AFI]      "Address Family Identifier (AFIs)", ADDRESS FAMILY
              NUMBERS http://www.iana.org/assignments/address-family-
              numbers/address-family-numbers.xhtml?, Febuary 2007.

   [GTP-3GPP]
              "General Packet Radio System (GPRS) Tunnelling Protocol
              User Plane (GTPv1-U)", TS.29.281
              https://portal.3gpp.org/desktopmodules/Specifications/
              SpecificationDetails.aspx?specificationId=1699, January
              2015.

   [I-D.herbert-intarea-ila]
              Herbert, T. and P. Lapukhov, "Identifier-locator
              addressing for IPv6", draft-herbert-intarea-ila-01 (work
              in progress), March 2018.

Farinacci, et al.       Expires December 18, 2019              [Page 50]
Internet-Draft             LISP Control-Plane                  June 2019

   [I-D.ietf-lisp-ecdsa-auth]
              Farinacci, D. and E. Nordmark, "LISP Control-Plane ECDSA
              Authentication and Authorization", draft-ietf-lisp-ecdsa-
              auth-01 (work in progress), March 2019.

   [I-D.ietf-lisp-eid-anonymity]
              Farinacci, D., Pillay-Esnault, P., and W. Haddad, "LISP
              EID Anonymity", draft-ietf-lisp-eid-anonymity-06 (work in
              progress), April 2019.

   [I-D.ietf-lisp-eid-mobility]
              Portoles-Comeras, M., Ashtaputre, V., Moreno, V., Maino,
              F., and D. Farinacci, "LISP L2/L3 EID Mobility Using a
              Unified Control Plane", draft-ietf-lisp-eid-mobility-04
              (work in progress), May 2019.

   [I-D.ietf-lisp-gpe]
              Maino, F., Lemon, J., Agarwal, P., Lewis, D., and M.
              Smith, "LISP Generic Protocol Extension", draft-ietf-lisp-
              gpe-06 (work in progress), September 2018.

   [I-D.ietf-lisp-introduction]
              Cabellos-Aparicio, A. and D. Saucez, "An Architectural
              Introduction to the Locator/ID Separation Protocol
              (LISP)", draft-ietf-lisp-introduction-13 (work in
              progress), April 2015.

   [I-D.ietf-lisp-mn]
              Farinacci, D., Lewis, D., Meyer, D., and C. White, "LISP
              Mobile Node", draft-ietf-lisp-mn-05 (work in progress),
              March 2019.

   [I-D.ietf-lisp-pubsub]
              Rodriguez-Natal, A., Ermagan, V., Leong, J., Maino, F.,
              Cabellos-Aparicio, A., Barkai, S., Farinacci, D.,
              Boucadair, M., Jacquenet, C., and S. Secci, "Publish/
              Subscribe Functionality for LISP", draft-ietf-lisp-
              pubsub-03 (work in progress), March 2019.

   [I-D.ietf-nvo3-vxlan-gpe]
              Maino, F., Kreeger, L., and U. Elzur, "Generic Protocol
              Extension for VXLAN", draft-ietf-nvo3-vxlan-gpe-07 (work
              in progress), April 2019.

   [I-D.ietf-opsec-icmp-filtering]
              Gont, F., Gont, G., and C. Pignataro, "Recommendations for
              filtering ICMP messages", draft-ietf-opsec-icmp-
              filtering-04 (work in progress), July 2013.

Farinacci, et al.       Expires December 18, 2019              [Page 51]
Internet-Draft             LISP Control-Plane                  June 2019

   [I-D.meyer-loc-id-implications]
              Meyer, D. and D. Lewis, "Architectural Implications of
              Locator/ID Separation", draft-meyer-loc-id-implications-01
              (work in progress), January 2009.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC1071]  Braden, R., Borman, D., and C. Partridge, "Computing the
              Internet checksum", RFC 1071, DOI 10.17487/RFC1071,
              September 1988, <https://www.rfc-editor.org/info/rfc1071>.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997,
              <https://www.rfc-editor.org/info/rfc2104>.

   [RFC2890]  Dommety, G., "Key and Sequence Number Extensions to GRE",
              RFC 2890, DOI 10.17487/RFC2890, September 2000,
              <https://www.rfc-editor.org/info/rfc2890>.

   [RFC4984]  Meyer, D., Ed., Zhang, L., Ed., and K. Fall, Ed., "Report
              from the IAB Workshop on Routing and Addressing",
              RFC 4984, DOI 10.17487/RFC4984, September 2007,
              <https://www.rfc-editor.org/info/rfc4984>.

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011,
              <https://www.rfc-editor.org/info/rfc6234>.

   [RFC6830]  Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
              Locator/ID Separation Protocol (LISP)", RFC 6830,
              DOI 10.17487/RFC6830, January 2013,
              <https://www.rfc-editor.org/info/rfc6830>.

   [RFC6831]  Farinacci, D., Meyer, D., Zwiebel, J., and S. Venaas, "The
              Locator/ID Separation Protocol (LISP) for Multicast
              Environments", RFC 6831, DOI 10.17487/RFC6831, January
              2013, <https://www.rfc-editor.org/info/rfc6831>.

   [RFC6832]  Lewis, D., Meyer, D., Farinacci, D., and V. Fuller,
              "Interworking between Locator/ID Separation Protocol
              (LISP) and Non-LISP Sites", RFC 6832,
              DOI 10.17487/RFC6832, January 2013,
              <https://www.rfc-editor.org/info/rfc6832>.

Farinacci, et al.       Expires December 18, 2019              [Page 52]
Internet-Draft             LISP Control-Plane                  June 2019

   [RFC6836]  Fuller, V., Farinacci, D., Meyer, D., and D. Lewis,
              "Locator/ID Separation Protocol Alternative Logical
              Topology (LISP+ALT)", RFC 6836, DOI 10.17487/RFC6836,
              January 2013, <https://www.rfc-editor.org/info/rfc6836>.

   [RFC6837]  Lear, E., "NERD: A Not-so-novel Endpoint ID (EID) to
              Routing Locator (RLOC) Database", RFC 6837,
              DOI 10.17487/RFC6837, January 2013,
              <https://www.rfc-editor.org/info/rfc6837>.

   [RFC6973]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
              Morris, J., Hansen, M., and R. Smith, "Privacy
              Considerations for Internet Protocols", RFC 6973,
              DOI 10.17487/RFC6973, July 2013,
              <https://www.rfc-editor.org/info/rfc6973>.

   [RFC7348]  Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
              L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
              eXtensible Local Area Network (VXLAN): A Framework for
              Overlaying Virtualized Layer 2 Networks over Layer 3
              Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014,
              <https://www.rfc-editor.org/info/rfc7348>.

   [RFC7835]  Saucez, D., Iannone, L., and O. Bonaventure, "Locator/ID
              Separation Protocol (LISP) Threat Analysis", RFC 7835,
              DOI 10.17487/RFC7835, April 2016,
              <https://www.rfc-editor.org/info/rfc7835>.

   [RFC8060]  Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical
              Address Format (LCAF)", RFC 8060, DOI 10.17487/RFC8060,
              February 2017, <https://www.rfc-editor.org/info/rfc8060>.

   [RFC8061]  Farinacci, D. and B. Weis, "Locator/ID Separation Protocol
              (LISP) Data-Plane Confidentiality", RFC 8061,
              DOI 10.17487/RFC8061, February 2017,
              <https://www.rfc-editor.org/info/rfc8061>.

   [RFC8111]  Fuller, V., Lewis, D., Ermagan, V., Jain, A., and A.
              Smirnov, "Locator/ID Separation Protocol Delegated
              Database Tree (LISP-DDT)", RFC 8111, DOI 10.17487/RFC8111,
              May 2017, <https://www.rfc-editor.org/info/rfc8111>.

   [RFC8378]  Moreno, V. and D. Farinacci, "Signal-Free Locator/ID
              Separation Protocol (LISP) Multicast", RFC 8378,
              DOI 10.17487/RFC8378, May 2018,
              <https://www.rfc-editor.org/info/rfc8378>.

Farinacci, et al.       Expires December 18, 2019              [Page 53]
Internet-Draft             LISP Control-Plane                  June 2019

   [RFC8402]  Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
              Decraene, B., Litkowski, S., and R. Shakir, "Segment
              Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
              July 2018, <https://www.rfc-editor.org/info/rfc8402>.

Farinacci, et al.       Expires December 18, 2019              [Page 54]
Internet-Draft             LISP Control-Plane                  June 2019

Appendix A.  Acknowledgments

   The original authors would like to thank Greg Schudel, Darrel Lewis,
   John Zwiebel, Andrew Partan, Dave Meyer, Isidor Kouvelas, Jesper
   Skriver, Fabio Maino, and members of the lisp@ietf.org mailing list
   for their feedback and helpful suggestions.

   Special thanks are due to Noel Chiappa for his extensive work and
   thought about caching in Map-Resolvers.

   The current authors would like to give a sincere thank you to the
   people who help put LISP on standards track in the IETF.  They
   include Joel Halpern, Luigi Iannone, Deborah Brungard, Fabio Maino,
   Scott Bradner, Kyle Rose, Takeshi Takahashi, Sarah Banks, Pete
   Resnick, Colin Perkins, Mirja Kuhlewind, Francis Dupont, Benjamin
   Kaduk, Eric Rescorla, Alvaro Retana, Alexey Melnikov, Alissa Cooper,
   Suresh Krishnan, Alberto Rodriguez-Natal, Vina Ermagen, Mohamed
   Boucadair, Brian Trammell, Sabrina Tanamal, and John Drake.  The
   contributions they offered greatly added to the security, scale, and
   robustness of the LISP architecture and protocols.

Appendix B.  Document Change Log

   [RFC Editor: Please delete this section on publication as RFC.]

B.1.  Changes to draft-ietf-lisp-rfc6833bis-25

   o  Posted June 2019.

   o  Added change requested by Mirja describing Record Count in an EID-
      record.

   o  Fixed Requirements Notation section per Pete.

   o  Added KDF for shared-secret

   o  Specified several rate-limiters for control messages

B.2.  Changes to draft-ietf-lisp-rfc6833bis-24

   o  Posted February 2019.

   o  Added suggested text from Albert that Benjamin Kaduk agreed with.

   o  Added suggested editorial comments from Alvaro's rewview.

   o  Ran document through IDnits.  Fixed bugs found.

Farinacci, et al.       Expires December 18, 2019              [Page 55]
Internet-Draft             LISP Control-Plane                  June 2019

B.3.  Changes to draft-ietf-lisp-rfc6833bis-23

   o  Posted December 2018.

   o  Added to Security Considerations section that deployments that
      care about prefix over claiming should use LISP-SEC.

   o  Added to Security Considerations section that DTLS or LISP-crypto
      be used for control-plane privacy.

   o  Make LISP-SEC a normative reference.

   o  Make it more clear where field descriptions are spec'ed when
      referencing to the same fields in other packet types.

B.4.  Changes to draft-ietf-lisp-rfc6833bis-22

   o  Posted week after IETF November 2018.

   o  No longer need to use IPSEC for replay attacks.

B.5.  Changes to draft-ietf-lisp-rfc6833bis-21

   o  Posted early November 2018.

   o  Added I-bit back in because its necessary to use for Map-Register
      replay attack scenarios.  The Map-Server tracks the nonce per xTR-
      ID to detect duplicate or replayed Map-Register messages.

B.6.  Changes to draft-ietf-lisp-rfc6833bis-20

   o  Posted late October 2018.

   o  Changed description about "reserved" bits to state "reserved and
      unassigned".

   o  Make it more clear how Map-Register nonce processing is performed
      in an ETR and Map-Server.

B.7.  Changes to draft-ietf-lisp-rfc6833bis-19

   o  Posted mid October 2018.

   o  Added Fabio text to the Security Considerations section.

Farinacci, et al.       Expires December 18, 2019              [Page 56]
Internet-Draft             LISP Control-Plane                  June 2019

B.8.  Changes to draft-ietf-lisp-rfc6833bis-18

   o  Posted mid October 2018.

   o  Fixed comments from Eric after more email clarity.

B.9.  Changes to draft-ietf-lisp-rfc6833bis-17

   o  Posted early October 2018.

   o  Changes to reflect comments from Sep 27th Telechat.

   o  Added all flag bit definitions as request for allocation in IANA
      Considersations section.

   o  Added an applicability statement in section 1 to address security
      concerns from Telechat.

   o  Moved m-bit description and IANA request to draft-ietf-lisp-mn.

   o  Moved I-bit description and IANA request to draft-ietf-lisp-
      pubsub.

B.10.  Changes to draft-ietf-lisp-rfc6833bis-16

   o  Posted Late-September 2018.

   o  Re-wrote Security Considerations section.  Thanks Albert.

   o  Added Alvaro text to be more clear about IANA actions.

B.11.  Changes to draft-ietf-lisp-rfc6833bis-15

   o  Posted mid-September 2018.

   o  Changes to reflect comments from Colin and Mirja.

B.12.  Changes to draft-ietf-lisp-rfc6833bis-14

   o  Posted September 2018.

   o  Changes to reflect comments from Genart, RTGarea, and Secdir
      reviews.

Farinacci, et al.       Expires December 18, 2019              [Page 57]
Internet-Draft             LISP Control-Plane                  June 2019

B.13.  Changes to draft-ietf-lisp-rfc6833bis-13

   o  Posted August 2018.

   o  Final editorial changes before RFC submission for Proposed
      Standard.

   o  Added section "Changes since RFC 6833" so implementators are
      informed of any changes since the last RFC publication.

B.14.  Changes to draft-ietf-lisp-rfc6833bis-12

   o  Posted late July 2018.

   o  Moved RFC6830bis and RFC6834bis to Normative References.

B.15.  Changes to draft-ietf-lisp-rfc6833bis-11

   o  Posted July 2018.

   o  Fixed Luigi editorial comments to ready draft for RFC status and
      ran through IDNITs again.

B.16.  Changes to draft-ietf-lisp-rfc6833bis-10

   o  Posted after LISP WG at IETF week March.

   o  Move AD field encoding after S-bit in the ECM packet format
      description section.

   o  Say more about when the new Drop actions should be sent.

B.17.  Changes to draft-ietf-lisp-rfc6833bis-09

   o  Posted March IETF week 2018.

   o  Fixed editorial comments submitted by document shepherd Luigi
      Iannone.

B.18.  Changes to draft-ietf-lisp-rfc6833bis-08

   o  Posted March 2018.

   o  Added RLOC-probing algorithm.

   o  Added Solicit-Map Request algorithm.

Farinacci, et al.       Expires December 18, 2019              [Page 58]
Internet-Draft             LISP Control-Plane                  June 2019

   o  Added several mechanisms (from 6830bis) regarding Routing Locator
      Reachability.

   o  Added port 4342 to IANA Considerations section.

B.19.  Changes to draft-ietf-lisp-rfc6833bis-07

   o  Posted December 2017.

   o  Make it more clear in a couple of places that RLOCs are used to
      locate ETRs more so than for Map-Server Map-Request forwarding.

   o  Make it clear that "encapsualted" for a control message is an ECM
      based message.

   o  Make it more clear what messages use source-port 4342 and which
      ones use destinatino-port 4342.

   o  Don't make DDT references when the mapping transport system can be
      of any type and the referneced text is general to it.

   o  Generalize text when referring to the format of an EID-prefix.
      Can use othe AFIs then IPv4 and IPv6.

   o  Many editorial changes to clarify text.

   o  Changed some "must", "should", and "may" to capitalized.

   o  Added definitions for Map-Request and Map-Reply messages.

   o  Ran document through IDNITs.

B.20.  Changes to draft-ietf-lisp-rfc6833bis-06

   o  Posted October 2017.

   o  Spec the I-bit to include the xTR-ID in a Map-Request message to
      be consistent with the Map-Register message and to anticipate the
      introduction of pubsub functionality to allow Map-Requests to
      subscribe to RLOC-set changes.

   o  Updated references for individual submissions that became working
      group documents.

   o  Updated references for working group documents that became RFCs.

Farinacci, et al.       Expires December 18, 2019              [Page 59]
Internet-Draft             LISP Control-Plane                  June 2019

B.21.  Changes to draft-ietf-lisp-rfc6833bis-05

   o  Posted May 2017.

   o  Update IANA Considerations section based on new requests from this
      document and changes from what was requested in [RFC6830].

B.22.  Changes to draft-ietf-lisp-rfc6833bis-04

   o  Posted May 2017.

   o  Clarify how the Key-ID field is used in Map-Register and Map-
      Notify messages.  Break the 16-bit field into a 8-bit Key-ID field
      and a 8-bit Algorithm-ID field.

   o  Move the Control-Plane codepoints from the IANA Considerations
      section of RFC6830bis to the IANA Considerations section of this
      document.

   o  In the "LISP Control Packet Type Allocations" section, indicate
      how message Types are IANA allocated and how experimental RFC8113
      sub-types should be requested.

B.23.  Changes to draft-ietf-lisp-rfc6833bis-03

   o  Posted April 2017.

   o  Add types 9-14 and specify they are not assigned.

   o  Add the "LISP Shared Extension Message" type and point to RFC8113.

B.24.  Changes to draft-ietf-lisp-rfc6833bis-02

   o  Posted April 2017.

   o  Clarify that the LISP Control-Plane document defines how the LISP
      Data-Plane uses Map-Requests with either the SMR-bit set or the
      P-bit set supporting mapping updates and RLOC-probing.  Indicating
      that other Data-Planes can use the same mechanisms or their own
      defined mechanisms to achieve the same functionality.

B.25.  Changes to draft-ietf-lisp-rfc6833bis-01

   o  Posted March 2017.

   o  Include references to new RFCs published.

   o  Remove references to self.

Farinacci, et al.       Expires December 18, 2019              [Page 60]
Internet-Draft             LISP Control-Plane                  June 2019

   o  Change references from RFC6830 to RFC6830bis.

   o  Add two new action/reasons to a Map-Reply has posted to the LISP
      WG mailing list.

   o  In intro section, add refernece to I-D.ietf-lisp-introduction.

   o  Removed Open Issues section and references to "experimental".

B.26.  Changes to draft-ietf-lisp-rfc6833bis-00

   o  Posted December 2016.

   o  Created working group document from draft-farinacci-lisp
      -rfc6833-00 individual submission.  No other changes made.

B.27.  Changes to draft-farinacci-lisp-rfc6833bis-00

   o  Posted November 2016.

   o  This is the initial draft to turn RFC 6833 into RFC 6833bis.

   o  The document name has changed from the "Locator/ID Separation
      Protocol (LISP) Map-Server Interface" to the "Locator/ID
      Separation Protocol (LISP) Control-Plane".

   o  The fundamental change was to move the Control-Plane messages from
      RFC 6830 to this document in an effort so any IETF developed or
      industry created Data-Plane could use the LISP mapping system and
      Control-Plane.

   o  Update Control-Plane messages to incorporate what has been
      implemented in products during the early phase of LISP development
      but wasn't able to make it into RFC6830 and RFC6833 to make the
      Experimental RFC deadline.

   o  Indicate there may be nodes in the mapping system that are not MRs
      or MSs, that is a ALT-node or a DDT-node.

   o  Include LISP-DDT in Map-Resolver section and explain how they
      maintain a referral-cache.

   o  Removed open issue about additional state in Map-Servers.  With
      [RFC8111], Map-Servers have the same registration state and can
      give Map-Resolvers complete information in ms-ack Map-Referral
      messages.

   o  Make reference to the LISP Threats Analysis RFC [RFC7835].

Farinacci, et al.       Expires December 18, 2019              [Page 61]
Internet-Draft             LISP Control-Plane                  June 2019

Authors' Addresses

   Dino Farinacci
   lispers.net

   EMail: farinacci@gmail.com

   Fabio Maino
   Cisco Systems

   EMail: fmaino@cisco.com

   Vince Fuller
   vaf.net Internet Consulting

   EMail: vaf@vaf.net

   Albert Cabellos
   UPC/BarcelonaTech
   Campus Nord, C. Jordi Girona 1-3
   Barcelona, Catalunya
   Spain

   EMail: acabello@ac.upc.edu

Farinacci, et al.       Expires December 18, 2019              [Page 62]