Network Working Group                                       D. Farinacci
Internet-Draft                                                 V. Fuller
Intended status: Experimental                                   D. Meyer
Expires: May 16, 2008                                              Cisco
                                                       November 13, 2007

                  LISP Alternative Topology (LISP-ALT)

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on May 16, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Farinacci, et al.         Expires May 16, 2008                  [Page 1]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007


   This document describes a method of building an alternative, logical
   topology for managing Endpoint Identifier to Routing Locator mappings
   using the Locator/ID Separation Protocol.  The logical network is
   built as an overlay on the public Internet using existing
   technologies and tools, specifically the Border Gateway Protocol and
   the Generic Routing Encapsulation.  An important design goal for
   LISP-ALT is to allow for the relatively easy deployment of an
   efficient mapping system while minimizing changes to existing
   hardware and software.

Table of Contents

   1.  Requirements Notation  . . . . . . . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Definition of Terms  . . . . . . . . . . . . . . . . . . . . .  5
   4.  The LISP 1.5 model . . . . . . . . . . . . . . . . . . . . . .  7
   5.  LISP-ALT: Basic Overview . . . . . . . . . . . . . . . . . . .  8
     5.1.  EID Assignment - Hierarchy and Topology  . . . . . . . . .  8
     5.2.  LISP-ALT Router  . . . . . . . . . . . . . . . . . . . . .  9
     5.3.  Use of GRE tunnels between LISP-ALT Routers  . . . . . . .  9
   6.  How LISP-ALT uses BGP  . . . . . . . . . . . . . . . . . . . . 10
     6.1.  Sub-Address Family Identifier (SAFI) for LISP-ALT  . . . . 10
     6.2.  Autonomous System Numbers (ASNs) in LISP-ALT . . . . . . . 11
   7.  EID-Prefix Aggregation . . . . . . . . . . . . . . . . . . . . 12
   8.  Connecting sites to the LAT  . . . . . . . . . . . . . . . . . 13
     8.1.  ETRs originating information into the LAT network  . . . . 13
     8.2.  ITRs Receiving Information from the LAT  . . . . . . . . . 13
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 15
   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 16
     10.1. Apparent LISP-ALT Vunerabilities . . . . . . . . . . . . . 16
     10.2. Survey of LISP-ALT Security Mechanisms . . . . . . . . . . 17
     10.3. Leveraging Internet BGP Security mechanisms  . . . . . . . 17
   11. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 18
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
     12.1. Normative References . . . . . . . . . . . . . . . . . . . 19
     12.2. Informative References . . . . . . . . . . . . . . . . . . 19
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
   Intellectual Property and Copyright Statements . . . . . . . . . . 21

Farinacci, et al.         Expires May 16, 2008                  [Page 2]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

Farinacci, et al.         Expires May 16, 2008                  [Page 3]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

2.  Introduction

   This document describes a method of building an alternative logical
   topology for managing Endpoint Identifier to Routing Locator mappings
   using the Locator/ID Separation Protocol [LISP].  This logical
   topology uses existing technology and tools, specifically the Border
   Gateway Protocol [RFC4271] and its multi-protocol extension
   [RFC2858], along with the Generic Routing Encapsulation [RFC2784]
   protocol to construct an overlay network of devices that advertise
   EID-prefixes only.  These Endpoint Identifier Prefix Aggregators hold
   hierarchically-assigned pieces of the Endpoint Identifier space
   (i.e., prefixes) and their next hops toward the network element which
   is authoritative for Endpoint Identifier-to-Routing Locator mapping
   for that prefix.  Tunnel routers can use this overlay to make queries
   against and respond to mapping requests made against the distributed
   Endpoint Identifier-to-Routing Locator mapping database.  Note the
   database is distributed (as in [LISP]c and is stored in the ETRs.

   Note that an important design goal of LISP-ALT is to minimize the
   number of changes to existing hardware and/or software that are
   required to deploy the mapping system.  It is envisioned that in most
   cases existing technology can be used to implement and deploy LISP-
   ALT.  Since the deployment of LISP-ALT adds new devices to the
   network, existing devices not need changes or upgrades.  They can
   function as they are to realize an underlying and robust physical

   The remainder of this document is organized as follows: Section 3
   provides the definitions of terms used in this document.  Section 4
   outlines the basic LISP 1.5 model.  Section 5 provides a basic
   overview of the LISP Alternate Topology (or LAT) architecture, and
   Section 6 describes how LAT uses BGP to propagate Endpoint Identifier
   reachability over the overlay network.  Section 7 describes the
   construction of the LAT aggregation hierarchy, and Section 8
   discusses how the elements of the LAT topology are connected to form
   the overlay network.

Farinacci, et al.         Expires May 16, 2008                  [Page 4]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

3.  Definition of Terms

   LISP-ALT operates on two name spaces and introduces a new network
   element, the EID Prefix Aggregators (see below).  This section
   provides high-level definitions of the LISP-ALT name spaces, network
   elements, and message types.

   The LISP Alternative Topology (LAT):  The virtual overlay network
      made up of Generic Routing Encapsulation (GRE) tunnels between EID
      Prefix Aggregators.  The Border Gateway Protocol (BGP) runs
      between LISP-ALT routers and is used to carry reachability
      information for EID prefixes.

   Legacy Internet:  The portion of the Internet which does not run LISP
      and does not participate in LISP-ALT.

   LISP-ALT Router:  The devices which run on the LAT.  The LAT is a
      static topology built with GRE tunnels.  LISP-ALT routers are
      deployed in a hierarchy which matches the EID prefix allocation
      hierarchy.  LISP-ALT routers at each level in the this hierarchy
      are responsible for aggregating all EID prefixes learned from
      LISP-ALT routers logically "below" them and advertising summary
      prefixes to the LISP-ALT routers logically "above" them.  All
      prefix learning and propagation between levels is done using BGP.
      LISP-ALT routers at the lowest level, or "edge", of the LAT learn
      EID prefixes either over a BGP or LISP TCP session to ETRs.  See
      Section 6 for details on how BGP is configured between the
      different network elements.

      The primary function of the LISP-ALT routers is to provide a
      lightweight forwarding infrastructure for LISP control-plane
      messages (Map-Request and Map-Reply), and to transport data
      packets when the packet has the same destination address in both
      the inner (encapsulating) destination and outer destination
      addresses ((i.e., a Data Probe packet).

    Endpoint ID (EID):  A 32- or 128-bit value used in the source and
      destination fields of the first (most inner) LISP header of a
      packet.  A packet that is emitted by a system contains EIDs in its
      headers and LISP headers are prepended only when the packet
      reaches an Ingress Tunnel Router (ITR) on the data path to the
      destination EID.

      In LISP-ALT, EID-prefixes MUST BE assigned in a hierarchical
      manner (in power-of-two) such that they can be aggregated by LISP-
      ALT routers.  In addition, a site may have site-local structure in
      how EIDs are topologically organized (subnetting) for routing
      within the site; this structure is not visible to the global

Farinacci, et al.         Expires May 16, 2008                  [Page 5]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

      routing system.

   EID-Prefix Aggregate:  A set of EID-prefixes said to be aggregatable
      in the [RFC4632] sense.  That is, an EID-Prefix aggregate is
      defined to be a single contiguous power-of-two EID-prefix block.
      Such a block is characterized by a prefix and a length.

   Routing Locator (RLOC):  An IP address of an egress tunnel router
      (ETR).  It is the output of a EID-to-RLOC mapping lookup.  An EID
      maps to one or more RLOCs.  Typically, RLOCs are numbered from
      topologically-aggregatable blocks that are assigned to a site at
      each point to which it attaches to the global Internet; where the
      topology is defined by the connectivity of provider networks,
      RLOCs can be thought of as Provider Aggregatable (PA) addresses.
      Note that in LISP-ALT, RLOCs are not carried by the LISP-ALT

    EID-to-RLOC Mapping:  A binding between an EID and the RLOC-set that
      can be used to reach the EID.  We use the term "mapping" in this
      document to refer to a EID-to-RLOC mapping.

    EID Prefix Reachability:  An EID prefix is said to be "reachable" if
      one or more of its locators are reachable.  That is, an EID prefix
      is reachable if the ETR (or its proxy) that is authoritative for a
      given EID-to-RLOC mapping is reachable.

    Default Mapping:  A Default Mapping is a mapping entry for EID-
      prefix  It maps to a locator-set used for all EIDs in
      the Internet.  If there is a more specific EID-prefix in the
      mapping cache it overrides the Default Mapping entry.  The Default
      Mapping route can be learned by configuration or from a Map-Reply

    Default Route:  A Default Route in the context of LISP-ALT is a EID-
      prefix value of which is advertised by BGP on top of the
      LAT.  The Default Route is used to realize a path for Data Probe
      and Map-Request packets.

Farinacci, et al.         Expires May 16, 2008                  [Page 6]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

4.  The LISP 1.5 model

   As documented in [LISP], the LISP 1.5 model uses the same basic
   query/response protocol machinery as LISP 1.0.  In particular, LISP-
   ALT provides two mechanisms for an ITR to obtain EID-to-RLOC mappings
   (both of these techniques are described in more detail in
   Section 8.2):

   Data Probe:  An ITR may send the first few data packets into the LAT
      to minimize packet loss and to probe for the mapping; the
      authoritative ETR will respond to the ITR with a Map-Reply message
      when it receives the data packet over the LAT.  Note that in this
      case, the inner Destination Address (DA), which is an EID, is
      copied to the outer DA and is routed over the LAT.

   Map-Request:  An ITR may also send a Map-Request message into the LAT
      to request the mapping.  As in the Data Probe case, the
      authoritative ETR will respond to the ITR with a Map-Reply
      message.  In this case, the DA of the Map-Request MUST be an
      EID.See [LISP] for the format of Map-Request and Map-Reply

   Like LISP 1.0, EIDs are routable and can be used, unaltered, as the
   source and destination addresses in IP datagrams.  Unlike in LISP
   1.0, LISP 1.5 EIDs are not routed on the public Internet; instead,
   they are only routable over a separate, virtual topology referred to
   as the LISP Alternative Virtual Network.  This network is built as an
   overlay on the public Internet using GRE tunnels to interconnect
   LISP-ALT routers.  BGP is run over these tunnels to propagate the
   information needed to route Data Probes and Map-Request/Replies.
   Importantly, while the ETRs are the source(s) of the unaggregated EID
   prefix data, LISP-ALT uses existing BGP mechanisms to aggressively
   aggregate this information.  Note that ETRs are not required to
   participate (or prevented from participating) in the LISP-ALT; they
   may choose communicate their mappings to their serving LISP-ALT
   router(s) at subscription time via configuration.  ITRs are also not
   required to (nor prevented from) participate in LISP-ALT.

Farinacci, et al.         Expires May 16, 2008                  [Page 7]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

5.  LISP-ALT: Basic Overview

   LISP-ALT is a hybrid push/pull architecture.  Aggregated EID prefixes
   are "pushed" among the LISP-ALT routers and, optionally, out to ITRs
   (which may elect to receive the aggregated information, as opposed to
   simply using a default mapping).  Specific EID-to-RLOC mappings are
   "pulled" by ITRs when they either send explicit LISP requests or data
   packets on the alternate topology that result in triggered replies
   being generated by ETRs.

   The basic idea embodied in LISP-ALT is to use BGP, running over a GRE
   overlay, to build the LAT reachability required to route Data Probes,
   Map-Requests, and Map-Replies over the alternate topology.  The LAT
   RIB (BGP RIB) is comprised of EID prefixes (and associated next
   hops).  The LISP-ALT routers talk eBGP to each other in order to
   propagate EID prefix update information, which is learned either over
   eBGP connections from the authoritative ETR, or by configuration.
   ITRs may also eBGP peer with one or more LISP-ALT routers in order to
   route Data Probe packets or Map-Requests (more likely, an ITR will
   have a default mapping pointing at one or more LISP-ALT routers).

   In summary, the LISP-ALT uses BGP to propagate EID-prefix update
   information used by ITRs and ETRs to forward Map-Requests, Map-
   Replies, and Data Probes.  This reachability is carried as IPv4 or
   IPv6 NLRI without modification (since the EID space has the same
   syntax as IPv4 or IPv6).  LISP-ALT routers eBGP peer with one
   another, forming the LAT.  An LISP-ALT router near the edge learns
   EID prefixes which are originated by authoritative ETRs, which either
   eBGP peer with them or by configuration.  LISP-ALT routers aggregate
   EID prefixes, and forward Data Probes, Map-Requests, and Map-Replies.

5.1.  EID Assignment - Hierarchy and Topology

   EID-prefixes will be allocated to a LISP site by Internet Registries.
   Multiple allocations may not be in power-of-2 blocks.  But when they
   are, they will be aggregated into one announcement EID-prefix.  The
   LAT topology will be setup in a tree-like structure hierarchy so
   merge points in the tree can have proxy aggregation occur.  By doing
   this the LISP-ALT nodes higher in the hierarchy can carry less EID-

   Since the LAT will not need to change due to subscription or policy
   reasons, the topology can remain relatively static and aggregation
   can be sustained.

   Note: As the prototype develops, we will produce documented usage
   guides on how best to build the LAT topology.

Farinacci, et al.         Expires May 16, 2008                  [Page 8]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

5.2.  LISP-ALT Router

   A LISP-ALT Router has the following functionality:

   1.  It can run at a minimum the eBGP part of the BGP protocol.

   2.  It can support a separate RIB which uses next-hop GRE tunnel
       interfaces for forwarding Data Probes and Map-Requests.

   3.  It can also act as an ITR, as in a proxy-ITR capacity to support
       non-LISP sites.

   4.  It can also act as an ETR, or an recursive or re-encapsulating
       ITR to reduce mapping tables in site-based LISP routers.

   An ITR or an ETR can talk to a LISP-ALT router without using a GRE
   tunnel and a BGP peering connection.  A LISP TCP connection can be
   established between the LISP-ALT router and either the ITR or ETR for
   reliably passing Data Probe or Map-Request packets.  TBD, but its
   just a BGP speaker in the LAT overlay.

5.3.  Use of GRE tunnels between LISP-ALT Routers

   By using GRE between LISP-ALT routers and running an eBGP connection
   among them over the GRE tunnel interface makes each LISP-ALT hop an
   AS-hop.  By doing this each LISP-ALT router is using eBGP as a
   Distance Vector protocol using an AS-path solely as a shortest-path
   determination and loop-avoidance mechanism.  All next-hops are on
   tunnel interfaces so there is no IGP required resolve next-hops into
   real next-hops because they are already resolved by the GRE tunnel

   This reduces Operational Expense (OPEX) because less protocols need
   to be used on the overlay topology.  Also, no coordination of tunnel
   IP addresses are required since they are used locally by each LISP-
   ALT device.  So any addressing scheme (even using private addressing)
   can be used for tunnel addressing.

   In the case in which a single routing domain wants redundancy, there
   is no requirement for the two or more LISP-ALT routers inside of the
   domain need to peer with each other.  The redundancy only need to be
   present on peering connections across routing domains.  This will
   allow a lighter weight deployment and maintenance system for running

Farinacci, et al.         Expires May 16, 2008                  [Page 9]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

6.  How LISP-ALT uses BGP

   As described in Section 8.2, an ITR may send either a Map-Request or
   a data probe to find a given EID-to-RLOC mapping.  The LAT provides
   the infrastructure that allows these requests to reach the
   authoritative ETR, and possibly for the reply to find its way back to
   the requesting ITR (the ETR might choose to send the Map-Reply to the
   requesting ITR's source-RLOC, bypassing the LAT).

   The LISP-ALT routers propagate mapping information for use by ITRs
   (when making Map-Requests or sending Data Probes), and ETRs (if the
   ETR is configured to send Map-Replies back to the requesting ITR over
   the LAT) using eBGP [RFC4271]. eBGP is run on the inter-LISP-ALT
   router links, and and possibly between an edge LISP-ALT router and an
   ETR or between an edge LISP-ALT router and an ITR.  The LAT eBGP RIB
   consists of aggregated EID prefixes and their next hops towards the
   authoritative ETR for that EID prefix.

   ITRs and ETRs may choose not to run an eBGP instance with a LISP-ALT
   router.  Each case is considered below.

   ITR:  An ITR will, whether it runs BGP with a LISP-ALT router or not,
      will send either a Data Probe or a Map-Request a LISP-ALT router.

   ETR:  If an ETR runs BGP with a LISP-ALT router, it simply announces
      its EID-prefix to its connected LISP-ALT routers.  If the ETR is
      not running BGP (i.e., it communicates with the LAT over a LISP
      TCP connection), then the LISP-ALT router the ETR has a connection
      with must route Map-Requests and Data Probes to the ETR as well as
      get configured to advertise the ETR's EID-prefixes.  Note that in
      either case, the ETR may send the Map-Reply message back to the
      ITR's source-EID on the LAT or to the ITR's source-RLOC (i.e., on
      the underlying topology).

   Finally, note that LISP-ALT requires no modification to the BGP
   protocol, and is designed to be deployable without additional
   protocol machinery.

6.1.  Sub-Address Family Identifier (SAFI) for LISP-ALT

   As defined by this document, LISP-ALT may be implemented using BGP
   without modification.  Given the fundamental operational difference
   propagating global Internet routing information (the current,
   dominant use of BGP) and managing the global EID-to-RLOC database
   (the use of BGP proposed by this document), it may be desirable to
   assign a new SAFI [RFC2858] to prevent operational confusion and
   difficulties, including the inadvertent leaking of information from
   one domain to the other.  At present, this document does not require

Farinacci, et al.         Expires May 16, 2008                 [Page 10]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

   the assignment of a new SAFI but the authors anticipate that
   experimentation may suggest the need for one in the future.

6.2.   Autonomous System Numbers (ASNs) in LISP-ALT

   The primary use of BGP today is to define the global Internet routing
   topology in terms of its participants, known as Autonomous Systems.
   LISP-ALT specifies the use of BGP to create a global EID-to-RLOC
   mapping database which, while related to the global routing database,
   serves a very different purpose and is organized into a very
   different hierarchy.  Because LISP-ALT does use BGP, however, it uses
   ASNs in the paths that are propagated among LISP-ALT routers.  To
   avoid confusion, it needs to be stressed that that these LISP-ALT
   ASNs use a new numbering space that is unrelated to the ASNs used by
   the global routing system.  Exactly how this new space will be
   assigned and managed will be determined during experimental
   deployment of LISP-ALT.

Farinacci, et al.         Expires May 16, 2008                 [Page 11]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

7.  EID-Prefix Aggregation

   The LAT peering topology should be arranged in a tree-like fashion
   (with some meshiness), both with redundancy to deal with crashes.  We
   assume that as long as the routers are up and running that the
   underlying topology will provide alternative routes to the BGP
   connection stay up between the LISP-ALT routers.

Farinacci, et al.         Expires May 16, 2008                 [Page 12]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

8.  Connecting sites to the LAT

8.1.  ETRs originating information into the LAT network

   ETRs have two ways of originating EID information into the LAT:

   Configuration:  A LISP-ALT router may be configured with the EID-
      prefix of the authoritative ETR, which is connected to the LISP-
      ALT router via a LISP TCP connection [LISP].  This TCP connection
      may be used to route Map-Requests to the ETR (if necessary), and
      for the ETR to respond with Map-Replies.  Of course, the LISP-ALT
      router could also serve as a proxy for its TCP-connected ETRs.
      Finally, depending on configuration and which prefixes an ETR is
      authoritative for, an ETR may need to connect to more than one
      LISP-ALT router to have all of its prefixes routed via the LAT.

   eBGP:  ETRs may originate information by participating in the LAT via
      eBGP.  In this case, The ETR advertises reachability for its EID
      prefixes over this eBGP connection to the LISP-ALT routers.  The
      LISP-ALT routers propagate and aggregate this information into the
      LAT.  That is, here the ETR is simply a peer of a LISP-ALT router
      at the edge of the LAT.  A LISP-ALT router should aggregate the
      received EID-prefixes (where possible).

8.2.  ITRs Receiving Information from the LAT

   In order to source Map-Requests to the LAT and receive Map-Replies
   from the LAT, or to route a Data Probe packet over the LAT, each ITR
   participating in the LAT establishes a connection to one or more
   LISP-ALT routers.  These connections can be either eBGP or TCP (as
   described above).

   In the case in which the ITR is running eBGP, the peer LISP-ALT
   routers use these connections to advertise highly aggregated EID-
   prefixes to the peer ITRs.  The ITR then installs the received
   prefixes into a forwarding table that is used to to send LISP Map-
   Requests to the appropriate LISP-ALT router.  In most cases, a LISP-
   ALT router will send a default mapping to its client ITRs so that
   they can send request for any EID prefix into the LAT.

   In the case in which the ITR is connected to some set of LISP-ALT
   routers without eBGP (i.e., over a LISP TCP connection), the ITR
   sends Map-Requests to any of its connected LISP-ALT routers, and
   receives Map-Replies from the LISP-ALT router that has the "shortest
   path" to the authoritative ETR.

   An ITR may also chose to send the first few data packets over the
   LAT, in order to minimize packet loss and reduce mapping latency.  In

Farinacci, et al.         Expires May 16, 2008                 [Page 13]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

   this case, the data packet serves as a mapping probe (Data Probe),
   and the ETR which receives the data packet (over the LAT) responds
   with a Map-Reply that is either routed back over the LAT, or send to
   the ITR's source-RLOC over the underlying topology.

   In general, an ITR will establish connections only to LISP-ALT
   routers at the "edge" of the LAT (typically two for redundancy) but
   there may also be situations where an ITR would connect to other
   LISP-ALT routers to receive alternate shorter path information about
   a portion of the LAT topology of interest to it.  This can be
   accomplished by establishing a GRE tunnel between the ITR and the set
   of LISP-ALT routers the ITR is interested in.  This is a purely local
   policy issue between the ITR and the LISP-ALT routers in question.

Farinacci, et al.         Expires May 16, 2008                 [Page 14]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

9.  IANA Considerations

   This document makes no request of the IANA.

Farinacci, et al.         Expires May 16, 2008                 [Page 15]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

10.  Security Considerations

   LISP-ALT shares many of the security characteristics of BGP.  Its
   security mechanisms are comprised of existing technologies in wide
   operational use today.  Securing LISP-ALT is much simpler than
   securing BGP.

   Compared to BGP, LISP-ALT routers are not topologically bound,
   allowing them to be put in locations away from the vulnerable AS
   border (unlike eBGP speakers).

10.1.  Apparent LISP-ALT Vunerabilities

   This section briefly lists of the apparent vulnerabilities of LISP-

   Mapping Integrity:  Can you insert bogus mappings to black-hole
      (create a DoS) or intercept LISP data-plane packets?

   LISP-ALT router Availability:  Can you DoS the LISP-ALT routers that
      a given ETR connects to?  Without access to its mappings, a site
      is essentially unavailable.

   ITR Mapping/Resources:  Can you force an ITR or LISP-ALT router to
      drop legitimate mapping requests by flooding it with random
      destinations that it will have to query for.  Further study is
      required to see the impact of admission control on the overlay

   EID Map-Request Exploits for Reconnaissance:  Can you learn about a
      LISP destination sites' TE policy by sending legitimate mapping
      requests messages and then observing the RLOC mapping replies?  Is
      this information useful in attacking or subverting peer
      relationships?  Note that LISP 1.0 has a similar data-plane
      reconnaissance issue.

   Scaling of LISP-ALT router (LAT) Resources:  The overall capacity of
      the LAT may be a subset of the available bandwidth of the

   UDP Map-Reply from ETR:  If Map-Replies packets are sent directly
      from the ETR to the ITR's RLOC, the ITR's RLOC may be vulnerable
      to various types of DoS attacks.

Farinacci, et al.         Expires May 16, 2008                 [Page 16]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

10.2.  Survey of LISP-ALT Security Mechanisms

   Explicit peering:  The devices themselves can both prioritize
      incoming packets as well as potentially do key checks in hardware
      to protect the control plane.

   Use of TCP to connect elements:  This makes it difficult for third
      parties to inject packets.

   Use of HMAC Protected TCP Connections:  HMAC is used to verify
      message integrity and authenticity, making it nearly impossible
      for third party devices to either insert or modify messages.

   Message Sequence Numbers and Nonce Values in Messages:  This allows
      for devices to verify that the mapping-reply packet was in
      response to the mapping-request that they sent.

10.3.  Leveraging Internet BGP Security mechanisms

   LISP-ALT's use of BGP allows for the LAT easily take advantage of BGP
   security features designed for the Legacy Internet BGP.

   For example, should either sBGP [I-D.murphy-bgp-secr] or soBGP
   [I-D.white-sobgparchitecture] become widely deployed it expected that
   LISP-ALT could use these mechanisms to provide authentication of EID-
   to-RLOC mappings, and EID origination.

Farinacci, et al.         Expires May 16, 2008                 [Page 17]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

11.  Acknowledgments

   Many of the ideas described in this document developed during
   detailed discussions with Scott Brim and Darrel Lewis, who made many
   insightful comments on earlier versions of this document.

Farinacci, et al.         Expires May 16, 2008                 [Page 18]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
              Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
              March 2000.

   [RFC2858]  Bates, T., Rekhter, Y., Chandra, R., and D. Katz,
              "Multiprotocol Extensions for BGP-4", RFC 2858, June 2000.

   [RFC4271]  Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
              Protocol 4 (BGP-4)", RFC 4271, January 2006.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
              (CIDR): The Internet Address Assignment and Aggregation
              Plan", BCP 122, RFC 4632, August 2006.

12.2.  Informative References

              Murphy, S., "BGP Security Analysis",
              draft-murphy-bgp-secr-04 (work in progress),
              November 2001.

              White, R., "Architecture and Deployment Considerations for
              Secure Origin BGP (soBGP)",
              draft-white-sobgparchitecture-00 (work in progress),
              May 2004.

   [LISP]     Farinacci, D., Oran, D., Fuller, V., and D. Meyer,
              "Locator/ID Separation Protocol (LISP)",
              draft-farinacci-lisp-05.txt (work in progress),
              November 2007.

Farinacci, et al.         Expires May 16, 2008                 [Page 19]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

Authors' Addresses

   Dino Farinacci
   Tasman Drive
   San Jose, CA  95134


   Vince Fuller
   Tasman Drive
   San Jose, CA  95134


   Dave Meyer
   Tasman Drive
   San Jose, CA  95134


Farinacci, et al.         Expires May 16, 2008                 [Page 20]

Internet-Draft    LISP Alternative Topology (LISP-ALT)     November 2007

Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at


   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).

Farinacci, et al.         Expires May 16, 2008                 [Page 21]