Network Working Group                                           D. Meyer
Internet-Draft                                                  D. Lewis
Intended status: Informational                                     Cisco
Expires: July 27, 2009                                  January 23, 2009


          Architectural Implications of Locator/ID Separation
                 draft-meyer-loc-id-implications-01.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 27, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Abstract

   Recent work on Locator/ID Separation has focused primarily on the
   control plane protocols concerned with finding Identifier-to-Locator



Meyer & Lewis             Expires July 27, 2009                 [Page 1]


Internet-Draft          Loc/ID Split Implications           January 2009


   mappings.  However, experience gained with a trial deployment of a
   system designed to implement Locator/ID Separation has revealed two
   general classes of problems that must be resolved after the mapping
   is found: The Locator Path Liveness Problem and the State
   Synchronization Problem.  These problems have implications for the
   data plane as well as the control plane.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The Problem Space  . . . . . . . . . . . . . . . . . . . . . .  4
   3.  The Locator Path Liveness Problem  . . . . . . . . . . . . . .  4
     3.1.  The Multi-Exit Problem . . . . . . . . . . . . . . . . . .  7
     3.2.  Complexity . . . . . . . . . . . . . . . . . . . . . . . .  7
       3.2.1.  Complexity of Host-Based Probing . . . . . . . . . . .  7
       3.2.2.  Complexity of Network-Based Probing  . . . . . . . . .  8
     3.3.  Possible Optimizations . . . . . . . . . . . . . . . . . .  8
     3.4.  Security Issues  . . . . . . . . . . . . . . . . . . . . . 10
   4.  Site-Based State Synchronization . . . . . . . . . . . . . . . 11
     4.1.  Complexity . . . . . . . . . . . . . . . . . . . . . . . . 11
   5.  Conclusions  . . . . . . . . . . . . . . . . . . . . . . . . . 12
   6.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 12
   7.  IANA Considersations . . . . . . . . . . . . . . . . . . . . . 12
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 12
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 14
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14























Meyer & Lewis             Expires July 27, 2009                 [Page 2]


Internet-Draft          Loc/ID Split Implications           January 2009


1.  Introduction

   Locator/ID Separation (hereafter Loc/ID split) has been proposed as
   an architectural enhancement to the Internet architecture to
   facilitate, among other things, scaling of the global routing system
   [RFC1498][Chiappa99][Fuller06][RFC4984].  The basic idea is that the
   current number space (the IPv4/IPv6 address space) is overloaded with
   both location and identity semantics.  One consequence of this
   overloading is that it is difficult to assign routing locators
   (RLOCs) in a way that is congruent with the underlying network
   topology; this makes aggregation difficult, if not impossible.  This
   property is sometimes referred to as Rekhter's Law, and is frequently
   formulated as follows:

     "Addressing can follow topology or topology can follow
      addressing. Choose one."

   Endpoint Identifiers (EIDs), on the other hand, are typically
   assigned without regard to the underlying network topology (for
   example, Host Identity Tags [RFC4423]).  This makes it difficult for
   a single numbering space to efficiently serve both routing locator
   and endpoint identifier roles.

   Locator/Identity Separation can be used to decouple the allocation of
   of EIDs from RLOCs, enabling the RLOC space to be aggregated
   aggressively (by aligning RLOC allocations with the underlying
   network topology).  The positive effect of such aggregation would be
   to control the growth of global routing state.  Note that aggregation
   in the EID space may also an issue, but as of this writing hasn't
   been explored extensively.

   Recent work on Locator/ID Separation has focused almost exclusively
   on control plane protocols for finding Identifier-to-Locator mappings
   (for example, [I-D.fuller-lisp-alt][I-D.jen-apt]
   [I-D.lear-lisp-nerd]).  However, experience gained with a trial
   deployment of a system designed to implement Locator/ID Separation
   has revealed two general classes of problems that must be resolved
   after the mapping is found: The Locator Path Liveness Problem and the
   State Synchronization Problem.  These problems have implications for
   the data plane as well as the control plane.

   This document focuses on the Locator Path Liveness and State
   Synchronization problems, and is organized as follows: Section 2
   provides an overview of the problem space.  Section 3 discusses the
   Locator Path Liveness problem, and Section 4 discusses the State
   Synchronization problem.  Finally, Section 5 provides a few
   conclusions.




Meyer & Lewis             Expires July 27, 2009                 [Page 3]


Internet-Draft          Loc/ID Split Implications           January 2009


2.  The Problem Space

   Decoupling Location and Identity has profound implications both the
   control and data planes.  In particular, decoupling location from
   identity leads to the two difficult problems: first, given a set of
   source locators and a set of destination locators, it must be
   possible to determine if a particular destination locator is
   reachable.  We refer to this general problem as the Locator Path
   Liveness Problem.  The Locator Path Liveness Problem is exhibited in
   host-based architectures such as SHIM6 [I-D.ietf-shim6-proto]) and
   HIP (Section 1.2 of [OPENHIP] describes an architecture in which "the
   failure detection daemon (reapd) is designed to be reused across HIP
   and shim6"), and network-based architectures such as RANGER
   [I-D.templin-ranger], eFIT [EFIT] and [LISP]).  The "Hybrid
   Rewriting" class of architectures such as GSE [ODell97] exhibit a
   variant on the problem.  Locator Liveness is discussed in detail in
   Section 3.

   The second problem discussed in this document is that mapping state
   may need to be shared among network elements; this is as opposed to
   the determining if the locator itself is up or down.  This is
   referred to as the Site-Based State Synchronization Problem, and is
   specific to network-based architectures.  The Site-Based State
   Synchronization problem is discussed in Section 4.


3.  The Locator Path Liveness Problem

   The Locator Path Liveness Problem has been studied in various
   contexts [IANNONE08] [BARRE08] [OLIVA08] [OPENHIP]
   [I-D.ietf-shim6-failure-detection], and can be stated as
   follows:

      Given a set of source locators and a set of destination
      locators, can bi-directional connectivity be
      determined between the <source locator,destination
      locator> address pairs?

   A simple example illustrates the problem.  Consider the scenario
   depicted in Figure 1.  Here a site S0 is multihomed to provider A and
   provider B. Further, suppose that S0 has a Provider Assigned (PA)
   locator from provider A (call it La) and a PA locator, Lb, from
   provider B. Suppose that provider A peers with provider B. In this
   case, S0 might "advertise" that its EID-prefixes can be reached
   through nodes La and Lb (either via DNS, explicit protocol message
   such as a Map-Reply message [LISP], or other method) to its
   correspondent sites.




Meyer & Lewis             Expires July 27, 2009                 [Page 4]


Internet-Draft          Loc/ID Split Implications           January 2009


   Now, suppose that a correspondent site S1 is connected to provider C,
   and that S0 has told S1 that it can reach S0 on either La or Lb.
   Suppose further that S1 chooses La to reach S0, so that packets
   sourced from S1 destined for S0 traverse the path S1->C->B->A->S0.
   Note that if connectivity between provider B and provider A is
   disrupted, either for business or technical reasons, La will not be
   reachable from S1.  In this case, S1 must detect that La is no longer
   reachable and use Lb to restore connectivity (in the event that S1
   wants to restore connectivity; in today's Internet, S0 would continue
   to be unreachable).

                                          S1
                                           |
                                           |
                                           C
                                           |
                                           |
                         A-----------------B
                          \  peering link /
                           \             /
                            \           /
                             \         /
                              \       /
                              La    Lb
                                \  /
                                 S0

                      Figure 1: Reachability Failure

   The Locator Path Liveness problem arises in subtly different ways,
   depending on the contents of the mapping database (i.e., EIDs, RLOCs,
   or some combination of these), who queries the database (host or
   network element), and how knowledge is distributed between hosts and
   routing elements.  Note that in general, Locator Path Liveness must
   be tested in the data plane (although an implementation might take
   advantage of various "hints; see Section 3.3).

   Host-Based Architectures:  In host-based architectures (e.g., SHIM6
      [I-D.ietf-shim6-proto]), the problem arises because queries to the
      database (DNS in this case) return "addresses" that can be thought
      of as a concatenation of the RLOC and EID.  Because a host is
      anticipated to have multiple such "addresses" (at least in the
      SHIM6 case), it must choose a working <source,destination> pair
      from among its potential source addresses and its correspondent
      destination addresses.  REAP [I-D.ietf-shim6-failure-detection] is
      a probe-based reachability protocol that is designed to address
      this problem.




Meyer & Lewis             Expires July 27, 2009                 [Page 5]


Internet-Draft          Loc/ID Split Implications           January 2009


   Hybrid Network-Based Rewriting Architectures:  In hybrid network-
      based rewriting architectures (such as GSE [ODell97]), the problem
      arises because there is a knowledge asymmetry between the host and
      routing.  Specifically, while the host is responsible for
      selecting the destination Routing Goop (RG) (i.e., the ingress
      point to the destination domain, essentially the destination
      RLOC), it is routing that selects the source RG.  So while the IGP
      routing in a domain can be intelligent about egress points from
      the domain, it is the destination address, chosen by the host,
      that selects the ingress point in the destination domain.

      This asymmetry gives rise to the following problem: Hosts will
      likely want information, at some granularity, about which
      <source,destination> pairs currently work.  However, the host has
      no information about how many RGs are available to the site or if
      they are currently reachable.  So the host cannot test the set of
      <source,destination> pairs for active paths.  On the other hand,
      the routing system can't either, unless it snoops on TCP
      connections (which doesn't deal with asymmetric paths, UDP flows,
      or unidirectional flows).  Section 4.2 of [Zhang06] discusses this
      issue from a slightly different point of view.

      It is worth noting that unlike most "modern" descriptions of how
      GSE uses the DNS [Zhang06], the original GSE design
      [ODell97][ODell08] envisioned that the DNS would have a new
      resource record type, the RG record, to carry a site's RGs.  Hosts
      would only have AAAA records.  The idea was that for a given
      destination domain, a host in the source domain would compute the
      Cartesian Product {RGs}x{A4s}.  Thus alternate path sensing would
      become a a matter of local policy, and not hard-wired by the
      destination domain (or whoever happens to be authoritative for the
      destination domain's names).  Notice, however that even with the
      introduction of the RG resource record, the knowledge asymmetry
      remains.

   Network-Based Map-and-Encap Archtectures:  In the case of map-and-
      encap network-based architectures, the problem arises because the
      mapping element (e.g., Ingress Tunnel Router, or ITR) must choose
      among the RLOCs it has learned for a given EID-prefix.  Thus an
      ITR can choose among the RLOCs associated with a given EID prefix,
      and a host may choose among multiple EIDs.  However, a host cannot
      choose among the possible RLOCs; it simply has no access to that
      information (and even if it could, it would have no way to use
      that information).  Hence if the ITR chooses a RLOC that is not
      reachable, traffic to the destination site will be blackholed, and
      the host is left with no recourse.





Meyer & Lewis             Expires July 27, 2009                 [Page 6]


Internet-Draft          Loc/ID Split Implications           January 2009


3.1.  The Multi-Exit Problem

   The Multi-Exit Problem (MEP) arises when a site has two or more ITRs
   and there is a difference in destination RLOC reachability between
   the ITRs.  For example, a site might have two ITRs, one which has
   connectivity to the destination RLOC, and one which doesn't.  In this
   case, the host's packet will be carried by the site's internal
   routing (Interior Gateway Protocol, or IGP) to one of the exit
   points, as expected.  However, since the IGP has no knowledge of
   locator liveness, and the host has limited ability to choose its exit
   (which may in any event be overridden by site routing), packets may
   be routed to a ITR that can not deliver them to the destination even
   though some ITR at the site can successfully deliver such packets.

   As illustrated by the example above, the MEP arises because neither
   party (i.e., the host or the site's routing infrastructure) has both
   the knowledge or control necessary to detect the problem and route
   the packet accordingly.  Note that while the MEP can arise without
   Locator/ID separation (for example, in the case in which site's
   border routers are taking default from their upstreams), the MEP can
   arise even when the site's routers have complete routing (e.g., a
   copy of the DFZ BGP table).

3.2.  Complexity

   The complexity of testing Locator Path Liveness in the data plane
   (i.e., probing) is roughly O(M*N), where there are M source addresses
   and N destination addresses.  The following sections more closely
   analyze the complexity of host-based and network-based liveness
   probing.  Note that the complexity described here is "worst-case".
   It is anticipated that implementations will develop heuristics such
   as those described in Section 3.3 to efficiently deal with Locator
   Path Liveness.

3.2.1.  Complexity of Host-Based Probing

   Host-based implementations must keep per-correspondent host liveness
   state.  The complexity of probing in a host-based implementation can
   be thought of as follows:

       Let C   = the number of correspondent hosts
       Let D_i = the number of destination locators for host C_i
       Let S   = the number of source locators

       Then the complexity of host-based probing, P_host, is

       O(P_host), where P_host = S*sum(D_i), i = 0...C-1




Meyer & Lewis             Expires July 27, 2009                 [Page 7]


Internet-Draft          Loc/ID Split Implications           January 2009


3.2.2.  Complexity of Network-Based Probing

   Network-based implementations must keep per-destination egress point
   liveness.  The complexity of probing in a network-based
   implementation can be thought of as follows:

       Let N   = the number of EID-prefixes in a network element's
                 cache
       Let L_i = the number of locators for EID-prefix N_i
       Let M   = the number of source locators

       Then the complexity of network-based probing, P_network,  can
       be described as

       O(P_network), where P_network = M*sum(L_i), i = 0...N-1

   Note that a network-based probing scheme might have an advantage here
   because a single EID-prefix may cover many correspondent hosts.  That
   is, sum(L_i), i = 0...N-1 < sum(D_i), i = 0...C-1

3.3.  Possible Optimizations

   The previous sections analyzed the complexity of explicitly probing
   to assess Locator Path Liveness.  To mitigate this complexity, an
   implementation might rely on the various "hints" to assess Locator
   Path Liveness.  The following sections, while not intended to be an
   exhaustive survey, outline some of the Locator Path Liveness hints an
   implementation may utilize.

   Data Traffic:  When data is received, an implementation might assume
      that the source of that traffic is reachable, and as such probing
      might not be needed.  Of course, this is, at best, a
      unidirectional "hint" that an implementation might use to
      determine locator liveness.  Only a complete round trip, wherein
      the distant site says something back to the local site which the
      local site originally sent to the distant site, can one then
      guarantee that the distant site can hear the local site.

      A variation on this theme is to "piggyback" liveness testing on
      user data traffic, by adding a Solicit-User-Probe-Reply bit, that
      tells the far end to send back the next user data packet(s) with
      the outbound nonce, and a User-Probe-Reply bit set.  Of course,
      this optimization depends on the existence of some traffic (even
      if not for the same connection) going between pairs of border
      elements.  That is, if a particular pair has only traffic in one
      direction, this method fails.  In addition, it requires extra
      processing on user data packets, extra overhead in the packets (a
      field, some bits), and extra protocol complication.  Of course,



Meyer & Lewis             Expires July 27, 2009                 [Page 8]


Internet-Draft          Loc/ID Split Implications           January 2009


      such piggybacking only provides the view from remote domain, not
      whether the locator is actually reachable from the recipient of
      the "User-Probe-Bit".

   Protocol Control Messages:  If a protocol control message is received
      (for example, a Map-Reply), an implementation may conclude that
      the source of that is reachable.  Again, in the best case, this is
      only a hint, because receipt of the control message proves only
      unidirectional connectivity.

   Piggybacking Liveness Indications:  A network-based architecture
      might piggyback indication of intra-domain locator liveness on
      other data and/or protocol messages.  An example of this approach
      is LISP's use of loc-reach bits to indicate which Egress Tunnel
      Routers in a domain are up from the domain's perspective.

   Existence of the Locator in underlying routing:  A device which is
      responsible for locator liveness can utilize underlying routing to
      determine if the locator is at all available.  If the network
      prefix (or a covering aggregate) for the destination locator is
      NOT found in underlying routing, then the path will not be
      available.  This is at best a negative detection, it can show when
      a path is not available, but liveness of a particular locator.  A
      given locator may still be unavailable and this not be shown in
      routing, due to data plane filtering, or the reachability being
      hidden by aggregation of the particular locator prefix.

   Positive Feedback From Other Protocols:  An implementation may be
      able to deduce some forms of reachability from other protocols.
      For example, TCP might indicate to the IP layer that it believes
      that there is bidirectional connectivity between a given address
      pair.  This might be signaled to the source when it receives a
      SYN-ACK from the destination RLOC.  As pointed out in
      [I-D.ietf-shim6-failure-detection], this is similar to how IPv6
      Neighbor Unreachability Detection, which can be avoided when upper
      layers provide information about bidirectional connectivity
      [RFC4861].

      If an implementation has access to higher layer protocols such as
      BGP, it might get a hint as to the reachability of a given
      locator.  In the case of BGP, an implementation might conclude
      that the locator is reachable if there is a covering prefix in the
      BGP Routing Information Base (RIB).  Again, this is a hint,
      because the correspondent host may be down.







Meyer & Lewis             Expires July 27, 2009                 [Page 9]


Internet-Draft          Loc/ID Split Implications           January 2009


   Timeouts:  An implementation may be able to deduce some forms of
      Unreachability from timeouts of other protocols.For example, TCP
      might indicate that there is a lack of connectivity because it is
      not getting ACKs.Of course, this signal is overloaded: there may
      simply be congestion.

   ICMP Messages:  While ICMP is an available signalling protocol, due
      to its lack of security (in particular, ease of spoofing
      [I-D.ietf-tcpm-icmp-attacks]) and the fact that common policy is
      to block or rate limited ICMP, its utility has been somewhat
      marginalized (see Section 3.4).  As such, ICMP may be used as a
      hint but beyond that, an implementation can not rely on ICMP as a
      signalling mechanism.

   QQQ: Again, when do I know a locator is up?  If I probe and the
   response is positive, does that mean its up (i.e., it can go down in
   the interim, so what is the time granularity, and what effect does
   that have on efficiency?

   In general, depending on end-to-end liveness indications are
   applicable only to host-based solutions (e.g.,
   [I-D.ietf-shim6-proto]).  A network-based implementation may rely on
   higher layer protocols to indicate liveness (for example, an
   implementation may be able deduce a limited form of reachability from
   the existence of a BGP route covering the destination RLOC), but
   these too can only be used as hints.  In the general case, however,
   an architecture that implements Loc/ID split (either host-based or
   network-based) will need to test Locator Path Liveness in the data
   plane

3.4.  Security Issues

   Mere inspection of insecure traffic may lead to false negative
   detection because of the insertion of malicious traffic.  For
   instance, packets that masquerade as coming from a site may tamper
   with the loc-reach-bits, making the site's locators appear
   unreachable when in fact they are reachable [LISP].

   ICMP Messages:  ICMP messages are easily spoofable
      [I-D.ietf-tcpm-icmp-attacks], so they may be exploited to provide
      false negatives.  However, they are also rate limited and often
      outright disabled, leaving a site sending data to a remote RLOC
      under the impression that the RLOC is reachable (a false positive
      side effect of such filtering).







Meyer & Lewis             Expires July 27, 2009                [Page 10]


Internet-Draft          Loc/ID Split Implications           January 2009


   Existence of the Locator in the BGP RIB:  This vulnerability is
      shared by non-Loc/ID split architectures (need reference to
      Pakistani-youtube example as a way compromised routing can break
      path liveness).

   Aside from the ability to mislead a poorly implemented probing
   mechanism with data spoofing, probing creates a fundamentally
   unscalable relationship between site pairs (see Section 3.2).  This
   leads to both implicit (unscalable) and explicit (vulnerable to probe
   floods) Denial of Service vulnerability in the systems receiving
   probe requests.

   Finally, note that in the case of network-based Loc/ID separation
   architectures, the RLOCs of border elements represent reachability on
   behalf of entire site.  As a result, failure to detect path liveness
   can disrupt connectivity to the entire site.  On the other hand, in
   host-based Loc/ID separation architectures, only individual hosts are
   compromised.


4.  Site-Based State Synchronization

   The Site-Based State Synchronization problem is specific to network-
   based Loc/ID split architectures.  There are two kinds of state
   synchronization that might need to be performed: mapping state
   synchronization and locator liveness synchronization.

   The Site-Based State Synchronization problem can most easily be
   demonstrated by a simple example.  Consider the following case: A
   site has two ITRs; one ITR is on the active path and the other ITR is
   on a backup path.  In this case, all traffic egressing from the site
   traverses the ITR on the active path, and as a result that ITR is
   caching the mapping state for all of the active flows.  The ITR on
   the backup path has no mapping state.  Now, when the ITR on the
   active path fails, traffic is naturally shifted to the ITR on the
   backup path.  If the now active ITR hasn't synchronized its state
   with the previously active ITR(s), then the newly active ITR has to
   reconstruct the mapping state for the flows that were traversing the
   failed ITR.  In particular, the failure, which is local to the site,
   requires the now active ITR to go off-site to reconstruct the state.

4.1.  Complexity

   TBD







Meyer & Lewis             Expires July 27, 2009                [Page 11]


Internet-Draft          Loc/ID Split Implications           January 2009


5.  Conclusions

   Architectures that implement Locator/ID Separation, either host or
   network based, need to evaluate carefully the complexity inherent in
   determining Locator Path Liveness.  The complexity of mapping state
   synchronization is an additional concern for network-based
   architectures.


6.  Acknowledgments

   Shane Amante, Scott Brim, Noel Chiappa, John Day, Dino Farinacci,
   Vince Fuller, Mike O'Dell, Andrew Partan, and John Zwiebel provided
   insightful comments on early versions of this document.  A special
   thanks goes to Mary Nickum for her attention to detail and effort in
   editing this document.


7.  IANA Considersations

   This document creates no new requirements on IANA namespaces
   [RFC2434].


8.  References

8.1.  Normative References

   [Chiappa99]
              Chiappa, N., "Endpoints and Endpoint Names: A Proposed
              Enhancement to the Internet Architecture", xxx 1999,
              <http://ana.lcs.mit.edu/~jnc//tech/endpoints.txt>.

   [EFIT]     Massey, D., "A Proposal for Scalable Internet Routing &
              Addressing", Feb 2007, <http://www.watersprings.org/pub/
              id/draft-wang-ietf-efit-00.txt>.

   [Fuller06]
              Fuller, V., "Scaling issues with ipv6 routing+
              multihoming", Oct 2006, <http://www.iab.org/about/
              workshops/routingandaddressing/vaf-iab-raws.pdf>.

   [I-D.fuller-lisp-alt]
              Farinacci, D., "LISP Alternative Topology (LISP+ALT)",
              draft-fuller-lisp-alt-02 (work in progress), April 2008.

   [I-D.ietf-shim6-failure-detection]
              Arkko, J. and I. Beijnum, "Failure Detection and Locator



Meyer & Lewis             Expires July 27, 2009                [Page 12]


Internet-Draft          Loc/ID Split Implications           January 2009


              Pair Exploration Protocol for IPv6  Multihoming",
              draft-ietf-shim6-failure-detection-13 (work in progress),
              June 2008.

   [I-D.ietf-shim6-proto]
              Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
              Shim Protocol for IPv6", draft-ietf-shim6-proto-10 (work
              in progress), February 2008.

   [I-D.ietf-tcpm-icmp-attacks]
              Gont, F., "ICMP attacks against TCP",
              draft-ietf-tcpm-icmp-attacks-03 (work in progress),
              March 2008.

   [I-D.jen-apt]
              Jen, D., Meisel, M., Massey, D., Wang, L., Zhang, B., and
              L. Zhang, "APT: A Practical Transit Mapping Service",
              draft-jen-apt-01 (work in progress), November 2007.

   [I-D.lear-lisp-nerd]
              Lear, E., "NERD: A Not-so-novel EID to RLOC Database",
              draft-lear-lisp-nerd-04 (work in progress), April 2008.

   [I-D.templin-ranger]
              Templin, F., "Routing and Addressing in Next-Generation
              EnteRprises (RANGER)", draft-templin-ranger-00 (work in
              progress), October 2008.

   [LISP]     Farinacci, D., Fuller, V., Oran, D., and D. Meyer,
              "Locator/ID Separation Protocol (LISP)",
              draft-farinacci-lisp-11 (work in progress), Jan 2009.

   [ODell08]  Odell, M., "GSE - An Alternate Addressing Architecture for
              IPv6 (Private Communication)", Dec 2008.

   [ODell97]  Odell, M., "GSE - An Alternate Addressing Architecture for
              IPv6", Oct 2006, <http://www.watersprings.org/pub/id/
              draft-ietf-ipngwg-gseaddr-00.txt>.

   [OPENHIP]  Ahrenholz, J. and T. Henderson, "shim6 manual (html
              version)", 2007, <http://www.openhip.org/docs/shim6.html>.

   [RFC1498]  Saltzer, J., "On the Naming and Binding of Network
              Destinations", RFC 1498, August 1993.

   [RFC2434]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 2434,
              October 1998.



Meyer & Lewis             Expires July 27, 2009                [Page 13]


Internet-Draft          Loc/ID Split Implications           January 2009


   [RFC4423]  Moskowitz, R. and P. Nikander, "Host Identity Protocol
              (HIP) Architecture", RFC 4423, May 2006.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              September 2007.

   [RFC4984]  Meyer, D., Zhang, L., and K. Fall, "Report from the IAB
              Workshop on Routing and Addressing", RFC 4984,
              September 2007.

   [Zhang06]  Zhang, L., "An Overview of Multihoming and Open Issues in
              GSE", Sept 2006,
              <http://www.cs.ucla.edu/~lixia/0609GSE_Overview.pdf>.

8.2.  Informative References

   [BARRE08]  Barre, S. and O. Bonaventure, "Improved Path Exploration
              in shim6-based Multihoming", 2008.

   [IANNONE08]
              Iannone, L., Saucez, D., and O. Bonaventure, "Implementing
              the Locator/ID Separation Protocol: Design and
              Experience", 2008.

   [OLIVA08]  de la Oliva, A., Bagnulo, M., Garcia-Martinez, A., and I.
              Soto, "Performance Analysis of the REAchability Protocol
              for IPv6 Multihoming", 2008.


Authors' Addresses

   David Meyer
   Cisco

   Email: dmm@1-4-5.net


   Darrel Lewis
   Cisco

   Email: darlewis@cisco.com









Meyer & Lewis             Expires July 27, 2009                [Page 14]