[Search] [txt|html|xml|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00                                                            
Network Working Group                                        V.M. Moreno
Internet-Draft                                             Cisco Systems
Intended status: Experimental                               29 July 2021
Expires: 30 January 2022


                LISP Based Multi-AS Backbone Federation
                     draft-moreno-lisp-multi-as-00

Abstract

   As multiple organizations interconnect their networks through peering
   agreements, it is desirable to preserve the services enabled by a
   LISP overlay over such interconnection of independent networks.  This
   specification documents the requirements imposed by the deployment
   scenario in which multiple organizations federate their backbones
   with the objective of running a LISP overlay to enable services such
   as mobility or VPNs.  The requirements for policies, enforcement and
   authoritative control of network assets are captured from the
   perspective of the operator.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].


Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 30 January 2022.







Moreno                   Expires 30 January 2022                [Page 1]


Internet-Draft                LISP Multi-as                    July 2021


Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Definition of Terms . . . . . . . . . . . . . . . . . . . . .   4
   3.  Problem statement and Requirements  . . . . . . . . . . . . .   4
   4.  Multi-organizational federated LISP Overlay Network . . . . .   8
   5.  Policies and enforcement  . . . . . . . . . . . . . . . . . .   9
     5.1.  Peering Agreement enforcement Policies  . . . . . . . . .   9
       5.1.1.  RLOC alignment to AS_Paths  . . . . . . . . . . . . .  10
     5.2.  Sender/Ingress Policies . . . . . . . . . . . . . . . . .  10
       5.2.1.  Application preference policies . . . . . . . . . . .  11
   6.  Multi-homing  . . . . . . . . . . . . . . . . . . . . . . . .  11
   7.  Regionalization . . . . . . . . . . . . . . . . . . . . . . .  12
   8.  Host Roaming and EID preservation . . . . . . . . . . . . . .  12
   9.  Uberlay Deployment  . . . . . . . . . . . . . . . . . . . . .  13
   10. ICAO use cases  . . . . . . . . . . . . . . . . . . . . . . .  13
     10.1.  Air Traffic Control  . . . . . . . . . . . . . . . . . .  13
     10.2.  Airline Operation Control  . . . . . . . . . . . . . . .  13
     10.3.  Multi-link . . . . . . . . . . . . . . . . . . . . . . .  14
     10.4.  Path Preference  . . . . . . . . . . . . . . . . . . . .  14
   11. Policy enforcement and Trust  . . . . . . . . . . . . . . . .  14
     11.1.  Consensus mechanisms and enforceable evidence (data
            plane) . . . . . . . . . . . . . . . . . . . . . . . . .  14
     11.2.  Topological enforcement (RTRs) . . . . . . . . . . . . .  15
   12. Security Considerations . . . . . . . . . . . . . . . . . . .  15
   13. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  15
   14. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  15
   15. References  . . . . . . . . . . . . . . . . . . . . . . . . .  15
     15.1.  Normative References . . . . . . . . . . . . . . . . . .  15
     15.2.  Informative References . . . . . . . . . . . . . . . . .  16
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  17






Moreno                   Expires 30 January 2022                [Page 2]


Internet-Draft                LISP Multi-as                    July 2021


1.  Introduction

   Multiple organizations often collaborate and interconnect their
   networks in order to form a larger network that can provide broader
   coverage and connectivity.  When these networks are interconnected
   the organizations enter peering agreements that specify the terms
   under which the connectivity is provided.  Part of such peering
   agreements include the specification of the IP prefixes for which a
   particular organization will agree to provide service.  Traditionally
   these inter-organizational peerings have been implemented using BGP
   and constraining the distribution of routes between the Autonomous
   Systems of the different organizations in order to enforce the
   conditions set in the peering agreements.  This is a tried and proven
   mechanism to integrate networks, but it is not easily extensible to
   include some of the services that overlay networks enable.  One
   example of an overlay service that is not easily ported into the
   native IP routing stack is mobility.  In order to support these
   services, a model for a multi-organizational federated overlay
   network is of interest.  In such a model the multiple organizations
   will peer with each other to provide underlay connectivity and will
   participate in a common overlay network for which the control plane
   will be federated in order to allow the different organizations to
   define and enforce the policies necessary to conform to their peering
   agreements.

   In this model, organizations will be in control of a set of xTRs, a
   series of Map Servers/Resolvers and a portion of the underlay
   topology.  Organizations will be able to author and enforce policies
   governing the reachability of EID prefixes that are registered to
   their Map Servers, as well as the policies that govern when their
   underlay may be used as a transit network for traffic flows between
   end-points registered to other organizations.  The policies enforced
   reflect the peering agreements that may exist between the different
   organizations.

   An important aspect of the peering relationships is the use of
   network resources provided by the portions of the underlay topology
   that are in control of each organization.  The federation mechanisms
   must therefore be aware of the underlay topology.

   These types of networks are found primarily in operations involving
   multiple governments or service providers.  Accountability, policy
   enforcement and autonomy are critical requirements for such
   organizations.  There is a high interest in the creation of a
   federated network, yet the trust levels between organizations are
   low.  Additionally, this federation must function strictly amongst
   peers, without the participation of an intermediary organization or
   any hierarchy amongst the peers.



Moreno                   Expires 30 January 2022                [Page 3]


Internet-Draft                LISP Multi-as                    July 2021


2.  Definition of Terms

   LISP related terms, notably Map-Request, Map-Reply, Ingress Tunnel
   Router (ITR), Egress Tunnel Router (ETR), Map-Server (MS) and Map-
   Resolver (MR) are defined in the LISP specification [RFC6830].

   Terms defining interactions with the LISP Mapping System are defined
   in [RFC6833].

   Terms related to the procedures for signal free multicast are defined
   in [RFC8378].

   The following terms are here defined to facilitate the descriptions
   and discussions within this particular document.

   Organization - An administrative domain which is part of the
   federation.  An organization controls a series of xTRs, Map-Servers/
   Resolvers (MS/MR), portions of the underlay topology, and is
   authoritative for the EIDs registered with its MS/MRs.

   Underlay-AS - The autonomous system which includes all routers,
   control plane and RLOC prefixes for an organization.  Underlay-AS
   will connect to each other at specific BGP peering points at which
   only underlay routing information is exchanged.

   Federated Overlay - The overlay network established collaboratively
   between multiple organizations over a multitude of interconnected
   Underlay-ASs.


3.  Problem statement and Requirements

   The objective is the creation of a cross organizational overlay
   network that would leverage a multi-as underlay to provide a common
   backbone across the different organizations.  The organizations
   should be able to define and enforce policies and agreements around
   the connectivity that will be provided for EID prefixes.  These
   policies are relevant to the use of links and routers in the underlay
   within the boundaries of the different ASs, but are instantiated and
   enforced in the overlay, where the EIDs reside.  Agreements around
   RLOC prefix reachability in the underlay should also be possible.
   All LISP services such as mobility, multi-homing, segmentation,
   Explicit Locator Paths, Signal Free Multicast, etc. should be
   available in this multi-AS backbone.  At the same time, in order to
   maintain control and administrative delineation between the
   organizations, each organization will own and operate a set of MS/MRs
   that participate in the multi-organization LISP Mapping System.




Moreno                   Expires 30 January 2022                [Page 4]


Internet-Draft                LISP Multi-as                    July 2021


   The following reference topology may be used to illustrate possible
   multi-AS underlay connectivity scenarios over which a LISP overlay is
   to be deployed as well as the types of policies, peering agreements
   and transit scenarios that may need to be supported.

           +------------------+               +-------------------+
           |                  |               |                   |
           |    +------+      |               |         +------+  |
           |    |MSMR D|      |               |         |MSMR E|  |
           |    +------+      |               |         +------+  |
           |               +--+-+           +-+--+                |
        +--+--+            |ASBR+-----------+ASBR|             +--+--+
EID-D   |XTR D|            +--+-+           +-+--+             |XTR E|   EID-E
        +--+--+               |               |                +--+--+
           |                  |               |                   |
           | AS-D     +----+  |               |   +----+    AS-E  |
           +----------+ASBR+--+               +---+ASBR+----------+
                      +--+-+                      +--+-+
                         |                           |
                         |                           |
                         |                           |
                      +--+-+                      +--+-+
           +----------+ASBR+--+               +---+ASBR+----------+
           |          +----+  |               |   +----+          |
           |                  |               |                   |
           |    +------+      |               |         +------+  |
           |    |MSMR A|      |               |         |MSMR B|  |
           |    +------+   +--+-+           +-+--+      +------+  |
        +--+--+            |ASBR+-----------+ASBR|             +--+--+
EID-A   |XTR A|            +--+-+           +-+--+             |XTR B|   EID-B
        +--+--+               |               |                +--+--+
           |                  |               |                   |
           | AS-A     +----+  |               |   +----+    AS-B  |
           +----------+ASBR+--+               +---+ASBR+----------+
                      +-+--+                      +--+-+
                        |                            |
                      +-+--+                      +--+-+
               +------+ASBR+----------------------+ASBR+---+
               |      +----+                      +----+   |
               |                  +------+                 |
               |                  |MSMR C|                 |
               |                  +------+                 |
               |                                           |
               | AS-C             +-----+                  |
               +------------------+XTR|C+------------------+
                                  +-----+

                                   EID-C



Moreno                   Expires 30 January 2022                [Page 5]


Internet-Draft                LISP Multi-as                    July 2021


               Figure 1. Multi-AS backbone with LISP overlay

   Figure 1 shows 5 organizations with a partial connectivity mesh in
   the underlay.  Each organization is represented by one AS.  The AS-
   border routers are underlay routers interconnecting the ASs with EBGP
   and have no awareness of the overlay.  From an overlay perspective,
   all organizations are actually part of the same overlay network,
   however the ownership and control of XTR and MS/MR resources is
   scoped by organization within the confines of each AS.

   From the perspective of the connectivity that could be established
   between EID-A and EID-B in the topology of Figure 1, these are some
   of the possible scenarios that could be encountered:

   *  No transit: EID-B is allowed in AS-A and B, but not allowed in AS-
      C, D or E.  The only possible path is the direct peering point
      between AS-A and B

   *  Single AS transit: EID-B is allowed in AS-A, B and C.  EID-B is
      not allowed elsewhere.  AS-C is a possible path for the flow
      between EID-A and EID-B, AS-C would serve as a transit AS for this
      connection.  AS-A would have two possibe paths over which to
      establish the connection with EID-B, the decision on which path to
      use would be based on a local policy at AS-A that would factor the
      terms given to A to use the different ASs in the available paths.

   *  Multi-AS transit: EID-B is allowed in AS-A, B, D and E.  The path
      that traverses AS-D and AS-E is a viable path for the session
      between EID-A and EID-B.  A local ingress policy at AS-A may
      determine if this path is to be used vs. other paths such as the
      direct peering or going over AS-C.  It is important to note that
      for the D,E path to be viable, both AS-D and AS-E must have an
      agreement in which they commit to transporting data for EID-B.  If
      either one of these ASs does not have this agreement, the path
      would not be viable and should not be used.

   The solution provided must allow the evaluation of the viability of
   different paths based on the peering agreements between
   organizations, which would allow or deny specific prefixes from being
   serviced by certain ASs.

   When multiple viable paths are available, the solution should permit
   the definition and enforcement of policies that can be used by the
   ingress AS to select the preferred path for the forwarding of a
   certain flow.  The terms of service over different paths may differ,
   leading to preferences in using the services of one AS over another.





Moreno                   Expires 30 January 2022                [Page 6]


Internet-Draft                LISP Multi-as                    July 2021


   EIDs must be able to move from one AS to another.  All EIDs connected
   to an AS must be registered with the MSMR in that AS and fold under
   the authority of that AS's MSMR.  This is required in order to
   maintain accountability aligned with the AS providing service to a
   particular EID.

   Each organization owns and controls fully all network elements in
   their AS, this includes XTRs, ASBRs, MSMRs as well as any underlay
   routers within the AS.

   The following is a summary list of requirements pertinent to this
   environment:

   *  Organizations should be able to interconnect their backbone
      networks at agreed upon peering points and form a multi-AS
      federated underlay.

   *  Organizations should be able to participate in a common LISP
      overlay over the top of the multi-AS federated underlay.

   *  Ideally the organizations will be able to tunnel traffic directly
      between XTRs belonging to different organizations without
      requiring the deployment of RTRs at the boundaries of the domains.

   *  Peering agreements can be enforced in the underlay control plane
      to influence the multi-AS routing structure in the underlay RLOC
      space.

   *  It must be possible to define and enforce peering agreements and
      policies relevant to EID-prefixes.

   *  All peering and policy is to be negotiated in a federated manner.
      There should not be a need for an intermediary organization that
      brokers connectivity or policy between members of the federation.

   *  An organization should be able to restrict which flows use their
      network resources (underlay)

   *  Policies may allow or deny connectivity to specific prefixes over
      portions of the topology belonging to a particular organization.

   *  Policies may allow or deny transit services to specific prefixes
      over portions of the topology belonging to a particular
      organization.

   *  Organizations may structure their presence in the federation
      regionally.  Thus an organization may have multiple instances
      participate in the federation. e.g.  Org-A-East and Org-A-West.



Moreno                   Expires 30 January 2022                [Page 7]


Internet-Draft                LISP Multi-as                    July 2021


   *  An organization is responsible, accountable and authoritative for
      any host connected to its network (XTRs).  Thus, a roaming host
      must register to the Mapping System for the organization it is
      connected to.

   *  A roaming host should be able to keep its EID constant as it
      roams.

   *  A host may connect to more than one AS.  The host may use
      dedicated EIDs per interface or may use a single EID across all
      interfaces, both cases must be considered.

   *  An organization should own and control the XTRs in their network.

   *  An organization should own and control all routes in its Underlay-
      AS.

   *  Each organization should own and control their own set of MS/MRs.

   *  Each organization should be able to define and enforce
      reachability policies for the EIDs attached to it on the MS/MRs it
      owns/controls.

   *  An organization presented with multiple possible paths to reach a
      particular remote destination should be able to define a
      preference policy amongst the different paths.

   The following sections discuss some of these requirements in more
   detail.

4.  Multi-organizational federated LISP Overlay Network

   In a multi-organizational network, the underlay is a collection of
   interconnected independent networks, each of which is owned and
   operated by a different organization.  The different networks are
   interconnected at EBGP peering points.  Given the use of Location-
   Identity separation, the peering policies enforced by EBGP at these
   peering points will be effective on the RLOCs used in the underlay
   only.  All peering policies for the EID prefixes must be handled in
   the overlay control plane, which may be, in this case, a federation
   of MS/MRs.










Moreno                   Expires 30 January 2022                [Page 8]


Internet-Draft                LISP Multi-as                    July 2021


   Over the top of this underlay, an overlay network is deployed, to
   include XTRs and MS/MRs.  Each organization will be in control of the
   XTRs that are directly connected to their underlay network.
   Furthermore, each organization will have its own set of MS/MRs that
   it will own and control.  One could think of this as a single overlay
   network in which different portions of the network are owned and
   controlled by different organizations.

   The MS/MRs of the different organizations will federate with each
   other without an intermediary and they will handle the resolution of
   EID to RLOC mappings within and across organizations.  The MS/MRs of
   each organization are authoritative for the EID-RLOC mapping
   information for EIDs directly connected to their network, but also
   for the enforcement of policies governing the handling of EID traffic
   that may use the organization's network as a transit network.

5.  Policies and enforcement

   The policies to be enforced will derive mainly from the peering
   agreements between organizations.  These are the policies related to
   the handling of connectivity for EID prefixes and whether specific
   prefixes may be serviced by a specific AS or not.  Although the EIDs
   are handled in the overlay control plane, the enforcement of the
   policies must correlate to the use of the resources in the underlay
   topology in the different ASs.  For instance, if an AS does not
   permit forwarding of traffic for a specific EID prefix, any tunnels
   established to send traffic to that prefix may not traverse any links
   in the underlay that belong to the AS that does not permit the
   prefix.

5.1.  Peering Agreement enforcement Policies

   Based on their peering agreements, organizations may or may not allow
   the servicing of traffic for specific EID-prefixes.  Traditionally
   this has been enforced by including or excluding the advertisment of
   routes into the specific ASs.  In the demand model used in LISP, the
   equivalent would be to provide or withold a valid mapping for the
   destination from a map-response.  Thus, the MS/MRs for all
   organizations in the possible underlay AS_Paths to be used must be
   involved in the process of responding to a Map Request.  This is so
   that the policy can be enforced by the MS/MRs that are authoritative
   for the resources in each AS.  Thus, if any of the ASs a tunnel would
   traverse does not permit the EID in question, the entire path is
   unusable.  It is key to preserve information on richness of paths in
   the underlay.  It may also be necessary to include mechanisms to
   correlate the AS_Path topology in the underlay to the resolution of
   mappings in the underlay.




Moreno                   Expires 30 January 2022                [Page 9]


Internet-Draft                LISP Multi-as                    July 2021


5.1.1.  RLOC alignment to AS_Paths

   In order to share underlay information with the LISP control plane,
   XTRs could provide a dedicated RLOC for each peer-AS with which its
   underlay network AS has a peering relationship.  Thus, if an AS has N
   peering points to N different ASs then there should be N RLOCs
   representing each XTR in the AS.  Each distinct RLOC should only be
   advertised to the peer AS for which it was instantiated.  These
   advertisements are managed by EBGP at the peering points between the
   different networks.  This way, the different RLOCs are representative
   of the different paths through which an AS may be reached, more
   importantly, each RLOC will be mapped unequivocaly to an AS_PATH as
   the RLOC is advertised across the different peering points.  We refer
   to this notion of an RLOC that is only reachable via a particular AS
   as an "AS-aligned-RLOC".  The AS-aligned-RLOC concept allows the
   forwarding over a specific AS_PATH by simply encapsulating traffic to
   a particular RLOC.

   Sending traffic to an EID destination by encapsulating to a
   particular RLOC will result in the tunnel following a certain AS_PATH
   as the specific RLOC should only be allowed in specific ASs.

5.2.  Sender/Ingress Policies

   In a scenarion in which multiple AS_Paths may be followed to arrive
   at the ETR for a particular EID, a sender should be able to select a
   preferred path over which to send traffic for a specific location.
   The selection criteria is based on a subjective score given to each
   peer service based on negotiated peering agreements.  For instance, a
   particular organization may have secured a better rate or
   preferential treatment for certain type of traffic over specific
   providers in the federation.  When faced with multiple options to
   transport traffic to such destinations, there will be a preferred set
   of providers to use.  Each provider is represented by an AS number
   and for each AS the operator sending the traffic may assign a
   preference score.  Since the AS-PATH to the different RLOCs is
   registered in the LISP Mapping Database, it is possible to calculate
   a score of preference for different paths.  The MS/MR sending the
   Map-Response to the requesting ITR will be able to set the LISP
   priorities and weights in the RLOC set of the mappings for these
   destinations and prioritize the use of paths with better negotiated
   terms over paths with a less beneficial agreement.  The
   implementation of a preference score for the different ASs may open
   interesting applications such as the ability to calculate aggregate
   scores for the evaluation of composite paths to different
   destinations.





Moreno                   Expires 30 January 2022               [Page 10]


Internet-Draft                LISP Multi-as                    July 2021


5.2.1.  Application preference policies

   In certain operations (e.g.  ICAO ATN) application preferences may be
   expressed in which a certain application should use a particular CSP
   (AS).  This is a clear example of an ingress policy in which the last
   AS in the path must be the provider with the radio service preferred
   for the application.  As discussed in Section 6 the traffic will be
   identified with an extended-EID in the form of a tuple of a DSCP
   value and an IPv6 address, where the DSCP value represents the
   specific application and the IPv6 address would represent the
   aircraft.  An alternative to this encoding is to simply provide a
   dedicated IPv6 address to each application on the aircraft.  The
   addressing could be structured hierarchically where the aircraft uses
   a covering prefix and the applications are represented by subnets of
   that covering prefix.

6.  Multi-homing

   A host may be connected to more than one AS.  This is known as multi-
   homing.  In the Civil Aviation use case, an aircraft will connect
   simultaneously to multiple radio services, each radio service
   ultimately connects the aircraft to a separate Conectivity Service
   Provider (CSP) backbone.  Each CSP backbone is an Autonomous System
   in the reference model that we have provided.

   The host will connect to different services using different
   interfaces, however it is expected that the host will use a single IP
   address for all interfaces.  This results in an EID that is multi-
   homed.  In the Civil Aviation use case, the EID is an IPv6 prefix
   that uniquely identifies the aircraft.  It has been suggested that
   different addresses may be used on different interfaces.
   Nevertheless, the solution must accommodate both scenarios.

   In a multi-homed scenario, the complete RLOC set for an EID is
   registered to different Map-Servers.  Thus, the RLOC set is merged to
   a complete set upon resolution of the mapping.

   In the Civil Aviation application different applications running on
   the aircraft may be identified with different DSCP values.  There may
   be policy expressing a preference for the use of specific radio
   services for specific applications.  Thus, a DSCP+IPv6 tuple would
   identify traffic for a particular application and this traffic should
   be routed to the AS of the preferred radio service.








Moreno                   Expires 30 January 2022               [Page 11]


Internet-Draft                LISP Multi-as                    July 2021


7.  Regionalization

   An organization, or Connectivity Service Provider (CSP), may be
   organized in regions.  Thus an organization may be in charge of
   multiple ASs, where each AS is a regional network.  The solution
   should allow organizations to articulate intra and inter-regional
   policies in addition to any inter-organizational policies.  Some
   examples of the types of connections expected to utilize these
   regional networks are included in Section 10.

8.  Host Roaming and EID preservation

   EIDs are expected to constantly roam and attach to different
   Connectivity Service Providers (CSPs).  This behavior is combined
   with the multi-homing behavior described in Section 6, so these are
   multi-homed, roaming EIDs.  When EIDs roam, they are expected to
   register with the Map Servers of the organization they are connecting
   to.  Since these EIDs may be multi-homed, they may be registered in
   multiple Map Servers at the time of roaming and the mobility updates
   may also need to be sent back to multiple map-servers.

   In a single AS LISP network, EIDs would not move their registration
   from one Map Server to another, but the EIDs would remain under the
   authority of one Map Server.  There are however a few factors driving
   the requirement for the EIDs to be re-homed to the Map-Server of the
   CSP they are connecting to.  The following list enumerates some of
   those drivers:

   *  Resiliency and survivability.  A problem in one CSP should not
      impact aircraft connected to other CSPs

   *  Latency.  Minimize RTT of signaling

   *  Authority assignment.  CSPs must be able to autonomously render
      and assure services, service levels and the enforcement of
      policies

   *  Accountability and Audit.  CSPs are accountable for all
      communications of connected devices and must be able to show
      complete Audit logs

   *  Trust.  Limited across CSPs, governments and other stakeholders









Moreno                   Expires 30 January 2022               [Page 12]


Internet-Draft                LISP Multi-as                    July 2021


9.  Uberlay Deployment

   This set of requirements originally emerged in the context of an
   Uberlay based LISP design for the International Civil Aviation
   Organization (ICAO).  The base proposal is to have a site-overlay
   deployed for each Connectivity Service Provider and interconnect all
   those site overlays via the Uberlay.  The Uberlay would basically be
   an overlay network running over a multi-AS federated underlay.  As
   the design progressed, the requirements for the enforcement of
   peering agreements that would have normally been implemented in BGP
   became evident.  The need for the LISP enabled services remains key,
   but the requirement for the enforcement of peering agreements is also
   critical.  As these requirements are satisfied, it is important that
   the solution proposed also works in the context of an Uberlay
   deployment.  The federation of the underlay is applicable within and
   outside the scope of an Uberlay deployment.

10.  ICAO use cases

   These use cases are in reference to the solution described in the
   Ground Based LISP draft.  Please refer to [I-D.haindl-lisp-gb-atn]
   for details and terminology.

10.1.  Air Traffic Control

   Air Traffic Control (ATC) communications are Regional, but cross-
   CSPs.

   A dedicated IP address for ATC (ATC-EID) has been proposed.

   Policy: maintain the ATC EIDs local to the region, all CSPs involved
   must be updated

10.2.  Airline Operation Control

   Airline Operation Control (AOC) communications may traverse CSPs,
   often an Airline will work with a single global CSP.

   A dedicated IP address for AOC (AOC-EID) has been proposed.

   Policy: Maintain authority @ connecting CSP's.  This involves Mapping
   System Registrations, Access Control and Accountability.

   Path preferences are expressed by aircraft and rendered by CSPs as
   described in Section 6.






Moreno                   Expires 30 January 2022               [Page 13]


Internet-Draft                LISP Multi-as                    July 2021


10.3.  Multi-link

   Aircraft connects to more than one CSP.

   Aircraft sends communication preferences to A/G-Rs (A/G Interface)
   per GB-LISP

   Mappings are registered with matching Priorities and Weights

   Aircraft signals whether it is leaving a link or adding new links

   RTRs register the separate Aircraft mappings in the different Uberlay
   Map Servers

   Federated MS must merge the mappings for the aircraft

10.4.  Path Preference

   Some policies may dictate path restrictions based on Aircraft or
   Airline preferences as well as CSP peering agreements.  These (x)EID/
   Application level policies must be enforceable in the Uberlay and
   will result in tunnels that traverse specific ASs.

11.  Policy enforcement and Trust

11.1.  Consensus mechanisms and enforceable evidence (data plane)

   A malicious organization could override the Map-Reply information
   received from another organization and violate the restrictions that
   peering agreements may have imposed on certain flows.  In order to
   avoid the possibility of such malicious behavior, a consensus
   mechanism involving the affected organization must be put in place.
   Furthermore, once consensus is achieved, there must be data plane
   mechanisms that would prevent unauthorized traffic from being sent
   over a particular underlay-AS.  The means to achieve consensus and
   data plane verification are likely cryptographic.  This is an area
   clearly open to contributions.  The mechanisms we seek should provide
   the underlay/RLOC layer enforceable information relevant to the EID
   space.  In other words, the model should enable the enforcement of
   EID centered policies in the underlay without the need for
   decapsulation of the traffic.  In order to do so, one option is to
   create trusted metadata that can be used by the underlay to verify
   the validity of a flow.  The metadata would be created
   cryptographically when consensus between the organizations is being
   calculated.






Moreno                   Expires 30 January 2022               [Page 14]


Internet-Draft                LISP Multi-as                    July 2021


11.2.  Topological enforcement (RTRs)

   Another approach to enforcing the EID restrictions posed by peering
   agreements is to deploy RTRs at the AS Border-Routers and treat the
   overlay as an ELP.  This would allow the decapsulation of traffic and
   the inspection of the EIDs in flight to check whether they are
   permitted by the peering agreement.  Although this makes the
   enforcement of policy straightforward, it would require additional
   logic for the signaling across organizations.  Future revisions of
   this document will explore this option should the workgroup not find
   adequate consensus mechanisms with enforceable data plane metadata.

12.  Security Considerations


13.  IANA Considerations

   This document has no IANA implications

14.  Acknowledgements

   The authors want to thank the members of the ICAO mobility Workgroup
   for the countless hours of discussion around their requirements.

15.  References

15.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3618]  Fenner, B., Ed. and D. Meyer, Ed., "Multicast Source
              Discovery Protocol (MSDP)", RFC 3618,
              DOI 10.17487/RFC3618, October 2003,
              <https://www.rfc-editor.org/info/rfc3618>.

   [RFC4601]  Fenner, B., Handley, M., Holbrook, H., and I. Kouvelas,
              "Protocol Independent Multicast - Sparse Mode (PIM-SM):
              Protocol Specification (Revised)", RFC 4601,
              DOI 10.17487/RFC4601, August 2006,
              <https://www.rfc-editor.org/info/rfc4601>.

   [RFC4607]  Holbrook, H. and B. Cain, "Source-Specific Multicast for
              IP", RFC 4607, DOI 10.17487/RFC4607, August 2006,
              <https://www.rfc-editor.org/info/rfc4607>.




Moreno                   Expires 30 January 2022               [Page 15]


Internet-Draft                LISP Multi-as                    July 2021


15.2.  Informative References

   [I-D.haindl-lisp-gb-atn]
              Haindl, B., Lindner, M., Rahman, R., Comeras, M. P.,
              Moreno, V., Maino, F., and B. Venkatachalapathy, "Ground-
              Based LISP for the Aeronautical Telecommunications
              Network", Work in Progress, Internet-Draft, draft-haindl-
              lisp-gb-atn-06, 6 March 2021,
              <https://www.ietf.org/archive/id/draft-haindl-lisp-gb-atn-
              06.txt>.

   [RFC6407]  Weis, B., Rowles, S., and T. Hardjono, "The Group Domain
              of Interpretation", RFC 6407, DOI 10.17487/RFC6407,
              October 2011, <https://www.rfc-editor.org/info/rfc6407>.

   [RFC6830]  Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
              Locator/ID Separation Protocol (LISP)", RFC 6830,
              DOI 10.17487/RFC6830, January 2013,
              <https://www.rfc-editor.org/info/rfc6830>.

   [RFC6831]  Farinacci, D., Meyer, D., Zwiebel, J., and S. Venaas, "The
              Locator/ID Separation Protocol (LISP) for Multicast
              Environments", RFC 6831, DOI 10.17487/RFC6831, January
              2013, <https://www.rfc-editor.org/info/rfc6831>.

   [RFC6833]  Fuller, V. and D. Farinacci, "Locator/ID Separation
              Protocol (LISP) Map-Server Interface", RFC 6833,
              DOI 10.17487/RFC6833, January 2013,
              <https://www.rfc-editor.org/info/rfc6833>.

   [RFC7348]  Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
              L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
              eXtensible Local Area Network (VXLAN): A Framework for
              Overlaying Virtualized Layer 2 Networks over Layer 3
              Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014,
              <https://www.rfc-editor.org/info/rfc7348>.

   [RFC8060]  Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical
              Address Format (LCAF)", RFC 8060, DOI 10.17487/RFC8060,
              February 2017, <https://www.rfc-editor.org/info/rfc8060>.

   [RFC8061]  Farinacci, D. and B. Weis, "Locator/ID Separation Protocol
              (LISP) Data-Plane Confidentiality", RFC 8061,
              DOI 10.17487/RFC8061, February 2017,
              <https://www.rfc-editor.org/info/rfc8061>.






Moreno                   Expires 30 January 2022               [Page 16]


Internet-Draft                LISP Multi-as                    July 2021


   [RFC8111]  Fuller, V., Lewis, D., Ermagan, V., Jain, A., and A.
              Smirnov, "Locator/ID Separation Protocol Delegated
              Database Tree (LISP-DDT)", RFC 8111, DOI 10.17487/RFC8111,
              May 2017, <https://www.rfc-editor.org/info/rfc8111>.

   [RFC8378]  Moreno, V. and D. Farinacci, "Signal-Free Locator/ID
              Separation Protocol (LISP) Multicast", RFC 8378,
              DOI 10.17487/RFC8378, May 2018,
              <https://www.rfc-editor.org/info/rfc8378>.

Author's Address

   Victor Moreno
   Cisco Systems
   170 Tasman Drive
   San Jose, California 95134
   United States of America

   Email: vimoreno@cisco.com
































Moreno                   Expires 30 January 2022               [Page 17]