Network Working Group                                            S. Peng
Internet-Draft                                                   R. Zhao
Intended status: Standards Track                     Huawei Technologies
Expires: 1 October 2022                                    30 March 2022


             Tracing process in IPv6 VPN Tunneling Networks
                   draft-peng-6man-tracing-option-00

Abstract

   This document specifies the tracing process in IPv6 VPN tunneling
   networks for diagnostic purposes.  An IPv6 Tracing Option is
   specified to collect and carry the required key information in an
   effective manner to correctly construct ICMPv4 and ICMPv6 Time
   Exceeded messages at the corresponding nodes, i.e. CE and P nodes,
   respectively.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 1 October 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.



Peng & Zhao              Expires 1 October 2022                 [Page 1]


Internet-Draft        Tracing in IPv6 VPN Tunneling           March 2022


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Terminologies . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  IPv6 Tracing Option . . . . . . . . . . . . . . . . . . . . .   4
   5.  Tracing Process in different modes of the ingress PE  . . . .   5
     5.1.  Tracing Process in Uniform mode . . . . . . . . . . . . .   5
     5.2.  Tracing Process in Pipe mode  . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   ICMPv6 (Internet Control Message Protocol) RFC 4443 [RFC4443] is used
   by IPv6 nodes to report errors encountered in processing packets and
   to perform other internet-layer functions, such as diagnostics
   (ICMPv6 "ping").  RFC 4443 [RFC4443] describes the format of a set of
   control messages used in ICMPv6, including the Time Exceeded Message.
   Every ICMPv6 message is preceded by an IPv6 header and zero or more
   IPv6 extension headers.  The ICMPv6 header is identified by a Next
   Header value of 58 in the immediately preceding header.

   If a router receives a packet with a Hop Limit of zero, or if a
   router decrements a packet's Hop Limit to zero, it MUST discard the
   packet and originate an ICMPv6 Time Exceeded message with Code 0 to
   the source of the packet.

   In the case of VPN, as shown in Figure 1, where CE1 and CE2 are IPv4,
   an IPv6 tunnel exists between PE1 and PE2, and all the nodes belong
   to a single network operator.  For diagnostic purposes, CE1 sends out
   an IPv4 packet with its TTL set to a value.  The IPv4 packet is
   encapsulated within the IPv6 tunnel at PE1.  The TTL of the IPv4
   packet will be copied, based on which a new value will be set as the
   Hop Limit in the outer IPv6 tunnel header.  The new Hop Limit value
   depends on the mode configured on PE1, i.e., Uniform mode or Pipe
   mode RFC 3443 [RFC3443].  If it is the Uniform mode, the Hop Limit
   will be the TTL value in the received packet minus one.  When an
   intermediate router P decrements the Hop Limit in the outer tunnel
   header to zero, an ICMPv6 Time Exceeded Message needs to be sent back
   to the source, which should be the CE1 via PE1.





Peng & Zhao              Expires 1 October 2022                 [Page 2]


Internet-Draft        Tracing in IPv6 VPN Tunneling           March 2022


   The Pipe mode can be used to detect the routing loop.  If it is the
   Pipe mode configured on PE1, the Hop Limit will be set to be the
   maximum value (e.g., 64).  In this case, when an intermediate router
   P decrements the Hop Limit in the outer tunnel header to zero, it
   means that the routing loop has happened, and this packet needs to be
   dropped.


            IPv4   |<========== IPv6 Tunnel =========>|   IPv4
        (CE1)-----(PE1)-------------(P)------------(PE2)-----(CE2)
                <--|              <--|
                ICMPv4            ICMPv6

           Figure 1. The tracing in IPv6 VPN tunneling networks



   In order to construct a correct ICMPv4 Time Exceeded Message at PE1
   and send it to CE1, a couple of key information is required:

   1) The IPv4 address of the access interface at the P node, which will
   be taken as the source address of the ICMPv4 Time Exceeded Message.

   2) The VPN information, which is used to identify the VPN, either
   using the VPN ID or the Access Interface ID at the PE1.

   However, currently this information is missing and there is still no
   appropriate way to collect and carry it to the right nodes.

   This document specifies the tracing process in IPv6 VPN tunneling
   networks.  An IPv6 Tracing Option is specified to collect and carry
   the required key information in an effective manner to correctly
   construct ICMPv4 and ICMPv6 Time Exceeded messages at the
   corresponding nodes, i.e. CE and P nodes, respectively.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 RFC 2119 [RFC2119] RFC 8174 [RFC8174] when, and only when, they
   appear in all capitals, as shown here.

3.  Terminologies

   TTL: Time To Live

   ICMP: Internet Control Message Protocol



Peng & Zhao              Expires 1 October 2022                 [Page 3]


Internet-Draft        Tracing in IPv6 VPN Tunneling           March 2022


4.  IPv6 Tracing Option

   The tracing option has the following format.


                   Option    Option    Option
                   Type    Data Len   Data
                +--------+--------+--------+--------+
                |BBCTTTTT|00000110|Version |Flag|V|U|
                +--------+--------+--------+--------+
                |            Identifier             |
                +--------+--------+--------+--------+

      Option Type (see Section 4.2 of [RFC8200]):

      BB      00  Skip over this option and continue processing.

      C       0   Option data can not change en route to the packet's
                      final destination.

      TTTTT   TBD Option Type to be assigned from IANA.

      Length   6  8-bit unsigned integer indicates the length of the
                  option Data field of this option, in octets.
                  The value of Opt Data Len of the IPv6 Tracing option
                  SHOULD be set to 6.

      Version  n  8 bits. It indicates the version of this mechanism.

      Flag     n  8 bits, where:

      U        n  1 bit. U-Flag. If set by the ingress PE it indicates
                  that the Uniform mode is configured on the ingress PE.
                  Otherwise, the ingress PE is on the pipe mode.

      V        n  1 bit. V-Flag. If set by the ingress PE it indicates
                      that the carried following Identifier is a VPNID.
                  Otherwise, it is the Access Interface ID.

   Identifier  n  4 octets. It is used to identify the VPN, either using
                  the VPN ID or the Access Interface ID, as indicated
                  by the V flag.









Peng & Zhao              Expires 1 October 2022                 [Page 4]


Internet-Draft        Tracing in IPv6 VPN Tunneling           March 2022


5.  Tracing Process in different modes of the ingress PE

   The diagnostic IPv4 packet sent by CE is encapsulated within the IPv6
   tunnel at the ingress PE.  The TTL of the IPv4 packet is copied,
   based on which a new value is set as the Hop Limit in the outer IPv6
   tunnel header.

   The ingress PE can be configured in two modes, that is, Uniform mode
   and Pipe mode.  The new Hop Limit value depends on the mode
   configured on PE1.  If it is the Uniform mode, the Hop Limit will be
   the TTL value in the received packet minus one.  If it is the Pipe
   mode, the Hop Limit will be set to be the maximum value (e.g., 255).
   More details are described below.

5.1.  Tracing Process in Uniform mode

   When the ingress PE is configured in Uniform Mode, the inner and
   outer TTLs of the packets are synchronized at tunnel ingress (PE1)
   and egress (PE2).

   Figure 2 shows the tracing process in the Uniform Mode.  When an IP
   packet (shown as (1) in the figure and with TTL = n) reaches the
   ingress PE (PE1), it is encapsulated by the ingress PE into a newly
   created IPv6 header and an extension header (Hop-by-Hop Options
   Header or Destination Options Header RFC 8200 [RFC8200]) carrying the
   IPv6 Tracing Option defined in this document.  The Hop Limit is set
   to be n - 1, shown as (2) in the figure.

   When the Hop Limit becomes zero, the P node will check whether the
   IPv6 Tracing Option is carried.  If carried, the information in the
   IPv6 Tracing Option will trigger the following actions.

   If the U-flag is set, it means that the ingress PE is in the Uniform
   Mode, so an ICMPv6 packet (shown as (3) in the figure) will be sent
   back to the PE1.  The SA of the packet is the IPv6 address of the P
   node, while the DA is the IPv6 address of the PE1.  The ICMPv6 Error
   Message carries the IPv4 address of the input port interface of the
   packet entering the P node, which will be taken as the source address
   of the ICMPv4 message to be sent by the ingress PE towards CE1.

   When the packet (3) is received by PE1, the PE1 will construct an
   ICMPv4 packet (4) and send it to CE1.  At the PE1, the information in
   the carried IPv6 Tracing Option will be read and the VPN using which
   to continue to forwarding the packet to the corresponding CE will be
   identified using the V-Flag and the value of the Identifier in the
   IPv6 Tracing Option.





Peng & Zhao              Expires 1 October 2022                 [Page 5]


Internet-Draft        Tracing in IPv6 VPN Tunneling           March 2022


               |<============ Tunnel ===========>|

                    +---(n-2)-------(n-i)---+
                   /      (outer header)     \
                (n-1)                      (n-i-1)
                 /                             \
      >--(n)--Encap.................(n-1)......Decap--(n-i-2)-->
    (CE1)     (PE1)                  (P)       (PE2)         (CE2)

      (1)->          (2)->         <-(3)
   +------+       +-------+       +-------+
   |  SA  |\      |SA PE1 |\      | SA P  |
   +------+ \     +-------+ \     +-------+
   |  DA  |  \    |DA Out |  \    | DA PE1|
   +------+   \   +-------+   \   +-------+
   |TTL=n |    \  |HL=n-1 |    \  | HL=64 |
   +------+     \ +-------+     \ +-------+
   |  PL  |      \|Option |      \|ICMPv6 | => P's input inf IPv4 addr
   +------+       +-------+       +-------+
           \      |   SA  |       |SA PE1 |
            \     +-------+       +-------+
             \    |   DA  |       |DA Out |
              \   +-------+       +-------+
               \  |TTL=n-1|       |HL=n-i |
                \ +-------+       +-------+
                 \|   PL  |       |Option |
                  +-------+       +-------+
                           \      |   SA  |
                            \     +-------+
                             \    |   DA  |
                              \   +-------+
                               \  |TTL=n-1|
                                \ +-------+
                                 \|   PL  |
         <-(4)                    +-------+
       +--------+
       |SA P Inf|
       +--------+
       | DA CE1 |          SA - Source Address (Inner)
       +--------+          DA - Destination Address (Inner)
       | ICMPv4 |          PL - Payload
       +--------+          HL - Hop Limit
       |   SA   |          Out - Outer
       +--------+
       |   DA   |
       +--------+
       |TTL=n-1 |
       +--------+



Peng & Zhao              Expires 1 October 2022                 [Page 6]


Internet-Draft        Tracing in IPv6 VPN Tunneling           March 2022


       |   PL   |
       +--------+
           Figure 2. The tracing process in the Uniform Mode



5.2.  Tracing Process in Pipe mode

   When the ingress PE is configured in Pipe Mode, the inner and outer
   TTLs of the packets will not be synchronized at tunnel ingress (PE1)
   and egress (PE2).  The tunnel will be taken as one hop by the inner
   packet, as shown in Figure 3.

   The Hop Limit will be set to be the maximum value (e.g., 64) at the
   ingress PE.  Since it is set to the maximum value, in normal case,
   the Hop Limit will not become zero at any P node.  So the only reason
   when the Hop Limit becomes zero is that a routing loop is detected.
   In this case, the packet needs to be dropped.

   If the U-flag is not set, it means that the ingress PE is in the Pipe
   Mode, and the packet (i.e. (2) as shown in Figure 2) will be dropped
   when the Hop Limit becomes zero either at the P node (no ICMPv6
   packet (i.e. (3) as shown in Figure 2) ) or the PE1 node when the P
   node does not have the dropping capability.


               |<============ Tunnel ===========>|

                    +---(Max-1)---(Max-i)---+
                   /      (outer header)     \
                (Max)                     (Max-i-1)
                 /                             \
      >--(n)--Encap...........(n-1)...........Decap--(n-2)-->
    (CE1)     (PE1)             (P)           (PE2)        (CE2)

          Figure 3. The tracing process in the Pipe Mode



6.  IANA Considerations

   IANA is requested to allocate one new option type from "Destination
   Options and Hop-by-Hop Options" registry.








Peng & Zhao              Expires 1 October 2022                 [Page 7]


Internet-Draft        Tracing in IPv6 VPN Tunneling           March 2022


              +=======+=====================+===========+
              | Value | Name                | Reference |
              +=======+=====================+===========+
              | TBD1  | IPv6 Tracing Option | This ID   |
              +-------+---------------------+-----------+


7.  Acknowledgements

   The authors would like to thank the careful reviews and valuable
   comments from Stefano Previdi.

8.  Security Considerations

   TBD

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3443]  Agarwal, P. and B. Akyol, "Time To Live (TTL) Processing
              in Multi-Protocol Label Switching (MPLS) Networks",
              RFC 3443, DOI 10.17487/RFC3443, January 2003,
              <https://www.rfc-editor.org/info/rfc3443>.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
              Control Message Protocol (ICMPv6) for the Internet
              Protocol Version 6 (IPv6) Specification", STD 89,
              RFC 4443, DOI 10.17487/RFC4443, March 2006,
              <https://www.rfc-editor.org/info/rfc4443>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

9.2.  Informative References

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017,
              <https://www.rfc-editor.org/info/rfc8200>.





Peng & Zhao              Expires 1 October 2022                 [Page 8]


Internet-Draft        Tracing in IPv6 VPN Tunneling           March 2022


Authors' Addresses

   Shuping Peng
   Huawei Technologies
   Beijing
   China
   Email: pengshuping@huawei.com


   Ranxiao Zhao
   Huawei Technologies
   Beijing
   China
   Email: zhaoranxiao@huawei.com





































Peng & Zhao              Expires 1 October 2022                 [Page 9]