1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
|
<pre>Independent Submission E. Lear
Request for Comments: 6837 Cisco Systems GmbH
Category: Experimental January 2013
ISSN: 2070-1721
<span class="h1">NERD:</span>
<span class="h1">A Not-so-novel Endpoint ID (EID) to Routing Locator (RLOC) Database</span>
Abstract
The Locator/ID Separation Protocol (LISP) is a protocol to
encapsulate IP packets in order to allow end sites to route to one
another without injecting routes from one end of the Internet to
another. This memo presents an experimental database and a
discussion of methods to transport the mapping of Endpoint IDs (EIDs)
to Routing Locators (RLOCs) to routers in a reliable, scalable, and
secure manner. Our analysis concludes that transport of all EID-to-
RLOC mappings scales well to at least 10^8 entries.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This is a contribution to the RFC Series, independently
of any other RFC stream. The RFC Editor has chosen to publish this
document at its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6837">http://www.rfc-editor.org/info/rfc6837</a>.
<span class="grey">Lear Experimental [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
<span class="grey">Lear Experimental [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-1.1">1.1</a>. Applicability . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-1.2">1.2</a>. Base Assumptions . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-1.3">1.3</a>. What is NERD? . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-1.4">1.4</a>. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-2">2</a>. Theory of Operation . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-2.1">2.1</a>. Database Updates . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-2.2">2.2</a>. Communications between ITR and ETR . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-2.3">2.3</a>. Who are database authorities? . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-3">3</a>. NERD Format . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-3.1">3.1</a>. NERD Record Format . . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-3.2">3.2</a>. Database Update Format . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-4">4</a>. NERD Distribution Mechanism . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-4.1">4.1</a>. Initial Bootstrap . . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-4.2">4.2</a>. Retrieving Changes . . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-5">5</a>. Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-5.1">5.1</a>. Database Size . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-5.2">5.2</a>. Router Throughput versus Time . . . . . . . . . . . . . . <a href="#page-16">16</a>
<a href="#section-5.3">5.3</a>. Number of Servers Required . . . . . . . . . . . . . . . . <a href="#page-16">16</a>
<a href="#section-5.4">5.4</a>. Security Considerations . . . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-5.4.1">5.4.1</a>. Use of Public Key Infrastructures (PKIs) . . . . . . . <a href="#page-19">19</a>
<a href="#section-5.4.2">5.4.2</a>. Other Risks . . . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-6">6</a>. Why not use XML? . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-7">7</a>. Other Distribution Mechanisms . . . . . . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-7.1">7.1</a>. What about DNS as a mapping retrieval model? . . . . . . . <a href="#page-22">22</a>
<a href="#section-7.2">7.2</a>. Use of BGP and LISP+ALT . . . . . . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-7.3">7.3</a>. Perhaps use a hybrid model? . . . . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-8">8</a>. Deployment Issues . . . . . . . . . . . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-8.1">8.1</a>. HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-25">25</a>
<a href="#section-9">9</a>. Open Questions . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-25">25</a>
<a href="#section-10">10</a>. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-26">26</a>
<a href="#section-11">11</a>. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-12">12</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-12.1">12.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-12.2">12.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#appendix-A">Appendix A</a>. Generating and Verifying the Database Signature
with OpenSSL . . . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<span class="grey">Lear Experimental [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The Locator/ID Separation Protocol (LISP) [<a href="./rfc6830" title=""The Locator/ID Separation Protocol (LISP)"">RFC6830</a>] separates an IP
address used by a host and local routing system from the Locators
advertised by BGP participants on the Internet in general, and in the
Default-Free Zone (DFZ) in particular. It accomplishes this by
establishing a mapping between globally unique Endpoint IDs (EIDs)
and Routing Locators (RLOCs). This reduces the amount of state
change that occurs on routers within the DFZ on the Internet, while
enabling end sites to be multihomed.
In some mapping distribution approaches to LISP, the mapping is
learned via data-triggered control messages between Ingress Tunnel
Routers (ITRs) and Egress Tunnel Routers (ETRs) through an alternate
routing topology [<a href="./rfc6836" title=""Locator/ID Separation Protocol Alternative Logical Topology (LISP+ALT)"">RFC6836</a>]. In other approaches of LISP, the mapping
from EIDs to RLOCs is instead learned through some other means. This
memo addresses different approaches to the problem, and specifies a
Not-so-novel EID-to-RLOC Database (NERD) and methods to both receive
the database and to receive updates.
NERD is offered primarily as a way to avoid dropping packets, the
underlying assumption being that dropping packets is bad for
applications and end users. Those who do not agree with this
underlying assumption may find that other approaches make more sense.
NERD is specified in such a way that the methods used to distribute
or retrieve it may vary over time. Multiple databases are supported
in order to allow for multiple data sources. An effort has been made
to divorce the database from access methods so that both can evolve
independently through experimentation and operational validation.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Applicability</span>
This memo is based on experiments performed in the 2007-2009 time
frame. At the time of its publication, the author is unaware of
operational use of NERD. Those wishing to pursue NERD should
consider the substantial amount of work left for the future. See
<a href="#section-10">Section 10</a> for more details.
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Base Assumptions</span>
In order to specify a mapping, it is important to understand how it
will be used, and the nature of the data being mapped. In the case
of LISP, the following assumptions are pertinent:
o The data contained within the mapping changes only on provisioning
or configuration operations, and is not intended to change when a
link either fails or is restored. Some other mechanism, such as
<span class="grey">Lear Experimental [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
the use of LISP Reachability Bits with mapping replies, handles
healing operations, particularly when a tail circuit within a
service provider's aggregate goes down. NERD can be used as a
verification method to ensure that whatever operational mapping
changes an ITR receives are authorized.
o While weight and priority are defined, these are not hop-by-hop
metrics. Hence, the information contained within the mapping does
not change based on where one sits within the topology.
o Because a purpose of LISP is to reduce control-plane overhead by
reducing "rate X state" complexity, updates to the mapping will be
relatively rare.
o Because NERD is designed to ease interdomain routing, its use is
intended within the inter-domain environment. That is, NERD is
best implemented at either the customer edge or provider edge, and
there will be on the order of as many ITRs and EID-Prefixes as
there are connections to Internet service providers by end
customers.
o As such, NERD cannot be the sole means to implement host mobility,
although NERD may be in used in conjunction with other mechanisms.
<span class="h3"><a class="selflink" id="section-1.3" href="#section-1.3">1.3</a>. What is NERD?</span>
NERD is a Not-so-novel EID-to-RLOC Database. It consists of the
following components:
1. a network database format;
2. a change distribution format;
3. a database retrieval/bootstrapping method; and
4. a change distribution method.
The network database format is compressible. However, at this time,
we specify no compression method. NERD will make use of potentially
several transport methods, but most notably HTTP [<a href="./rfc2616" title=""Hypertext Transfer Protocol -- HTTP/1.1"">RFC2616</a>]. HTTP has
restart and compression capabilities. It is also widely deployed.
There exist many methods to show differences between two versions of
a database or a file, UNIX's "diff" being the classic example. In
this case, because the data is well structured and easily keyed, we
can make use of a very simple format for version differences that
<span class="grey">Lear Experimental [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
simply provides a list of EID-to-RLOC mappings that have changed
using the same record format as the database, and a list of EIDs that
are to be removed.
<span class="h3"><a class="selflink" id="section-1.4" href="#section-1.4">1.4</a>. Glossary</span>
The reader is once again referred to [<a href="./rfc6830" title=""The Locator/ID Separation Protocol (LISP)"">RFC6830</a>] for a general glossary
of terms related to LISP. The following terms are specific to this
memo.
Base Distribution URI: An Absolute-URI as defined in <a href="./rfc3986#section-4.3">Section 4.3 of
[RFC3986]</a> from which other references are relative. The base
distribution URI is used to construct a URI to an EID-to-RLOC
mapping database. If more than one NERD is known, then there will
be one or more base distribution URIs associated with each
(although each such base distribution URI may have the same
value).
EID Database Authority: The authority that will sign database files
and updates. It is the source of both.
The Authority: Shorthand for the EID Database Authority.
NERD: Not-so-novel EID-to-RLOC Database.
AFI Address Family Identifier.
Pull Model: An architecture where clients pull only the information
they need at any given time, such as when a packet arrives for
forwarding.
Push Model: An architecture in which clients receive an entire
dataset, containing data they may or may not require, such as
mappings for EIDs that no host served is attempting to send to.
Hybrid Model: An architecture in which some information is pushed
toward the receiver from a source and some information is pulled
by the receiver.
<span class="grey">Lear Experimental [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Theory of Operation</span>
Operational functions are split into two components: database updates
and state exchange between ITR and ETR during a communication.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Database Updates</span>
What follows is a summary of how NERDs are generated and updated.
Specifics can be found in <a href="#section-3">Section 3</a>. The general way in which NERD
works is as follows:
1. A NERD is generated by an authority that allocates Provider-
Independent (PI) addresses (e.g., IANA or a Regional Internet
Registry (RIR)) that are used by sites as EIDs. As part of this
process, the authority generates a digest for the database and
signs it with a private key whose public key is part of an X.509
certificate. [<a href="#ref-ITU.X509.2000">ITU.X509.2000</a>] That signature along with a copy of
the authority's public key is included in the NERD.
2. The NERD is distributed to a group of well-known servers.
3. ITRs retrieve an initial copy of the NERD via HTTP when they come
into service.
4. ITRs are preconfigured with a group of certificates whose private
keys are used by database authorities to sign the NERD. This
list of certificates should be configurable by administrators.
5. ITRs next verify both the validity of the public key and the
signed digest. If either fail validation, the ITR attempts to
retrieve the NERD from a different source. The process iterates
until either a valid database is found or the list of sources is
exhausted.
6. Once a valid NERD is retrieved, the ITR installs it into both
non-volatile and local memory.
7. At some point, the authority updates the NERD and increments the
database version counter. At the same time, it generates a list
of changes, which it also signs, as it does with the original
database.
8. Periodically, ITRs will poll from their list of servers to
determine if a new version of the database exists. When a new
version is found, an ITR will attempt to retrieve a change file,
using its list of preconfigured servers.
<span class="grey">Lear Experimental [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
9. The ITR validates a change file just as it does the original
database. Assuming the change file passes validation, the ITR
installs new entries, overwrites existing ones, and removes empty
entries, based on the content of the change file.
As time goes on, it is quite possible that an ITR may probe a list of
configured peers for a database or change file copy. It is equally
possible that peers might advertise to each other the version number
of their database. Such methods are not explored in depth in this
memo but are mentioned for future consideration.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Communications between ITR and ETR</span>
[<a id="ref-RFC6830">RFC6830</a>] describes the basic approach to what happens when a packet
arrives at an ITR, and what communications between the ITR and ETR
take place. NERD provides an optimistic approach to establishing
communications with an ETR that is responsible for a given EID-
Prefix. State must be kept, however, on an ITR to determine whether
that ETR is in fact reachable. It is expected that this is a common
requirement across LISP mapping systems, and will be handled in the
core LISP architecture.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Who are database authorities?</span>
This memo does not specify who the database authority is. That is
because there are several possible operational models. In each case,
the number of database authorities is meant to be small so that ITRs
need only keep a small list of authorities, similar to the way a name
server might cache a list of root servers.
o A single database authority exists. In this case, all entries in
the database are registered to a single entity, and that entity
distributes the database. Because the EID space is provider-
independent address space, there is no architectural requirement
that address space be hierarchically distributed to anyone, as
there is with provider-assigned address space. Hence, there is a
natural affinity between the IANA function and the database
authority function.
o Each region runs a database authority. In this case, provider-
independent address space is allocated to either RIRs or to
affiliates of such organizations of network operations guilds
(NOGs). The benefit of this approach is that there is no single
organization that controls the database. It allows one database
authority to back up another. One could envision as many as ten
database authorities in this scenario. One drawback to this
<span class="grey">Lear Experimental [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
approach, however, is that any reference to a region imposes a
notion of locality, thus potentially diminishing the split between
Locator and identifier.
o Each country runs a database authority. This could occur should
countries decide to regulate this function. While limiting the
scope of any single database authority as the previous scenario
describes, this approach would introduce some overhead as the list
of database authorities would grow to as many as 200, and possibly
more if jurisdictions within countries attempted to regulate the
function. There are two drawbacks to this approach. First, as
distribution of EIDs is driven to more local jurisdictions, an
EID-Prefix is tied even more tightly to a location. Second, a
large number of database authorities will demand some sort of
discovery mechanism.
o Independent operators manage database authorities. This has the
appeals of being location independent and enabling competition for
good performance. This method has the drawback of potentially
requiring a discovery mechanism.
The latter two approaches are not mutually exclusive. While this
specification allows for multiple databases, discovery mechanisms are
left as future work.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. NERD Format</span>
The NERD consists of a header that contains a database version and a
signature that is generated by ignoring the signature field and
setting the authentication block length to 0 (NULL). The
authentication block itself consists of a signature and a certificate
whose private-key counterpart was used to generate the signature.
Records are kept sorted in numeric order with AFI plus EID as primary
key and prefix length as secondary. This is so that after a database
update it should be possible to reconstruct the database to verify
the digest signature, which may be retrieved separately from the
database for verification purposes.
<span class="grey">Lear Experimental [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Schema Vers=1 | DB Code | Database Name Size |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Database Version |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Old Database Version or 0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Database Name |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PKCS#7 Block Size | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| PKCS#7 Block Containing Certificate and Signature |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Database Header
The 'DB Code' field indicates 0 if what follows is an entire database
or 1 if what follows is an update. The 'Database Version' field
holds the database file version, which is incremented each time the
complete database is generated by the authority. In the case of an
update, the field indicates the new database file version, and the
old database file version is indicated in the 'Old Database Version'
field. The database file version is used by routers to determine
whether or not they have the most current database.
The 'Database Name' field holds a DNS-ID, as specified in [<a href="./rfc6125" title=""Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)"">RFC6125</a>].
This is the name that will appear in the Subject field of the
certificate used to verify the database. The purpose of the database
name is to allow for more than one database. Such databases would be
merged by the router. It is important that an EID-to-RLOC mapping be
listed in no more than one database, lest inconsistencies arise.
However, it may be possible to transition a mapping from one database
to another. During the transition period, the mappings would be
identical. When they are not, the resultant behavior will be
undefined. The database name is padded with NULLs to the nearest
fourth byte.
The PKCS#7 [<a href="./rfc2315" title=""PKCS #7: Cryptographic Message Syntax Version 1.5"">RFC2315</a>] authentication block contains a DER-encoded
[<a href="#ref-ITU.X509.2000">ITU.X509.2000</a>] signature and associated public key. For the
purposes of this experiment, all implementations will support the RSA
encryption signature algorithm and SHA1 digest algorithm, and the
standard attributes are expected to be present.
<span class="grey">Lear Experimental [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
N.B., it has been suggested that the Cryptographic Message Syntax
(CMS) [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>] be used instead of PKCS#7. At the time this
experiment was performed, CMS was not yet widely deployed. However,
it is certainly the correct direction and should be strongly
considered in future related work.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. NERD Record Format</span>
As distributed over the network, NERD records appear as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Num. RLOCs | EID Pref. Len | EID AFI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Endpoint identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Priority 1 | Weight 1 | AFI 1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Routing Locator 1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Priority 2 | Weight 2 | AFI 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Routing Locator 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Priority 3 | Weight 3 | AFI 3 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Routing Locator 3... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
EID AFI is the AFI of the EID. Priority N, Weight N, and AFI N are
associated with Routing Locator N. There will always be at least one
RLOC. The minimum record size for IPv4 is 16 bytes. Each additional
IPv4 RLOC increases the record size by 8 bytes. The purpose of this
format is to keep the database compact, but somewhat easily read.
The meaning of weight and priority are described in [<a href="./rfc6830" title=""The Locator/ID Separation Protocol (LISP)"">RFC6830</a>]. The
format of the AFI is specified by IANA in the "Address Family
Numbers" registry, with the exception of how IPv6 EID-Prefixes are
stored.
NERD assumes that EIDs stored in the database are prefixes, and
therefore are accompanied with prefix lengths. In order to reduce
storage and transmission amounts for IPv6, only the necessary number
of bytes of an EID as specified by the prefix length are kept in the
record, rounded to the nearest 4-byte (word) boundary. For instance,
if the prefix length is /49, the nearest 4-byte word boundary would
require that 8 bytes are stored. IPv6 RLOCs are represented as
normal 128-bit IPv6 addresses.
<span class="grey">Lear Experimental [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Database Update Format</span>
A database update contains a set of changes to an existing database.
Each {AFI, EID, mask-length} tuple may have zero or more RLOCs
associated with it. In the case where there are no RLOCs, the EID
entry is removed from the database. Records that contain EIDs and
prefix lengths that were not previously listed are simply added.
Otherwise, the old record for the EID and prefix length is replaced
by the more current information. The record format used by the
database update is the same as described in <a href="#section-3.1">Section 3.1</a>.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. NERD Distribution Mechanism</span>
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Initial Bootstrap</span>
Bootstrap occurs when a router needs to retrieve the entire database.
It knows it needs to retrieve the entire database because either it
has none or it has an update too substantial to process, as might be
the case if a router has been out of service for a substantially
lengthy period of time.
To bootstrap, the ITR appends the database name plus "/current/
entiredb" to a base distribution URI and retrieves the file via HTTP.
More formally (using ABNF from [<a href="./rfc5234" title=""Augmented BNF for Syntax Specifications: ABNF"">RFC5234</a>]):
entire-db = base-uri dbname "/current/entiredb"
base-uri = uri ; from <a href="./rfc3986">RFC 3986</a>
dbname = DNS-ID ; from <a href="./rfc6125">RFC 6125</a>
For example, if the base distribution URI is
"http://www.example.com/eiddb/", and assuming a database name of
"nerd.arin.net", the ITR would request
"http://www.example.com/eiddb/nerd.arin.net/current/entiredb".
Routers check the signature on the database prior to installing it,
and they check that the database schema matches a schema they
understand. Once a router has a valid database, it stores that
database in some sort of non-volatile memory (e.g., disk, flash
memory, etc).
N.B., the host component for such URIs should not resolve to a LISP
EID, lest a circular dependency be created.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Retrieving Changes</span>
In order to retrieve a set of database changes, an ITR will have
previously retrieved the entire database. Hence, it knows the
current version of the database it has. Its first step for
retrieving changes is to retrieve the current version number of the
<span class="grey">Lear Experimental [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
database. It does so by appending "/current/version" to the base
distribution URI and database name and retrieving the file. Its
format is text, and it contains the integer value of the current
database version.
Once an ITR has retrieved the current version, it compares the
version of its local copy. If there is no difference, then the
router is up to date and need take no further actions until it next
checks.
If the versions differ, the router next sends a request for the
appropriate change file by appending "current/changes/" and the
textual representation of the version of its local copy of the
database to the base distribution URI. More formally:
db-version = base-uri dbname "/current/version"
db-curupdate = base-uri dbname "/current/changes/" old-version
old-version = 1*DIGIT
For example, if the current version of the database is 1105503, the
router's version is 1105500, and the base URI and database name are
the same as above, the router would first request
"http://www.example.com/eiddb/nerd.arin.net/current/version" to
determine that it is out of date, and also to learn the current
version. It would then attempt to retrieve
"http://www.example.com/eiddb/nerd.arin.net/current/changes/1105500".
The server may not have that change file, either because there are
too many versions between what the router has and what is current or
because no such change file was generated. If the server has changes
from the router's version to any later version, the server issues an
HTTP redirect to that change file, and the router retrieves and
processes it. More formally:
db-incupdate = base-uri dbname "/" newer-version
"/changes/" old-version
newer-version = 1*DIGIT
For example:
"http://www.example.com/eiddb/nerd.arin.net/1105450/changes/1105401"
would update a router from version 1105401 to 1105450. Once it has
done so, the router should then repeat the process until it has
brought itself up to date.
<span class="grey">Lear Experimental [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
This begs the question: how does a router know to retrieve version
1105450 in our example above? It cannot. A redirect must be given
by the server to that URI when the router attempts to retrieve
differences from the current version, say, 1105503.
While it is unlikely that database versions would wrap, as they
consist of 32-bit integers, should the event occur, ITRs should
attempt first to retrieve a change file when their current version
number is within 10,000 of 2^32 and they see a version available that
is less than 10,000. Barring the availability of a change file, the
ITR can still assume that the database version has wrapped and
retrieve a new copy. It may be safer in future work to include
additional wrap information or a larger field to avoid having to use
any heuristics.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Analysis</span>
We will start our analysis by looking at how much data will be
transferred to a router during bootstrap conditions. We will then
look at the bandwidth required. Next, we will turn our concerns to
servers. Finally, we will ponder the effect of providing only
changes.
In the analysis below, we treat the overhead of the database header
as insignificant (because it is). The analysis should be similar,
whether a single database or multiple databases are employed, as we
would assume that no entry would appear more than once.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Database Size</span>
By its very nature, the information to be transported is relatively
static and is specifically designed to be topologically insensitive.
That is, every ITR is intended to have the same set of RLOCs for a
given EID. While some processing power will be necessary to install
a table, the amount required should be far less than that of a
routing information database because the level of entropy is intended
to be lower.
For purposes of this analysis, we will assume that the world has
migrated to IPv6, as this increases the size of the database, which
would be our primary concern. However, to mitigate the size
increase, we have limited the size of the prefix transmitted. For
purposes of this analysis, we shall assume an average prefix length
of 64 bits.
<span class="grey">Lear Experimental [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
Based on that assumption, <a href="#section-3.1">Section 3.1</a> states that mapping information
for each EID/prefix includes a group of RLOCs, each with an
associated priority and weight, and that a minimum record size with
IPv6 EIDs with at least one RLOC is 30 bytes uncompressed. Each
additional IPv6 RLOC costs 20 bytes.
+-----------+--------+--------+---------+
| 10^n EIDs | 2 RLOC | 4 RLOC | 8 RLOC |
+-----------+--------+--------+---------+
| 4 | 500 KB | 900 KB | 1.70 MB |
| 5 | 5.0 MB | 9.0 MB | 17.0 MB |
| 6 | 50 MB | 90 MB | 170 MB |
| 7 | 500 MB | 900 MB | 1.70 GB |
| 8 | 5.0 GB | 9.0 GB | 17.0 GB |
+-----------+--------+--------+---------+
Table 1: Database size for IPv6 routes with average prefix length of
64 bits
Entries in the above table are derived as follows:
E * (30 + 20 * (R - 1 ))
where E = number of EIDs (10^n), R = number of RLOCs per EID.
Our scaling target is to accommodate 10^8 multihomed systems, which
is one order of magnitude greater than what is discussed in [<a href="#ref-CARP07" title=""IETF Plenary Presentation: Routing and Addressing: Where we are today"">CARP07</a>].
At 10^8 entries, a device could be expected to use between 5 and 17
GB of RAM for the mapping. No matter the method of distribution, any
router that sits in the core of the Internet would require near this
amount of memory in order to perform the ITR function. Large-
enterprise ETRs would be similarly strained, simply due to the
diversity of sites that communicate with one another. The good news
is that this is not our starting point, but rather our scaling
target, a number that we intend to reach by the year 2050. Our
starting point is more likely in the neighborhood of 10^4 or 10^5
EIDs, thus requiring between 500 KB and 17 MB.
<span class="grey">Lear Experimental [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Router Throughput versus Time</span>
+-------------------+---------+---------+----------+--------+
| Table Size (10^n) | 1 MB/s | 10 MB/s | 100 MB/s | 1 GB/s |
+-------------------+---------+---------+----------+--------+
| 6 | 8 | 0.8 | 0.08 | 0.008 |
| 7 | 80 | 8 | 0.8 | 0.08 |
| 8 | 800 | 80 | 8 | 0.8 |
| 9 | 8,000 | 800 | 80 | 8 |
| 10 | 80,000 | 8,000 | 800 | 80 |
| 11 | 800,000 | 80,000 | 8,000 | 800 |
+-------------------+---------+---------+----------+--------+
Table 2: Number of seconds to process NERD
The length of time it takes to receive the database is significant in
models where the device acquires the entire table. During this
period of time, either the router will be unable to route packets
using LISP or it must use some sort of query mechanism for specific
EIDs as it populates the rest of its table through the transfer.
Table 2 shows us that at our scaling target, the length of time it
would take for a router using 1 MB/s of bandwidth is about 80
seconds. We can measure the processing rate in small numbers of
hours for any transfer speed greater than that. The fastest
processing time shows us as taking 8 seconds to process an entire
table of 10^9 bytes and 80 seconds for 10^10 bytes.
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. Number of Servers Required</span>
As easy as it may be for a router to retrieve, the aggregate
information may be difficult for servers to transmit, assuming the
information is transmitted in aggregate (we'll revisit that
assumption later).
+----------------+------------+-----------+------------+------------+
| # Simultaneous | 10 Servers | 100 | 1,000 | 10,000 |
| Requests | | Servers | Servers | Servers |
+----------------+------------+-----------+------------+------------+
| 100 | 720 | 72 | 72 | 72 |
| 1,000 | 7,200 | 720 | 72 | 72 |
| 10,000 | 72,000 | 7,200 | 720 | 72 |
| 100,000 | 720,000 | 72,000 | 7,200 | 720 |
| 1,000,000 | 7,200,000 | 720,000 | 72,000 | 7,200 |
| 10,000,000 | 72,000,000 | 7,200,000 | 720,000 | 72,000 |
+----------------+------------+-----------+------------+------------+
Table 3: Retrieval time per number of servers in seconds
<span class="grey">Lear Experimental [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
This assumes an average of 10^8 entries with 4 RLOCs per EID and that
each server has access to 1 GB/s, 100% efficient use of that
bandwidth, and no compression.
Entries in the above table were generated using the following method:
For 10^8 entries with four RLOCs per EID, the table size is 9.0 GB,
per our previous table. Assume 1 GB/s transfer rates and 100%
utilization. Protocol overhead is ignored for this exercise. Hence,
a single transfer X takes 48 seconds and can get no faster.
With this in mind, each entry is as follows:
max(1X,N*X/S)
where N = number of transfers,
X = 72 seconds, and
S = number of servers.
If we have a distribution model in which every device must retrieve
the mapping information upon start, Table 3 shows the length of time
in seconds it will take for a given number of servers to complete a
transfer to a given number of devices. This table says, as an
example, that it would take 72,000 seconds (20 hours) for 1,000,000
ITRs to simultaneously retrieve the database from 1,000 servers,
assuming equal load distribution. Should a cold-start scenario
occur, this number should be of some concern. Hence, it is important
to take some measures both to avoid such a scenario and to ease the
load should it occur. The primary defense should be for ITRs to
first attempt to retrieve their databases from their peers or
upstream providers. Secondary defenses could include data sanity
checks within ITRs, with agreed norms for how much the database
should change in any given update or over any given period of time.
As we will see below, dissemination of changes is considerably less
volume.
+----------------+-------------+---------------+----------------+
| % Daily Change | 100 Servers | 1,000 Servers | 10,000 Servers |
+----------------+-------------+---------------+----------------+
| 0.1% | 300 | 30 | 3 |
| 0.5% | 1,500 | 150 | 15 |
| 1% | 3,000 | 300 | 30 |
| 5% | 15,000 | 1,500 | 150 |
| 10% | 30,000 | 3,000 | 300 |
+----------------+-------------+---------------+----------------+
Table 4: Transfer times for hourly updates, shown in seconds
<span class="grey">Lear Experimental [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
Assuming 10 million routers and a database size of 9 GB, resulting
transfer times for hourly updates are shown in seconds, given number
of servers and daily rate of change. Note that when insufficient
resources are devoted to servers, an unsustainable situation arises
where updates for the next batch would begin prior to the completion
of the current batch.
This table shows us that with 10,000 servers the average transfer
time with 1 GB/s links for 10,000,000 routers will be 300 seconds
with 10% daily change spread over 24 hourly updates. For a 0.1%
daily change, that number is 3 seconds for a database of size 9.0 GB.
The amount of change goes to the purpose of LISP. If its purpose is
to provide effective multihoming support to end customers, then we
might anticipate relatively few changes. If, on the other hand,
service providers attempt to make use of LISP to provide some form of
traffic engineering, we can expect the same data to change more
often. We cannot conclude much in this regard without additional
operational experience. The one thing we can say is that different
applications of LISP may require new and different distribution
mechanisms. Such optimization is left for another day.
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. Security Considerations</span>
If an attacker can forge an update or tamper with the database, he
can in effect redirect traffic to end sites. Hence, integrity and
authenticity of the NERD is critical. In addition, a means is
required to determine whether a source is authorized to modify a
given database. No data privacy is required. Quite to the contrary,
this information will be necessary for any ITR.
The first question one must ask is who to trust to provide the ITR a
mapping. Ultimately, the owner of the EID-Prefix is most
authoritative for the mapping to RLOCs. However, were all owners to
sign all such mappings, ITRs would need to know which owner is
authorized to modify which mapping, creating a problem of O(N^2)
complexity.
We can reduce this problem substantially by investing some trust in a
small number of entities that are allowed to sign entries. If an
authority manages EIDs much the same way a domain name registrar
handles domains, then the owner of the EID would choose a database
authority she or he trusts, and ITRs must trust each such authority
in order to map the EIDs listed by that authority to RLOCs. This
reduces the amount of management complexity on the ETR to retaining
knowledge of O(# authorities), but does require that each authority
establish procedures for authenticating the owner of an EID. Those
procedures needn't be the same.
<span class="grey">Lear Experimental [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
There are two classic methods to ensure integrity of data:
o secure transport of the source of the data to the consumer, such
as Transport Layer Security (TLS) [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>]; and
o provide object-level security.
These methods are not mutually exclusive, although one can argue
about the need for the former, given the latter.
In the case of TLS, when it is properly implemented, the objects
being transported cannot easily be modified by interlopers or so-
called men in the middle. When data objects are distributed to
multiple servers, each of those servers must be trusted. As we have
seen above, we could have quite a large number of servers, thus
providing an attacker a large number of targets. We conclude that
some form of object-level security is required.
Object-level security involves an authority signing an object in a
way that can easily be verified by a consumer, e.g., a router. In
this case, we would want the mapping table and any incremental update
to be signed by the originator of the update. This implies that we
cannot simply make use of a tool like CVS [<a href="#ref-CVS" title=""CVS: Concurrent Versions System"">CVS</a>]. Instead, the
originator will want to generate diffs, sign them, and make them
available either directly or through some sort of content
distribution or peer to peer network.
<span class="h4"><a class="selflink" id="section-5.4.1" href="#section-5.4.1">5.4.1</a>. Use of Public Key Infrastructures (PKIs)</span>
X.509 provides a certificate hierarchy that has scaled to the size of
the Internet. The system is most manageable when there are few
certificates to manage. The model proposed in this memo makes use of
one current certificate per database authority. The two pieces of
information necessary to verify a signature, therefore, are as
follows:
o the certificate of the database authority, which can be provided
along with the database; and
o the certificate authority's certificate.
The latter two pieces of information must be very well known and must
be configured on each ITR. It is expected that both would change
very rarely, and it would not be unreasonable for such updates to
occur as part of a normal OS release process.
<span class="grey">Lear Experimental [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
The tools for both signing and verifying are readily available.
OpenSSL (<a href="http://www.openssl.org">http://www.openssl.org</a>) provides tools and libraries for
both signing and verifying. Other tools commonly exist.
Use of PKIs is not without implementation complexity, operational
complexity, or risk. The following risks and mitigations are
identified with NERD's use of PKIs:
The private key of a NERD authority is exposed:
In this case, an attacker could sign a false database update,
either redirecting traffic or otherwise causing havoc. The NERD
administrator must revoke its existing key and issue a new one.
The certificate is added to a certificate revocation list (CRL),
which may be distributed with both this and other databases, as
well as through other channels. Because this event is expected to
be rare, and the number of database authorities is expected to be
small, a CRL will be small. When a router receives a revocation,
it checks it against its existing databases, and attempts to
update the one that is revoked. This implies that prior to
issuing the revocation, the database authority would sign an
update with the new key. Routers would discard updates they have
already received that were signed after the revocation was
generated. If a router cannot confirm whether the authority's
certificate was revoked before or after a particular update, it
will retrieve a fresh new copy of the database with a valid
signature.
The private key associated with a CA in the chain of trust of the
Authority's certificate is compromised:
In this case, it becomes possible for an attacker to masquerade as
the database authority. To ameliorate damage, the database
authority revokes its certificate and get a new certificate issued
from a CA that is not compromised. Once it has done so, the
previous procedure is followed. The compromised certificate can
be removed during the normal OS upgrade cycle. In the case of the
root authority, the situation could be more serious. Updates to
the OS in the ITR need to be validated prior to installation. One
possible method of doing this is provided in [<a href="./rfc4108" title=""Using Cryptographic Message Syntax (CMS) to Protect Firmware Packages"">RFC4108</a>]. Trust
anchors are assumed to be updated as part of an OS update;
implementors should consider using a key other than the trust
anchor for validating OS updates.
<span class="grey">Lear Experimental [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
An algorithm used if either the certificate or the signature is
cracked:
This is a catastrophic failure and the above forms of attack
become possible. The only mitigation is to make use of a new
algorithm. In theory, this should be possible, but in practice it
has proved very difficult. For this reason, additional work is
recommended to make alternative algorithms available.
The NERD authority loses its key or disappears:
In this case, nobody can update the existing database. There are
few programmatic mitigations. If the database authority places
its private keys and suitable amounts of information in escrow,
under agreed upon circumstances (for example, no updates for three
days), the escrow agent would release the information to a party
competent of generating a database update.
<span class="h4"><a class="selflink" id="section-5.4.2" href="#section-5.4.2">5.4.2</a>. Other Risks</span>
Because this specification does not require secure transport, if an
attacker prevents updates to an ITR for the purposes of having that
ITR continue to use a compromised ETR, the ITR could continue to use
an old version of the database without realizing a new version has
been made available. If one is worried about such an attack, a
secure channel (such as SSL) to a secure chain back to the database
authority should be used. It is possible that, after some
operational experience, later versions of this format will contain
additional semantics to address this attack. SSL would also prevent
attempts to spoof false database versions on the server.
As discussed above, substantial risk would be a cold-start scenario.
If an attacker found a bug in a common OS that allowed it to erase an
ITR's database, and was able to disseminate that bug, the collective
ability of ITRs to retrieve new copies of the database could be taxed
by collective demand. The remedy to this is for devices to share
copies of the database with their peers, thus making each potential
requester a potential service.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Why not use XML?</span>
Many objects these days are distributed as either XML pages or
something derived as XML [<a href="#ref-W3C.REC-xml11-20040204">W3C.REC-xml11-20040204</a>], such as SOAP
[<a href="#ref-W3C.REC-soap12-part1-20070427">W3C.REC-soap12-part1-20070427</a>] [<a href="#ref-W3C.REC-soap12-part2-20070427">W3C.REC-soap12-part2-20070427</a>]. Use
of such well-known standards allows for high-level tools and library
reuse. XML's strength is extensibility. Without a doubt XML would
be more extensible than a fixed field database. Why not, then, use
these standards in this case? The greatest concern the author had
was compactness of the data stream. In as much as this mechanism is
<span class="grey">Lear Experimental [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
used at all in the future, so long as that concern could be
addressed, and so long as signatures of the database can be verified,
XML probably should be considered.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Other Distribution Mechanisms</span>
We now consider various different mechanisms. The problem of
distributing changes in various databases is as old as databases.
The author is aware of two obvious approaches that have been well
used in the past. One approach would be the wide distribution of CVS
repositories. However, for reasons mentioned in <a href="#section-5.4">Section 5.4</a>, CVS is
insufficient to the task.
The other tried and true approach is the use of periodic updates in
the form of messages. The good old Network News Transfer Protocol
(NNTP) [<a href="./rfc3977" title=""Network News Transfer Protocol (NNTP)"">RFC3977</a>] itself provides two separate mechanisms (one push
and another pull) to provide a coherent update process. This was in
fact used to update molecular biology databases [<a href="#ref-gb91" title=""A mechanism for maintaining an up-to-date GenBank database via Usenet"">gb91</a>] in the early
1990s. Netnews offers a way to determine whether articles with
specified Article-Ids have been received. In the case where the
mapping file source of authority wishes to transmit updates, it can
sign a change file and then post it into the network. Routers merely
need to keep a record of article ids that it has received. Netnews
systems have years ago handled far greater volume of traffic than we
envision [<a href="#ref-Usenet" title=""Usenet"">Usenet</a>]. Initially this is probably overkill, but it may
not be so later in this process. Some consideration should be given
to a mechanism known to widely distribute vast amounts of data, as
instantaneously as either the sender or the receiver wishes.
To attain an additional level of hierarchy in the distribution
network, service providers could retrieve information to their own
local servers and configure their routers with the host portion of
the above URI.
Another possibility would be for providers to establish an agreement
on a small set of anycast addresses for use for this purpose. There
are limitations to the use of anycast, particularly with TCP. In the
midst of a routing flap, an anycast address can become all but
unusable. Careful study of such a use as well as appropriate use of
HTTP redirects is expected.
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. What about DNS as a mapping retrieval model?</span>
It has been proposed that a query/response mechanism be used for this
information and specifically that the Domain Name System (DNS)
[<a href="./rfc1034" title=""Domain names - concepts and facilities"">RFC1034</a>] be used. The previous models do not preclude DNS. DNS has
the advantage that the administrative lines are well drawn, and that
the ID-to-RLOC mapping is likely to appear very close to these
<span class="grey">Lear Experimental [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
boundaries. DNS also has the added benefit that an entire
distribution infrastructure already exists. There are, however, some
problems that could impact end hosts when intermediate routers make
queries, some of which were first pointed out in [<a href="./rfc1383" title=""An Experiment in DNS Based IP Routing"">RFC1383</a>]:
o Any query mechanism offers an opportunity for a resource attack if
an attacker can force the ITR to query for information. In this
case, all that would be necessary would be for a "botnet" (a group
of computers that have been compromised and used as vehicles to
attack others) to ping or otherwise contact via some normal
service hosts that sit behind the ETR. If the botnet hosts
themselves are behind ETRs, the victim's ITR will need to query
for each and every one of them, thus becoming part of a classic
reflector attack.
o Packets will be delayed at the very least, and probably dropped in
the process of a mapping query. This could be at the beginning of
a communication, but it will be impossible for a router to
conclude with certainty that this is the case.
o The DNS has a backoff algorithm that presumes that applications
are making queries prior to the beginning of a communication.
This is appropriate for end hosts who know in fact when a
communication begins. An end user may not enjoy that a router is
waiting seconds for a retry.
o While the administrative lines may appear to be correct, the
location of name servers may not be. If name servers sit within
PI address space, thus requiring LISP to reach, a circular
dependency is created. This is precisely where many enterprise
name servers sit. The LISP experiment should not predicate its
success on relocation of such name servers.
Nevertheless, DNS may be able to play a role in providing the
enterprise control over the mapping of its EIDs to RLOCs. Posit a
new DNS record "EID2RLOC". This record is used by the authority to
collect and aggregate mapping information so that it may be
distributed through one of the other mechanisms. As an example:
$ORIGIN 0.10.PI-SPACE.
128 EID2RLOC mask 23 priority 10 weight 5 172.16.5.60
EID2RLOC mask 23 priority 15 weight 5 192.168.1.5
In the above figure, network 10.0.128/23 would delegated to some end
system, say, EXAMPLE.COM. They would manage the above zone
information. This would allow a DNS mechanism to work, but it would
also allow someone to aggregate the information and distribute a
table.
<span class="grey">Lear Experimental [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Use of BGP and LISP+ALT</span>
The Border Gateway Protocol (BGP) [<a href="./rfc4271" title=""A Border Gateway Protocol 4 (BGP-4)"">RFC4271</a>] is currently used to
distribute inter-domain routing throughout the Internet. Why not,
then, use BGP to distribute mapping entries, or provide a rendezvous
mechanism to initialize mapping entries? In fact, this is precisely
what LISP Alternative Topology (LISP+ALT) [<a href="./rfc6836" title=""Locator/ID Separation Protocol Alternative Logical Topology (LISP+ALT)"">RFC6836</a>] accomplishes,
using a completely separate topology from the normal DFZ. It does so
using existing code paths and expertise. The alternative topology
also provides an extremely accurate control path from ITRs to ETRs,
whereas NERD's operational model requires an optimistic assumption
and control-plane functionality to cycle through unresponsive ETRs in
an EID-Prefix's mapping entry. The memory-scaling characteristics of
LISP+ALT are extremely attractive because of expected strong
aggregation, whereas NERD makes almost no attempt at aggregation.
A number of key deployment issues are left open. The principle issue
is whether it is deemed acceptable for routers to drop packets
occasionally while mapping information is being gathered. This
should be the subject of future research for ALT, as it was a key
design goal of NERD to avoid such a situation.
<span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. Perhaps use a hybrid model?</span>
Perhaps it would be useful to use both a prepopulated database such
as NERD and a query mechanism (perhaps LISP+ALT, LISP-CONS
[<a href="#ref-LISP-CONS">LISP-CONS</a>], or DNS) to determine an EID-to-RLOC mapping. One idea
would be to receive a subset of the mappings, say, by taking only the
NERD for certain regions. This alleviates the need to drop packets
for some subset of destinations under the assumption that one's
business is localized to a particular region. If one did not have a
local entry for a particular EID, one would then make a query.
One approach to using DNS to query live would be to periodically walk
"interesting" portions of the network, in search of relevant records,
and to cache them to non-volatile storage. While preventing resource
attacks, the walk itself could be viewed as an attack, if the
algorithm was not selective enough about what it thought was
interesting. A similar approach could be applied to LISP+ALT or
LISP-CONS by forcing a data-driven Map Reply for certain sites.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Deployment Issues</span>
While LISP and NERD are intended as experiments at this point, it is
already obvious one must give serious consideration to circular
dependencies with regard to the protocols used and the elements
within them.
<span class="grey">Lear Experimental [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. HTTP</span>
In as much as HTTP depends on DNS, either due to the authority
section of a URI or to the configured base distribution URI, these
same concerns apply. In addition, any HTTP server that itself makes
use of Provider-Independent addresses would be a poor choice to
distribute the database for these exact same reasons.
One issue with using HTTP is that it is possible that a middlebox of
some form, such as a cache, may intercept and process requests. In
some cases, this might be a good thing. For instance, if a cache
correctly returns a database, some amount of bandwidth is conserved.
On the other hand, if the cache itself fails to function properly for
whatever reason, end-to-end connectivity could be impaired. For
example, if the cache itself depended on the mapping being in place
and functional, a cold-start scenario might leave the cache
functioning improperly, in turn providing routers no means to update
their databases. Some care must be given to avoid such
circumstances.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Open Questions</span>
Do we need to discuss reachability in more detail? This was clearly
an issue at the IST-RING (Information Science Technologies - Routing
in Next Generation) workshop. There are two key issues. First, what
is the appropriate architectural separation between the data plane
and the control plane? Second, is there some specific way in which
NERD impacts the data plane?
Should we specify a (perhaps compressed) tarball that treads a middle
ground for the last question, where each update tarball contains both
a signature for the update and for the entire database, once the
update is applied?
Should we compress? In some initial testing of databases with 1, 5,
and 10 million IPv4 EIDs and a random distribution of IPv4 RLOCs, the
current format in this document compresses down by a factor of
between 35% and 36%, using Burrows-Wheeler block sorting text
compression algorithm (bzip2). The NERD used random EIDs with prefix
lengths varying from 19-29 bits, with probability weighted toward the
smaller masks. This only very roughly reflects reality. A better
test would be to start with the existing prefixes found in the DFZ.
<span class="grey">Lear Experimental [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Conclusions</span>
This memo has specified a database format, an update format, a URI
convention, an update method, and a validation method for EID-to-RLOC
mappings. We have shown that beyond the predictions of 10^8 EID-
prefix entries, the aggregate database size would likely be at most
17 GB. We have considered the amount of servers to distribute that
information, and we have demonstrated the limitations of a simple
content distribution network and other well-known mechanisms. The
effort required to retrieve a database change amounts to between 3
and 30 seconds of processing time per hour at today's gigabit speeds.
We conclude that there is no need for an off-box query mechanism
today and that there are distinct disadvantages for having such a
mechanism in the control plane.
Beyond this, we have examined alternatives that allow for hybrid
models that do use query mechanisms, should our operating assumptions
prove overly optimistic. Use of NERD today does not foreclose use of
such models in the future, and in fact both models can happily
coexist.
Since the first draft of this document in 2007, portions of this work
have been implemented. Future work should consider the size of
fields, such as the version field, as well as key roll-over and
revocation issues. As previously noted, CMS is now widely deployed.
Current work on DNS-based authentication of named entities [<a href="./rfc6698" title=""The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA"">RFC6698</a>]
may provide a means to test authorization of a NERD provider to carry
a specific prefix.
We leave to future work how the list of databases is distributed, how
BGP can play a role in distributing knowledge of the databases, and
how DNS can play a role in aggregating information into these
databases.
We also leave to future work whether HTTP is the best protocol for
the job, and whether the scheme described in this document is the
most efficient. One could easily envision that when applied in high-
delay or high-loss environments, a broadcast or multicast method may
prove more effective.
Speaking of multicast, we also leave to future work how multicast is
implemented, if at all, either in conjunction or as an extension to
this model.
Finally, perhaps the most interesting future work would be to
understand if and how NERD could be integrated with the LISP mapping
server [<a href="./rfc6833" title=""Locator/ID Separation Protocol (LISP) Map-Server Interface"">RFC6833</a>].
<span class="grey">Lear Experimental [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. Acknowledgments</span>
Dino Farinacci, Patrik Faltstrom, Dave Meyer, Joel Halpern, Jim
Schaad, Dave Thaler, Mohamed Boucadair, Robin Whittle, Max Pritikin,
Scott Brim, S. Moonesamy, and Stephen Farrel were very helpful with
their reviews of this work. Thanks also to the participants of the
Routing Research Group and the IST-RING workshop held in Madrid in
December of 2007 for their incisive comments. The astute will notice
a lengthy References section. This work stands on the shoulders of
many others' efforts.
<span class="h2"><a class="selflink" id="section-12" href="#section-12">12</a>. References</span>
<span class="h3"><a class="selflink" id="section-12.1" href="#section-12.1">12.1</a>. Normative References</span>
[<a id="ref-ITU.X509.2000">ITU.X509.2000</a>]
International Telecommunications Union, "Information
technology - Open Systems Interconnection - The Directory:
Public-key and attribute certificate frameworks",
ITU-T Recommendation X.509, ISO Standard 9594-8,
March 2000.
[<a id="ref-RFC3986">RFC3986</a>] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
<a href="./rfc3986">RFC 3986</a>, January 2005.
[<a id="ref-RFC5234">RFC5234</a>] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, <a href="./rfc5234">RFC 5234</a>, January 2008.
[<a id="ref-RFC6125">RFC6125</a>] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", <a href="./rfc6125">RFC 6125</a>, March 2011.
[<a id="ref-RFC6830">RFC6830</a>] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
Locator/ID Separation Protocol (LISP)", <a href="./rfc6830">RFC 6830</a>,
January 2013.
<span class="h3"><a class="selflink" id="section-12.2" href="#section-12.2">12.2</a>. Informative References</span>
[<a id="ref-CARP07">CARP07</a>] Carpenter, B., "IETF Plenary Presentation: Routing and
Addressing: Where we are today", March 2007.
[<a id="ref-CVS">CVS</a>] Grune, R., Baalbergen, E., Waage, M., Berliner, B., and J.
Polk, "CVS: Concurrent Versions System", November 1985.
<span class="grey">Lear Experimental [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
[<a id="ref-LISP-CONS">LISP-CONS</a>]
Farinacci, D., Fuller, V., and D. Meyer, "LISP-CONS: A
Content distribution Overlay Network Service for LISP",
Work in Progress, April 2008.
[<a id="ref-RFC1034">RFC1034</a>] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, <a href="./rfc1034">RFC 1034</a>, November 1987.
[<a id="ref-RFC1383">RFC1383</a>] Huitema, C., "An Experiment in DNS Based IP Routing",
<a href="./rfc1383">RFC 1383</a>, December 1992.
[<a id="ref-RFC2315">RFC2315</a>] Kaliski, B., "PKCS #7: Cryptographic Message Syntax
Version 1.5", <a href="./rfc2315">RFC 2315</a>, March 1998.
[<a id="ref-RFC2616">RFC2616</a>] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", <a href="./rfc2616">RFC 2616</a>, June 1999.
[<a id="ref-RFC3977">RFC3977</a>] Feather, C., "Network News Transfer Protocol (NNTP)",
<a href="./rfc3977">RFC 3977</a>, October 2006.
[<a id="ref-RFC4108">RFC4108</a>] Housley, R., "Using Cryptographic Message Syntax (CMS) to
Protect Firmware Packages", <a href="./rfc4108">RFC 4108</a>, August 2005.
[<a id="ref-RFC4271">RFC4271</a>] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
Protocol 4 (BGP-4)", <a href="./rfc4271">RFC 4271</a>, January 2006.
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", <a href="./rfc5246">RFC 5246</a>, August 2008.
[<a id="ref-RFC5652">RFC5652</a>] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
<a href="./rfc5652">RFC 5652</a>, September 2009.
[<a id="ref-RFC6698">RFC6698</a>] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", <a href="./rfc6698">RFC 6698</a>, August 2012.
[<a id="ref-RFC6833">RFC6833</a>] Farinacci, D. and V. Fuller, "Locator/ID Separation
Protocol (LISP) Map-Server Interface", <a href="./rfc6833">RFC 6833</a>,
January 2013.
[<a id="ref-RFC6836">RFC6836</a>] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis,
"Locator/ID Separation Protocol Alternative Logical
Topology (LISP+ALT)", <a href="./rfc6836">RFC 6836</a>, January 2013.
[<a id="ref-Usenet">Usenet</a>] Wikipedia, "Usenet", January 2013,
<<a href="http://en.wikipedia.org/w/index.php?title=Usenet&oldid=531545312">http://en.wikipedia.org/w/index.php?</a>
<a href="http://en.wikipedia.org/w/index.php?title=Usenet&oldid=531545312">title=Usenet&oldid=531545312</a>>.
<span class="grey">Lear Experimental [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
[<a id="ref-W3C.REC-soap12-part1-20070427">W3C.REC-soap12-part1-20070427</a>]
Gudgin, M., Lafon, Y., Moreau, J., Hadley, M., Karmarkar,
A., Mendelsohn, N., and H. Nielsen, "SOAP Version 1.2 Part
1: Messaging Framework (Second Edition)", World Wide Web
Consortium Recommendation REC-soap12-part1-20070427,
April 2007,
<<a href="http://www.w3.org/TR/2007/REC-soap12-part1-20070427">http://www.w3.org/TR/2007/REC-soap12-part1-20070427</a>>.
[<a id="ref-W3C.REC-soap12-part2-20070427">W3C.REC-soap12-part2-20070427</a>]
Karmarkar, A., Hadley, M., Mendelsohn, N., Nielsen, H.,
Lafon, Y., Gudgin, M., and J. Moreau, "SOAP Version 1.2
Part 2: Adjuncts (Second Edition)", World Wide Web
Consortium Recommendation REC-soap12-part2-20070427,
April 2007,
<<a href="http://www.w3.org/TR/2007/REC-soap12-part2-20070427">http://www.w3.org/TR/2007/REC-soap12-part2-20070427</a>>.
[<a id="ref-W3C.REC-xml11-20040204">W3C.REC-xml11-20040204</a>]
Cowan, J., Maler, E., Sperberg-McQueen, C., Paoli, J.,
Bray, T., and F. Yergeau, "Extensible Markup Language
(XML) 1.1", World Wide Web Consortium First
Edition REC-xml11-20040204, February 2004,
<<a href="http://www.w3.org/TR/2004/REC-xml11-20040204">http://www.w3.org/TR/2004/REC-xml11-20040204</a>>.
[<a id="ref-gb91">gb91</a>] Smith, R., Gottesman, Y., Hobbs, B., Lear, E.,
Kristofferson, D., Benton, D., and P. Smith, "A mechanism
for maintaining an up-to-date GenBank database via
Usenet", Computer Applications in the
Biosciences (CABIOS), April 1991.
<span class="grey">Lear Experimental [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Generating and Verifying the Database Signature with</span>
OpenSSL
As previously mentioned, one goal of NERD was to use off-the-shelf
tools to both generate and retrieve the database. To many, PKI is
magic. This section is meant to provide at least some clarification
as to both the generation and verification process, complete with
command-line examples. Not included is how you get the entries
themselves. We'll assume they exist and that you're just trying to
sign the database.
To sign the database, to start with, you need a database file that
has a database header described in <a href="#section-3">Section 3</a>. Block size should be
zero, and there should be no PKCS#7 block at this point. You also
need a certificate and its private key with which you will sign the
database.
The OpenSSL "smime" command contains all the functions we need from
this point forth. To sign the database, issue the following command:
openssl smime -binary -sign -outform DER -signer yourcert.crt \
-inkey yourcert.key -in database-file -out signature
-binary states that no MIME canonicalization should be performed.
-sign indicates that you are signing the file that was given as the
argument to -in. The output format (-outform) is binary DER, and
your public certificate is provided with -signer along with your key
with -inkey. The signature itself is specified with -out.
The resulting file "signature" is then copied into to PKCS#7 block in
the database header, its size in bytes is recorded in the PKCS#7
block size field, and the resulting file is ready for distribution to
ITRs.
To verify a database file, first retrieve the PKCS#7 block from the
file by copying the appropriate number of bytes into another file,
say, "signature". Next, zero this field, and set the block size
field to 0. Next use the "smime" command to verify the signature as
follows:
openssl smime -binary -verify -inform DER -content database-file
-out /dev/null -in signature
OpenSSL will return "Verification OK" if the signature is correct.
OpenSSL provides sufficiently rich libraries to accomplish the above
within the C programming language with a single pass.
<span class="grey">Lear Experimental [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc6837">RFC 6837</a> NERD LISP EID Mapping Transport January 2013</span>
Author's Address
Eliot Lear
Cisco Systems GmbH
Richtistrasse 7
Wallisellen CH-8304
Switzerland
Phone: +41 44 878 9200
EMail: lear@cisco.com
Lear Experimental [Page 31]
</pre>
|
