| Internet-Draft | v6-LLDP | December 2019 |
| Richardson | Expires 20 June 2020 | [Page] |
This document describes a mechanism to encapsulate IPv6 packets over the Link-Local Discovery Protocol (LLDP). The LLDP is a single layer-two protocol and is never forwarded, which is a desireable property when building the IPv6-over-IPsec-over-IPv6-Link-Local tunnels that make up the ANIMA Autonomic Control Plane (ACP).¶
This unorthodox encapsulation avoids unwanted interactions between the ACP packets and native packet forwarding engines, as well as being safe for layer-2 switches which might otherwise have no IPv6 capabilities.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 20 June 2020.¶
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
The IEEE802.1AB Link Layer Discovery Protocol (LLDP) is a one-hop, vendor-neutral link-layer protocol used by end host network Things for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network.¶
Its Type-Length-Value (TLV) design allows for "vendor-specific" extensions to be defined. IANA has a registered IEEE 802 organizationally unique identifier (OUI) defined as documented in [RFC7042].¶
The creation and maintenance of the Autonomic Control Plane described in [I-D.ietf-anima-autonomic-control-plane] requires creation of hop-by-hop discovery of adjacent systems. There are Campus L2 systems that are not broadcast safe until they have been connected to their Software Defined Networking (SDN) controller. The use of the stable connectivity provided by [RFC8368] can provide the SDN connectivity required.¶
There is a bootstrap problem: the network may be unsafe for ACP discovery broadcasts until configured, and it can not be autonomically configured until the ACP discovery (and onboarding process) is done.¶
LLDP provides an out, as it is never forwarded to other ports, and it discovers all compliant layer-2 devices in a network, even if they do not normally do layer-3 forwarding.¶
Additional LLDP has the advantage that received LLDP frames are already configured in routing fabrics to be send up to the control plane processor, with information identifying which physical port it was received on. This is exactly the desired data flow for the [I-D.ietf-anima-autonomic-control-plane]: all traffic goes to the control processor.¶
This document provides a way to transmit the IPv6 Link-Layer packets that are needed for formation of the [I-D.ietf-anima-autonomic-control-plane]. Those packets types include: IPv6 Neighbor Discovery, GRASP DULL over IPv6 Link-Local, IPsec ESP and IKEv2 packets.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The LLDP vendor-specific frame has the following format:¶
+--------+--------+----------+---------+-------------- |TLV Type| len | OUI |subtype | IPv6 fragment | =127 | |= 00 00 5E| = TBD | |(7 bits)|(9 bits)|(3 octets)|(1 octet)|(1-255 octets) +--------+--------+----------+---------+--------------¶
where:¶
The vendor-specific frame has a limit of 255 octets, while IPv6 has a minimum MTU of 1280 bytes. An LLDP frame can contain more than one TLV, and ethernet accomodates up to 1500 bytes (often larger), so it should all fit. Two possible solutions are discussed here:¶
The second method seems more obvious but it is unclear if all LLDP subsystems would permit TLVs to be repeated, or if they would keep the TLVs in the correct order. While the IANA has only 253 available TLVs, and perhaps a request for 6 values might seem excessive, if this resource was depleted, a new OUI could be used.¶
An OUI specific to this effort could be allocated, or a vendor OUI could be used during prototyping.¶
The simplest encapsulation would put the entire IPv6 packet, including the IPv6 header in. This takes a bit more space, but provides the maximum flexibility.¶
This flexibility may come at a cost of creating a new attack surface for devices. Any L2 connected device may not inject IPv6 frames into the control plane of the adjacenty router.¶
The [I-D.ietf-anima-autonomic-control-plane] use case only sends IPv6 Link-Local packets. The IPv6 source and destination address are always directly related to the L2 Ethernet headers, with the use of SLAAC derived IIDs, and the prefix "fe80".¶
This proposal is to include only the fields: 1. Payload Length 2. Next Header¶
The Hop Limit is always 1 for Link-Local packets. The Flow Label is always 0.¶
Note that in the [I-D.ietf-anima-autonomic-control-plane] a mesh of IPsec tunnels is created on top of ESP packets over IPv6 Link-Local, and within that tunnel all of IPv6 can be sent.¶
The use hard coding of so many values significantly limits the attack surface possible.¶
An option similar to above, yet providing a bit more flexibility is to use [RFC8138] compression of packets as it done on low powered 802.15.4 networks.¶
This results in compression that is close to what option 2 provides, yet provides for a lot of flexibility.¶
This option requires more code, may be subject to new attacks on the decompression code, and expands the attack surface to all of IPv6, as well as the RFC8138 compression code.¶
Hello.¶