[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

revised requirements draft



[ post by non-subscriber.  with the massive amount of spam, it is easy to
  miss and therefore delete mis-posts.  so fix subscription addresses! ]

Hi all,

Thomas and Sean asked me to make some edits to the -02 requirements
draft, drawing on what consensus I could see from the list archives
(including Michael Py's rolling summary of issues, which was very
handy).

What follows below is a candidate -03 draft. Here's a summary of the
pertinent diffs; comments most welcome. Note that this draft has not
been sent to the rfc editor yet, so if people have comments I'll
harvest the diffs paragraph by paragraph and make changes appropriately.

|3.1.7 Impact on DNS
|
|   Multi-homing solutions either MUST be compatible with the observed
|   dynamics of the current DNS system, or the solutions MUST have
|   demonstrate that the modified name resolution system required to
|   support them are readily deployable.

New section, based on suggestions from Christian Huitema and RJ
Atkinson. Brian Carpenter included a requirement that a proposed
solution should include an analysis of its impact on the DNS, which
I omitted since it seems inherent in 3.1.7 that analysis is required.

|3.1.8 Packet Filtering
|
|   Multihoming solutions MUST NOT preclude filtering packets with forged
|   or otherwise inappropriate source IP addresses at the administrative
|   boundary of the multi-homed site.
|

 3.2.6 Cooperation between Transit Providers

    A multihoming strategy MAY require cooperation between a site and its
|   transit providers, but MUST NOT require cooperation (relating
|   specifically to the multi-homed site) directly between the transit
|   providers.

The phrase in brackets was added. This makes the grammar horrible; sorry
about that.

|3.2.7 Multiple Solutions

|   There MAY be more than one approach to multi-homing, provided all
|   approaches are orthogonal (e.g.  each approach addresses a distinct
|   segment or category within the site multi-homing problem.  Multiple
|   solutions will incur a greater management overhead within the IESG,
|   however, and the adopted solutions SHOULD attempt to cover as many
|   multi-homing scenarios as possible.

This covers, I think, the issue raised by Christian, and is based on his
text with suggestions from RJ Atkinson and Rob Rockell.

 4. Security Considerations

|   A multihomed site MUST NOT be more vulnerable to security breaches
|   than a traditionally IPv4-multihomed site.

This requirement has become weaker, but more reasonable (suggested by
Eliot Lear, Rob Rockell).

There was an additional requirement suggested by Christian about single
points of failure in topologies involving home agents, but I see he
offered to drop the requirement since it didn't stimulate a lot of
conversation.

The remaining contentious point that I can find is with section 3.1.2:

3.1.2 Load Sharing

   By multihoming, a site MUST be able to distribute both inbound and
   outbound traffic between multiple transit providers.  This
   requirement is for concurrent use of the multiple transit providers,
   not just the usage of one provider over one interval of time and
   another provider over a different interval.

I didn't see clear consensus on this point. My personal opinion is that
we should keep it, since it's an operational necessity in the current
network and I don't see how deployment of a new new multihoming
strategy could proceed without it.

Complete draft follows.


Joe


Site Multihoming in IPv6 (multi6)                               B. Black
Internet-Draft                                           Layer8 Networks
Expires: November 26, 2002                                       V. Gill
                                                         AOL Time Warner
                                                                J. Abley
                                                                     MFN
                                                            May 28, 2002


          Requirements for IPv6 Site-Multihoming Architectures
             draft-ietf-multi6-multihoming-requirements-03

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 26, 2002.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   Site-multihoming, i.e.  connecting to more than one IP service
   provider, is an essential component of service for many sites which
   are part of the Internet.  Existing IPv4 site-multihoming practices,
   described in a companion draft [1], provides a set of capabilities
   that must be accommodated by the adopted site-multihoming
   architecture in IPv6, and a set of limitations that must be overcome,
   relating in particular to scalability.

   This document outlines a set of requirements for a new IPv6 site-
   multihoming architecture.

1. Introduction

   Current IPv4 site-multihoming practices have been added on to the
   CIDR architecture [2], which assumes that routing table entries can
   be aggregated based upon a hierarchy of customers and service
   providers [1].

   However, it appears that this hierarchy is being supplanted by a
   dense mesh of interconnections [9].  Additionally, there has been an
   enormous growth in the number of multihomed sites.  For purposes of
   redundancy and load-sharing, the multihomed address blocks, which are
   almost always a longer prefix than the provider aggregate, are
   announced along with the larger, covering aggregate originated by the
   provider.  This contributes to the rapidly-increasing size of the
   global routing table.  This explosion places significant stress on
   the inter-provider routing system.

   Continued growth of both the Internet and the practice of site-
   multihoming will seriously exacerbate this stress.  The site-
   multihoming architecture for IPv6 should allow the routing system to
   scale more pleasantly.

2. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [4].

   A "site" is an entity autonomously operating a network using IP and,
   in particular, determining the addressing plan and routing policy for
   that network.  This definition is intended to be equivalent to
   "enterprise" as defined in [3].

   A "transit provider" operates a site which directly provides
   connectivity to the Internet to one or more external sites.  The
   connectivity provided extends beyond the transit provider's own site.
   A transit provider's site is directly connected to the sites for
   which it provides transit.

   A "multihomed" site is one with more than one transit provider.
   "Site-multihoming" is the practice of arranging a site to be
   multihomed.

   The term "re-homing" denotes a transition of a site between two
   states of connectedness, due to a change in the connectivity between
   the site and its transit providers' sites.

3. Multihoming Requirements

3.1 Capabilities of IPv4 Multihoming

   The following capabilities of current IPv4 multihoming practices MUST
   be supported by an IPv6 multihoming architecture.  IPv4 multihoming
   is discussed in more detail in [1].

3.1.1 Redundancy

   By multihoming, a site MUST be able to insulate itself from certain
   failure modes within one or more transit providers, as well as
   failures in the network providing interconnection among one or more
   transit providers.

   Infrastructural commonalities below the IP layer may result in
   connectivity which is apparently diverse sharing single points of
   failure.  For example, two separate DS3 circuits ordered from
   different suppliers and connecting a site to independent transit
   providers may share a single conduit from the street into a building;
   in this case backhoe-fade of both circuits may be experienced due to
   a single incident in the street.  The two circuits are said to "share
   fate".

   The multihoming architecture MUST accommodate (in the general case,
   issues of shared fate notwithstanding) continuity of connectivity
   during the following failures:

   o  Physical failure, such as a fiber cut, or router failure,

   o  Logical link failure, such as a misbehaving router interface,

   o  Routing protocol failure, such as a BGP peer reset,

   o  Transit provider failure, such as a backbone-wide IGP failure, and

   o  Exchange failure, such as a BGP reset on an inter-provider
      peering.


3.1.2 Load Sharing

   By multihoming, a site MUST be able to distribute both inbound and
   outbound traffic between multiple transit providers.  This
   requirement is for concurrent use of the multiple transit providers,
   not just the usage of one provider over one interval of time and
   another provider over a different interval.

3.1.3 Performance

   By multihoming, a site MUST be able to protect itself from
   performance difficulties directly between the site's transit
   providers.

   For example, suppose site E obtains transit from transit providers T1
   and T2, and there is long-term congestion between T1 and T2.  The
   multihoming architecture MUST allow E to ensure that in normal
   operation none of its traffic is carried over the congested
   interconnection T1-T2.  The process by which this is achieved MAY be
   a manual one.

   A multihomed site MUST be able to distribute inbound traffic from
   particular multiple transit providers according to the particular
   address range within their site which is sourcing or sinking the
   traffic.

3.1.4 Policy

   A customer may choose to multihome for a variety of policy reasons
   beyond technical scope (e.g.  cost, acceptable use conditions, etc.)
   For example, customer C homed to ISP A may wish to shift traffic of a
   certain class or application, NNTP, for example, to ISP B as matter
   of policy.  A new IPv6 multihoming proposal MUST provide support for
   site-multihoming for external policy reasons.

3.1.5 Simplicity

   As any proposed multihoming solution must be deployed in real
   networks with real customers, simplicity is paramount.  The current
   multihoming solution is quite straightforward to deploy and maintain.
   A new IPv6 multihoming proposal MUST NOT be substantially more
   complex to deploy and operate than current IPv4 multihoming
   practices.

3.1.6 Transport-Layer Survivability

   Multihoming solutions MUST provide re-homing transparency for
   transport-layer sessions; i.e.  exchange of data between devices on
   the multihomed site and devices elsewhere on the Internet may proceed
   with no greater interruption than that associated with the transient
   packet loss during the re-homing event.

   New transport-layer sessions MUST be able to be created following a
   re-homing event.

   Transport-layer sessions include those involving transport-layer
   protocols such as TCP, UDP and SCTP over IP.  Applications which
   communicate over raw IP and other network-layer protocols MAY also
   enjoy re-homing transparency.

3.1.7 Impact on DNS

   Multi-homing solutions either MUST be compatible with the observed
   dynamics of the current DNS system, or the solutions MUST have
   demonstrate that the modified name resolution system required to
   support them are readily deployable.

3.1.8 Packet Filtering

   Multihoming solutions MUST NOT preclude filtering packets with forged
   or otherwise inappropriate source IP addresses at the administrative
   boundary of the multihomed site.

3.2 Additional Requirements

3.2.1 Scalability

   Current IPV4 multihoming practices contribute to the significant
   growth currently observed in the state held in the global inter-
   provider routing system; this is a concern both because of the
   hardware requirements it imposes and also because of the impact on
   the stability of the routing system.  This issue is discussed in
   great detail in [9].

   A new IPv6 multihoming architecture MUST scale to accommodate orders
   of magnitude more multihomed sites without imposing unreasonable
   requirements on the routing system.

3.2.2 Impact on Routers

   The solution MAY require changes to IPv6 router implementations, but
   these changes must be either minor, or in the form of logically
   separate functions added to existing functions.

   Such changes MUST NOT prevent normal single-homed operation, and
   routers implementing these changes must be able to interoperate fully
   with hosts and routers not implementing them.

3.2.3 Impact on Hosts

   The solution MUST NOT destroy IPv6 connectivity for a legacy host
   implementing RFC 2373 [5], RFC 2460 [7], RFC 2553 [8] and other basic
   IPv6 specifications current in November 2001.  That is to say, if a
   host can work in a single-homed site, it must still be able to work
   in a multihomed site, even if it cannot benefit from site-
   multihoming.

   It would be compatible with this requirement for such a host to lose
   connectivity if a site lost connectivity to one transit provider,
   despite the fact that other transit provider connections were still
   operational.

   If the solution requires changes to the host stack, these changes
   MUST be either minor, or in the form of logically separate functions
   added to existing functions.

   If the solution requires changes to the socket API and/or the
   transport layer, it MUST be possible to retain the original socket
   API and transport protocols in parallel, even if they cannot benefit
   from multihoming.

   The multihoming solution MAY allow host or application changes if
   that would enhance session survivability.

3.2.4 Interaction between Hosts and the Routing System

   The solution MAY involve interaction between a site's hosts and its
   routing system; such an interaction MUST be simple, scaleable and
   securable.

3.2.5 Operations and Management

   It MUST be posssible for staff responsible for the operation of a
   site to monitor and configure the site's multihoming system.

3.2.6 Cooperation between Transit Providers

   A multihoming strategy MAY require cooperation between a site and its
   transit providers, but MUST NOT require cooperation (relating
   specifically to the multihomed site) directly between the transit
   providers.

3.2.7 Multiple Solutions

   There MAY be more than one approach to multihoming, provided all
   approaches are orthogonal (e.g.  each approach addresses a distinct
   segment or category within the site multihoming problem.  Multiple
   solutions will incur a greater management overhead within the IESG,
   however, and the adopted solutions SHOULD attempt to cover as many
   multihoming scenarios as possible.

4. Security Considerations

   A multihomed site MUST NOT be more vulnerable to security breaches
   than a traditionally IPv4-multihomed site.

References

   [1]  Abley, J., Black, B. and V. Gill, "IPv4 Multihoming Motivation,
        Practices and Limitations (work-in-progress)", I-D draft-ietf-
        multi6-v4-multihoming-00, June 2001.

   [2]  Fuller, V., Li, T., Yu, J. and K. Varadhan, "Classless Inter-
        Domain Routing (CIDR): an Address Assignment and Aggregation
        Strategy", RFC 1519, September 1993.

   [3]  Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. and E.
        Lear, "Address Allocation for Private Internets", RFC 1918,
        February 1996.

   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", RFC 2119, March 1997.

   [5]  Hinden, R. and S. Deering, "IP Version 6 Addressing
        Architecture", RFC 2373, July 1998.

   [6]  Hinden, R., O'Dell, M. and S. Deering, "An IPv6 Aggregatable
        Global Unicast Address Format", RFC 2374, July 1998.

   [7]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
        Specification", RFC 2460, December 1998.

   [8]  Gilligan, R., Thomson, S., Bound, J. and W. Stevens, "Basic
        Socket Interface Extensions for IPv6", RFC 2553, March 1999.

   [9]  Huston, G., "Analyzing the Internet's BGP Routing Table",
        January 2001.


Authors' Addresses

   Benjamin Black
   Layer8 Networks

   EMail: ben@layer8.net


   Vijay Gill
   AOL Time Warner

   EMail: vijaygill9@aol.com

   Joe Abley
   MFN
   10805 Old River Road
   Komoka, ON  N0L 1R0
   Canada

   Phone: +1 519 641 4368
   EMail: jabley@mfnx.net

Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.