PIM Join Attributes for Locator/ID Separation Protocol (LISP) Environments

Introduction The construction of multicast distribution trees where the root and receivers are located in different LISP sites is defined in . Creation of (root-EID,G) state in the root site requires that unicast LISP-encapsulated Join/Prune messages be sent from an ETR on the receiver site to an ITR on the root site. The term "EID" is short for "Endpoint ID". specifies that (root-EID,G) data packets are to be LISP- encapsulated into (root-RLOC,G) multicast packets. However, a wide deployment of multicast connectivity between LISP sites is unlikely to happen any time soon. In fact, some implementations are initially focusing on unicast transport with head-end replication between root and receiver sites. The unicast LISP-encapsulated Join/Prune message specifies the (root-EID,G) state that needs to be established in the root site, but conveys nothing about the receiver's capability or desire to use multicast as the underlying transport. This document specifies a Join/Prune attribute that allows the receiver ETR to select the desired transport. The term "transport" in this document is intentionally somewhat vague. Currently, it is used just to indicate whether multicast or head-end replication is used; this means that the outer destination address is either a unicast or multicast address. Future documents may specify how other types of delivery, encapsulation, or underlay are used. Knowledge of the receiver ETR's RLOC address is essential to the control plane of the root ITR. The RLOC address determines the downstream destination for unicast head-end replication and identifies the receiver ETR that needs to be notified should the root ITR of the distribution tree move to another site. The root ITR can change when the source EID is roaming to another LISP site. Service providers may implement unicast reverse path forwarding (uRPF) policies requiring that the outer source address of the LISP- encapsulated Join/Prune message be the address of the receiver ETR's core-facing interface used to physically transmit the message. However, due to policy and load-balancing considerations, the outer source address may not be the RLOC on which the receiver site wishes to receive a particular flow. This document specifies a Join/Prune attribute that conveys the appropriate receiver ETR's RLOC address to the control plane of the root ITR. This document uses terminology defined in and , such as EID, RLOC, ITR, and ETR. The construction of multicast distribution trees where the root and receivers are located in different LISP sites is defined in .

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

PIM Join/Prune Attributes PIM Join/Prune attributes are defined in by introducing a new Encoded-Source type that, in addition to the Join/Prune source, can carry multiple Type-Length-Value (TLV) attributes. These attributes apply to the individual Join/Prune sources on which they are stored. The attributes defined in this document conform to the format of the encoding type defined in . The attributes would typically be the same for all the sources in the Join/Prune message. Hence, we RECOMMEND using the hierarchical Join/Prune attribute scheme defined in . This hierarchical system allows attributes to be conveyed in the Upstream Neighbor Address field, thus enabling the efficient application of a single attribute instance to all the sources in the Join/Prune message. LISP Tunnel Routers (xTRs) do not exchange PIM Hello Messages, and hence no Hello option is defined to negotiate support for these attributes. Systems that support unicast head-end replication are assumed to support these attributes.

The Transport Attribute It is essential that a mechanism be provided by which the desired transport can be conveyed by receiver sites. Root sites with multicast connectivity will want to leverage multicast replication. However, not all receiver sites can be expected to have multicast connectivity. It is thus desirable that root sites be prepared to support (root-EID,G) state with a mixture of multicast and unicast output state. This document specifies a Join/Prune attribute that allows the receiver to select the desired underlying transport.

Transport Attribute Format

F-bit: The Transitive bit. Specifies whether the attribute is transitive or non-transitive. MUST be set to zero. This attribute is ALWAYS non-transitive.
End-of-Attributes bit. Specifies whether this attribute is the last. Set to zero if there are more attributes. Set to 1 if this is the last attribute.
The Transport Attribute type is TBD.
Length: The length of the Transport Attribute value. MUST be set to 1.
Transport: The type of transport being requested. Set to 0 for multicast. Set to 1 for unicast. The values from 2 to 255 may be assigned in the future.

Using the Transport Attribute Hierarchical Join/Prune attribute instances SHOULD be used when the same Transport Attribute is to be applied to all the sources within the Join/Prune message or all the sources within a group set. The root ITR MUST accept Transport Attributes in the Upstream Neighbor Encoded-Unicast address, Encoded-Group addresses, and Encoded-Source addresses. There MUST NOT be more than one Transport Attribute within the same encoded address. If an encoded address has more than one instance of the attribute, the root ITR MUST discard all affected Join/Prune sources. The root ITR MUST also discard all affected Join/Prune sources if the Transport Attribute value is unknown.

When a receiver ETR requests unicast head-end replication for a given (root-EID,G) entry, the PIM control plane of the root ITR must maintain an outgoing interface list ("oif-list") entry for the receiver ETR and its corresponding RLOC address. This allows the root ITR to perform unicast LISP-encapsulation of multicast data packets to each and every receiver ETR that has requested unicast head-end replication. The PIM control plane of the root ITR could potentially determine the RLOC address of the receiver ETR from the outer source address field of the LISP-encapsulated Join/Prune message. However, receiver ETRs are subject to uRPF checks by the network providers on each core- facing interface. The outer source address must therefore be the RLOC of the core-facing interface used to physically transmit the LISP-encapsulated Join/Prune message. Due to policy and load- balancing considerations, that may not be the RLOC on which the receiver site wishes to receive a particular flow. This document specifies a Join/Prune attribute that conveys the appropriate receiver RLOC address to the PIM control plane of the root ITR. To support root-EID mobility, receiver ETRs must also be tracked by the LISP control plane of the root ITR, regardless of the underlying transport. When the root-EID moves to a new root ITR in a different LISP site, the receiver ETRs do not know the root-EID has moved and therefore do not know the RLOC of the new root ITR. This is true for both unicast and multicast transport modes. The new root ITR does not have any receiver ETR state. Therefore, it is the responsibility of the old root ITR to inform the receiver ETRs that the root-EID has moved. When the old root ITR detects that the root-EID has moved, it sends a LISP Solicit-Map-Request (SMR) message to each receiver ETR. The receiver ETRs do a mapping database lookup to retrieve the RLOC of the new root ITR. The old root ITR detects that the root-EID has moved when it receives a Map-Notify from the Map-Server. The transmission of the Map-Notify is triggered when the new root ITR registers the root-EID [EID-MOBILITY]. When a receiver ETR determines that the root ITR has changed, it will send a LISP- encapsulated PIM prune message to the old root xTR and a LISP- encapsulated PIM join message to the new root xTR.

When LISP based Multicast trees are constructed using IP Multicast in the underlay, the mapping between the overlay group address and the underlay group address becomes a crucial engineering decision: Three distinct types of overlay to underlay group mappings are possible:

Many to one mapping:: Many (root-EID, G) flows originating from an RLOC can be mapped to a single underlay multicast (root-RLOC, G-u) flow.
One to many mapping:: Conversely a single same overlay flow can be mapped to two or more flows, e.g., (root-RLOC, G-u1) and (root-RLOC, G-u2) to cater to the requirements of downstream xTR nodes.
One to one mapping:: Every (root-EID, G) flow is mapped to a unique (root-RLOC, G-u) flow.

Under certain conditions, different subsets of xTRs subscribing to the same overlay multicast stream may be constrained to use distinct underlay multicast mapping ranges. This introduces a trade-off between replication overhead and the flexibility of address range assignment, which may be necessary in specific use-cases like Proxy Tunnel Routers or when using nodes with limited hardware resources as explained below:

Inter-site Proxy Tunnel Routers (PxTR):: When multiple LISP sites are interconnected through a LISP-based transit, the site border node (PxTR) connects the site-facing interfaces with the external LISP core. In such cases, different ranges of multicast group addresses may be used for constructing (S-RLOC, G) trees within the LISP site and in the external LISP core. This distinction is desirable for various operational reasons.
Hardware resource restrictions:: Platform limitations may necessitate engineering decisions to restrict multicast address ranges in the underlay due to hardware resource constraints.

F bit: The Transitive bit. Specifies whether this attribute is transitive or non-transitive. MUST be set to zero. This attribute is ALWAYS non-transitive.
E bit: End-of-Attributes bit. Specifies whether this attribute is the last. Set to zero if there are more attributes. Set to 1 if this is the last attribute.
Type: The Receiver RLOC Attribute type is TBD[suggested: 6].
Length: The length in octets of the attribute value. MUST be set to the length in octets of the receiver RLOC address plus 1 octet to account for the Address Family field.
Addr Family: The PIM Address Family of the receiver RLOC as defined in .
Receiver RLOC: The RLOC address on which the receiver ETR wishes to receive the encapsulated flow. A unicast IP Receiver RLOC address is used for unicast-encapsulated flows. Alternately, a multicast IP Receiver RLOC address is used for for multicast-encapsulated flows. A multicast IP address MUST be used only when the underlay network of the LISP core supports IP Multicast transport.

When the ITR needs to track the list of ETRs from which the PIM joins are received, the ITR MUST use the source IP address field of the incoming PIM Join/Prune message. The source IP address of the PIM Join/Prune MUST be an ETR RLOC IP address.

Hierarchical Join/Prune attribute instances [RFC7887] SHOULD be used when the same Receiver RLOC Attribute is to be applied to all the sources within the message or all the sources within a group set. The root ITR MUST accept Transport Attributes in the Upstream Neighbor Encoded-Unicast address, Encoded-Group addresses, and Encoded-Source addresses. There MUST NOT be more than one Receiver RLOC Attribute within the same encoded address. If an encoded address has more than one instance of the attribute, the root ITR MUST discard all affected Join/Prune sources. The root ITR MUST also discard all affected Join/Prune sources if the address family is unknown or the address length is incorrect for the specified address family. When the ETR determines to use the multicast underlay:

It chooses an underlay multicast group that it can join. This is a matter of local decision, beyond the scope of this document.
It identifies the upstream LISP site where the underlay multicast tree needs to be rooted.
It constructs the PIM Join/Prune message as specified in RFC 8059 and RFC 9798. Only the Receiver RLOC attribute is encoded as above.

When the ITR receives a PIM Join/Prune message:

It allocates a new entry in the OutgoingInterfaceList for every unique underlay multicast mapping.
The ITR MAY apply local policy to perform any kind of rate-limiting on the number of copies it needs to make in the underlay. Such actions are beyond the scope of this document.

Acknowledgements Thanks to Amanda Baber for refining the text in the IANA section.

IANA Considerations Following the guidelines of , IANA is asked to update the references for the following registrations as follows: Two PIM Join attribute types need to be updated: value 5 for the Transport Attribute and value 6 for the Receiver RLOC Attribute earlier allocated through and are to be updated to be owned by this document. The "PIM Join/Prune Transport Types" registry exists for the Join/Prune Transport attribute. The registration policy is IETF Review , and the values are in the range 0-255. This document should be the updated reference for value 0 for multicast and value 1 for unicast. These values were earlier owned by and .

Security Considerations Security of Join/Prune attributes is only guaranteed by the security of the PIM packet. The attributes specified herein do not enhance or diminish the privacy or authenticity of a Join/Prune message. A site that legitimately or maliciously sends and delivers a Join/Prune message to another site will equally be able to append these and any other attributes it wishes. See [RFC5384] for general security considerations for Join/Prune attributes. An attack vector arises where an attacker sends numerous PIM Join messages with different group addresses. This could interfere with legitimate multicast traffic if the group addresses overlap. Additionally, resource exhaustion may occur if replication is requested for a large number of groups, potentially resulting in significant resource consumption. To mitigate these risks, PIM authentication mechanisms RFC 5796 could be employed to validate join requests. Furthermore, implementations may consider explicit tracking mechanisms to manage joins more effectively. Configurable controls could be introduced, allowing for a maximum permissible number of groups for each ETR RLOC used as the source of overlay joins. These controls would limit the impact of such attacks and ensure that resource allocation is managed appropriately.

Contributors TBD

tbd@tbd.com

Arista

kouvelas@arista.com

lispers.net

farinacci@gmail.com