From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc3746.txt | 2243 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2243 insertions(+) create mode 100644 doc/rfc/rfc3746.txt (limited to 'doc/rfc/rfc3746.txt') diff --git a/doc/rfc/rfc3746.txt b/doc/rfc/rfc3746.txt new file mode 100644 index 0000000..fa96ce3 --- /dev/null +++ b/doc/rfc/rfc3746.txt @@ -0,0 +1,2243 @@ + + + + + + +Network Working Group L. Yang +Request for Comments: 3746 Intel Corp. +Category: Informational R. Dantu + Univ. of North Texas + T. Anderson + Intel Corp. + R. Gopal + Nokia + April 2004 + + + Forwarding and Control Element Separation (ForCES) Framework + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2004). All Rights Reserved. + +Abstract + + This document defines the architectural framework for the ForCES + (Forwarding and Control Element Separation) network elements, and + identifies the associated entities and their interactions. + +Table of Contents + + 1. Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . 2 + 1.1. Conventions used in this document . . . . . . . . . . . . 2 + 1.2. Terminologies . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Introduction to Forwarding and Control Element Separation + (ForCES) . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 8 + 3.1. Control Elements and Fr Reference Point . . . . . . . . . 10 + 3.2. Forwarding Elements and Fi reference point. . . . . . . . 11 + 3.3. CE Managers . . . . . . . . . . . . . . . . . . . . . . . 14 + 3.4. FE Managers . . . . . . . . . . . . . . . . . . . . . . . 14 + 4. Operational Phases . . . . . . . . . . . . . . . . . . . . . . 15 + 4.1. Pre-association Phase . . . . . . . . . . . . . . . . . . 15 + 4.1.1. Fl Reference Point . . . . . . . . . . . . . . . . 15 + 4.1.2. Ff Reference Point . . . . . . . . . . . . . . . . 16 + 4.1.3. Fc Reference Point . . . . . . . . . . . . . . . . 17 + 4.2. Post-association Phase and Fp reference point . . . . . . 17 + 4.2.1. Proximity and Interconnect between CEs and FEs . . 18 + + + +Yang, et al. Informational [Page 1] + +RFC 3746 ForCES Framework April 2004 + + + 4.2.2. Association Establishment. . . . . . . . . . . . . 18 + 4.2.3. Steady-state Communication . . . . . . . . . . . . 19 + 4.2.4. Data Packets across Fp reference point . . . . . . 21 + 4.2.5. Proxy FE . . . . . . . . . . . . . . . . . . . . . 22 + 4.3. Association Re-establishment. . . . . . . . . . . . . . . 22 + 4.3.1. CE graceful restart. . . . . . . . . . . . . . . . 23 + 4.3.2. FE restart . . . . . . . . . . . . . . . . . . . . 24 + 5. Applicability to RFC 1812. . . . . . . . . . . . . . . . . . . 25 + 5.1. General Router Requirements . . . . . . . . . . . . . . . 25 + 5.2. Link Layer. . . . . . . . . . . . . . . . . . . . . . . . 26 + 5.3. Internet Layer Protocols. . . . . . . . . . . . . . . . . 27 + 5.4. Internet Layer Forwarding . . . . . . . . . . . . . . . . 27 + 5.5. Transport Layer . . . . . . . . . . . . . . . . . . . . . 28 + 5.6. Application Layer -- Routing Protocols. . . . . . . . . . 29 + 5.7. Application Layer -- Network Management Protocol. . . . . 29 + 6. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 + 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30 + 8. Security Considerations. . . . . . . . . . . . . . . . . . . . 30 + 8.1. Analysis of Potential Threats Introduced by ForCES. . . . 31 + 8.1.1. "Join" or "Remove" Message Flooding on CEs . . . . 31 + 8.1.2. Impersonation Attack . . . . . . . . . . . . . . . 31 + 8.1.3. Replay Attack. . . . . . . . . . . . . . . . . . . 31 + 8.1.4. Attack during Fail Over. . . . . . . . . . . . . . 32 + 8.1.5. Data Integrity . . . . . . . . . . . . . . . . . . 32 + 8.1.6. Data Confidentiality . . . . . . . . . . . . . . . 32 + 8.1.7. Sharing security parameters. . . . . . . . . . . . 33 + 8.1.8. Denial of Service Attack via External Interface. . 33 + 8.2. Security Recommendations for ForCES . . . . . . . . . . . 33 + 8.2.1. Using TLS with ForCES. . . . . . . . . . . . . . . 34 + 8.2.2. Using IPsec with ForCES. . . . . . . . . . . . . . 35 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 37 + 9.1. Normative References. . . . . . . . . . . . . . . . . . . 37 + 9.2. Informative References. . . . . . . . . . . . . . . . . . 37 + 10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 39 + 11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 40 + +1. Definitions + +1.1. Conventions used in this document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in BCP 14, RFC 2119 [1]. + + + + + + + + +Yang, et al. Informational [Page 2] + +RFC 3746 ForCES Framework April 2004 + + +1.2. Terminologies + + A set of terminology associated with the ForCES requirements is + defined in [4] and we only include the definitions that are most + relevant to this document here. + + Addressable Entity (AE) - An entity that is directly addressable + given some interconnect technology. For example, on IP networks, it + is a device to which we can communicate using an IP address; on a + switch fabric, it is a device to which we can communicate using a + switch fabric port number. + + Physical Forwarding Element (PFE) - An AE that includes hardware used + to provide per-packet processing and handling. This hardware may + consist of (but is not limited to) network processors, ASICs + (Application-Specific Integrated Circuits), or general purpose + processors, installed on line cards, daughter boards, mezzanine + cards, or in stand-alone boxes. + + PFE Partition - A logical partition of a PFE consisting of some + subset of each of the resources (e.g., ports, memory, forwarding + table entries) available on the PFE. This concept is analogous to + that of the resources assigned to a virtual switching element as + described in [9]. + + Physical Control Element (PCE) - An AE that includes hardware used to + provide control functionality. This hardware typically includes a + general purpose processor. + + PCE Partition - A logical partition of a PCE consisting of some + subset of each of the resources available on the PCE. + + Forwarding Element (FE) - A logical entity that implements the ForCES + Protocol. FEs use the underlying hardware to provide per-packet + processing and handling as directed by a CE via the ForCES Protocol. + FEs may happen to be a single blade (or PFE), a partition of a PFE, + or multiple PFEs. + + Control Element (CE) - A logical entity that implements the ForCES + Protocol and uses it to instruct one or more FEs on how to process + packets. CEs handle functionality such as the execution of control + and signaling protocols. CEs may consist of PCE partitions or whole + PCEs. + + ForCES Network Element (NE) - An entity composed of one or more CEs + and one or more FEs. An NE usually hides its internal organization + from external entities and represents a single point of management to + entities outside the NE. + + + +Yang, et al. Informational [Page 3] + +RFC 3746 ForCES Framework April 2004 + + + Pre-association Phase - The period of time during which an FE Manager + (see below) and a CE Manager (see below) are determining whether an + FE and a CE should be part of the same network element. It is + possible for some elements of the NE to be in pre-association phase + while other elements are in the post-association phase. + + Post-association Phase - The period of time during which an FE knows + which CE is to control it and vice versa, including the time during + which the CE and FE are establishing communication with one another. + + ForCES Protocol - While there may be multiple protocols used within + the overall ForCES architecture, the term "ForCES Protocol" refers + only to the ForCES post-association phase protocol (see below). + + ForCES Post-Association Phase Protocol - The protocol used for post- + association phase communication between CEs and FEs. This protocol + does not apply to CE-to-CE communication, FE-to-FE communication, or + to communication between FE and CE managers. The ForCES Protocol is + a master-slave protocol in which FEs are slaves and CEs are masters. + This protocol includes both the management of the communication + channel (e.g., connection establishment, heartbeats) and the control + messages themselves. This protocol could be a single protocol or + could consist of multiple protocols working together, and may be + unicast or multicast based. A separate protocol document will + specify this information. + + FE Manager - A logical entity that operates in the pre-association + phase and is responsible for determining to which CE(s) an FE should + communicate. This process is called CE discovery and may involve the + FE manager learning the capabilities of available CEs. An FE manager + may use anything from a static configuration to a pre-association + phase protocol (see below) to determine which CE(s) to use; however, + this is currently out of scope. Being a logical entity, an FE + manager might be physically combined with any of the other logical + entities mentioned in this section. + + CE Manager - A logical entity that operates in the pre-association + phase and is responsible for determining to which FE(s) a CE should + communicate. This process is called FE discovery and may involve the + CE manager learning the capabilities of available FEs. A CE manager + may use anything from a static configuration to a pre-association + phase protocol (see below) to determine which FE to use; however, + this is currently out of scope. Being a logical entity, a CE manager + might be physically combined with any of the other logical entities + mentioned in this section. + + + + + + +Yang, et al. Informational [Page 4] + +RFC 3746 ForCES Framework April 2004 + + + Pre-association Phase Protocol - A protocol between FE managers and + CE managers that is used to determine which CEs or FEs to use. A + pre-association phase protocol may include a CE and/or FE capability + discovery mechanism. Note that this capability discovery process is + wholly separate from (and does not replace) that used within the + ForCES Protocol. However, the two capability discovery mechanisms + may utilize the same FE model. + + FE Model - A model that describes the logical processing functions of + an FE. + + ForCES Protocol Element - An FE or CE. + + Intra-FE topology - Representation of how a single FE is realized by + combining possibly multiple logical functional blocks along multiple + data paths. This is defined by the FE model. + + FE Topology - Representation of how the multiple FEs in a single NE + are interconnected. Sometimes it is called inter-FE topology, to be + distinguished from intra-FE topology used by the FE model. + + Inter-FE topology - See FE Topology. + +2. Introduction to Forwarding and Control Element Separation (ForCES) + + An IP network element (NE) appears to external entities as a + monolithic piece of network equipment, e.g., a router, NAT, firewall, + or load balancer. Internally, however, an IP network element (NE) + (such as a router) is composed of numerous logically separated + entities that cooperate to provide a given functionality (such as + routing). Two types of network element components exist: control + element (CE) in control plane and forwarding element (FE) in + forwarding plane (or data plane). Forwarding elements are typically + ASIC, network-processor, or general-purpose processor-based devices + that handle data path operations for each packet. Control elements + are typically based on general-purpose processors that provide + control functionality, like routing and signaling protocols. + + ForCES aims to define a framework and associated protocol(s) to + standardize information exchange between the control and forwarding + plane. Having standard mechanisms allows CEs and FEs to become + physically separated standard components. This physical separation + accrues several benefits to the ForCES architecture. Separate + components would allow component vendors to specialize in one + component without having to become experts in all components. + Standard protocol also allows the CEs and FEs from different + component vendors to interoperate with each other and hence it + becomes possible for system vendors to integrate together the CEs and + + + +Yang, et al. Informational [Page 5] + +RFC 3746 ForCES Framework April 2004 + + + FEs from different component suppliers. This interoperability + translates into increased design choices and flexibility for the + system vendors. Overall, ForCES will enable rapid innovation in both + the control and forwarding planes while maintaining interoperability. + Scalability is also easily provided by this architecture in that + additional forwarding or control capacity can be added to existing + network elements without the need for forklift upgrades. + + ------------------------- ------------------------- + | Control Blade A | | Control Blade B | + | (CE) | | (CE) | + ------------------------- ------------------------- + ^ | ^ | + | | | | + | V | V + --------------------------------------------------------- + | Switch Fabric Backplane | + --------------------------------------------------------- + ^ | ^ | ^ | + | | | | . . . | | + | V | V | V + ------------ ------------ ------------ + |Router | |Router | |Router | + |Blade #1 | |Blade #2 | |Blade #N | + | (FE) | | (FE) | | (FE) | + ------------ ------------ ------------ + ^ | ^ | ^ | + | | | | . . . | | + | V | V | V + + Figure 1. A router configuration example with separate blades. + + One example of such physical separation is at the blade level. Figure + 1 shows such an example configuration of a router, with two control + blades and multiple forwarding blades, all interconnected into a + switch fabric backplane. In such a chassis configuration, the + control blades are the CEs while the router blades are the FEs, and + the switch fabric backplane provides the physical interconnect for + all the blades. Control blade A may be the primary CE while control + blade B may be the backup CE providing redundancy. It is also + possible to have a redundant switch fabric for high availability + support. Routers today with this kind of configuration use + proprietary interfaces for messaging between CEs and FEs. The goal + of ForCES is to replace such proprietary interfaces with a standard + protocol. With a standard protocol like ForCES implemented on all + blades, it becomes possible for control blades from vendor X and + forwarding blades from vendor Y to work seamlessly together in one + chassis. + + + +Yang, et al. Informational [Page 6] + +RFC 3746 ForCES Framework April 2004 + + + ------- ------- + | CE1 | | CE2 | + ------- ------- + ^ ^ + | | + V V + ============================================ Ethernet + ^ ^ . . . ^ + | | | + V V V + ------- ------- -------- + | FE#1| | FE#2| | FE#n | + ------- ------- -------- + ^ | ^ | ^ | + | | | | | | + | V | V | V + + Figure 2. A router configuration example with separate boxes. + + Another level of physical separation between the CEs and FEs can be + at the box level. In such a configuration, all the CEs and FEs are + physically separated boxes, interconnected with some kind of high + speed LAN connection (like Gigabit Ethernet). These separated CEs + and FEs are only one hop away from each other within a local area + network. The CEs and FEs communicate to each other by running + ForCES, and the collection of these CEs and FEs together become one + routing unit to the external world. Figure 2 shows such an example. + + In both examples shown here, the same physical interconnect is used + for both CE-to-FE and FE-to-FE communication. However, that does not + have to be the case. One reason to use different interconnects is + that the CE-to-FE interconnect does not have to be as fast as the + FE-to-FE interconnect, so the more faster and more expensive + connections can be saved for FE-to-FE. The separate interconnects + may also provide reliability and redundancy benefits for the NE. + + Some examples of control functions that can be implemented in the CE + include routing protocols like RIP, OSPF, and BGP, control and + signaling protocols like RSVP (Resource Reservation Protocol), LDP + (Label Distribution Protocol) for MPLS, etc. Examples of forwarding + functions in the FE include LPM (longest prefix match) forwarder, + classifiers, traffic shaper, meter, NAT (Network Address + Translators), etc. Figure 3 provides example functions in both CE + and FE. Any given NE may contain one or many of these CE and FE + functions in it. The diagram also shows that the ForCES Protocol is + used to transport both the control messages for ForCES itself and the + + + + + +Yang, et al. Informational [Page 7] + +RFC 3746 ForCES Framework April 2004 + + + data packets that are originated/destined from/to the control + functions in the CE (e.g., routing packets). Section 4.2.4 provides + more detail on this. + + ------------------------------------------------- + | | | | | | | + |OSPF |RIP |BGP |RSVP |LDP |. . . | + | | | | | | | + ------------------------------------------------- + | ForCES Interface | + ------------------------------------------------- + ^ ^ + ForCES | |data + control | |packets + messages| |(e.g., routing packets) + v v + ------------------------------------------------- + | ForCES Interface | + ------------------------------------------------- + | | | | | | | + |LPM Fwd|Meter |Shaper |NAT |Classi-|. . . | + | | | | |fier | | + ------------------------------------------------- + | FE resources | + ------------------------------------------------- + + Figure 3. Examples of CE and FE functions. + + A set of requirements for control and forwarding separation is + identified in [4]. This document describes a ForCES architecture + that satisfies the architectural requirements of [4] and defines a + framework for ForCES network elements and the associated entities to + facilitate protocol definition. Whenever necessary, this document + uses many examples to illustrate the issues and/or possible solutions + in ForCES. These examples are intended to be just examples, and + should not be taken as the only or definite ways of doing certain + things. It is expected that a separate document will be produced by + the ForCES working group to specify the ForCES Protocol. + +3. Architecture + + This section defines the ForCES architectural framework and the + associated logical components. This ForCES framework defines + components of ForCES NEs, including several ancillary components. + These components may be connected in different kinds of topologies + for flexible packet processing. + + + + + +Yang, et al. Informational [Page 8] + +RFC 3746 ForCES Framework April 2004 + + + --------------------------------------- + | ForCES Network Element | + -------------- Fc | -------------- -------------- | + | CE Manager |---------+-| CE 1 |------| CE 2 | | + -------------- | | | Fr | | | + | | -------------- -------------- | + | Fl | | | Fp / | + | | Fp| |----------| / | + | | | |/ | + | | | | | + | | | Fp /|----| | + | | | /--------/ | | + -------------- Ff | -------------- -------------- | + | FE Manager |---------+-| FE 1 | Fi | FE 2 | | + -------------- | | |------| | | + | -------------- -------------- | + | | | | | | | | | | + ----+--+--+--+----------+--+--+--+----- + | | | | | | | | + | | | | | | | | + Fi/f Fi/f + + Fp: CE-FE interface + Fi: FE-FE interface + Fr: CE-CE interface + Fc: Interface between the CE Manager and a CE + Ff: Interface between the FE Manager and an FE + Fl: Interface between the CE Manager and the FE Manager + Fi/f: FE external interface + + Figure 4. ForCES Architectural Diagram + + The diagram in Figure 4 shows the logical components of the ForCES + architecture and their relationships. There are two kinds of + components inside a ForCES network element: control element (CE) and + forwarding element (FE). The framework allows multiple instances of + CE and FE inside one NE. Each FE contains one or more physical media + interfaces for receiving and transmitting packets from/to the + external world. The aggregation of these FE interfaces becomes the + NE's external interfaces. In addition to the external interfaces, + there must also exist some kind of interconnect within the NE so that + the CE and FE can communicate with each other, and one FE can forward + packets to another FE. The diagram also shows two entities outside + of the ForCES NE: CE Manager and FE Manager. These two ancillary + entities provide configuration to the corresponding CE or FE in the + pre-association phase (see Section 4.1). + + + + + +Yang, et al. Informational [Page 9] + +RFC 3746 ForCES Framework April 2004 + + + For convenience, the logical interactions between these components + are labeled by reference points Fp, Fc, Ff, Fr, Fl, and Fi, as shown + in Figure 4. The FE external interfaces are labeled as Fi/f. More + detail is provided in Section 3 and 4 for each of these reference + points. All these reference points are important in understanding + the ForCES architecture, however, the ForCES Protocol is only defined + over one reference point -- Fp. + + The interface between two ForCES NEs is identical to the interface + between two conventional routers and these two NEs exchange the + protocol packets through the external interfaces at Fi/f. ForCES NEs + connect to existing routers transparently. + +3.1. Control Elements and Fr Reference Point + + It is not necessary to define any protocols across the Fr reference + point to enable control and forwarding separation for simple + configurations like single CE and multiple FEs. However, this + architecture permits multiple CEs to be present in a network element. + In cases where an implementation uses multiple CEs, the invariant + that the CEs and FEs together appear as a single NE must be + maintained. + + Multiple CEs may be used for redundancy, load sharing, distributed + control, or other purposes. Redundancy is the case where one or more + CEs are prepared to take over should an active CE fail. Load sharing + is the case where two or more CEs are concurrently active and any + request that can be serviced by one of the CEs can also be serviced + by any of the other CEs. For both redundancy and load sharing, the + CEs involved are equivalently capable. The only difference between + these two cases is in terms of how many active CEs there are + simultaneously. Distributed control is the case where two or more + CEs are concurrently active but certain requests can only be serviced + by certain CEs. + + When multiple CEs are employed in a ForCES NE, their internal + organization is considered an implementation issue that is beyond the + scope of ForCES. CEs are wholly responsible for coordinating amongst + themselves via the Fr reference point to provide consistency and + synchronization. However, ForCES does not define the implementation + or protocols used between CEs, nor does it define how to distribute + functionality among CEs. Nevertheless, ForCES will support + mechanisms for CE redundancy or fail over, and it is expected that + vendors will provide redundancy or fail over solutions within this + framework. + + + + + + +Yang, et al. Informational [Page 10] + +RFC 3746 ForCES Framework April 2004 + + +3.2. Forwarding Elements and Fi reference point + + An FE is a logical entity that implements the ForCES Protocol and + uses the underlying hardware to provide per-packet processing and + handling as directed by a CE. It is possible to partition one + physical FE into multiple logical FEs. It is also possible for one + FE to use multiple physical FEs. The mapping between physical FE(s) + and logical FE(s) is beyond the scope of ForCES. For example, a + logical partition of a physical FE can be created by assigning some + portion of each of the resources (e.g., ports, memory, forwarding + table entries) available on the ForCES physical FE to each of the + logical FEs. Such a concept of FE virtualization is analogous to a + virtual switching element as described in [9]. If FE virtualization + occurs only in the pre-association phase, it has no impact on ForCES. + However, if FE virtualization results in a resource change taken from + an existing FE (already participating in ForCES post-association + phase), the ForCES Protocol needs to be able to inform the CE of such + a change via asynchronous messages (see [4], Section 5, requirement + #6). + + FEs perform all packet processing functions as directed by CEs. FEs + have no initiative of their own. Instead, FEs are slaves and only do + as they are told. FEs may communicate with one or more CEs + concurrently across reference point Fp. FEs have no notion of CE + redundancy, load sharing, or distributed control. Instead, FEs + accept commands from any CE authorized to control them, and it is up + to the CEs to coordinate among themselves to achieve redundancy, load + sharing, or distributed control. The idea is to keep FEs as simple + and dumb as possible so that FEs can focus their resources on the + packet processing functions. Unless otherwise configured or + determined by a ForCEs Protocol exchange, each FE will process + authorized incoming commands directed at it as it receives them on a + first come first serve basis. + + For example, in Figure 5, FE1 and FE2 can be configured to accept + commands from both the primary CE (CE1) and the backup CE (CE2). + Upon detection of CE1 failure, perhaps across the Fr or Fp reference + point, CE2 is configured to take over activities of CE1. This is + beyond the scope of ForCES and is not discussed further. + + Distributed control can be achieved in a similar fashion, without + much intelligence on the part of FEs. For example, FEs can be + configured to detect RSVP and BGP protocol packets, and forward RSVP + packets to one CE and BGP packets to another CE. Hence, FEs may need + to do packet filtering for forwarding packets to specific CEs. + + + + + + +Yang, et al. Informational [Page 11] + +RFC 3746 ForCES Framework April 2004 + + + ------- Fr ------- + | CE1 | ------| CE2 | + ------- ------- + | \ / | + | \ / | + | \ / | + | \/Fp | + | /\ | + | / \ | + | / \ | + ------- Fi ------- + | FE1 |<----->| FE2 | + ------- ------- + + Figure 5. CE redundancy example. + + This architecture permits multiple FEs to be present in an NE. [4] + dictates that the ForCES Protocol must be able to scale to at least + hundreds of FEs (see [4] Section 5, requirement #11). Each of these + FEs may potentially have a different set of packet processing + functions, with different media interfaces. FEs are responsible for + basic maintenance of layer-2 connectivity with other FEs and with + external entities. Many layer-2 media include sophisticated control + protocols. The FORCES Protocol (over the Fp reference point) will be + able to carry messages for such protocols so that, in keeping with + the dumb FE model, the CE can provide appropriate intelligence and + control over these media. + + When multiple FEs are present, ForCES requires that packets must be + able to arrive at the NE by one FE and leave the NE via a different + FE (See [4], Section 5, Requirement #3). Packets that enter the NE + via one FE and leave the NE via a different FE are transferred + between FEs across the Fi reference point. The Fi reference point + could be used by FEs to discover their (inter-FE) topology, perhaps + during the pre-association phase. The Fi reference point is a + separate protocol from the Fp reference point and is not currently + defined by the ForCES Protocol. + + FEs could be connected in different kinds of topologies and packet + processing may spread across several FEs in the topology. Hence, + logical packet flow may be different from physical FE topology. + Figure 6 provides some topology examples. When it is necessary to + forward packets between FEs, the CE needs to understand the FE + topology. The FE topology may be queried from the FEs by the CEs via + the ForCES Protocol, but the FEs are not required to provide that + information to the CEs. So, the FE topology information may also be + gathered by other means outside of the ForCES Protocol (like inter-FE + topology discovery protocol). + + + +Yang, et al. Informational [Page 12] + +RFC 3746 ForCES Framework April 2004 + + + ----------------- + | CE | + ----------------- + ^ ^ ^ + / | \ + / v \ + / ------- \ + / +->| FE3 |<-+ \ + / | | | | \ + v | ------- | v + ------- | | ------- + | FE1 |<-+ +->| FE2 | + | |<--------------->| | + ------- ------- + ^ | ^ | + | | | | + | v | v + + (a) Full mesh among FE1, FE2, and FE3 + + + ----------- + | CE | + ----------- + ^ ^ ^ ^ + / | | \ + /------ | | ------\ + v v v v + ------- ------- ------- ------- + | FE1 |<->| FE2 |<->| FE3 |<->| FE4 | + ------- ------- ------- ------- + ^ | ^ | ^ | ^ | + | | | | | | | | + | v | v | v | v + + (b) Multiple FEs in a daisy chain + + + + + + + + + + + + + + + +Yang, et al. Informational [Page 13] + +RFC 3746 ForCES Framework April 2004 + + + ^ | + | v + ----------- + | FE1 |<-----------------------| + ----------- | + ^ ^ | + / \ | + | ^ / \ ^ | V + v | v v | v ---------- + --------- --------- | | + | FE2 | | FE3 |<------------>| CE | + --------- --------- | | + ^ ^ ^ ---------- + | \ / ^ ^ + | \ / | | + | v v | | + | ----------- | | + | | FE4 |<----------------------| | + | ----------- | + | | ^ | + | v | | + | | + |----------------------------------------| + + (c) Multiple FEs connected by a ring + + Figure 6. Some examples of FE topology + +3.3. CE Managers + + CE managers are responsible for determining which FEs a CE should + control. It is legitimate for CE managers to be hard-coded with the + knowledge of with which FEs its CEs should communicate with. A CE + manager may also be physically embedded into a CE and be implemented + as a simple keypad or other direct configuration mechanism on the CE. + Finally, CE managers may be physically and logically separate + entities that configure the CE with FE information via such + mechanisms as COPS-PR [7] or SNMP [5]. + +3.4. FE Managers + + FE managers are responsible for determining with which CE any + particular FE should initially communicate. Like CE managers, no + restrictions are placed on how an FE manager decides with which CE + its FEs should communicate, nor are restrictions placed on how FE + managers are implemented. Each FE should have one and only one FE + + + + + +Yang, et al. Informational [Page 14] + +RFC 3746 ForCES Framework April 2004 + + + manager, while different FEs may have the same or different FE + manager(s). Each manager can choose to exist and operate + independently of other manager. + +4. Operational Phases + + Both FEs and CEs require some configuration to be in place before + they can start information exchange and function as a coherent + network element. Two operational phases are identified in this + framework: pre-association and post-association. + +4.1. Pre-association Phase + + The Pre-association phase is the period of time during which an FE + Manager and a CE Manager are determining whether an FE and a CE + should be part of the same network element. The protocols used + during this phase may include all or some of the message exchange + over Fl, Ff, and Fc reference points. However, all these may be + optional and none of this is within the scope of the ForCES Protocol. + +4.1.1. Fl Reference Point + + CE managers and FE managers may communicate across the Fl reference + point in the pre-association phase in order to determine whether an + individual CE and FE, or a set of CEs and FEs should be associated. + Communication across the Fl reference point is optional in this + architecture. No requirements are placed on this reference point. + + CE managers and FE managers may be operated by different entities. + The operator of the CE manager may not want to divulge, except to + specified FE managers, any characteristics of the CEs it manages. + Similarly, the operator of the FE manager may not want to divulge FE + characteristics, except to authorized entities. As such, CE managers + and FE managers may need to authenticate one another. Subsequent + communication between CE managers and FE managers may require other + security functions such as privacy, non-repudiation, freshness, and + integrity. + + + + + + + + + + + + + + +Yang, et al. Informational [Page 15] + +RFC 3746 ForCES Framework April 2004 + + + FE Manager FE CE Manager CE + | | | | + | | | | + |(security exchange) | | + 1|<------------------------------>| | + | | | | + |(a list of CEs and their attributes) | + 2|<-------------------------------| | + | | | | + |(a list of FEs and their attributes) | + 3|------------------------------->| | + | | | | + | | | | + |<----------------Fl------------>| | + + Figure 7. An example of a message exchange over the Fl reference + point + + Once the necessary security functions have been performed, the CE and + FE managers communicate to determine which CEs and FEs should + communicate with each other. At the very minimum, the CE and FE + managers need to learn of the existence of available FEs and CEs + respectively. This discovery process may entail one or both managers + learning the capabilities of the discovered ForCES protocol elements. + Figure 7 shows an example of a possible message exchange between the + CE manager and FE manager over the Fl reference point. + +4.1.2. Ff Reference Point + + The Ff reference point is used to inform forwarding elements of the + association decisions made by the FE manager in the pre-association + phase. Only authorized entities may instruct an FE with respect to + which CE should control it. Therefore, privacy, integrity, + freshness, and authentication are necessary between the FE manager + and FEs when the FE manager is remote to the FE. Once the + appropriate security has been established, the FE manager instructs + the FEs across this reference point to join a new NE or to disconnect + from an existing NE. The FE Manager could also assign unique FE + identifiers to the FEs using this reference point. The FE + identifiers are useful in the post association phase to express FE + topology. Figure 8 shows example of a message exchange over the Ff + reference point. + + + + + + + + + +Yang, et al. Informational [Page 16] + +RFC 3746 ForCES Framework April 2004 + + + FE Manager FE CE Manager CE + | | | | + | | | | + |(security exchange) |(security exchange) + 1|<------------>|authentication 1|<----------->|authentication + | | | | + |(FE ID, attributes) |(CE ID, attributes) + 2|<-------------|request 2|<------------|request + | | | | + 3|------------->|response 3|------------>|response + |(corresponding CE ID) |(corresponding FE ID) + | | | | + | | | | + |<-----Ff----->| |<-----Fc---->| + + Figure 8. Examples of a message exchange + over the Ff and Fc reference points + + Note that the FE manager function may be co-located with the FE (such + as by manual keypad entry of the CE IP address), in which case this + reference point is reduced to a built-in function. + +4.1.3. Fc Reference Point + + The Fc reference point is used to inform control elements of the + association decisions made by CE managers in the pre-association + phase. When the CE manager is remote, only authorized entities may + instruct a CE to control certain FEs. Privacy, integrity, freshness, + and authentication are also required across this reference point in + such a configuration. Once appropriate security has been + established, the CE manager instructs the CEs as to which FEs they + should control and how they should control them. Figure 8 shows + example of a message exchange over the Fc reference point. + + As with the FE manager and FEs, configurations are possible where the + CE manager and CE are co-located and no protocol is used for this + function. + +4.2. Post-association Phase and Fp reference point + + The Post-association phase is the period of time during which an FE + and CE have been configured with information necessary to contact + each other and includes both association establishment and steady- + state communication. The communication between CE and FE is + performed across the Fp ("p" meaning protocol) reference point. + ForCES Protocol is exclusively used for all communication across the + Fp reference point. + + + + +Yang, et al. Informational [Page 17] + +RFC 3746 ForCES Framework April 2004 + + +4.2.1. Proximity and Interconnect between CEs and FEs + + The ForCES Working Group has made a conscious decision that the first + version of ForCES will be focused on "very close" CE/FE localities in + IP networks. Very Close localities consist of control and forwarding + elements that are either components in the same physical box, or + separated at most by one local network hop ([8]). CEs and FEs can be + connected by a variety of interconnect technologies, including + Ethernet connections, backplanes, ATM (cell) fabrics, etc. ForCES + should be able to support each of these interconnects (see [4] + Section 5, requirement #1). When the CEs and FEs are separated + beyond a single L3 routing hop, the ForCES Protocol will make use of + an existing RFC 2914 [3] compliant L4 protocol with adequate + reliability, security, and congestion control (e.g., TCP, SCTP) for + transport purposes. + +4.2.2. Association Establishment + + FE CE + | | + |(Security exchange.) | + 1|<--------------------->| + | | + |(Let me join the NE please.) + 2|---------------------->| + | | + |(What kind of FE are you? -- capability query) + 3|<----------------------| + | | + |(Here is my FE functions/state: use model to + describe) + 4|---------------------->| + | | + |(Initial config for FE -- optional) + 5|<----------------------| + | | + |(I am ready to go. Shall I?) + 6|---------------------->| + | | + |(Go ahead!) | + 7|<----------------------| + | | + + Figure 9. Example of a message exchange between CE and FE + over Fp to establish an NE association + + + + + + +Yang, et al. Informational [Page 18] + +RFC 3746 ForCES Framework April 2004 + + + As an example, figure 9 shows some of the message exchange that may + happen before the association between the CE and FE is fully + established. Either the CE or FE can initiate the connection. + + Security handshake is necessary to authenticate the two communication + endpoints to each other before any further message exchange can + happen. The security handshake should include mutual authentication + and authorization between the CE and FE, but the exact details depend + on the security solution chosen by the ForCES Protocol. + Authorization can be as simple as checking against the list of + authorized end points provided by the FE or CE manager during the + pre-association phase. Both authentication and authorization must be + successful before the association can be established. If either + authentication or authorization fails, the end point must not be + allowed to join the NE. After the successful security handshake, + message authentication and confidentiality are still necessary for + the on-going information exchange between the CE and FE, unless some + form of physical security exists. Whenever a packet fails + authentication, it must be dropped and a notification may be sent to + alert the sender of the potential attack. Section 8 provides more + details on the security considerations for ForCES. + + After the successful security handshake, the FE needs to inform the + CE of its own capability and optionally its topology in relation to + other FEs. The capability of the FE shall be represented by the FE + model, as required in [4] (Section 6, requirement #1). The model + would allow an FE to describe what kind of packet processing + functions it contains, in what order the processing happens, what + kinds of configurable parameters it allows, what statistics it + collects, and what events it might throw, etc. Once such information + is available to the CE, the CE may choose to send some initial or + default configuration to the FE so that the FE can start receiving + and processing packets correctly. Such initialization may not be + necessary if the FE already obtains the information from its own + bootstrap process. Once the necessary initial information is + exchanged, the process of association is completed. Packet + processing and forwarding at the FE cannot begin until association is + established. After the association is established, the CE and FE + enter steady-state communication. + +4.2.3. Steady-state Communication + + Once an association is established between the CE and FE, the ForCES + Protocol is used by the CE and FE over the Fp reference point to + exchange information to facilitate packet processing. + + + + + + +Yang, et al. Informational [Page 19] + +RFC 3746 ForCES Framework April 2004 + + + FE CE + | | + |(Add these new routes.)| + 1|<----------------------| + | | + |(Successful.) | + 2|---------------------->| + | | + | | + |(Query some stats.) | + 1|<----------------------| + | | + |(Reply with stats collected.) + 2|---------------------->| + | | + | | + |(My port is down, with port #.) + 1|---------------------->| + | | + |(Here is a new forwarding table) + 2|<----------------------| + | | + + Figure 10. Examples of a message exchange between CE and FE + over Fp during steady-state communication + + Based on the information acquired through CEs' control processing, + CEs will frequently need to manipulate the packet-forwarding + behaviors of their FE(s) by sending instructions to FEs. For + example, Figure 10 shows message exchange examples in which the CE + sends new routes to the FE so that the FE can add them to its + forwarding table. The CE may query the FE for statistics collected + by the FE and the FE may notify the CE of important events such as + port failure. + + + + + + + + + + + + + + + + + +Yang, et al. Informational [Page 20] + +RFC 3746 ForCES Framework April 2004 + + +4.2.4. Data Packets across Fp reference point + + --------------------- ---------------------- + | | | | + | +--------+ | | +--------+ | + | |CE(BGP) | | | |CE(BGP) | | + | +--------+ | | +--------+ | + | | | | ^ | + | |Fp | | |Fp | + | v | | | | + | +--------+ | | +--------+ | + | | FE | | | | FE | | + | +--------+ | | +--------+ | + | | | | ^ | + | Router | | | Router | | + | A | | | B | | + ---------+----------- -----------+---------- + v ^ + | | + | | + ------------------->--------------- + + Figure 11. Example to show data packet flow between two NEs. + + Control plane protocol packets (such as RIP, OSPF messages) addressed + to any of NE's interfaces are typically redirected by the receiving + FE to its CE, and CE may originate packets and have its FE deliver + them to other NEs. Therefore, the ForCES Protocol over Fp not only + transports the ForCES Protocol messages between CEs and FEs, but also + encapsulates the data packets from control plane protocols. + Moreover, one FE may be controlled by multiple CEs for distributed + control. In this configuration, the control protocols supported by + the FORCES NEs may spread across multiple CEs. For example, one CE + may support routing protocols like OSPF and BGP, while a signaling + and admission control protocol like RSVP is supported in another CE. + FEs are configured to recognize and filter these protocol packets and + forward them to the corresponding CE. + + Figure 11 shows one example of how the BGP packets originated by + router A are passed to router B. In this example, the ForCES + Protocol is used to transport the packets from the CE to the FE + inside router A, and then from the FE to the CE inside router B. In + light of the fact that the ForCES Protocol is responsible for + transporting both the control messages and the data packets between + the CE and FE over the Fp reference point, it is possible to use + either a single protocol or multiple protocols. + + + + + +Yang, et al. Informational [Page 21] + +RFC 3746 ForCES Framework April 2004 + + +4.2.5. Proxy FE + + In the case where a physical FE cannot implement (e.g., due to the + lack of a general purpose CPU) the ForCES Protocol directly, a proxy + FE can be used to terminate the Fp reference point instead of the + physical FE. This allows the CE to communicate to the physical FE + via the proxy by using ForCES, while the proxy manipulates the + physical FE using some intermediary form of communication (e.g., a + non-ForCES protocol or DMA). In such an implementation, the + combination of the proxy and the physical FE becomes one logical FE + entity. It is also possible for one proxy to act on behalf of + multiple physical FEs. + + One needs to be aware of the security implication introduced by the + proxy FE. Since the physical FE is not capable of implementing + ForCES itself, the security mechanism of ForCES can only secure the + communication channel between the CE and the proxy FE, but not all + the way to the physical FE. It is recommended that other security + mechanisms (including physical security property) be employed to + ensure the security between the CE and the physical FE. + +4.3. Association Re-establishment + + FEs and CEs may join and leave NEs dynamically (see [4] Section 5, + requirements #12). When an FE or CE leaves the NE, the association + with the NE is broken. If the leaving party rejoins an NE later, to + re-establish the association, it may need to re-enter the pre- + association phase. Loss of association can also happen unexpectedly + due to a loss of connection between the CE and the FE. Therefore, + the framework allows the bi-directional transition between these two + phases, but the ForCES Protocol is only applicable for the post- + association phase. However, the protocol should provide mechanisms + to support association re-establishment. This includes the ability + for CEs and FEs to determine when there is a loss of association + between them, and to restore association and efficient state + (re)synchronization mechanisms (see [4] Section 5, requirement #7). + Note that security association and state must also be re-established + to guarantee the same level of security (including both + authentication and authorization) exists before and after the + association re-establishment. + + When an FE leaves or joins an existing NE that is already in + operation, the CE needs to be aware of the impact on FE topology and + deal with the change accordingly. + + + + + + + +Yang, et al. Informational [Page 22] + +RFC 3746 ForCES Framework April 2004 + + +4.3.1. CE graceful restart + + The failure and restart of the CE in a router can potentially cause + much stress and disruption on the control plane throughout a network + because in restarting a CE for any reason, the router loses routing + adjacencies or sessions with its routing neighbors. Neighbors who + detect the lost adjacency normally re-compute new routes and then + send routing updates to their own neighbors to communicate the lost + adjacency. Their neighbors do the same thing to propagate throughout + the network. In the meantime, the restarting router cannot receive + traffic from other routers because the neighbors have stopped using + the router's previously advertised routes. When the restarting + router restores adjacencies, neighbors must once again re-compute new + routes and send out additional routing updates. The restarting + router is unable to forward packets until it has re-established + routing adjacencies with neighbors, received route updates through + these adjacencies, and computed new routes. Until convergence takes + place throughout the network, packets may be lost in transient black + holes or forwarding loops. + + A high availability mechanism known as the "graceful restart" has + been used by the IP routing protocols (OSPF [11], BGP [12], IS-IS + [13]) and MPLS label distribution protocol (LDP [10]) to help + minimize the negative effects on routing throughout an entire network + caused by a restarting router. Route flap on neighboring routers is + avoided, and a restarting router can continue to forward packets that + would otherwise be dropped. + + While the details differ from protocol to protocol, the general idea + behind the graceful restart mechanism remains the same. With the + graceful restart, a restarting router can inform its neighbors when + it restarts. The neighbors may detect the lost adjacency but do not + recompute new routes or send routing updates to their neighbors. The + neighbors also hold on to the routes received from the restarting + router before restart and assume they are still valid for a limited + time. By doing so, the restarting router's FEs can also continue to + receive and forward traffic from other neighbors for a limited time + by using the routes they already have. The restarting router then + re-establishes routing adjacencies, downloads updated routes from all + its neighbors, recomputes new routes, and uses them to replace the + older routes it was using. It then sends these updated routes to its + neighbors and signals the completion of the graceful restart process. + + Non-stop forwarding is a requirement for graceful restart. It is + necessary so a router can continue to forward packets while it is + downloading routing information and recomputing new routes. This + ensures that packets will not be dropped. As one can see, one of the + benefits afforded by the separation of CE and FE is exactly the + + + +Yang, et al. Informational [Page 23] + +RFC 3746 ForCES Framework April 2004 + + + ability of non-stop forwarding in the face of the CE failure and + restart. The support of dynamic changes to CE/FE association in + ForCES also makes it compatible with high availability mechanisms, + such as graceful restart. + + ForCES should be able to support a CE graceful restart easily. When + the association is established the first time, the CE must inform the + FEs what to do in the case of a CE failure. If graceful restart is + not supported, the FEs may be told to stop packet processing all + together if its CE fails. If graceful restart is supported, the FEs + should be told to cache and hold on to its FE state, including the + forwarding tables across the restarts. A timer must be included so + that the timeout causes such a cached state to eventually expire. + Those timers should be settable by the CE. + +4.3.2. FE restart + + In the same example in Figure 5, assuming CE1 is the working CE for + the moment, what would happen if one of the FEs, say FE1, leaves the + NE temporarily? FE1 may voluntarily decide to leave the association. + Alternatively, FE1 may stop functioning simply due to unexpected + failure. In the former case, CE1 receives a "leave-association + request" from FE1. In the latter, CE1 detects the failure of FE1 by + some other means. In both cases, CE1 must inform the routing + protocols of such an event, most likely prompting a reachability and + SPF (Shortest Path First) recalculation and associated downloading of + new FIBs from CE1 to the other remaining FEs (only FE2 in this + example). Such recalculation and FIB updates will also be propagated + from CE1 to the NE's neighbors that are affected by the connectivity + of FE1. + + When FE1 decides to rejoin again, or when it restarts again after the + failure, FE1 needs to re-discover its master (CE). This can be + achieved by several means. It may re-enter the pre-association phase + and get that information from its FE manager. It may retrieve the + previous CE information from its cache, if it can validate the + information freshness. Once it discovers its CE, it starts message + exchange with the CE to re-establish the association, as outlined in + Figure 9, with the possible exception that it might be able to bypass + the transport of the complete initial configuration. Suppose that + FE1 still has its routing table and other state information from the + last association. Instead of re-sending all the information, it may + be able to use a more efficient mechanism to re-sync the state with + its CE, if such a mechanism is supported by the ForCES Protocol. For + example, CRC-32 of the state might give a quick indication of whether + or not the state is in-sync with its CE. By comparing its state with + the CE first, it sends an information update + + + + +Yang, et al. Informational [Page 24] + +RFC 3746 ForCES Framework April 2004 + + + only if it is needed. The ForCES Protocol may choose to implement + similar optimization mechanisms, but it may also choose not to, as + this is not a requirement. + +5. Applicability to RFC 1812 + + [4] Section 5, requirement #9 dictates "Any proposed ForCES + architecture must explain how that architecture supports all of the + router functions as defined in RFC 1812." RFC 1812 [2] discusses + many important requirements for IPv4 routers from the link layer to + the application layer. This section addresses the relevant + requirements in RFC 1812 for implementing IPv4 routers based on + ForCES architecture and explains how ForCES satisfies these + requirements by providing guidelines on how to separate the + functionalities required into the forwarding plane and control plane. + + In general, the forwarding plane carries out the bulk of the per- + packet processing that is required at line speed, while the control + plane carries most of the computationally complex operations that are + typical of the control and signaling protocols. However, it is + impossible to draw a rigid line to divide the processing into CEs and + FEs cleanly and the ForCES architecture should not limit the + innovative approaches in control and forwarding plane separation. As + more and more processing power is available in the FEs, some of the + control functions that traditionally are performed by CEs may now be + moved to FEs for better performance and scalability. Such offloaded + functions may include part of ICMP or TCP processing, or part of + routing protocols. Once off-loaded onto the forwarding plane, such + CE functions, even though logically belonging to the control plane, + now become part of the FE functions. Just like the other logical + functions performed by FEs, such off-loaded functions must be + expressed as part of the FE model so that the CEs can decide how to + best take advantage of these off-loaded functions when present on the + FEs. + +5.1. General Router Requirements + + Routers have at least two or more logical interfaces. When CEs and + FEs are separated by ForCES within a single NE, some additional + interfaces are needed for intra-NE communications, as illustrated in + figure 12. This NE contains one CE and two FEs. Each FE has four + interfaces; two of them are used for receiving and transmitting + packets to the external world, while the other two are for intra-NE + connections. CE has two logical interfaces #9 and #10, connected to + interfaces #3 and #6 from FE1 and FE2, respectively. Interface #4 + and #5 are connected for FE1-FE2 communication. Therefore, this + router NE provides four external interfaces (#1, 2, 7, and 8). + + + + +Yang, et al. Informational [Page 25] + +RFC 3746 ForCES Framework April 2004 + + + --------------------------------- + | router NE | + | ----------- ----------- | + | | FE1 | | FE2 | | + | ----------- ----------- | + | 1| 2| 3| 4| 5| 6| 7| 8| | + | | | | | | | | | | + | | | | +----+ | | | | + | | | | | | | | + | | | 9| 10| | | | + | | | -------------- | | | + | | | | CE | | | | + | | | -------------- | | | + | | | | | | + -----+--+----------------+--+---- + | | | | + | | | | + + Figure 12. A router NE example with four interfaces. + + IPv4 routers must implement IP to support its packet forwarding + function, which is driven by its FIB (Forwarding Information Base). + This Internet layer forwarding (see RFC 1812 [2] Section 5) + functionality naturally belongs to FEs in the ForCES architecture. + + A router may implement transport layer protocols (like TCP and UDP) + that are required to support application layer protocols (see RFC + 1812 [2] Section 6). One important class of application protocols is + routing protocols (see RFC 1812 [2] Section 7). In the ForCES + architecture, routing protocols are naturally implemented by CEs. + Routing protocols require that routers communicate with each other. + This communication between CEs in different routers is supported in + ForCES by FEs' ability to redirect data packets addressed to routers + (i.e., NEs), and the CEs' ability to originate packets and have them + delivered by their FEs. This communication occurs across the Fp + reference point inside each router and between neighboring routers' + external interfaces, as illustrated in Figure 11. + +5.2. Link Layer + + Since FEs own all the external interfaces for the router, FEs need to + conform to the link layer requirements in RFC 1812 [2]. Arguably, + ARP support may be implemented in either CEs or FEs. As we will see + later, a number of behaviors that RFC 1812 mandates fall into this + category -- they may be performed by the FE and may be performed by + the CE. A general guideline is needed to ensure interoperability + between separated control and forwarding planes. The guideline we + offer here is that CEs MUST be capable of these kinds of operations + + + +Yang, et al. Informational [Page 26] + +RFC 3746 ForCES Framework April 2004 + + + while FEs MAY choose to implement them. The FE model should indicate + its capabilities in this regard so that CEs can decide where these + functions are implemented. + + Interface parameters, including MTU, IP address, etc., must be + configurable by CEs via ForCES. CEs must be able to determine + whether a physical interface in an FE is available to send packets or + not. FEs must also inform CEs of the status change of the interfaces + (like link up/down) via ForCES. + +5.3. Internet Layer Protocols + + Both FEs and CEs must implement the IP protocol and all mandatory + extensions as RFC 1812 specified. CEs should implement IP options + like source route and record route while FEs may choose to implement + those as well. The timestamp option should be implemented by FEs to + insert the timestamp most accurately. The FE must interpret the IP + options that it understands and preserve the rest unchanged for use + by CEs. Both FEs and CEs might choose to silently discard packets + without sending ICMP errors, but such events should be logged and + counted. FEs may report statistics for such events to CEs via + ForCES. + + When multiple FEs are involved to process packets, the appearance of + a single NE must be strictly maintained. For example, Time-To-Live + (TTL) must be decremented only once within a single NE. For example, + it can be always decremented by the last FE with egress function. + + FEs must receive and process normally any packets with a broadcast + destination address or a multicast destination address that the + router has asked to receive. When IP multicast is supported in + routers, IGMP is implemented in CEs. CEs are also required of ICMP + support, while it is optional for FEs to support ICMP. Such an + option can be communicated to CEs as part of the FE model. Therefore, + FEs can always rely upon CEs to send out ICMP error messages, but FEs + also have the option of generating ICMP error messages themselves. + +5.4. Internet Layer Forwarding + + IP forwarding is implemented by FEs. When the routing table is + updated at the CEs, ForCES is used to send the new route entries from + the CEs to FEs. Each FE has its own forwarding table and uses this + table to direct packets to the next hop interface. + + Upon receiving IP packets, the FE verifies the IP header and + processes most of the IP options. Some options cannot be processed + until the routing decision has been made. The routing decision is + made after examining the destination IP address. If the destination + + + +Yang, et al. Informational [Page 27] + +RFC 3746 ForCES Framework April 2004 + + + address belongs to the router itself, the packets are filtered and + either processed locally or forwarded to the CE, depending upon the + instructions set-up by the CE. Otherwise, the FE determines the next + hop IP address by looking in its forwarding table. The FE also + determines the network interface it uses to send the packets. + Sometimes an FE may need to forward the packets to another FE before + packets can be forwarded out to the next hop. Right before packets + are forwarded out to the next hop, the FE decrements TTL by 1 and + processes any IP options that could not be processed before. The FE + performs IP fragmentation if necessary, determines the link layer + address (e.g., by ARP), and encapsulates the IP datagram (or each of + the fragments thereof) in an appropriate link layer frame and queues + it for output on the interface selected. + + Other options mentioned in RFC 1812 [2] for IP forwarding may also be + implemented at FEs, for example, packet filtering. + + FEs typically forward packets destined locally to CEs. FEs may also + forward exceptional packets (packets that FEs do not know how to + handle) to CEs. CEs are required to handle packets forwarded by FEs + for whatever reason. It might be necessary for ForCES to attach some + meta-data with the packets to indicate the reasons of forwarding from + FEs to CEs. Upon receiving packets with meta-data from FEs, CEs can + decide to either process the packets themselves, or pass the packets + to the upper layer protocols including routing and management + protocols. If CEs are to process the packets by themselves, CEs may + choose to discard the packets, or modify and re-send the packets. + CEs may also originate new packets and deliver them to FEs for + further forwarding. + + Any state change during router operation must also be handled + correctly according to RFC 1812. For example, when an FE ceases + forwarding, the entire NE may continue forwarding packets, but it + needs to stop advertising routes that are affected by the failed FE. + +5.5. Transport Layer + + The Transport layer is typically implemented at CEs to support higher + layer application protocols like routing protocols. In practice, + this means that most CEs implement both the Transmission Control + Protocol (TCP) and the User Datagram Protocol (UDP). + + Both CEs and FEs need to implement the ForCES Protocol. If some + layer-4 transport is used to support ForCES, then both CEs and FEs + need to implement the L4 transport and ForCES Protocols. + + + + + + +Yang, et al. Informational [Page 28] + +RFC 3746 ForCES Framework April 2004 + + +5.6. Application Layer -- Routing Protocols + + Interior and exterior routing protocols are implemented on CEs. The + routing packets originated by CEs are forwarded to FEs for delivery. + The results of such protocols (like forwarding table updates) are + communicated to FEs via ForCES. + + For performance or scalability reasons, portions of the control plane + functions that need faster response may be moved from the CEs and + off-loaded onto the FEs. For example, in OSPF, the Hello protocol + packets are generated and processed periodically. When done at the + CEs, the inbound Hello packets have to traverse from the external + interfaces at the FEs to the CEs via the internal CE-FE channel. + Similarly, the outbound Hello packets have to go from the CEs to the + FEs and to the external interfaces. Frequent Hello updates place + heavy processing overhead on the CEs and can overwhelm the CE-FE + channel as well. Since typically there are far more FEs than CEs in + a router, the off-loaded Hello packets are processed in a much more + distributed and scalable fashion. By expressing such off-loaded + functions in the FE model, we can ensure interoperability. However, + the exact description of the off-loaded functionality corresponding + to the off-loaded functions expressed in the FE model are not part of + the model itself and will need to be worked out as a separate + specification. + +5.7. Application Layer -- Network Management Protocol + + RFC 1812 [2] also dictates that "Routers MUST be manageable by SNMP". + In general, for the post-association phase, most external management + tasks (including SNMP) should be done through interaction with the CE + in order to support the appearance of a single functional device. + Therefore, it is recommended that an SNMP agent be implemented by CEs + and that the SNMP messages received by FEs be redirected to their + CEs. AgentX framework defined in RFC 2741 ([6]) may be applied here + such that CEs act in the role of master agent to process SNMP + protocol messages while FEs act in the role of subagent to provide + access to the MIB objects residing on FEs. AgentX protocol messages + between the master agent (CE) and the subagent (FE) are encapsulated + and transported via ForCES, just like data packets from any other + application layer protocols. + +6. Summary + + This document defines an architectural framework for ForCES. It + identifies the relevant components for a ForCES network element, + including (one or more) FEs, (one or more) CEs, one optional FE + manager, and one optional CE manager. It also identifies the + interaction among these components and discusses all the major + + + +Yang, et al. Informational [Page 29] + +RFC 3746 ForCES Framework April 2004 + + + reference points. It is important to point out that, among all the + reference points, only the Fp interface between CEs and FEs is within + the scope of ForCES. ForCES alone may not be enough to support all + desirable NE configurations. However, we believe that ForCES over an + Fp interface is the most important element in realizing physical + separation and interoperability of CEs and FEs, and hence the first + interface that ought to be standardized. Simple and useful + configurations can still be implemented with only CE-FE interface + being standardized, e.g., single CE with full-meshed FEs. + +7. Acknowledgements + + Joel M. Halpern gave us many insightful comments and suggestions and + pointed out several major issues. T. Sridhar suggested that the + AgentX protocol could be used with SNMP to manage the ForCES network + elements. Susan Hares pointed out the issue of graceful restart with + ForCES. Russ Housley, Avri Doria, Jamal Hadi Salim, and many others + in the ForCES mailing list also provided valuable feedback. + +8. Security Considerations + + The NE administrator has the freedom to determine the exact security + configuration that is needed for the specific deployment. For + example, ForCES may be deployed between CEs and FEs connected to each + other inside a box over a backplane. In such a scenario, physical + security of the box ensures that most of the attacks, such as man- + in-the-middle, snooping, and impersonation, are not possible, and + hence the ForCES architecture may rely on the physical security of + the box to defend against these attacks and protocol mechanisms may + be turned off. However, it is also shown that denial of service + attacks via external interfaces as described below in Section 8.1.8 + is still a potential threat, even for such an "all-in-one-box" + deployment scenario and hence the rate limiting mechanism is still + necessary. This is just one example to show that it is important to + assess the security needs of the ForCES-enabled network elements + under different deployment scenarios. It should be possible for the + administrator to configure the level of security needed for the + ForCES Protocol. + + In general, the physical separation of two entities usually results + in a potentially insecure link between the two entities and hence + much stricter security measurements are required. For example, we + pointed out in Section 4.1 that authentication becomes necessary + between the CE manager and FE manager, between the CE and CE manager, + and between the FE and FE manager in some configurations. The + physical separation of the CE and FE also imposes serious security + requirements for the ForCES Protocol over the Fp interface. This + section first attempts to describe the security threats that may be + + + +Yang, et al. Informational [Page 30] + +RFC 3746 ForCES Framework April 2004 + + + introduced by the physical separation of the FEs and CEs, and then it + provides recommendations and guidelines for the secure operation and + management of the ForCES Protocol over the Fp interface based on + existing standard security solutions. + +8.1. Analysis of Potential Threats Introduced by ForCES + + This section provides the threat analysis for ForCES, with a focus on + the Fp interface. Each threat is described in detail with the + effects on the ForCES Protocol entities or/and the NE as a whole, and + the required functionalities that need to be in place to defend the + threat. + +8.1.1. "Join" or "Remove" Message Flooding on CEs + + Threats: A malicious node could send a stream of false "join NE" or + "remove from NE" requests on behalf of a non-existent or unauthorized + FE to legitimate CEs at a very rapid rate, and thereby creating + unnecessary state in the CEs. + + Effects: If maintaining state for non-existent or unauthorized FEs, a + CE may become unavailable for other processing and hence suffer from + a denial of service (DoS) attack similar to the TCP SYN DoS. If + multiple CEs are used, the unnecessary state information may also be + conveyed to multiple CEs via the Fr interface (e.g., from the active + CE to the stand-by CE) and hence subject multiple CEs to a DoS + attack. + + Requirement: A CE that receives a "join" or "remove" request should + not create any state information until it has authenticated the FE + endpoint. + +8.1.2. Impersonation Attack + + Threats: A malicious node can impersonate a CE or FE and send out + false messages. + + Effects: The whole NE could be compromised. + + Requirement: The CE or FE must authenticate the message as having + come from an FE or CE on the list of the authorized ForCES elements + (provided by the CE or FE Manager in the pre-association phase) + before accepting and processing it. + +8.1.3. Replay Attack + + Threat: A malicious node could replay the entire message previously + sent by an FE or CE entity to get around authentication. + + + +Yang, et al. Informational [Page 31] + +RFC 3746 ForCES Framework April 2004 + + + Effect: The NE could be compromised. + + Requirement: A replay protection mechanism needs to be part of the + security solution to defend against this attack. + +8.1.4. Attack during Fail Over + + Threat: A malicious node may exploit the CE fail-over mechanism to + take over the control of NE. For example, suppose two CEs, say CE-A + and CE-B, are controlling several FEs. CE-A is active and CE-B is + stand-by. When CE-A fails, CE-B is taking over the active CE + position. The FEs already had a trusted relationship with CE-A, but + the FEs may not have the same trusted relationship established with + CE-B prior to the fail-over. A malicious node can take over as CE-B + if such a trusted relationship has not been established prior to or + during the fail-over. + + Effect: The NE may be compromised after such insecure fail-over. + + Requirement: The level of trust between the stand-by CE and the FEs + must be as strong as the one between the active CE and the FEs. The + security association between the FEs and the stand-by CE may be + established prior to fail-over. If not already in place, such + security association must be re-established before the stand-by CE + takes over. + +8.1.5. Data Integrity + + Threats: A malicious node may inject false messages to a legitimate + CE or FE. + + Effect: An FE or CE receives the fabricated packet and performs an + incorrect or catastrophic operation. + + Requirement: Protocol messages require integrity protection. + +8.1.6. Data Confidentiality + + Threat: When FE and CE are physically separated, a malicious node may + eavesdrop the messages in transit. Some of the messages are critical + to the functioning of the whole network, while others may contain + confidential business data. Leaking of such information may result + in compromise even beyond the immediate CE or FE. + + Effect: Sensitive information might be exposed between the CE and FE. + + Requirement: Data confidentiality between the FE and CE must be + available for sensitive information. + + + +Yang, et al. Informational [Page 32] + +RFC 3746 ForCES Framework April 2004 + + +8.1.7. Sharing security parameters + + Threat: Consider a scenario where several FEs are communicating to + the same CE and sharing the same authentication keys for the Fp + interface. If any FE or CE is compromised, all other entities are + compromised. + + Effect: The whole NE is compromised. + + Recommendation: To avoid this side effect, it's better to configure + different security parameters for each FE-CE communication over the + Fp interface. + +8.1.8. Denial of Service Attack via External Interface + + Threat: When an FE receives a packet that is destined for its CE, the + FE forwards the packet over the Fp interface. A malicious node can + generate a huge message storm like routing protocol packets etc. + through the external Fi/f interface so that the FE has to process and + forward all packets to the CE through the Fp interface. + + Effect: The CE encounters resource exhaustion and bandwidth + starvation on Fp interface due to an overwhelming number of packets + from FEs. + + Requirement: Some sort of rate limiting mechanism MUST be in place at + both the FE and CE. The Rate Limiter SHOULD be configured at the FE + for each message type being received through the Fi/f interface. + +8.2. Security Recommendations for ForCES + + The requirements document [4] suggested that the ForCES Protocol + should support reliability over the Fp interface, but no particular + transport protocol is yet specified for ForCES. This framework + document does not intend to specify the particular transport either, + and so we only provide recommendations and guidelines based on the + existing standard security protocols [18] that can work with the + common transport candidates suitable for ForCES. + + We review two existing security protocol solutions, namely IPsec (IP + Security) [15] and TLS (Transport Layer Security) [14]. TLS works + with reliable transports such as TCP or SCTP for unicast, while IPsec + can be used with any transport (UDP, TCP, SCTP) and supports both + unicast and multicast. Both TLS and IPsec can be used potentially to + satisfy all of the security requirements for the ForCES Protocol. In + addition, other approaches that satisfy the requirements can be used + as well, but are not documented here, including the use of L2 + security mechanisms for a given L2 interconnect technology. + + + +Yang, et al. Informational [Page 33] + +RFC 3746 ForCES Framework April 2004 + + + When ForCES is deployed between CEs and FEs inside a box or a + physically secured room, authentication, confidentiality, and + integrity may be provided by the physical security of the box. Thus, + the security mechanisms may be turned off, depending on the + networking topology and its administration policy. However, it is + important to realize that even if the NE is in a single-box, the DoS + attacks as described in Section 8.1.8 can still be launched through + the Fi/f interfaces. Therefore, it is important to have the + corresponding counter-measurement in place, even for single-box + deployment. + +8.2.1. Using TLS with ForCES + + TLS [14] can be used if a reliable unicast transport such as TCP or + SCTP is used for ForCES over the Fp interface. The TLS handshake + protocol is used during the association establishment or re- + establishment phase to negotiate a TLS session between the CE and FE. + Once the session is in place, the TLS record protocol is used to + secure ForCES communication messages between the CE and FE. + + A basic outline of how TLS can be used with ForCES is described + below. Steps 1) through 7) complete the security handshake as + illustrated in Figure 9, while step 8) is for all further + communication between the CE and FE, including the rest of the + messages after the security handshake shown in Figure 9 and the + steady-state communication shown in Figure 10. + + 1) During the Pre-association phase, all FEs are configured with the + CEs (including both the active CE and the standby CE). + + 2) The FE establishes a TLS connection with the CE (master) and + negotiates a cipher suite. + + 3) The FE (slave) gets the CE certificate, validates the signature, + checks the expiration date, and checks whether the certificate has + been revoked. + + 4) The CE (master) gets the FE certificate and performs the same + validation as the FE in step 3). + + 5) If any of the checks fail in step 3) or step 4), the endpoint must + generate an error message and abort. + + 6) After successful mutual authentication, a TLS session is + established between the CE and FE. + + 7) The FE sends a "join NE" message to the CE. + + + + +Yang, et al. Informational [Page 34] + +RFC 3746 ForCES Framework April 2004 + + + 8) The FE and CE use the TLS session for further communication. + + Note that there are different ways for the CE and FE to validate a + received certificate. One way is to configure the FE Manager or CE + Manager or other central component as CA, so that the CE or FE can + query this pre-configured CA to validate that the certificate has not + been revoked. Another way is to have the CE and FE directly + configure a list of valid certificates in the pre-association phase. + + In the case of fail-over, it is the responsibility of the active CE + and the standby CE to synchronize ForCES states, including the TLS + states to minimize the state re-establishment during fail-over. Care + must be taken to ensure that the standby CE is also authenticated in + the same way as the active CE, either before or during the fail-over. + +8.2.2. Using IPsec with ForCES + + IPsec [15] can be used with any transport protocol, such as UDP, + SCTP, and TCP, over the Fp interface for ForCES. When using IPsec, + we recommend using ESP in the transport mode for ForCES because + message confidentiality is required for ForCES. + + IPsec can be used with both manual and automated SA and cryptographic + key management. But IPsec's replay protection mechanisms are not + available if manual key management is used. Hence, automatic key + management is recommended if replay protection is deemed important. + Otherwise, manual key management might be sufficient for some + deployment scenarios, especially when the number of CEs and FEs is + relatively small. It is recommended that the keys be changed + periodically, even for manual key management. + + IPsec can support both unicast and multicast transport. At the time + this document was published, the MSEC working group was actively + working on standardizing protocols to provide multicast security + [17]. Multicast-based solutions relying on IPsec should specify how + to meet the security requirements in [4]. + + Unlike TLS, IPsec provides security services between the CE and FE at + IP level, so the security handshake, as illustrated in Figure 9 + amounts to a "no-op" when manual key management is used. The + following outlines the steps taken for ForCES in such a case. + + 1) During the Pre-association phase, all the FEs are configured with + CEs (including the active CE and standby CE) and SA parameters + manually. + + + + + + +Yang, et al. Informational [Page 35] + +RFC 3746 ForCES Framework April 2004 + + + 2) The FE sends a "join NE" message to the CE. This message and all + others that follow are afforded security service according to the + manually configured IPsec SA parameters, but replay protection is + not available. + + It is up to the administrator to decide whether to share the same key + across multiple FE-CE communication, but it is recommended that + different keys be used. Similarly, it is recommended that different + keys be used for inbound and outbound traffic. + + If automatic key management is needed, IKE [16] can be used for that + purpose. Other automatic key distribution techniques, such as + Kerberos, may be used as well. The key exchange process constitutes + the security handshake as illustrated in Figure 9. The following + shows the steps involved in using IKE with IPsec for ForCES. Steps + 1) to 6) constitute the security handshake in Figure 9. + + 1) During the Pre-association phase, all FEs are configured with the + CEs (including active CE and standby CE), IPsec policy etc. + + 2) The FE kicks off the IKE process and tries to establish an IPsec + SA with the CE (master). The FE (Slave) gets the CE certificate + as part of the IKE negotiation. The FE validates the signature, + checks the expiration date, and checks whether the certificate has + been revoked. + + 3) The CE (master) gets the FE certificate and performs the same + check as the FE in step 2). + + 4) If any of the checks fail in step 2) or step 3), the endpoint must + generate an error message and abort. + + 5) After successful mutual authentication, the IPsec session is + established between the CE and FE. + + 6) The FE sends a "join NE" message to the CE. No SADB entry is + created in FE yet. + + 7) The FE and CE use the IPsec session for further communication. + + The FE Manager, CE Manager, or other central component can be used as + a CA for validating CE and FE certificates during the IKE process. + Alternatively, during the pre-association phase, the CE and FE can be + configured directly with the required information, such as + certificates or passwords etc., depending upon the type of + authentication that administrator wants to configure. + + + + + +Yang, et al. Informational [Page 36] + +RFC 3746 ForCES Framework April 2004 + + + In the case of fail-over, it is the responsibility of the active CE + and standby CE to synchronize ForCES states and IPsec states to + minimize the state re-establishment during fail-over. Alternatively, + the FE needs to establish a different IPsec SA during the startup + operation itself with each CE. This will minimize the periodic state + transfer across the IPsec layer though the Fr (CE-CE) Interface. + +9. References + +9.1. Normative References + + [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [2] Baker, F., Ed., "Requirements for IP Version 4 Routers", RFC + 1812, June 1995. + + [3] Floyd, S., "Congestion Control Principles", BCP 41, RFC 2914, + September 2000. + + [4] Khosravi, H. and Anderson, T., Eds., "Requirements for + Separation of IP Control and Forwarding", RFC 3654, November + 2003. + +9.2. Informative References + + [5] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction + and Applicability Statements for Internet Standard Management + Framework", RFC 3410, December 2002. + + [6] Daniele, M., Wijnen, B., Ellison, M. and D. Francisco, "Agent + Extensibility (AgentX) Protocol Version 1", RFC 2741, January + 2000. + + [7] Chan, K., Seligson, J., Durham, D., Gai, S., McCloghrie, K., + Herzog, S., Reichmeyer, F., Yavatkar, R. and A. Smith, "COPS + Usage for Policy Provisioning (COPS-PR)", RFC 3084, March 2001. + + [8] Crouch, A. et al., "ForCES Applicability Statement", Work in + Progress. + + [9] Anderson, T. and J. Buerkle, "Requirements for the Dynamic + Partitioning of Switching Elements", RFC 3532, May 2003. + + [10] Leelanivas, M., Rekhter, Y. and R. Aggarwal, "Graceful Restart + Mechanism for Label Distribution Protocol", RFC 3478, February + 2003. + + + + +Yang, et al. Informational [Page 37] + +RFC 3746 ForCES Framework April 2004 + + + [11] Moy, J., Pillay-Esnault, P. and A. Lindem, "Graceful OSPF + Restart", RFC 3623, November 2003. + + [12] Sangli, S. et al., "Graceful Restart Mechanism for BGP", Work in + Progress. + + [13] Shand, M. and L. Ginsberg, "Restart Signaling for IS-IS", Work + in Progress. + + [14] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC + 2246, January 1999. + + [15] Kent, S. and R. Atkinson, "Security Architecture for the + Internet Protocol", RFC 2401, November 1998. + + [16] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", + RFC 2409, November 1998. + + [17] Hardjono, T. and Weis, B. "The Multicast Group Security + Architecture", RFC 3740, March 2004. + + [18] Bellovin, S., Schiller, J. and C. Kaufman, Eds., "Security + Mechanisms for the Internet", RFC 3631, December 2003. + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Yang, et al. Informational [Page 38] + +RFC 3746 ForCES Framework April 2004 + + +10. Authors' Addresses + + L. Lily Yang + Intel Corp., MS JF3-206, + 2111 NE 25th Avenue + Hillsboro, OR 97124, USA + + Phone: +1 503 264 8813 + EMail: lily.l.yang@intel.com + + Ram Dantu + Department of Computer Science, + University of North Texas, + Denton, TX 76203, USA + + Phone: +1 940 565 2822 + EMail: rdantu@unt.edu + + Todd A. Anderson + Intel Corp. + 2111 NE 25th Avenue + Hillsboro, OR 97124, USA + + Phone: +1 503 712 1760 + EMail: todd.a.anderson@intel.com + + Ram Gopal + Nokia Research Center + 5, Wayside Road, + Burlington, MA 01803, USA + + Phone: +1 781 993 3685 + EMail: ram.gopal@nokia.com + + + + + + + + + + + + + + + + + + +Yang, et al. Informational [Page 39] + +RFC 3746 ForCES Framework April 2004 + + +11. Full Copyright Statement + + Copyright (C) The Internet Society (2004). This document is subject + to the rights, licenses and restrictions contained in BCP 78, and + except as set forth therein, the authors retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE + REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE + INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed + to pertain to the implementation or use of the technology + described in this document or the extent to which any license + under such rights might or might not be available; nor does it + represent that it has made any independent effort to identify any + such rights. Information on the procedures with respect to + rights in RFC documents can be found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use + of such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository + at http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention + any copyrights, patents or patent applications, or other + proprietary rights that may cover technology that may be required + to implement this standard. Please address the information to the + IETF at ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + +Yang, et al. Informational [Page 40] + -- cgit v1.2.3