1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
|
Network Working Group L. Yang
Request for Comments: 3746 Intel Corp.
Category: Informational R. Dantu
Univ. of North Texas
T. Anderson
Intel Corp.
R. Gopal
Nokia
April 2004
Forwarding and Control Element Separation (ForCES) Framework
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document defines the architectural framework for the ForCES
(Forwarding and Control Element Separation) network elements, and
identifies the associated entities and their interactions.
Table of Contents
1. Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions used in this document . . . . . . . . . . . . 2
1.2. Terminologies . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction to Forwarding and Control Element Separation
(ForCES) . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. Control Elements and Fr Reference Point . . . . . . . . . 10
3.2. Forwarding Elements and Fi reference point. . . . . . . . 11
3.3. CE Managers . . . . . . . . . . . . . . . . . . . . . . . 14
3.4. FE Managers . . . . . . . . . . . . . . . . . . . . . . . 14
4. Operational Phases . . . . . . . . . . . . . . . . . . . . . . 15
4.1. Pre-association Phase . . . . . . . . . . . . . . . . . . 15
4.1.1. Fl Reference Point . . . . . . . . . . . . . . . . 15
4.1.2. Ff Reference Point . . . . . . . . . . . . . . . . 16
4.1.3. Fc Reference Point . . . . . . . . . . . . . . . . 17
4.2. Post-association Phase and Fp reference point . . . . . . 17
4.2.1. Proximity and Interconnect between CEs and FEs . . 18
Yang, et al. Informational [Page 1]
^L
RFC 3746 ForCES Framework April 2004
4.2.2. Association Establishment. . . . . . . . . . . . . 18
4.2.3. Steady-state Communication . . . . . . . . . . . . 19
4.2.4. Data Packets across Fp reference point . . . . . . 21
4.2.5. Proxy FE . . . . . . . . . . . . . . . . . . . . . 22
4.3. Association Re-establishment. . . . . . . . . . . . . . . 22
4.3.1. CE graceful restart. . . . . . . . . . . . . . . . 23
4.3.2. FE restart . . . . . . . . . . . . . . . . . . . . 24
5. Applicability to RFC 1812. . . . . . . . . . . . . . . . . . . 25
5.1. General Router Requirements . . . . . . . . . . . . . . . 25
5.2. Link Layer. . . . . . . . . . . . . . . . . . . . . . . . 26
5.3. Internet Layer Protocols. . . . . . . . . . . . . . . . . 27
5.4. Internet Layer Forwarding . . . . . . . . . . . . . . . . 27
5.5. Transport Layer . . . . . . . . . . . . . . . . . . . . . 28
5.6. Application Layer -- Routing Protocols. . . . . . . . . . 29
5.7. Application Layer -- Network Management Protocol. . . . . 29
6. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30
8. Security Considerations. . . . . . . . . . . . . . . . . . . . 30
8.1. Analysis of Potential Threats Introduced by ForCES. . . . 31
8.1.1. "Join" or "Remove" Message Flooding on CEs . . . . 31
8.1.2. Impersonation Attack . . . . . . . . . . . . . . . 31
8.1.3. Replay Attack. . . . . . . . . . . . . . . . . . . 31
8.1.4. Attack during Fail Over. . . . . . . . . . . . . . 32
8.1.5. Data Integrity . . . . . . . . . . . . . . . . . . 32
8.1.6. Data Confidentiality . . . . . . . . . . . . . . . 32
8.1.7. Sharing security parameters. . . . . . . . . . . . 33
8.1.8. Denial of Service Attack via External Interface. . 33
8.2. Security Recommendations for ForCES . . . . . . . . . . . 33
8.2.1. Using TLS with ForCES. . . . . . . . . . . . . . . 34
8.2.2. Using IPsec with ForCES. . . . . . . . . . . . . . 35
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 37
9.1. Normative References. . . . . . . . . . . . . . . . . . . 37
9.2. Informative References. . . . . . . . . . . . . . . . . . 37
10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 39
11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 40
1. Definitions
1.1. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119 [1].
Yang, et al. Informational [Page 2]
^L
RFC 3746 ForCES Framework April 2004
1.2. Terminologies
A set of terminology associated with the ForCES requirements is
defined in [4] and we only include the definitions that are most
relevant to this document here.
Addressable Entity (AE) - An entity that is directly addressable
given some interconnect technology. For example, on IP networks, it
is a device to which we can communicate using an IP address; on a
switch fabric, it is a device to which we can communicate using a
switch fabric port number.
Physical Forwarding Element (PFE) - An AE that includes hardware used
to provide per-packet processing and handling. This hardware may
consist of (but is not limited to) network processors, ASICs
(Application-Specific Integrated Circuits), or general purpose
processors, installed on line cards, daughter boards, mezzanine
cards, or in stand-alone boxes.
PFE Partition - A logical partition of a PFE consisting of some
subset of each of the resources (e.g., ports, memory, forwarding
table entries) available on the PFE. This concept is analogous to
that of the resources assigned to a virtual switching element as
described in [9].
Physical Control Element (PCE) - An AE that includes hardware used to
provide control functionality. This hardware typically includes a
general purpose processor.
PCE Partition - A logical partition of a PCE consisting of some
subset of each of the resources available on the PCE.
Forwarding Element (FE) - A logical entity that implements the ForCES
Protocol. FEs use the underlying hardware to provide per-packet
processing and handling as directed by a CE via the ForCES Protocol.
FEs may happen to be a single blade (or PFE), a partition of a PFE,
or multiple PFEs.
Control Element (CE) - A logical entity that implements the ForCES
Protocol and uses it to instruct one or more FEs on how to process
packets. CEs handle functionality such as the execution of control
and signaling protocols. CEs may consist of PCE partitions or whole
PCEs.
ForCES Network Element (NE) - An entity composed of one or more CEs
and one or more FEs. An NE usually hides its internal organization
from external entities and represents a single point of management to
entities outside the NE.
Yang, et al. Informational [Page 3]
^L
RFC 3746 ForCES Framework April 2004
Pre-association Phase - The period of time during which an FE Manager
(see below) and a CE Manager (see below) are determining whether an
FE and a CE should be part of the same network element. It is
possible for some elements of the NE to be in pre-association phase
while other elements are in the post-association phase.
Post-association Phase - The period of time during which an FE knows
which CE is to control it and vice versa, including the time during
which the CE and FE are establishing communication with one another.
ForCES Protocol - While there may be multiple protocols used within
the overall ForCES architecture, the term "ForCES Protocol" refers
only to the ForCES post-association phase protocol (see below).
ForCES Post-Association Phase Protocol - The protocol used for post-
association phase communication between CEs and FEs. This protocol
does not apply to CE-to-CE communication, FE-to-FE communication, or
to communication between FE and CE managers. The ForCES Protocol is
a master-slave protocol in which FEs are slaves and CEs are masters.
This protocol includes both the management of the communication
channel (e.g., connection establishment, heartbeats) and the control
messages themselves. This protocol could be a single protocol or
could consist of multiple protocols working together, and may be
unicast or multicast based. A separate protocol document will
specify this information.
FE Manager - A logical entity that operates in the pre-association
phase and is responsible for determining to which CE(s) an FE should
communicate. This process is called CE discovery and may involve the
FE manager learning the capabilities of available CEs. An FE manager
may use anything from a static configuration to a pre-association
phase protocol (see below) to determine which CE(s) to use; however,
this is currently out of scope. Being a logical entity, an FE
manager might be physically combined with any of the other logical
entities mentioned in this section.
CE Manager - A logical entity that operates in the pre-association
phase and is responsible for determining to which FE(s) a CE should
communicate. This process is called FE discovery and may involve the
CE manager learning the capabilities of available FEs. A CE manager
may use anything from a static configuration to a pre-association
phase protocol (see below) to determine which FE to use; however,
this is currently out of scope. Being a logical entity, a CE manager
might be physically combined with any of the other logical entities
mentioned in this section.
Yang, et al. Informational [Page 4]
^L
RFC 3746 ForCES Framework April 2004
Pre-association Phase Protocol - A protocol between FE managers and
CE managers that is used to determine which CEs or FEs to use. A
pre-association phase protocol may include a CE and/or FE capability
discovery mechanism. Note that this capability discovery process is
wholly separate from (and does not replace) that used within the
ForCES Protocol. However, the two capability discovery mechanisms
may utilize the same FE model.
FE Model - A model that describes the logical processing functions of
an FE.
ForCES Protocol Element - An FE or CE.
Intra-FE topology - Representation of how a single FE is realized by
combining possibly multiple logical functional blocks along multiple
data paths. This is defined by the FE model.
FE Topology - Representation of how the multiple FEs in a single NE
are interconnected. Sometimes it is called inter-FE topology, to be
distinguished from intra-FE topology used by the FE model.
Inter-FE topology - See FE Topology.
2. Introduction to Forwarding and Control Element Separation (ForCES)
An IP network element (NE) appears to external entities as a
monolithic piece of network equipment, e.g., a router, NAT, firewall,
or load balancer. Internally, however, an IP network element (NE)
(such as a router) is composed of numerous logically separated
entities that cooperate to provide a given functionality (such as
routing). Two types of network element components exist: control
element (CE) in control plane and forwarding element (FE) in
forwarding plane (or data plane). Forwarding elements are typically
ASIC, network-processor, or general-purpose processor-based devices
that handle data path operations for each packet. Control elements
are typically based on general-purpose processors that provide
control functionality, like routing and signaling protocols.
ForCES aims to define a framework and associated protocol(s) to
standardize information exchange between the control and forwarding
plane. Having standard mechanisms allows CEs and FEs to become
physically separated standard components. This physical separation
accrues several benefits to the ForCES architecture. Separate
components would allow component vendors to specialize in one
component without having to become experts in all components.
Standard protocol also allows the CEs and FEs from different
component vendors to interoperate with each other and hence it
becomes possible for system vendors to integrate together the CEs and
Yang, et al. Informational [Page 5]
^L
RFC 3746 ForCES Framework April 2004
FEs from different component suppliers. This interoperability
translates into increased design choices and flexibility for the
system vendors. Overall, ForCES will enable rapid innovation in both
the control and forwarding planes while maintaining interoperability.
Scalability is also easily provided by this architecture in that
additional forwarding or control capacity can be added to existing
network elements without the need for forklift upgrades.
------------------------- -------------------------
| Control Blade A | | Control Blade B |
| (CE) | | (CE) |
------------------------- -------------------------
^ | ^ |
| | | |
| V | V
---------------------------------------------------------
| Switch Fabric Backplane |
---------------------------------------------------------
^ | ^ | ^ |
| | | | . . . | |
| V | V | V
------------ ------------ ------------
|Router | |Router | |Router |
|Blade #1 | |Blade #2 | |Blade #N |
| (FE) | | (FE) | | (FE) |
------------ ------------ ------------
^ | ^ | ^ |
| | | | . . . | |
| V | V | V
Figure 1. A router configuration example with separate blades.
One example of such physical separation is at the blade level. Figure
1 shows such an example configuration of a router, with two control
blades and multiple forwarding blades, all interconnected into a
switch fabric backplane. In such a chassis configuration, the
control blades are the CEs while the router blades are the FEs, and
the switch fabric backplane provides the physical interconnect for
all the blades. Control blade A may be the primary CE while control
blade B may be the backup CE providing redundancy. It is also
possible to have a redundant switch fabric for high availability
support. Routers today with this kind of configuration use
proprietary interfaces for messaging between CEs and FEs. The goal
of ForCES is to replace such proprietary interfaces with a standard
protocol. With a standard protocol like ForCES implemented on all
blades, it becomes possible for control blades from vendor X and
forwarding blades from vendor Y to work seamlessly together in one
chassis.
Yang, et al. Informational [Page 6]
^L
RFC 3746 ForCES Framework April 2004
------- -------
| CE1 | | CE2 |
------- -------
^ ^
| |
V V
============================================ Ethernet
^ ^ . . . ^
| | |
V V V
------- ------- --------
| FE#1| | FE#2| | FE#n |
------- ------- --------
^ | ^ | ^ |
| | | | | |
| V | V | V
Figure 2. A router configuration example with separate boxes.
Another level of physical separation between the CEs and FEs can be
at the box level. In such a configuration, all the CEs and FEs are
physically separated boxes, interconnected with some kind of high
speed LAN connection (like Gigabit Ethernet). These separated CEs
and FEs are only one hop away from each other within a local area
network. The CEs and FEs communicate to each other by running
ForCES, and the collection of these CEs and FEs together become one
routing unit to the external world. Figure 2 shows such an example.
In both examples shown here, the same physical interconnect is used
for both CE-to-FE and FE-to-FE communication. However, that does not
have to be the case. One reason to use different interconnects is
that the CE-to-FE interconnect does not have to be as fast as the
FE-to-FE interconnect, so the more faster and more expensive
connections can be saved for FE-to-FE. The separate interconnects
may also provide reliability and redundancy benefits for the NE.
Some examples of control functions that can be implemented in the CE
include routing protocols like RIP, OSPF, and BGP, control and
signaling protocols like RSVP (Resource Reservation Protocol), LDP
(Label Distribution Protocol) for MPLS, etc. Examples of forwarding
functions in the FE include LPM (longest prefix match) forwarder,
classifiers, traffic shaper, meter, NAT (Network Address
Translators), etc. Figure 3 provides example functions in both CE
and FE. Any given NE may contain one or many of these CE and FE
functions in it. The diagram also shows that the ForCES Protocol is
used to transport both the control messages for ForCES itself and the
Yang, et al. Informational [Page 7]
^L
RFC 3746 ForCES Framework April 2004
data packets that are originated/destined from/to the control
functions in the CE (e.g., routing packets). Section 4.2.4 provides
more detail on this.
-------------------------------------------------
| | | | | | |
|OSPF |RIP |BGP |RSVP |LDP |. . . |
| | | | | | |
-------------------------------------------------
| ForCES Interface |
-------------------------------------------------
^ ^
ForCES | |data
control | |packets
messages| |(e.g., routing packets)
v v
-------------------------------------------------
| ForCES Interface |
-------------------------------------------------
| | | | | | |
|LPM Fwd|Meter |Shaper |NAT |Classi-|. . . |
| | | | |fier | |
-------------------------------------------------
| FE resources |
-------------------------------------------------
Figure 3. Examples of CE and FE functions.
A set of requirements for control and forwarding separation is
identified in [4]. This document describes a ForCES architecture
that satisfies the architectural requirements of [4] and defines a
framework for ForCES network elements and the associated entities to
facilitate protocol definition. Whenever necessary, this document
uses many examples to illustrate the issues and/or possible solutions
in ForCES. These examples are intended to be just examples, and
should not be taken as the only or definite ways of doing certain
things. It is expected that a separate document will be produced by
the ForCES working group to specify the ForCES Protocol.
3. Architecture
This section defines the ForCES architectural framework and the
associated logical components. This ForCES framework defines
components of ForCES NEs, including several ancillary components.
These components may be connected in different kinds of topologies
for flexible packet processing.
Yang, et al. Informational [Page 8]
^L
RFC 3746 ForCES Framework April 2004
---------------------------------------
| ForCES Network Element |
-------------- Fc | -------------- -------------- |
| CE Manager |---------+-| CE 1 |------| CE 2 | |
-------------- | | | Fr | | |
| | -------------- -------------- |
| Fl | | | Fp / |
| | Fp| |----------| / |
| | | |/ |
| | | | |
| | | Fp /|----| |
| | | /--------/ | |
-------------- Ff | -------------- -------------- |
| FE Manager |---------+-| FE 1 | Fi | FE 2 | |
-------------- | | |------| | |
| -------------- -------------- |
| | | | | | | | | |
----+--+--+--+----------+--+--+--+-----
| | | | | | | |
| | | | | | | |
Fi/f Fi/f
Fp: CE-FE interface
Fi: FE-FE interface
Fr: CE-CE interface
Fc: Interface between the CE Manager and a CE
Ff: Interface between the FE Manager and an FE
Fl: Interface between the CE Manager and the FE Manager
Fi/f: FE external interface
Figure 4. ForCES Architectural Diagram
The diagram in Figure 4 shows the logical components of the ForCES
architecture and their relationships. There are two kinds of
components inside a ForCES network element: control element (CE) and
forwarding element (FE). The framework allows multiple instances of
CE and FE inside one NE. Each FE contains one or more physical media
interfaces for receiving and transmitting packets from/to the
external world. The aggregation of these FE interfaces becomes the
NE's external interfaces. In addition to the external interfaces,
there must also exist some kind of interconnect within the NE so that
the CE and FE can communicate with each other, and one FE can forward
packets to another FE. The diagram also shows two entities outside
of the ForCES NE: CE Manager and FE Manager. These two ancillary
entities provide configuration to the corresponding CE or FE in the
pre-association phase (see Section 4.1).
Yang, et al. Informational [Page 9]
^L
RFC 3746 ForCES Framework April 2004
For convenience, the logical interactions between these components
are labeled by reference points Fp, Fc, Ff, Fr, Fl, and Fi, as shown
in Figure 4. The FE external interfaces are labeled as Fi/f. More
detail is provided in Section 3 and 4 for each of these reference
points. All these reference points are important in understanding
the ForCES architecture, however, the ForCES Protocol is only defined
over one reference point -- Fp.
The interface between two ForCES NEs is identical to the interface
between two conventional routers and these two NEs exchange the
protocol packets through the external interfaces at Fi/f. ForCES NEs
connect to existing routers transparently.
3.1. Control Elements and Fr Reference Point
It is not necessary to define any protocols across the Fr reference
point to enable control and forwarding separation for simple
configurations like single CE and multiple FEs. However, this
architecture permits multiple CEs to be present in a network element.
In cases where an implementation uses multiple CEs, the invariant
that the CEs and FEs together appear as a single NE must be
maintained.
Multiple CEs may be used for redundancy, load sharing, distributed
control, or other purposes. Redundancy is the case where one or more
CEs are prepared to take over should an active CE fail. Load sharing
is the case where two or more CEs are concurrently active and any
request that can be serviced by one of the CEs can also be serviced
by any of the other CEs. For both redundancy and load sharing, the
CEs involved are equivalently capable. The only difference between
these two cases is in terms of how many active CEs there are
simultaneously. Distributed control is the case where two or more
CEs are concurrently active but certain requests can only be serviced
by certain CEs.
When multiple CEs are employed in a ForCES NE, their internal
organization is considered an implementation issue that is beyond the
scope of ForCES. CEs are wholly responsible for coordinating amongst
themselves via the Fr reference point to provide consistency and
synchronization. However, ForCES does not define the implementation
or protocols used between CEs, nor does it define how to distribute
functionality among CEs. Nevertheless, ForCES will support
mechanisms for CE redundancy or fail over, and it is expected that
vendors will provide redundancy or fail over solutions within this
framework.
Yang, et al. Informational [Page 10]
^L
RFC 3746 ForCES Framework April 2004
3.2. Forwarding Elements and Fi reference point
An FE is a logical entity that implements the ForCES Protocol and
uses the underlying hardware to provide per-packet processing and
handling as directed by a CE. It is possible to partition one
physical FE into multiple logical FEs. It is also possible for one
FE to use multiple physical FEs. The mapping between physical FE(s)
and logical FE(s) is beyond the scope of ForCES. For example, a
logical partition of a physical FE can be created by assigning some
portion of each of the resources (e.g., ports, memory, forwarding
table entries) available on the ForCES physical FE to each of the
logical FEs. Such a concept of FE virtualization is analogous to a
virtual switching element as described in [9]. If FE virtualization
occurs only in the pre-association phase, it has no impact on ForCES.
However, if FE virtualization results in a resource change taken from
an existing FE (already participating in ForCES post-association
phase), the ForCES Protocol needs to be able to inform the CE of such
a change via asynchronous messages (see [4], Section 5, requirement
#6).
FEs perform all packet processing functions as directed by CEs. FEs
have no initiative of their own. Instead, FEs are slaves and only do
as they are told. FEs may communicate with one or more CEs
concurrently across reference point Fp. FEs have no notion of CE
redundancy, load sharing, or distributed control. Instead, FEs
accept commands from any CE authorized to control them, and it is up
to the CEs to coordinate among themselves to achieve redundancy, load
sharing, or distributed control. The idea is to keep FEs as simple
and dumb as possible so that FEs can focus their resources on the
packet processing functions. Unless otherwise configured or
determined by a ForCEs Protocol exchange, each FE will process
authorized incoming commands directed at it as it receives them on a
first come first serve basis.
For example, in Figure 5, FE1 and FE2 can be configured to accept
commands from both the primary CE (CE1) and the backup CE (CE2).
Upon detection of CE1 failure, perhaps across the Fr or Fp reference
point, CE2 is configured to take over activities of CE1. This is
beyond the scope of ForCES and is not discussed further.
Distributed control can be achieved in a similar fashion, without
much intelligence on the part of FEs. For example, FEs can be
configured to detect RSVP and BGP protocol packets, and forward RSVP
packets to one CE and BGP packets to another CE. Hence, FEs may need
to do packet filtering for forwarding packets to specific CEs.
Yang, et al. Informational [Page 11]
^L
RFC 3746 ForCES Framework April 2004
------- Fr -------
| CE1 | ------| CE2 |
------- -------
| \ / |
| \ / |
| \ / |
| \/Fp |
| /\ |
| / \ |
| / \ |
------- Fi -------
| FE1 |<----->| FE2 |
------- -------
Figure 5. CE redundancy example.
This architecture permits multiple FEs to be present in an NE. [4]
dictates that the ForCES Protocol must be able to scale to at least
hundreds of FEs (see [4] Section 5, requirement #11). Each of these
FEs may potentially have a different set of packet processing
functions, with different media interfaces. FEs are responsible for
basic maintenance of layer-2 connectivity with other FEs and with
external entities. Many layer-2 media include sophisticated control
protocols. The FORCES Protocol (over the Fp reference point) will be
able to carry messages for such protocols so that, in keeping with
the dumb FE model, the CE can provide appropriate intelligence and
control over these media.
When multiple FEs are present, ForCES requires that packets must be
able to arrive at the NE by one FE and leave the NE via a different
FE (See [4], Section 5, Requirement #3). Packets that enter the NE
via one FE and leave the NE via a different FE are transferred
between FEs across the Fi reference point. The Fi reference point
could be used by FEs to discover their (inter-FE) topology, perhaps
during the pre-association phase. The Fi reference point is a
separate protocol from the Fp reference point and is not currently
defined by the ForCES Protocol.
FEs could be connected in different kinds of topologies and packet
processing may spread across several FEs in the topology. Hence,
logical packet flow may be different from physical FE topology.
Figure 6 provides some topology examples. When it is necessary to
forward packets between FEs, the CE needs to understand the FE
topology. The FE topology may be queried from the FEs by the CEs via
the ForCES Protocol, but the FEs are not required to provide that
information to the CEs. So, the FE topology information may also be
gathered by other means outside of the ForCES Protocol (like inter-FE
topology discovery protocol).
Yang, et al. Informational [Page 12]
^L
RFC 3746 ForCES Framework April 2004
-----------------
| CE |
-----------------
^ ^ ^
/ | \
/ v \
/ ------- \
/ +->| FE3 |<-+ \
/ | | | | \
v | ------- | v
------- | | -------
| FE1 |<-+ +->| FE2 |
| |<--------------->| |
------- -------
^ | ^ |
| | | |
| v | v
(a) Full mesh among FE1, FE2, and FE3
-----------
| CE |
-----------
^ ^ ^ ^
/ | | \
/------ | | ------\
v v v v
------- ------- ------- -------
| FE1 |<->| FE2 |<->| FE3 |<->| FE4 |
------- ------- ------- -------
^ | ^ | ^ | ^ |
| | | | | | | |
| v | v | v | v
(b) Multiple FEs in a daisy chain
Yang, et al. Informational [Page 13]
^L
RFC 3746 ForCES Framework April 2004
^ |
| v
-----------
| FE1 |<-----------------------|
----------- |
^ ^ |
/ \ |
| ^ / \ ^ | V
v | v v | v ----------
--------- --------- | |
| FE2 | | FE3 |<------------>| CE |
--------- --------- | |
^ ^ ^ ----------
| \ / ^ ^
| \ / | |
| v v | |
| ----------- | |
| | FE4 |<----------------------| |
| ----------- |
| | ^ |
| v | |
| |
|----------------------------------------|
(c) Multiple FEs connected by a ring
Figure 6. Some examples of FE topology
3.3. CE Managers
CE managers are responsible for determining which FEs a CE should
control. It is legitimate for CE managers to be hard-coded with the
knowledge of with which FEs its CEs should communicate with. A CE
manager may also be physically embedded into a CE and be implemented
as a simple keypad or other direct configuration mechanism on the CE.
Finally, CE managers may be physically and logically separate
entities that configure the CE with FE information via such
mechanisms as COPS-PR [7] or SNMP [5].
3.4. FE Managers
FE managers are responsible for determining with which CE any
particular FE should initially communicate. Like CE managers, no
restrictions are placed on how an FE manager decides with which CE
its FEs should communicate, nor are restrictions placed on how FE
managers are implemented. Each FE should have one and only one FE
Yang, et al. Informational [Page 14]
^L
RFC 3746 ForCES Framework April 2004
manager, while different FEs may have the same or different FE
manager(s). Each manager can choose to exist and operate
independently of other manager.
4. Operational Phases
Both FEs and CEs require some configuration to be in place before
they can start information exchange and function as a coherent
network element. Two operational phases are identified in this
framework: pre-association and post-association.
4.1. Pre-association Phase
The Pre-association phase is the period of time during which an FE
Manager and a CE Manager are determining whether an FE and a CE
should be part of the same network element. The protocols used
during this phase may include all or some of the message exchange
over Fl, Ff, and Fc reference points. However, all these may be
optional and none of this is within the scope of the ForCES Protocol.
4.1.1. Fl Reference Point
CE managers and FE managers may communicate across the Fl reference
point in the pre-association phase in order to determine whether an
individual CE and FE, or a set of CEs and FEs should be associated.
Communication across the Fl reference point is optional in this
architecture. No requirements are placed on this reference point.
CE managers and FE managers may be operated by different entities.
The operator of the CE manager may not want to divulge, except to
specified FE managers, any characteristics of the CEs it manages.
Similarly, the operator of the FE manager may not want to divulge FE
characteristics, except to authorized entities. As such, CE managers
and FE managers may need to authenticate one another. Subsequent
communication between CE managers and FE managers may require other
security functions such as privacy, non-repudiation, freshness, and
integrity.
Yang, et al. Informational [Page 15]
^L
RFC 3746 ForCES Framework April 2004
FE Manager FE CE Manager CE
| | | |
| | | |
|(security exchange) | |
1|<------------------------------>| |
| | | |
|(a list of CEs and their attributes) |
2|<-------------------------------| |
| | | |
|(a list of FEs and their attributes) |
3|------------------------------->| |
| | | |
| | | |
|<----------------Fl------------>| |
Figure 7. An example of a message exchange over the Fl reference
point
Once the necessary security functions have been performed, the CE and
FE managers communicate to determine which CEs and FEs should
communicate with each other. At the very minimum, the CE and FE
managers need to learn of the existence of available FEs and CEs
respectively. This discovery process may entail one or both managers
learning the capabilities of the discovered ForCES protocol elements.
Figure 7 shows an example of a possible message exchange between the
CE manager and FE manager over the Fl reference point.
4.1.2. Ff Reference Point
The Ff reference point is used to inform forwarding elements of the
association decisions made by the FE manager in the pre-association
phase. Only authorized entities may instruct an FE with respect to
which CE should control it. Therefore, privacy, integrity,
freshness, and authentication are necessary between the FE manager
and FEs when the FE manager is remote to the FE. Once the
appropriate security has been established, the FE manager instructs
the FEs across this reference point to join a new NE or to disconnect
from an existing NE. The FE Manager could also assign unique FE
identifiers to the FEs using this reference point. The FE
identifiers are useful in the post association phase to express FE
topology. Figure 8 shows example of a message exchange over the Ff
reference point.
Yang, et al. Informational [Page 16]
^L
RFC 3746 ForCES Framework April 2004
FE Manager FE CE Manager CE
| | | |
| | | |
|(security exchange) |(security exchange)
1|<------------>|authentication 1|<----------->|authentication
| | | |
|(FE ID, attributes) |(CE ID, attributes)
2|<-------------|request 2|<------------|request
| | | |
3|------------->|response 3|------------>|response
|(corresponding CE ID) |(corresponding FE ID)
| | | |
| | | |
|<-----Ff----->| |<-----Fc---->|
Figure 8. Examples of a message exchange
over the Ff and Fc reference points
Note that the FE manager function may be co-located with the FE (such
as by manual keypad entry of the CE IP address), in which case this
reference point is reduced to a built-in function.
4.1.3. Fc Reference Point
The Fc reference point is used to inform control elements of the
association decisions made by CE managers in the pre-association
phase. When the CE manager is remote, only authorized entities may
instruct a CE to control certain FEs. Privacy, integrity, freshness,
and authentication are also required across this reference point in
such a configuration. Once appropriate security has been
established, the CE manager instructs the CEs as to which FEs they
should control and how they should control them. Figure 8 shows
example of a message exchange over the Fc reference point.
As with the FE manager and FEs, configurations are possible where the
CE manager and CE are co-located and no protocol is used for this
function.
4.2. Post-association Phase and Fp reference point
The Post-association phase is the period of time during which an FE
and CE have been configured with information necessary to contact
each other and includes both association establishment and steady-
state communication. The communication between CE and FE is
performed across the Fp ("p" meaning protocol) reference point.
ForCES Protocol is exclusively used for all communication across the
Fp reference point.
Yang, et al. Informational [Page 17]
^L
RFC 3746 ForCES Framework April 2004
4.2.1. Proximity and Interconnect between CEs and FEs
The ForCES Working Group has made a conscious decision that the first
version of ForCES will be focused on "very close" CE/FE localities in
IP networks. Very Close localities consist of control and forwarding
elements that are either components in the same physical box, or
separated at most by one local network hop ([8]). CEs and FEs can be
connected by a variety of interconnect technologies, including
Ethernet connections, backplanes, ATM (cell) fabrics, etc. ForCES
should be able to support each of these interconnects (see [4]
Section 5, requirement #1). When the CEs and FEs are separated
beyond a single L3 routing hop, the ForCES Protocol will make use of
an existing RFC 2914 [3] compliant L4 protocol with adequate
reliability, security, and congestion control (e.g., TCP, SCTP) for
transport purposes.
4.2.2. Association Establishment
FE CE
| |
|(Security exchange.) |
1|<--------------------->|
| |
|(Let me join the NE please.)
2|---------------------->|
| |
|(What kind of FE are you? -- capability query)
3|<----------------------|
| |
|(Here is my FE functions/state: use model to
describe)
4|---------------------->|
| |
|(Initial config for FE -- optional)
5|<----------------------|
| |
|(I am ready to go. Shall I?)
6|---------------------->|
| |
|(Go ahead!) |
7|<----------------------|
| |
Figure 9. Example of a message exchange between CE and FE
over Fp to establish an NE association
Yang, et al. Informational [Page 18]
^L
RFC 3746 ForCES Framework April 2004
As an example, figure 9 shows some of the message exchange that may
happen before the association between the CE and FE is fully
established. Either the CE or FE can initiate the connection.
Security handshake is necessary to authenticate the two communication
endpoints to each other before any further message exchange can
happen. The security handshake should include mutual authentication
and authorization between the CE and FE, but the exact details depend
on the security solution chosen by the ForCES Protocol.
Authorization can be as simple as checking against the list of
authorized end points provided by the FE or CE manager during the
pre-association phase. Both authentication and authorization must be
successful before the association can be established. If either
authentication or authorization fails, the end point must not be
allowed to join the NE. After the successful security handshake,
message authentication and confidentiality are still necessary for
the on-going information exchange between the CE and FE, unless some
form of physical security exists. Whenever a packet fails
authentication, it must be dropped and a notification may be sent to
alert the sender of the potential attack. Section 8 provides more
details on the security considerations for ForCES.
After the successful security handshake, the FE needs to inform the
CE of its own capability and optionally its topology in relation to
other FEs. The capability of the FE shall be represented by the FE
model, as required in [4] (Section 6, requirement #1). The model
would allow an FE to describe what kind of packet processing
functions it contains, in what order the processing happens, what
kinds of configurable parameters it allows, what statistics it
collects, and what events it might throw, etc. Once such information
is available to the CE, the CE may choose to send some initial or
default configuration to the FE so that the FE can start receiving
and processing packets correctly. Such initialization may not be
necessary if the FE already obtains the information from its own
bootstrap process. Once the necessary initial information is
exchanged, the process of association is completed. Packet
processing and forwarding at the FE cannot begin until association is
established. After the association is established, the CE and FE
enter steady-state communication.
4.2.3. Steady-state Communication
Once an association is established between the CE and FE, the ForCES
Protocol is used by the CE and FE over the Fp reference point to
exchange information to facilitate packet processing.
Yang, et al. Informational [Page 19]
^L
RFC 3746 ForCES Framework April 2004
FE CE
| |
|(Add these new routes.)|
1|<----------------------|
| |
|(Successful.) |
2|---------------------->|
| |
| |
|(Query some stats.) |
1|<----------------------|
| |
|(Reply with stats collected.)
2|---------------------->|
| |
| |
|(My port is down, with port #.)
1|---------------------->|
| |
|(Here is a new forwarding table)
2|<----------------------|
| |
Figure 10. Examples of a message exchange between CE and FE
over Fp during steady-state communication
Based on the information acquired through CEs' control processing,
CEs will frequently need to manipulate the packet-forwarding
behaviors of their FE(s) by sending instructions to FEs. For
example, Figure 10 shows message exchange examples in which the CE
sends new routes to the FE so that the FE can add them to its
forwarding table. The CE may query the FE for statistics collected
by the FE and the FE may notify the CE of important events such as
port failure.
Yang, et al. Informational [Page 20]
^L
RFC 3746 ForCES Framework April 2004
4.2.4. Data Packets across Fp reference point
--------------------- ----------------------
| | | |
| +--------+ | | +--------+ |
| |CE(BGP) | | | |CE(BGP) | |
| +--------+ | | +--------+ |
| | | | ^ |
| |Fp | | |Fp |
| v | | | |
| +--------+ | | +--------+ |
| | FE | | | | FE | |
| +--------+ | | +--------+ |
| | | | ^ |
| Router | | | Router | |
| A | | | B | |
---------+----------- -----------+----------
v ^
| |
| |
------------------->---------------
Figure 11. Example to show data packet flow between two NEs.
Control plane protocol packets (such as RIP, OSPF messages) addressed
to any of NE's interfaces are typically redirected by the receiving
FE to its CE, and CE may originate packets and have its FE deliver
them to other NEs. Therefore, the ForCES Protocol over Fp not only
transports the ForCES Protocol messages between CEs and FEs, but also
encapsulates the data packets from control plane protocols.
Moreover, one FE may be controlled by multiple CEs for distributed
control. In this configuration, the control protocols supported by
the FORCES NEs may spread across multiple CEs. For example, one CE
may support routing protocols like OSPF and BGP, while a signaling
and admission control protocol like RSVP is supported in another CE.
FEs are configured to recognize and filter these protocol packets and
forward them to the corresponding CE.
Figure 11 shows one example of how the BGP packets originated by
router A are passed to router B. In this example, the ForCES
Protocol is used to transport the packets from the CE to the FE
inside router A, and then from the FE to the CE inside router B. In
light of the fact that the ForCES Protocol is responsible for
transporting both the control messages and the data packets between
the CE and FE over the Fp reference point, it is possible to use
either a single protocol or multiple protocols.
Yang, et al. Informational [Page 21]
^L
RFC 3746 ForCES Framework April 2004
4.2.5. Proxy FE
In the case where a physical FE cannot implement (e.g., due to the
lack of a general purpose CPU) the ForCES Protocol directly, a proxy
FE can be used to terminate the Fp reference point instead of the
physical FE. This allows the CE to communicate to the physical FE
via the proxy by using ForCES, while the proxy manipulates the
physical FE using some intermediary form of communication (e.g., a
non-ForCES protocol or DMA). In such an implementation, the
combination of the proxy and the physical FE becomes one logical FE
entity. It is also possible for one proxy to act on behalf of
multiple physical FEs.
One needs to be aware of the security implication introduced by the
proxy FE. Since the physical FE is not capable of implementing
ForCES itself, the security mechanism of ForCES can only secure the
communication channel between the CE and the proxy FE, but not all
the way to the physical FE. It is recommended that other security
mechanisms (including physical security property) be employed to
ensure the security between the CE and the physical FE.
4.3. Association Re-establishment
FEs and CEs may join and leave NEs dynamically (see [4] Section 5,
requirements #12). When an FE or CE leaves the NE, the association
with the NE is broken. If the leaving party rejoins an NE later, to
re-establish the association, it may need to re-enter the pre-
association phase. Loss of association can also happen unexpectedly
due to a loss of connection between the CE and the FE. Therefore,
the framework allows the bi-directional transition between these two
phases, but the ForCES Protocol is only applicable for the post-
association phase. However, the protocol should provide mechanisms
to support association re-establishment. This includes the ability
for CEs and FEs to determine when there is a loss of association
between them, and to restore association and efficient state
(re)synchronization mechanisms (see [4] Section 5, requirement #7).
Note that security association and state must also be re-established
to guarantee the same level of security (including both
authentication and authorization) exists before and after the
association re-establishment.
When an FE leaves or joins an existing NE that is already in
operation, the CE needs to be aware of the impact on FE topology and
deal with the change accordingly.
Yang, et al. Informational [Page 22]
^L
RFC 3746 ForCES Framework April 2004
4.3.1. CE graceful restart
The failure and restart of the CE in a router can potentially cause
much stress and disruption on the control plane throughout a network
because in restarting a CE for any reason, the router loses routing
adjacencies or sessions with its routing neighbors. Neighbors who
detect the lost adjacency normally re-compute new routes and then
send routing updates to their own neighbors to communicate the lost
adjacency. Their neighbors do the same thing to propagate throughout
the network. In the meantime, the restarting router cannot receive
traffic from other routers because the neighbors have stopped using
the router's previously advertised routes. When the restarting
router restores adjacencies, neighbors must once again re-compute new
routes and send out additional routing updates. The restarting
router is unable to forward packets until it has re-established
routing adjacencies with neighbors, received route updates through
these adjacencies, and computed new routes. Until convergence takes
place throughout the network, packets may be lost in transient black
holes or forwarding loops.
A high availability mechanism known as the "graceful restart" has
been used by the IP routing protocols (OSPF [11], BGP [12], IS-IS
[13]) and MPLS label distribution protocol (LDP [10]) to help
minimize the negative effects on routing throughout an entire network
caused by a restarting router. Route flap on neighboring routers is
avoided, and a restarting router can continue to forward packets that
would otherwise be dropped.
While the details differ from protocol to protocol, the general idea
behind the graceful restart mechanism remains the same. With the
graceful restart, a restarting router can inform its neighbors when
it restarts. The neighbors may detect the lost adjacency but do not
recompute new routes or send routing updates to their neighbors. The
neighbors also hold on to the routes received from the restarting
router before restart and assume they are still valid for a limited
time. By doing so, the restarting router's FEs can also continue to
receive and forward traffic from other neighbors for a limited time
by using the routes they already have. The restarting router then
re-establishes routing adjacencies, downloads updated routes from all
its neighbors, recomputes new routes, and uses them to replace the
older routes it was using. It then sends these updated routes to its
neighbors and signals the completion of the graceful restart process.
Non-stop forwarding is a requirement for graceful restart. It is
necessary so a router can continue to forward packets while it is
downloading routing information and recomputing new routes. This
ensures that packets will not be dropped. As one can see, one of the
benefits afforded by the separation of CE and FE is exactly the
Yang, et al. Informational [Page 23]
^L
RFC 3746 ForCES Framework April 2004
ability of non-stop forwarding in the face of the CE failure and
restart. The support of dynamic changes to CE/FE association in
ForCES also makes it compatible with high availability mechanisms,
such as graceful restart.
ForCES should be able to support a CE graceful restart easily. When
the association is established the first time, the CE must inform the
FEs what to do in the case of a CE failure. If graceful restart is
not supported, the FEs may be told to stop packet processing all
together if its CE fails. If graceful restart is supported, the FEs
should be told to cache and hold on to its FE state, including the
forwarding tables across the restarts. A timer must be included so
that the timeout causes such a cached state to eventually expire.
Those timers should be settable by the CE.
4.3.2. FE restart
In the same example in Figure 5, assuming CE1 is the working CE for
the moment, what would happen if one of the FEs, say FE1, leaves the
NE temporarily? FE1 may voluntarily decide to leave the association.
Alternatively, FE1 may stop functioning simply due to unexpected
failure. In the former case, CE1 receives a "leave-association
request" from FE1. In the latter, CE1 detects the failure of FE1 by
some other means. In both cases, CE1 must inform the routing
protocols of such an event, most likely prompting a reachability and
SPF (Shortest Path First) recalculation and associated downloading of
new FIBs from CE1 to the other remaining FEs (only FE2 in this
example). Such recalculation and FIB updates will also be propagated
from CE1 to the NE's neighbors that are affected by the connectivity
of FE1.
When FE1 decides to rejoin again, or when it restarts again after the
failure, FE1 needs to re-discover its master (CE). This can be
achieved by several means. It may re-enter the pre-association phase
and get that information from its FE manager. It may retrieve the
previous CE information from its cache, if it can validate the
information freshness. Once it discovers its CE, it starts message
exchange with the CE to re-establish the association, as outlined in
Figure 9, with the possible exception that it might be able to bypass
the transport of the complete initial configuration. Suppose that
FE1 still has its routing table and other state information from the
last association. Instead of re-sending all the information, it may
be able to use a more efficient mechanism to re-sync the state with
its CE, if such a mechanism is supported by the ForCES Protocol. For
example, CRC-32 of the state might give a quick indication of whether
or not the state is in-sync with its CE. By comparing its state with
the CE first, it sends an information update
Yang, et al. Informational [Page 24]
^L
RFC 3746 ForCES Framework April 2004
only if it is needed. The ForCES Protocol may choose to implement
similar optimization mechanisms, but it may also choose not to, as
this is not a requirement.
5. Applicability to RFC 1812
[4] Section 5, requirement #9 dictates "Any proposed ForCES
architecture must explain how that architecture supports all of the
router functions as defined in RFC 1812." RFC 1812 [2] discusses
many important requirements for IPv4 routers from the link layer to
the application layer. This section addresses the relevant
requirements in RFC 1812 for implementing IPv4 routers based on
ForCES architecture and explains how ForCES satisfies these
requirements by providing guidelines on how to separate the
functionalities required into the forwarding plane and control plane.
In general, the forwarding plane carries out the bulk of the per-
packet processing that is required at line speed, while the control
plane carries most of the computationally complex operations that are
typical of the control and signaling protocols. However, it is
impossible to draw a rigid line to divide the processing into CEs and
FEs cleanly and the ForCES architecture should not limit the
innovative approaches in control and forwarding plane separation. As
more and more processing power is available in the FEs, some of the
control functions that traditionally are performed by CEs may now be
moved to FEs for better performance and scalability. Such offloaded
functions may include part of ICMP or TCP processing, or part of
routing protocols. Once off-loaded onto the forwarding plane, such
CE functions, even though logically belonging to the control plane,
now become part of the FE functions. Just like the other logical
functions performed by FEs, such off-loaded functions must be
expressed as part of the FE model so that the CEs can decide how to
best take advantage of these off-loaded functions when present on the
FEs.
5.1. General Router Requirements
Routers have at least two or more logical interfaces. When CEs and
FEs are separated by ForCES within a single NE, some additional
interfaces are needed for intra-NE communications, as illustrated in
figure 12. This NE contains one CE and two FEs. Each FE has four
interfaces; two of them are used for receiving and transmitting
packets to the external world, while the other two are for intra-NE
connections. CE has two logical interfaces #9 and #10, connected to
interfaces #3 and #6 from FE1 and FE2, respectively. Interface #4
and #5 are connected for FE1-FE2 communication. Therefore, this
router NE provides four external interfaces (#1, 2, 7, and 8).
Yang, et al. Informational [Page 25]
^L
RFC 3746 ForCES Framework April 2004
---------------------------------
| router NE |
| ----------- ----------- |
| | FE1 | | FE2 | |
| ----------- ----------- |
| 1| 2| 3| 4| 5| 6| 7| 8| |
| | | | | | | | | |
| | | | +----+ | | | |
| | | | | | | |
| | | 9| 10| | | |
| | | -------------- | | |
| | | | CE | | | |
| | | -------------- | | |
| | | | | |
-----+--+----------------+--+----
| | | |
| | | |
Figure 12. A router NE example with four interfaces.
IPv4 routers must implement IP to support its packet forwarding
function, which is driven by its FIB (Forwarding Information Base).
This Internet layer forwarding (see RFC 1812 [2] Section 5)
functionality naturally belongs to FEs in the ForCES architecture.
A router may implement transport layer protocols (like TCP and UDP)
that are required to support application layer protocols (see RFC
1812 [2] Section 6). One important class of application protocols is
routing protocols (see RFC 1812 [2] Section 7). In the ForCES
architecture, routing protocols are naturally implemented by CEs.
Routing protocols require that routers communicate with each other.
This communication between CEs in different routers is supported in
ForCES by FEs' ability to redirect data packets addressed to routers
(i.e., NEs), and the CEs' ability to originate packets and have them
delivered by their FEs. This communication occurs across the Fp
reference point inside each router and between neighboring routers'
external interfaces, as illustrated in Figure 11.
5.2. Link Layer
Since FEs own all the external interfaces for the router, FEs need to
conform to the link layer requirements in RFC 1812 [2]. Arguably,
ARP support may be implemented in either CEs or FEs. As we will see
later, a number of behaviors that RFC 1812 mandates fall into this
category -- they may be performed by the FE and may be performed by
the CE. A general guideline is needed to ensure interoperability
between separated control and forwarding planes. The guideline we
offer here is that CEs MUST be capable of these kinds of operations
Yang, et al. Informational [Page 26]
^L
RFC 3746 ForCES Framework April 2004
while FEs MAY choose to implement them. The FE model should indicate
its capabilities in this regard so that CEs can decide where these
functions are implemented.
Interface parameters, including MTU, IP address, etc., must be
configurable by CEs via ForCES. CEs must be able to determine
whether a physical interface in an FE is available to send packets or
not. FEs must also inform CEs of the status change of the interfaces
(like link up/down) via ForCES.
5.3. Internet Layer Protocols
Both FEs and CEs must implement the IP protocol and all mandatory
extensions as RFC 1812 specified. CEs should implement IP options
like source route and record route while FEs may choose to implement
those as well. The timestamp option should be implemented by FEs to
insert the timestamp most accurately. The FE must interpret the IP
options that it understands and preserve the rest unchanged for use
by CEs. Both FEs and CEs might choose to silently discard packets
without sending ICMP errors, but such events should be logged and
counted. FEs may report statistics for such events to CEs via
ForCES.
When multiple FEs are involved to process packets, the appearance of
a single NE must be strictly maintained. For example, Time-To-Live
(TTL) must be decremented only once within a single NE. For example,
it can be always decremented by the last FE with egress function.
FEs must receive and process normally any packets with a broadcast
destination address or a multicast destination address that the
router has asked to receive. When IP multicast is supported in
routers, IGMP is implemented in CEs. CEs are also required of ICMP
support, while it is optional for FEs to support ICMP. Such an
option can be communicated to CEs as part of the FE model. Therefore,
FEs can always rely upon CEs to send out ICMP error messages, but FEs
also have the option of generating ICMP error messages themselves.
5.4. Internet Layer Forwarding
IP forwarding is implemented by FEs. When the routing table is
updated at the CEs, ForCES is used to send the new route entries from
the CEs to FEs. Each FE has its own forwarding table and uses this
table to direct packets to the next hop interface.
Upon receiving IP packets, the FE verifies the IP header and
processes most of the IP options. Some options cannot be processed
until the routing decision has been made. The routing decision is
made after examining the destination IP address. If the destination
Yang, et al. Informational [Page 27]
^L
RFC 3746 ForCES Framework April 2004
address belongs to the router itself, the packets are filtered and
either processed locally or forwarded to the CE, depending upon the
instructions set-up by the CE. Otherwise, the FE determines the next
hop IP address by looking in its forwarding table. The FE also
determines the network interface it uses to send the packets.
Sometimes an FE may need to forward the packets to another FE before
packets can be forwarded out to the next hop. Right before packets
are forwarded out to the next hop, the FE decrements TTL by 1 and
processes any IP options that could not be processed before. The FE
performs IP fragmentation if necessary, determines the link layer
address (e.g., by ARP), and encapsulates the IP datagram (or each of
the fragments thereof) in an appropriate link layer frame and queues
it for output on the interface selected.
Other options mentioned in RFC 1812 [2] for IP forwarding may also be
implemented at FEs, for example, packet filtering.
FEs typically forward packets destined locally to CEs. FEs may also
forward exceptional packets (packets that FEs do not know how to
handle) to CEs. CEs are required to handle packets forwarded by FEs
for whatever reason. It might be necessary for ForCES to attach some
meta-data with the packets to indicate the reasons of forwarding from
FEs to CEs. Upon receiving packets with meta-data from FEs, CEs can
decide to either process the packets themselves, or pass the packets
to the upper layer protocols including routing and management
protocols. If CEs are to process the packets by themselves, CEs may
choose to discard the packets, or modify and re-send the packets.
CEs may also originate new packets and deliver them to FEs for
further forwarding.
Any state change during router operation must also be handled
correctly according to RFC 1812. For example, when an FE ceases
forwarding, the entire NE may continue forwarding packets, but it
needs to stop advertising routes that are affected by the failed FE.
5.5. Transport Layer
The Transport layer is typically implemented at CEs to support higher
layer application protocols like routing protocols. In practice,
this means that most CEs implement both the Transmission Control
Protocol (TCP) and the User Datagram Protocol (UDP).
Both CEs and FEs need to implement the ForCES Protocol. If some
layer-4 transport is used to support ForCES, then both CEs and FEs
need to implement the L4 transport and ForCES Protocols.
Yang, et al. Informational [Page 28]
^L
RFC 3746 ForCES Framework April 2004
5.6. Application Layer -- Routing Protocols
Interior and exterior routing protocols are implemented on CEs. The
routing packets originated by CEs are forwarded to FEs for delivery.
The results of such protocols (like forwarding table updates) are
communicated to FEs via ForCES.
For performance or scalability reasons, portions of the control plane
functions that need faster response may be moved from the CEs and
off-loaded onto the FEs. For example, in OSPF, the Hello protocol
packets are generated and processed periodically. When done at the
CEs, the inbound Hello packets have to traverse from the external
interfaces at the FEs to the CEs via the internal CE-FE channel.
Similarly, the outbound Hello packets have to go from the CEs to the
FEs and to the external interfaces. Frequent Hello updates place
heavy processing overhead on the CEs and can overwhelm the CE-FE
channel as well. Since typically there are far more FEs than CEs in
a router, the off-loaded Hello packets are processed in a much more
distributed and scalable fashion. By expressing such off-loaded
functions in the FE model, we can ensure interoperability. However,
the exact description of the off-loaded functionality corresponding
to the off-loaded functions expressed in the FE model are not part of
the model itself and will need to be worked out as a separate
specification.
5.7. Application Layer -- Network Management Protocol
RFC 1812 [2] also dictates that "Routers MUST be manageable by SNMP".
In general, for the post-association phase, most external management
tasks (including SNMP) should be done through interaction with the CE
in order to support the appearance of a single functional device.
Therefore, it is recommended that an SNMP agent be implemented by CEs
and that the SNMP messages received by FEs be redirected to their
CEs. AgentX framework defined in RFC 2741 ([6]) may be applied here
such that CEs act in the role of master agent to process SNMP
protocol messages while FEs act in the role of subagent to provide
access to the MIB objects residing on FEs. AgentX protocol messages
between the master agent (CE) and the subagent (FE) are encapsulated
and transported via ForCES, just like data packets from any other
application layer protocols.
6. Summary
This document defines an architectural framework for ForCES. It
identifies the relevant components for a ForCES network element,
including (one or more) FEs, (one or more) CEs, one optional FE
manager, and one optional CE manager. It also identifies the
interaction among these components and discusses all the major
Yang, et al. Informational [Page 29]
^L
RFC 3746 ForCES Framework April 2004
reference points. It is important to point out that, among all the
reference points, only the Fp interface between CEs and FEs is within
the scope of ForCES. ForCES alone may not be enough to support all
desirable NE configurations. However, we believe that ForCES over an
Fp interface is the most important element in realizing physical
separation and interoperability of CEs and FEs, and hence the first
interface that ought to be standardized. Simple and useful
configurations can still be implemented with only CE-FE interface
being standardized, e.g., single CE with full-meshed FEs.
7. Acknowledgements
Joel M. Halpern gave us many insightful comments and suggestions and
pointed out several major issues. T. Sridhar suggested that the
AgentX protocol could be used with SNMP to manage the ForCES network
elements. Susan Hares pointed out the issue of graceful restart with
ForCES. Russ Housley, Avri Doria, Jamal Hadi Salim, and many others
in the ForCES mailing list also provided valuable feedback.
8. Security Considerations
The NE administrator has the freedom to determine the exact security
configuration that is needed for the specific deployment. For
example, ForCES may be deployed between CEs and FEs connected to each
other inside a box over a backplane. In such a scenario, physical
security of the box ensures that most of the attacks, such as man-
in-the-middle, snooping, and impersonation, are not possible, and
hence the ForCES architecture may rely on the physical security of
the box to defend against these attacks and protocol mechanisms may
be turned off. However, it is also shown that denial of service
attacks via external interfaces as described below in Section 8.1.8
is still a potential threat, even for such an "all-in-one-box"
deployment scenario and hence the rate limiting mechanism is still
necessary. This is just one example to show that it is important to
assess the security needs of the ForCES-enabled network elements
under different deployment scenarios. It should be possible for the
administrator to configure the level of security needed for the
ForCES Protocol.
In general, the physical separation of two entities usually results
in a potentially insecure link between the two entities and hence
much stricter security measurements are required. For example, we
pointed out in Section 4.1 that authentication becomes necessary
between the CE manager and FE manager, between the CE and CE manager,
and between the FE and FE manager in some configurations. The
physical separation of the CE and FE also imposes serious security
requirements for the ForCES Protocol over the Fp interface. This
section first attempts to describe the security threats that may be
Yang, et al. Informational [Page 30]
^L
RFC 3746 ForCES Framework April 2004
introduced by the physical separation of the FEs and CEs, and then it
provides recommendations and guidelines for the secure operation and
management of the ForCES Protocol over the Fp interface based on
existing standard security solutions.
8.1. Analysis of Potential Threats Introduced by ForCES
This section provides the threat analysis for ForCES, with a focus on
the Fp interface. Each threat is described in detail with the
effects on the ForCES Protocol entities or/and the NE as a whole, and
the required functionalities that need to be in place to defend the
threat.
8.1.1. "Join" or "Remove" Message Flooding on CEs
Threats: A malicious node could send a stream of false "join NE" or
"remove from NE" requests on behalf of a non-existent or unauthorized
FE to legitimate CEs at a very rapid rate, and thereby creating
unnecessary state in the CEs.
Effects: If maintaining state for non-existent or unauthorized FEs, a
CE may become unavailable for other processing and hence suffer from
a denial of service (DoS) attack similar to the TCP SYN DoS. If
multiple CEs are used, the unnecessary state information may also be
conveyed to multiple CEs via the Fr interface (e.g., from the active
CE to the stand-by CE) and hence subject multiple CEs to a DoS
attack.
Requirement: A CE that receives a "join" or "remove" request should
not create any state information until it has authenticated the FE
endpoint.
8.1.2. Impersonation Attack
Threats: A malicious node can impersonate a CE or FE and send out
false messages.
Effects: The whole NE could be compromised.
Requirement: The CE or FE must authenticate the message as having
come from an FE or CE on the list of the authorized ForCES elements
(provided by the CE or FE Manager in the pre-association phase)
before accepting and processing it.
8.1.3. Replay Attack
Threat: A malicious node could replay the entire message previously
sent by an FE or CE entity to get around authentication.
Yang, et al. Informational [Page 31]
^L
RFC 3746 ForCES Framework April 2004
Effect: The NE could be compromised.
Requirement: A replay protection mechanism needs to be part of the
security solution to defend against this attack.
8.1.4. Attack during Fail Over
Threat: A malicious node may exploit the CE fail-over mechanism to
take over the control of NE. For example, suppose two CEs, say CE-A
and CE-B, are controlling several FEs. CE-A is active and CE-B is
stand-by. When CE-A fails, CE-B is taking over the active CE
position. The FEs already had a trusted relationship with CE-A, but
the FEs may not have the same trusted relationship established with
CE-B prior to the fail-over. A malicious node can take over as CE-B
if such a trusted relationship has not been established prior to or
during the fail-over.
Effect: The NE may be compromised after such insecure fail-over.
Requirement: The level of trust between the stand-by CE and the FEs
must be as strong as the one between the active CE and the FEs. The
security association between the FEs and the stand-by CE may be
established prior to fail-over. If not already in place, such
security association must be re-established before the stand-by CE
takes over.
8.1.5. Data Integrity
Threats: A malicious node may inject false messages to a legitimate
CE or FE.
Effect: An FE or CE receives the fabricated packet and performs an
incorrect or catastrophic operation.
Requirement: Protocol messages require integrity protection.
8.1.6. Data Confidentiality
Threat: When FE and CE are physically separated, a malicious node may
eavesdrop the messages in transit. Some of the messages are critical
to the functioning of the whole network, while others may contain
confidential business data. Leaking of such information may result
in compromise even beyond the immediate CE or FE.
Effect: Sensitive information might be exposed between the CE and FE.
Requirement: Data confidentiality between the FE and CE must be
available for sensitive information.
Yang, et al. Informational [Page 32]
^L
RFC 3746 ForCES Framework April 2004
8.1.7. Sharing security parameters
Threat: Consider a scenario where several FEs are communicating to
the same CE and sharing the same authentication keys for the Fp
interface. If any FE or CE is compromised, all other entities are
compromised.
Effect: The whole NE is compromised.
Recommendation: To avoid this side effect, it's better to configure
different security parameters for each FE-CE communication over the
Fp interface.
8.1.8. Denial of Service Attack via External Interface
Threat: When an FE receives a packet that is destined for its CE, the
FE forwards the packet over the Fp interface. A malicious node can
generate a huge message storm like routing protocol packets etc.
through the external Fi/f interface so that the FE has to process and
forward all packets to the CE through the Fp interface.
Effect: The CE encounters resource exhaustion and bandwidth
starvation on Fp interface due to an overwhelming number of packets
from FEs.
Requirement: Some sort of rate limiting mechanism MUST be in place at
both the FE and CE. The Rate Limiter SHOULD be configured at the FE
for each message type being received through the Fi/f interface.
8.2. Security Recommendations for ForCES
The requirements document [4] suggested that the ForCES Protocol
should support reliability over the Fp interface, but no particular
transport protocol is yet specified for ForCES. This framework
document does not intend to specify the particular transport either,
and so we only provide recommendations and guidelines based on the
existing standard security protocols [18] that can work with the
common transport candidates suitable for ForCES.
We review two existing security protocol solutions, namely IPsec (IP
Security) [15] and TLS (Transport Layer Security) [14]. TLS works
with reliable transports such as TCP or SCTP for unicast, while IPsec
can be used with any transport (UDP, TCP, SCTP) and supports both
unicast and multicast. Both TLS and IPsec can be used potentially to
satisfy all of the security requirements for the ForCES Protocol. In
addition, other approaches that satisfy the requirements can be used
as well, but are not documented here, including the use of L2
security mechanisms for a given L2 interconnect technology.
Yang, et al. Informational [Page 33]
^L
RFC 3746 ForCES Framework April 2004
When ForCES is deployed between CEs and FEs inside a box or a
physically secured room, authentication, confidentiality, and
integrity may be provided by the physical security of the box. Thus,
the security mechanisms may be turned off, depending on the
networking topology and its administration policy. However, it is
important to realize that even if the NE is in a single-box, the DoS
attacks as described in Section 8.1.8 can still be launched through
the Fi/f interfaces. Therefore, it is important to have the
corresponding counter-measurement in place, even for single-box
deployment.
8.2.1. Using TLS with ForCES
TLS [14] can be used if a reliable unicast transport such as TCP or
SCTP is used for ForCES over the Fp interface. The TLS handshake
protocol is used during the association establishment or re-
establishment phase to negotiate a TLS session between the CE and FE.
Once the session is in place, the TLS record protocol is used to
secure ForCES communication messages between the CE and FE.
A basic outline of how TLS can be used with ForCES is described
below. Steps 1) through 7) complete the security handshake as
illustrated in Figure 9, while step 8) is for all further
communication between the CE and FE, including the rest of the
messages after the security handshake shown in Figure 9 and the
steady-state communication shown in Figure 10.
1) During the Pre-association phase, all FEs are configured with the
CEs (including both the active CE and the standby CE).
2) The FE establishes a TLS connection with the CE (master) and
negotiates a cipher suite.
3) The FE (slave) gets the CE certificate, validates the signature,
checks the expiration date, and checks whether the certificate has
been revoked.
4) The CE (master) gets the FE certificate and performs the same
validation as the FE in step 3).
5) If any of the checks fail in step 3) or step 4), the endpoint must
generate an error message and abort.
6) After successful mutual authentication, a TLS session is
established between the CE and FE.
7) The FE sends a "join NE" message to the CE.
Yang, et al. Informational [Page 34]
^L
RFC 3746 ForCES Framework April 2004
8) The FE and CE use the TLS session for further communication.
Note that there are different ways for the CE and FE to validate a
received certificate. One way is to configure the FE Manager or CE
Manager or other central component as CA, so that the CE or FE can
query this pre-configured CA to validate that the certificate has not
been revoked. Another way is to have the CE and FE directly
configure a list of valid certificates in the pre-association phase.
In the case of fail-over, it is the responsibility of the active CE
and the standby CE to synchronize ForCES states, including the TLS
states to minimize the state re-establishment during fail-over. Care
must be taken to ensure that the standby CE is also authenticated in
the same way as the active CE, either before or during the fail-over.
8.2.2. Using IPsec with ForCES
IPsec [15] can be used with any transport protocol, such as UDP,
SCTP, and TCP, over the Fp interface for ForCES. When using IPsec,
we recommend using ESP in the transport mode for ForCES because
message confidentiality is required for ForCES.
IPsec can be used with both manual and automated SA and cryptographic
key management. But IPsec's replay protection mechanisms are not
available if manual key management is used. Hence, automatic key
management is recommended if replay protection is deemed important.
Otherwise, manual key management might be sufficient for some
deployment scenarios, especially when the number of CEs and FEs is
relatively small. It is recommended that the keys be changed
periodically, even for manual key management.
IPsec can support both unicast and multicast transport. At the time
this document was published, the MSEC working group was actively
working on standardizing protocols to provide multicast security
[17]. Multicast-based solutions relying on IPsec should specify how
to meet the security requirements in [4].
Unlike TLS, IPsec provides security services between the CE and FE at
IP level, so the security handshake, as illustrated in Figure 9
amounts to a "no-op" when manual key management is used. The
following outlines the steps taken for ForCES in such a case.
1) During the Pre-association phase, all the FEs are configured with
CEs (including the active CE and standby CE) and SA parameters
manually.
Yang, et al. Informational [Page 35]
^L
RFC 3746 ForCES Framework April 2004
2) The FE sends a "join NE" message to the CE. This message and all
others that follow are afforded security service according to the
manually configured IPsec SA parameters, but replay protection is
not available.
It is up to the administrator to decide whether to share the same key
across multiple FE-CE communication, but it is recommended that
different keys be used. Similarly, it is recommended that different
keys be used for inbound and outbound traffic.
If automatic key management is needed, IKE [16] can be used for that
purpose. Other automatic key distribution techniques, such as
Kerberos, may be used as well. The key exchange process constitutes
the security handshake as illustrated in Figure 9. The following
shows the steps involved in using IKE with IPsec for ForCES. Steps
1) to 6) constitute the security handshake in Figure 9.
1) During the Pre-association phase, all FEs are configured with the
CEs (including active CE and standby CE), IPsec policy etc.
2) The FE kicks off the IKE process and tries to establish an IPsec
SA with the CE (master). The FE (Slave) gets the CE certificate
as part of the IKE negotiation. The FE validates the signature,
checks the expiration date, and checks whether the certificate has
been revoked.
3) The CE (master) gets the FE certificate and performs the same
check as the FE in step 2).
4) If any of the checks fail in step 2) or step 3), the endpoint must
generate an error message and abort.
5) After successful mutual authentication, the IPsec session is
established between the CE and FE.
6) The FE sends a "join NE" message to the CE. No SADB entry is
created in FE yet.
7) The FE and CE use the IPsec session for further communication.
The FE Manager, CE Manager, or other central component can be used as
a CA for validating CE and FE certificates during the IKE process.
Alternatively, during the pre-association phase, the CE and FE can be
configured directly with the required information, such as
certificates or passwords etc., depending upon the type of
authentication that administrator wants to configure.
Yang, et al. Informational [Page 36]
^L
RFC 3746 ForCES Framework April 2004
In the case of fail-over, it is the responsibility of the active CE
and standby CE to synchronize ForCES states and IPsec states to
minimize the state re-establishment during fail-over. Alternatively,
the FE needs to establish a different IPsec SA during the startup
operation itself with each CE. This will minimize the periodic state
transfer across the IPsec layer though the Fr (CE-CE) Interface.
9. References
9.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Baker, F., Ed., "Requirements for IP Version 4 Routers", RFC
1812, June 1995.
[3] Floyd, S., "Congestion Control Principles", BCP 41, RFC 2914,
September 2000.
[4] Khosravi, H. and Anderson, T., Eds., "Requirements for
Separation of IP Control and Forwarding", RFC 3654, November
2003.
9.2. Informative References
[5] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction
and Applicability Statements for Internet Standard Management
Framework", RFC 3410, December 2002.
[6] Daniele, M., Wijnen, B., Ellison, M. and D. Francisco, "Agent
Extensibility (AgentX) Protocol Version 1", RFC 2741, January
2000.
[7] Chan, K., Seligson, J., Durham, D., Gai, S., McCloghrie, K.,
Herzog, S., Reichmeyer, F., Yavatkar, R. and A. Smith, "COPS
Usage for Policy Provisioning (COPS-PR)", RFC 3084, March 2001.
[8] Crouch, A. et al., "ForCES Applicability Statement", Work in
Progress.
[9] Anderson, T. and J. Buerkle, "Requirements for the Dynamic
Partitioning of Switching Elements", RFC 3532, May 2003.
[10] Leelanivas, M., Rekhter, Y. and R. Aggarwal, "Graceful Restart
Mechanism for Label Distribution Protocol", RFC 3478, February
2003.
Yang, et al. Informational [Page 37]
^L
RFC 3746 ForCES Framework April 2004
[11] Moy, J., Pillay-Esnault, P. and A. Lindem, "Graceful OSPF
Restart", RFC 3623, November 2003.
[12] Sangli, S. et al., "Graceful Restart Mechanism for BGP", Work in
Progress.
[13] Shand, M. and L. Ginsberg, "Restart Signaling for IS-IS", Work
in Progress.
[14] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
2246, January 1999.
[15] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[16] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.
[17] Hardjono, T. and Weis, B. "The Multicast Group Security
Architecture", RFC 3740, March 2004.
[18] Bellovin, S., Schiller, J. and C. Kaufman, Eds., "Security
Mechanisms for the Internet", RFC 3631, December 2003.
Yang, et al. Informational [Page 38]
^L
RFC 3746 ForCES Framework April 2004
10. Authors' Addresses
L. Lily Yang
Intel Corp., MS JF3-206,
2111 NE 25th Avenue
Hillsboro, OR 97124, USA
Phone: +1 503 264 8813
EMail: lily.l.yang@intel.com
Ram Dantu
Department of Computer Science,
University of North Texas,
Denton, TX 76203, USA
Phone: +1 940 565 2822
EMail: rdantu@unt.edu
Todd A. Anderson
Intel Corp.
2111 NE 25th Avenue
Hillsboro, OR 97124, USA
Phone: +1 503 712 1760
EMail: todd.a.anderson@intel.com
Ram Gopal
Nokia Research Center
5, Wayside Road,
Burlington, MA 01803, USA
Phone: +1 781 993 3685
EMail: ram.gopal@nokia.com
Yang, et al. Informational [Page 39]
^L
RFC 3746 ForCES Framework April 2004
11. Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed
to pertain to the implementation or use of the technology
described in this document or the extent to which any license
under such rights might or might not be available; nor does it
represent that it has made any independent effort to identify any
such rights. Information on the procedures with respect to
rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository
at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention
any copyrights, patents or patent applications, or other
proprietary rights that may cover technology that may be required
to implement this standard. Please address the information to the
IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Yang, et al. Informational [Page 40]
^L
|
