1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
|
Internet Engineering Task Force (IETF) C. Shen
Request for Comments: 5979 H. Schulzrinne
Category: Experimental Columbia U.
ISSN: 2070-1721 S. Lee
Samsung
J. Bang
Samsung AIT
March 2011
NSIS Operation over IP Tunnels
Abstract
NSIS Quality of Service (QoS) signaling enables applications to
perform QoS reservation along a data flow path. When the data flow
path contains IP tunnel segments, NSIS QoS signaling has no effect
within those tunnel segments. Therefore, the resulting tunnel
segments could become the weakest QoS link and invalidate the QoS
efforts in the rest of the end-to-end path. The problem with NSIS
signaling within the tunnel is caused by the tunnel encapsulation
that masks packets' original IP header fields. Those original IP
header fields are needed to intercept NSIS signaling messages and
classify QoS data packets. This document defines a solution to this
problem by mapping end-to-end QoS session requests to corresponding
QoS sessions in the tunnel, thus extending the end-to-end QoS
signaling into the IP tunnel segments.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5979.
Shen, et al. Experimental [Page 1]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Shen, et al. Experimental [Page 2]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 6
3.1. IP Tunneling Protocols . . . . . . . . . . . . . . . . . . 6
3.2. NSIS QoS Signaling in the Presence of IP Tunnels . . . . . 7
4. Design Overview . . . . . . . . . . . . . . . . . . . . . . . 10
4.1. Design Requirements . . . . . . . . . . . . . . . . . . . 10
4.2. Overall Design Approach . . . . . . . . . . . . . . . . . 11
4.3. Tunnel Flow ID for Different IP Tunneling Protocols . . . 13
5. NSIS Operation over Tunnels with Preconfigured QoS Sessions . 14
5.1. Sender-initiated Reservation . . . . . . . . . . . . . . . 14
5.2. Receiver-Initiated Reservation . . . . . . . . . . . . . . 15
6. NSIS Operation over Tunnels with Dynamically Created QoS
Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
6.1. Sender-Initiated Reservation . . . . . . . . . . . . . . . 17
6.2. Receiver-Initiated Reservation . . . . . . . . . . . . . . 19
7. NSIS-Tunnel Signaling Capability Discovery . . . . . . . . . . 22
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
9. Security Considerations . . . . . . . . . . . . . . . . . . . 24
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25
11.1. Normative References . . . . . . . . . . . . . . . . . . . 25
11.2. Informative References . . . . . . . . . . . . . . . . . . 25
1. Introduction
IP tunneling [RFC1853] [RFC2003] is a technique that allows a packet
to be encapsulated and carried as payload within an IP packet. The
resulting encapsulated packet is called an IP tunnel packet, and the
packet being tunneled is called the original packet. In typical
scenarios, IP tunneling is used to exert explicit forwarding path
control (e.g., in Mobile IP [RFC5944]), implement secure IP data
delivery (e.g., in IPsec [RFC4301]), and help packet routing in IP
networks of different characteristics (e.g., between IPv6 and IPv4
networks [RFC4213]). Section 3.1 summarizes a list of common IP
tunneling protocols.
This document considers the situation when the packet being tunneled
contains a Next Step In Signaling (NSIS) [RFC4080] packet. NSIS is
an IP signaling architecture consisting of a Generic Internet
Signaling Transport (GIST) [RFC5971] sub-layer for signaling
transport, and an NSIS Signaling Layer Protocol (NSLP) sub-layer
customizable for different applications. We focus on the Quality of
Service (QoS) NSLP [RFC5974] which provides functionalities that
extend those of the earlier RSVP [RFC2205] signaling. In this
document, the terms "NSIS" and "NSIS QoS" are used interchangeably.
Shen, et al. Experimental [Page 3]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Without additional efforts, NSIS signaling does not work within IP
tunnel segments of a signaling path. The reason is that tunnel
encapsulation masks the original packet including its header and
payload. However, information from the original packet is required
both for NSIS peer node discovery and for QoS data flow packet
classification. Without access to information from the original
packet, an IP tunnel acts as an NSIS-unaware virtual link in the end-
to-end NSIS signaling path.
This document defines a mechanism to extend end-to-end NSIS signaling
for QoS reservation into IP tunnels. The NSIS-aware IP tunnel
endpoints that support this mechanism are called NSIS-tunnel-aware
endpoints. There are two main operation modes. On one hand, if the
tunnel already has preconfigured QoS sessions, the NSIS-tunnel-aware
endpoints map end-to-end QoS signaling requests directly to existing
tunnel sessions as long as there are enough tunnel session resources;
on the other hand, if no preconfigured tunnel QoS sessions are
available, the NSIS-tunnel-aware endpoints dynamically initiate and
maintain tunnel QoS sessions that are then associated with the
corresponding end-to-end QoS sessions. Note that whether or not the
tunnel preconfigures QoS sessions, and which preconfigured tunnel QoS
sessions a particular end-to-end QoS signaling request should be
mapped to are policy issues that are out of scope of this document.
The rest of this document is organized as follows. Section 2 defines
terminology. Section 3 presents the problem statement including
common IP tunneling protocols and existing behavior of NSIS QoS
signaling over IP tunnels. Section 4 introduces the design
requirements and overall approach of our mechanism. More details
about how NSIS QoS signaling operates with tunnels that use
preconfigured QoS and dynamic QoS signaling are provided in Sections
5 and 6. Section 7 describes a method to automatically discover
whether a tunnel endpoint node supports the NSIS-tunnel
interoperation mechanism defined in this document. Section 8
discusses IANA considerations, and Section 9 considers security.
2. Terminology
This document uses terminology defined in [RFC2473], [RFC5971], and
[RFC5974]. In addition, the following terms are used:
IP Tunnel: A tunnel that is configured as a virtual link between two
IP nodes and on which the encapsulating protocol is IP.
Tunnel IP Header: The IP header prepended to the original packet
during encapsulation. It specifies the tunnel endpoints as source
and destination.
Shen, et al. Experimental [Page 4]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Tunnel-Specific Header: The header fields inserted by the
encapsulation mechanism after the tunnel IP header and before the
original packet. These headers may or may not exist depending on
the specific tunnel mechanism used. An example of such header
fields is the Encapsulation Security Payload (ESP) header for
IPsec [RFC4301] tunneling mode.
Tunnel Intermediate Node (Tmid): A node that resides in the middle
of the forwarding path between the tunnel entry-point node and the
tunnel exit-point node.
Flow Identifier (Flow ID): The set of header fields that is used to
identify a data flow. For example, it may include flow sender and
receiver addresses, and protocol and port numbers.
End-to-End QoS Signaling: The signaling process that manipulates the
QoS control information in the end-to-end path from the flow
sender to the flow receiver. When the end-to-end flow path
contains tunnel segments, this document uses end-to-end QoS
signaling to refer to the QoS signaling outside the tunnel
segments. This document uses "end-to-end QoS signaling" and "end-
to-end signaling" interchangeably.
Tunnel QoS Signaling: The signaling process that manipulates the QoS
control information in the path inside a tunnel, between the
tunnel entry-point and the tunnel exit-point nodes. This document
uses "tunnel QoS signaling" and "tunnel signaling"
interchangeably.
NSIS-Aware Node: A node that supports NSIS signaling.
NSIS-Aware Tunnel Endpoint Node: A tunnel endpoint node that is also
an NSIS node.
NSIS-Tunnel-Aware Endpoint Node: An NSIS-aware tunnel endpoint node
that also supports the mechanism for NSIS operating over IP
tunnels defined in this document.
Shen, et al. Experimental [Page 5]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
3. Problem Statement
3.1. IP Tunneling Protocols
Tunnel from node B to node D
<---------------------->
Tunnel Tunnel Tunnel
Entry-Point Intermediate Exit-Point
Node Node Node
+-+ +-+ +-+ +-+ +-+
|A|-->--//-->--|B|=====>====|C|===//==>===|D|-->--//-->--|E|
+-+ +-+ +-+ +-+ +-+
Original Original
Packet Packet
Source Destination
Node Node
Figure 1: IP Tunnel
The following description about IP tunneling is derived from
[RFC2473] and adapted for both IPv4 and IPv6.
IP tunneling (Figure 1) is a technique for establishing a "virtual
link" between two IP nodes for transmitting data packets as payloads
of IP packets. From the point of view of the two nodes, this
"virtual link", called an IP tunnel, appears as a point-to-point link
on which IP acts like a link-layer protocol. The two IP nodes play
specific roles. One node encapsulates original packets received from
other nodes or from itself and forwards the resulting tunnel packets
through the tunnel. The other node decapsulates the received tunnel
packets and forwards the resulting original packets towards their
destinations, possibly itself. The encapsulating node is called the
tunnel entry-point node (Tentry), and it is the source of the tunnel
packets. The decapsulating node is called the tunnel exit-point node
(Texit), and it is the destination of the tunnel packets.
An IP tunnel is a unidirectional mechanism - the tunnel packet flow
takes place in one direction between the IP tunnel entry-point and
exit-point nodes. Bidirectional tunneling is achieved by combining
two unidirectional mechanisms, that is, configuring two tunnels, each
in opposite direction to the other -- the entry-point node of one
tunnel is the exit-point node of the other tunnel.
Figure 2 illustrates the original packet and the resulting tunnel
packet. In a tunnel packet, the original packet is encapsulated
within the tunnel header. The tunnel header contains two components,
the tunnel IP header and other tunnel-specific headers. The tunnel
IP header specifies the tunnel entry-point node as the IP source
Shen, et al. Experimental [Page 6]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
address and the tunnel exit-point node as the IP destination address,
causing the tunnel packet to be forwarded in the tunnel. The tunnel-
specific header between the tunnel IP header and the original packet
is optional, depending on the tunneling protocol in use.
+----------------------------------//-----+
| Original | |
| | Original Packet Payload |
| Header | |
+----------------------------------//-----+
< Original Packet >
|
v
< Tunnel Headers > < Original Packet >
+---------+-----------+-------------------------//--------------+
| Tunnel | Tunnel- | |
| IP | Specific | Original Packet |
| Header | Header | |
+---------+-----------+-------------------------//--------------+
< Tunnel IP Packet >
Figure 2: IP Tunnel Encapsulation
Commonly used IP tunneling protocols include Generic Routing
Encapsulation (GRE) [RFC1701][RFC2784], Generic Routing Encapsulation
over IPv4 Networks (GREIPv4) [RFC1702] and IP Encapsulation within IP
(IPv4INIPv4) [RFC1853][RFC2003], Minimal Encapsulation within IP
(MINENC) [RFC2004], IPv6 over IPv4 Tunneling (IPv6INIPv4) [RFC4213],
Generic Packet Tunneling in IPv6 Specification (IPv6GEN) [RFC2473]
and IPsec tunneling mode [RFC4301] [RFC4303]. Among these tunneling
protocols, the tunnel headers in IPv4INIPv4, IPv6INIPv4, and IPv6GEN
contain only a tunnel IP header, and no tunnel-specific header. All
the other tunneling protocols have a tunnel header consisting of both
a tunnel IP header and a tunnel-specific header. The tunnel-specific
header is the GRE header for GRE and GREIPv4, the minimum
encapsulation header for MINENC, and the ESP header for IPsec
tunneling mode. As will be discussed in Section 4.3, some of the
tunnel-specific headers may be used to identify a flow in the tunnel
and facilitate NSIS operating over IP tunnels.
3.2. NSIS QoS Signaling in the Presence of IP Tunnels
Typically, applications use NSIS QoS signaling to reserve resources
for a flow along the flow path. NSIS QoS signaling can be initiated
by either the flow sender or flow receiver. Figure 3 shows an
example scenario with five NSIS nodes, including flow sender node A,
flow receiver node E, and intermediate NSIS nodes B, C, and D. Nodes
that are not NSIS QoS capable are not shown.
Shen, et al. Experimental [Page 7]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
NSIS QoS NSIS QoS NSIS QoS NSIS QoS NSIS QoS
Node Node Node Node Node
+-+ +-+ +-+ +-+ +-+
|A|-->--//-->--|B|----->----|C|---//-->---|D|-->--//-->--|E|
+-+ +-+ +-+ +-+ +-+
Flow Flow
Sender Receiver
Node Node
Figure 3: Example Scenario of NSIS QoS Signaling
Figure 4 illustrates a sender-initiated signaling sequence in the
scenario of Figure 3. Sender node A sends a RESERVE message towards
receiver node E. The RESERVE message gets forwarded by intermediate
NSIS Nodes B, C, and D and finally reaches receiver node E. Receiver
node E then sends back a RESPONSE message confirming the QoS
reservation, again through the previous intermediate NSIS nodes in
the flow path.
There are two important aspects in the above signaling process that
are worth mentioning. First, the flow sender does not initially know
exactly which intermediate nodes are NSIS-aware and should be
involved in the signaling process for a flow from node A to node E.
Discovery of those nodes (namely, nodes B, C, and D) is accomplished
by a separate NSIS peer discovery process (not shown above; see
[RFC5971]). The NSIS peer discovery messages contain special IP
header and payload formats or include a Router Alert Option (RAO)
[RFC2113] [RFC2711]. The special formats of NSIS discovery messages
allow nodes B, C, and D to intercept the messages and subsequently
insert themselves into the signaling path for the flow in question.
After formation of the signaling path, all signaling messages
corresponding to this flow will be passed to these nodes for
processing. Other nodes that are not NSIS-aware simply forward all
signaling messages, as they would any other IP packets that do not
require additional handling.
Shen, et al. Experimental [Page 8]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Node A Node B Node C Node D Node E
| | | | |
| RESERVE | | | |
+------------->| | | |
| | RESERVE | | |
| +------------->| | |
| | | RESERVE | |
| | +------------->| |
| | | | RESERVE |
| | | +------------->|
| | | | RESPONSE |
| | | |<-------------+
| | | RESPONSE | |
| | |<-------------+ |
| | RESPONSE | | |
| |<-------------+ | |
| RESPONSE | | | |
|<-------------+ | | |
| | | | |
| | | | |
Figure 4: Sender-Initiated NSIS QoS Signaling
Second, the goal of QoS signaling is to install control information
to give QoS treatment for the flow being signaled. Basic QoS control
information includes the data Flow ID for packet classification and
the type of QoS treatment those packets are entitled to. The Flow ID
contains a set of header fields such as flow sender and receiver
addresses, and protocol and port numbers.
Now consider Figure 5 where nodes B, C, and D are endpoints and
intermediate nodes of an IP tunnel. During the signaling path
discovery process, node B can still intercept and process NSIS peer
discovery messages if it recognizes them before performing tunnel
encapsulation; node D can identify NSIS peer discovery messages after
performing tunnel decapsulation. A tunnel intermediate node such as
node C, however, only sees the tunnel header of the packets and will
not be able to identify the original NSIS peer discovery message or
insert itself in the flow signaling path. Furthermore, the Flow ID
of the original flow is based on IP header fields of the original
packet. Those fields are also hidden in the payload of the tunnel
packet. So, there is no way node C can classify packets belonging to
that flow in the tunnel.
Shen, et al. Experimental [Page 9]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Tunnel from node B to node D
<---------------------->
Tunnel Tunnel Tunnel
Entry-Point Intermediate Exit-Point
NSIS QoS NSIS QoS NSIS QoS NSIS QoS NSIS QoS
Node Node Node Node Node
+-+ +-+ +-+ +-+ +-+
|A|-->--//-->--|B|=====>====|C|===//==>===|D|-->--//-->--|E|
+-+ +-+ +-+ +-+ +-+
Flow Flow
Sender Receiver
Node Node
Figure 5: Example Scenario of NSIS QoS Signaling with IP Tunnel
In summary, an IP tunnel segment normally appears like a QoS-unaware
virtual link. Since the best QoS of an end-to-end path is judged
based on its weakest segment, we need a mechanism to extend NSIS into
the IP tunnel segments, which should allow the tunnel intermediate
nodes to intercept original NSIS signaling messages and classify
original data flow packets in the presence of tunnel encapsulation.
4. Design Overview
4.1. Design Requirements
We identify the following design requirements for NSIS operating over
IP tunnels.
o The mechanism should work with all common IP tunneling protocols
listed in Section 3.1.
o Some IP tunnels maintain preconfigured QoS sessions inside the
tunnel. The mechanism should work for IP tunnels both with and
without preconfigured tunnel QoS sessions.
o The mechanism should minimize the required upgrade to existing
infrastructure in order to facilitate its deployment.
Specifically, we should limit the necessary upgrade to the tunnel
endpoints.
o The mechanism should provide a method for one NSIS-tunnel-aware
endpoint to discover whether the other endpoint is also NSIS-
tunnel-aware, when necessary.
o The mechanism should learn from the design experience of previous
related work on RSVP over IP tunnels (RSVP-TUNNEL) [RFC2746],
while also addressing the following major differences of NSIS from
Shen, et al. Experimental [Page 10]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
RSVP. First, NSIS is designed as a generic framework to
accommodate various signaling application needs, and therefore is
split into a signaling transport layer and a signaling application
layer; RSVP does not have a layer split and is designed only for
QoS signaling. Second, NSIS QoS NSLP allows both sender-initiated
and receiver-initiated reservations; RSVP only supports receiver-
initiated reservations. Third, NSIS deals only with unicast; RSVP
also supports multicast. Fourth, NSIS integrates a new SESSION-ID
feature which is different from the session identification concept
in RSVP.
4.2. Overall Design Approach
The overall design of this NSIS signaling and IP tunnel interworking
mechanism draws similar concepts from RSVP-TUNNEL [RFC2746], but is
tailored and extended for NSIS operation.
Since we only consider unidirectional flows, to accommodate flows in
both directions of a tunnel, we require both tunnel entry-point and
tunnel exit-point to be NSIS-tunnel-aware. An NSIS-tunnel-aware
endpoint knows whether the other tunnel endpoint is NSIS-tunnel-aware
either through preconfiguration or through an NSIS-tunnel capability
discovery mechanism defined in Section 7.
Tunnel endpoints need to always intercept NSIS peer discovery
messages and insert themselves into the NSIS signaling path so they
can receive all NSIS signaling messages and coordinate their
interaction with tunnel QoS.
To facilitate QoS handling in the tunnel, an end-to-end QoS session
is mapped to a tunnel QoS session, either preconfigured or
dynamically created. The tunnel session uses a tunnel Flow ID based
on information available in the tunnel headers, thus allowing tunnel
intermediate nodes to classify flow packets correctly.
For tunnels that maintain preconfigured QoS sessions, upon receiving
a request to reserve resources for an end-to-end session, the tunnel
endpoint maps the end-to-end QoS session to an existing tunnel
session. To simplify the design, the mapping decision is always made
by the tunnel entry-point, regardless of whether the end-to-end
session uses sender-initiated or receiver-initiated NSIS signaling
mode. The details about which end-to-end session can be mapped to
which preconfigured tunnel session depend on policy mechanisms
outside the scope of this document.
For tunnels that do not maintain preconfigured QoS sessions, the
NSIS-tunnel-aware endpoints dynamically create and manage a
corresponding tunnel QoS session for the end-to-end session. Since
Shen, et al. Experimental [Page 11]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
the initiation mode of both QoS sessions can be sender-initiated or
receiver-initiated, to simplify the design, we require that the
initiation mode of the tunnel QoS session follows that of the end-to-
end QoS session. In other words, the end-to-end QoS session and its
corresponding tunnel QoS session are either both sender-initiated or
both receiver-initiated. To keep the handling mechanism consistent
with the case for tunnels with preconfigured QoS sessions, the tunnel
entry-point always initiates the mapping between the tunnel session
and the end-to-end session.
As the mapping initiator, the tunnel entry-point records the
association between the end-to-end session and its corresponding
tunnel session, both in tunnels with and without preconfigured QoS
sessions. This association serves two purposes, one for the
signaling plane and the other for the data plane. For the signaling
plane, the association enables the tunnel entry-point to coordinate
necessary interactions between the end-to-end and the tunnel QoS
sessions, such as QoS adjustment in sender-initiated reservations.
For the data plane, the association allows the tunnel entry-point to
correctly encapsulate data flow packets according to the chosen
tunnel Flow ID. Since the tunnel Flow ID uses header fields that are
visible inside the tunnel, the tunnel intermediate nodes can classify
the data flow packets and apply appropriate QoS treatment.
In addition to the tunnel entry-point recording the association
between the end-to-end session and its corresponding tunnel session,
the tunnel exit-point also needs to maintain the same association for
similar reasons. For the signaling plane, this association at the
tunnel exit-point enables the interaction of the end-to-end and the
tunnel QoS session such as QoS adjustment in receiver-initiated
reservations. For the data plane, this association tells the tunnel
exit-point that the relevant data flow packets need to be
decapsulated according to the corresponding tunnel Flow ID.
In tunnels with preconfigured QoS sessions, the tunnel exit-point may
also learn about the mapping information between the corresponding
tunnel and end-to-end QoS sessions through preconfiguration as well.
In tunnels without preconfigured QoS sessions, the tunnel exit-point
knows the mapping between the corresponding tunnel and end-to-end QoS
sessions through the NSIS signaling process that creates the tunnel
QoS sessions inside the tunnel, with the help of appropriate QoS NSLP
session-binding and message-binding mechanisms.
One problem for NSIS operating over IP tunnels that dynamically
create QoS sessions is that it involves two signaling sequences. The
outcome of the tunnel signaling session directly affects the outcome
of the end-to-end signaling session. Since the two signaling
sessions overlap in time, there are circumstances when a tunnel
Shen, et al. Experimental [Page 12]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
endpoint has to decide whether it should proceed with the end-to-end
signaling session while it is still waiting for results of the tunnel
session. This problem can be addressed in two ways, namely
sequential mode and parallel mode. In sequential mode, end-to-end
signaling pauses while it is waiting for results of tunnel signaling,
and resumes upon receipt of the tunnel signaling outcome. In
parallel mode, end-to-end signaling continues outside the tunnel
while tunnel signaling is still in process and its outcome is
unknown. The parallel mode may lead to reduced signaling delays if
the QoS resources in the tunnel path are sufficient compared to the
rest of the end-to-end path. If the QoS resources in the tunnel path
are more constraint than the rest of the end-to-end path, however,
the parallel mode may lead to wasted end-to-end signaling or may
necessitate renegotiation after the tunnel signaling outcome becomes
available. In those cases, the signaling flow of the parallel mode
also tends to be complicated. This document adopts a sequential mode
approach for the two signaling sequences.
4.3. Tunnel Flow ID for Different IP Tunneling Protocols
A tunnel Flow ID identifies the end-to-end flow for packet
classification within the tunnel. The tunnel Flow ID is based on a
set of tunnel header fields. Different tunnel Flow IDs can be chosen
for different tunneling mechanisms in order to minimize the
classification overhead. This document specifies the following Flow
ID formats for the respective tunneling protocols.
o For IPv6 tunneling protocols (IPv6GEN), the tunnel Flow ID
consists of the tunnel entry-point IPv6 address and the tunnel
exit-point IPv6 address plus a unique IPv6 flow label [RFC3697].
o For IPsec tunnel mode (IPsec), the tunnel Flow ID contains the
tunnel entry-point IP address and the tunnel exit-point IP address
plus the Security Parameter Index (SPI).
o For all other tunneling protocols (GRE, GREIPv4, IPv4INIPv4,
MINENC, IPv6INIPv4), the tunnel entry-point inserts an additional
UDP header between the tunnel header and the original packet. The
Flow ID consists of the tunnel entry-point and tunnel exit-point
IP addresses and the source port number in the additional UDP
header. The source port number is dynamically chosen by the
tunnel entry-point and conveyed to the tunnel exit-point. In
these cases, it is especially important that the tunnel exit-point
understands the additional UDP encapsulation, and therefore can
correctly decapsulate both the normal tunnel header and the
additional UDP header. In other words, both tunnel endpoints need
to be NSIS-tunnel-aware.
Shen, et al. Experimental [Page 13]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
The above recommendations about choosing the tunnel Flow ID apply to
dynamically created QoS tunnel sessions. For preconfigured QoS
tunnel sessions, the corresponding Flow ID is determined by the
configuration mechanism itself. For example, if the tunnel QoS is
Diffserv based, the Diffserv Code Point (DSCP) field value may be
used to identify the corresponding tunnel session.
5. NSIS Operation over Tunnels with Preconfigured QoS Sessions
When tunnel QoS is managed by preconfigured QoS sessions, both the
tunnel entry-point and tunnel exit-point need to be configured with
information about the Flow ID of the tunnel QoS session. This allows
the tunnel endpoints to correctly perform matching encapsulating and
decapsulating operations. The procedures of NSIS operating over
tunnels with preconfigured QoS sessions depend on whether the end-to-
end NSIS signaling is sender-initiated or receiver-initiated. But in
both cases, it is the tunnel entry-point that first creates the
mapping between a tunnel session and an end-to-end session.
5.1. Sender-initiated Reservation
Figure 6 illustrates the signaling sequence when end-to-end signaling
outside the tunnel is sender-initiated. Upon receiving a RESERVE
message from the sender, Tentry checks the tunnel QoS configuration,
determines whether and how this end-to-end session can be mapped to a
preconfigured tunnel session. The mapping criteria are part of the
preconfiguration and outside the scope of this document. Tentry then
tunnels the RESERVE message to Texit. Texit forwards the RESERVE
message to the receiver. The receiver replies with a RESPONSE
message that arrives at Texit, Tentry, and finally the sender. If
the RESPONSE message that Tentry receives confirms that the overall
signaling is successful, Tentry starts to encapsulate all incoming
packets of the data flow using the tunnel Flow ID corresponding to
the mapped tunnel session. Texit knows how to decapsulate the tunnel
packets because it recognizes the mapped tunnel Flow ID based on
information supplied during tunnel session preconfiguration.
Shen, et al. Experimental [Page 14]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Sender Tentry Tmid Texit Receiver
| | | | |
| RESERVE | | | |
+------------->| | | |
| | RESERVE | |
| +---------------------------->| |
| | | | RESERVE |
| | | +------------->|
| | | | RESPONSE |
| | | |<-------------+
| | RESPONSE | |
| |<----------------------------+ |
| RESPONSE | | | |
|<-------------+ | | |
| | | | |
| | | | |
Figure 6: Sender-Initiated End-to-End Session with Preconfigured
Tunnel QoS Sessions
5.2. Receiver-Initiated Reservation
Figure 7 shows the signaling sequence when end-to-end signaling
outside the tunnel is receiver-initiated. Upon receiving the first
end-to-end Query message, Tentry examines the tunnel QoS
configuration, then updates and tunnels the Query message to Texit.
Texit decapsulates the QUERY message, processes it, and forwards it
toward the receiver. The receiver sends back a RESERVE message
passing through Texit and arriving at Tentry. Tentry decides on
whether and how the QoS request for this end-to-end session can be
mapped to a preconfigured tunnel session based on criteria outside
the scope of this document. Then, Tentry forwards the RESERVE
message towards the sender. The signaling continues until a RESPONSE
message arrives at Tentry, Texit, and finally the receiver. If the
RESPONSE message that Tentry receives confirms that the overall
signaling is successful, Tentry starts to encapsulate all incoming
packets of the data flow using the tunnel Flow ID corresponding to
the mapped tunnel session. Similarly, Texit knows how to decapsulate
the tunnel packets because it recognizes the mapped tunnel Flow ID
based on information supplied during tunnel session preconfiguration.
Since separate tunnel QoS signaling is not involved in preconfigured
QoS tunnels, Figures 6 and 7 make the tunnel look like a single
virtual link. The signaling path simply skips all tunnel
intermediate nodes. However, both Tentry and Texit need to deploy
the NSIS-tunnel-related functionalities described above, including
acting on the end-to-end NSIS signaling messages based on tunnel QoS
Shen, et al. Experimental [Page 15]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
status, mapping end-to-end and tunnel QoS sessions, and correctly
encapsulating and decapsulating tunnel packets according to the
tunnel protocol and the configured tunnel Flow ID.
Sender Tentry Tmid Texit Receiver
| | | | |
| QUERY | | | |
+------------->| | | |
| | QUERY | |
| +---------------------------->| |
| | | | QUERY |
| | | +------------->|
| | | | RESERVE |
| | | |<-------------+
| | RESERVE | |
| |<----------------------------+ |
| RESERVE | | | |
|<-------------+ | | |
| RESPONSE | | | |
+------------->| | | |
| | RESPONSE | |
| +---------------------------->| |
| | | | RESPONSE |
| | | +------------->|
| | | | |
| | | | |
Figure 7: Receiver-Initiated End-to-End Session with Preconfigured
Tunnel QoS Sessions
6. NSIS Operation over Tunnels with Dynamically Created QoS Sessions
When there are no preconfigured tunnel QoS sessions, a tunnel can
apply the same NSIS QoS signaling mechanism used for the end-to-end
path to manage the QoS inside the tunnel. The tunnel NSIS signaling
involves only those NSIS nodes in the tunnel forwarding path. The
Flow IDs for the tunnel signaling are based on tunnel header fields.
NSIS peer discovery messages inside the tunnel distinguish themselves
using the tunnel header fields, which solves the problem for tunnel
intermediate NSIS nodes to intercept signaling messages.
When tunnel endpoints dynamically create tunnel QoS sessions, the
initiation mode of the tunnel session always follows the initiation
mode of the end-to-end session. Specifically, when the end-to-end
session is sender-initiated, the tunnel session should also be
sender-initiated; when the end-to-end session is receiver-initiated,
the tunnel session should also be receiver-initiated.
Shen, et al. Experimental [Page 16]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
The tunnel entry-point conveys the corresponding tunnel Flow ID
associated with an end-to-end session to the tunnel exit-point during
the tunnel signaling process. The tunnel entry-point also informs
the exit-point of the binding between the corresponding tunnel
session and end-to-end session through the BOUND_SESSION_ID QoS NSLP
message object. The reservation message dependencies between the
tunnel session and end-to-end session are resolved using the MSG-ID
and BOUND-MSG-ID objects of the QoS NSLP message binding mechanism.
6.1. Sender-Initiated Reservation
Figure 8 shows the typical messaging sequence of how NSIS operates
over IP tunnels when both the end-to-end session and tunnel session
are sender-initiated. Tunnel signaling messages are distinguished
from end-to-end messages by a prime symbol after the message name.
The sender first sends an end-to-end RESERVE message (1) that arrives
at Tentry. Tentry chooses the tunnel Flow ID, creates the tunnel
session, and associates the end-to-end session with the tunnel
session. Tentry then sends a tunnel RESERVE' message (2) matching
the request of the end-to-end session towards Texit to reserve tunnel
resources. This RESERVE' message (2) includes a MSG-ID object that
contains a randomly generated 128-bit MSG-ID. Meanwhile, Tentry
inserts a BOUND-MSG-ID object containing the same MSG-ID as well as a
BOUND-SESSION-ID object containing the SESSION-ID of the tunnel
session into the original RESERVE message, and sends this RESERVE
message (3) towards Texit using normal tunnel encapsulation. The
Message_Binding_Type flags of both the MSG-ID and BOUND-MSG-ID
objects in the RESERVE' and RESERVE messages (2, 3) are SET,
indicating a bidirectional binding. The tunnel RESERVE' message (2)
is processed hop-by-hop inside the tunnel for the flow identified by
the chosen tunnel Flow ID, while the end-to-end RESERVE message (3)
passes through the tunnel intermediate nodes (Tmid) just like other
tunneled packets. These two messages could arrive at Texit in
different orders, and the reaction of Texit in these different
situations should combine the tunnel QoS message processing rules
with the QoS NSLP processing principles for message binding
[RFC5974], as illustrated below.
The first possibility is shown in the example messaging flow of
Figure 8, where the tunnel RESERVE' message (2), also known as the
triggering message in QoS NSLP message binding terms, arrives first.
Since the message binding is bidirectional, Texit records the MSG-ID
of the RESERVE' message (2), enqueues it and starts a MsgIDWait timer
waiting for the end-to-end RESERVE message (3), also known as the
bound signaling message in QoS NSLP message binding terms. The timer
Shen, et al. Experimental [Page 17]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Sender Tentry Tmid Texit Receiver
| | | | |
| RESERVE(1) | | | |
+------------->| | | |
| | RESERVE'(2) | | |
| +=============>| | |
| | | RESERVE'(2) | |
| | +=============>| |
| | RESERVE(3) | |
| +---------------------------->| |
| | | RESPONSE'(4) | |
| | |<=============+ |
| | RESPONSE'(4) | | |
| |<=============+ | |
| | | | RESERVE(5) |
| | | +------------->|
| | | | RESPONSE(6) |
| | | |<-------------+
| | RESPONSE(6) | |
| |<----------------------------+ |
| RESPONSE(6) | | | |
|<-------------+ | | |
| | | | |
| | | | |
(1,5): RESERVE w/o BOUND-MSG-ID and BOUND-SESSION-ID
(2): RESERVE' w/ MSG-ID
(3): RESERVE w/ BOUND-MSG-ID and BOUND-SESSION-ID
Figure 8: Sender-Initiated Reservation for Both End-to-End and Tunnel
Signaling
value is set to the default retransmission timeout period
QOSNSLP_REQUEST_RETRY. When the end-to-end RESERVE message (3)
arrives, Texit notices that there is an existing stored MSG-ID which
matches the MSG-ID in the BOUND-MSG-ID object of the incoming RESERVE
message (3). Therefore, the message binding condition has been
satisfied. Texit resumes processing of the tunnel RESERVE' message
(2), creates the reservation state for the tunnel session, and sends
a tunnel RESPONSE' message (4) to Tentry. At the same time, Texit
checks the BOUND-SESSION-ID object of the end-to-end RESERVE message
(3) and records the binding of the corresponding tunnel session with
the end-to-end session. Texit also updates the end-to-end RESERVE
message based on the result of the tunnel session reservation,
removes its tunnel BOUND-SESSION-ID and BOUND-MSG-ID object and
forwards the end-to-end RESERVE message (5) along the path towards
Shen, et al. Experimental [Page 18]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
the receiver. When the receiver receives the end-to-end RESERVE
message (5), it sends an end-to-end RESPONSE message (6) back to the
sender.
The second possibility is that the end-to-end RESERVE message arrives
before the tunnel RESERVE' message at Texit. In that case, Texit
notices a BOUND-SESSION-ID object and a BOUND-MSG-ID object in the
end-to-end RESERVE message, but realizes that the tunnel session does
not exist yet. So, Texit enqueues the RESERVE message and starts a
MsgIDWait timer. The timer value is set to the default
retransmission timeout period QOSNSLP_REQUEST_RETRY. When the
corresponding tunnel RESERVE' message arrives with a MSG-ID matching
that of the outstanding BOUND-MSG-ID object, the message binding
condition is satisfied. Texit sends a tunnel RESPONSE' message back
to Tentry and updates the end-to-end RESERVE message by incorporating
the result of the tunnel session reservation, as well as removing the
tunnel BOUND-SESSION-ID and BOUND-MSG-ID objects. Texit then
forwards the end-to-end RESERVE message along the path towards the
receiver. When the receiver receives the end-to-end RESERVE message,
it sends an end-to-end RESPONSE message back to the sender.
Yet another possibility is that the tunnel RESERVE' message arrives
at Texit first, but the end-to-end RESERVE message never arrives. In
that case, the MsgIDWait timer for the queued tunnel RESERVE' message
will expire. Texit should then send a tunnel RESPONSE' message back
to Tentry indicating a reservation error has occurred, and discard
the tunnel RESERVE' message. The last possibility is that the end-
to-end RESERVE message arrives at Texit first, but the tunnel
RESERVE' message never arrives. In that case, the MsgIDWait timer
for the queued end-to-end RESERVE message will expire. Texit should
then treat this situation as a local reservation failure, and
according to [RFC5974], Texit as a stateful QoS NSLP should generate
an end-to-end RESPONSE message indicating RESERVE error to the
sender.
Once the end-to-end and the tunnel QoS session have both been
successfully created and associated, the tunnel endpoints Tentry and
Texit coordinate the signaling between the two sessions and make sure
that adjustment or teardown of either session may trigger similar
actions for the other session as necessary, by invoking appropriate
signaling messages.
6.2. Receiver-Initiated Reservation
Figure 9 shows the typical messaging sequence of how NSIS signaling
operates over IP tunnels when both end-to-end and tunnel sessions are
receiver-initiated. Upon receiving an end-to-end QUERY message (1)
from the sender, Tentry chooses the tunnel Flow ID and sends a tunnel
Shen, et al. Experimental [Page 19]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Sender Tentry Tmid Texit Receiver
| | | | |
| QUERY(1) | | | |
+------------->| | | |
| | QUERY'(2) | | |
| +=============>| | |
| | | QUERY'(2) | |
| | +=============>| |
| | | RESPONSE'(3) | |
| | |<=============+ |
| | RESPONSE'(3) | | |
| |<=============+ | |
| | QUERY(4) | |
| +---------------------------->| |
| | | | QUERY(5) |
| | | +------------->|
| | | | RESERVE(6) |
| | | |<-------------+
| | | RESERVE'(7) | |
| | |<=============+ |
| | RESERVE'(7) | | |
| |<=============+ | |
| | RESERVE(8) | |
| |<----------------------------+ |
| | RESPONSE'(9) | | |
| +=============>| | |
| | | RESPONSE'(9) | |
| | +=============>| |
| RESERVE(10) | | | |
|<-------------+ | | |
| RESPONSE(11) | | | |
+------------->| | | |
| | RESPONSE(11) | |
| +---------------------------->| |
| | | | RESPONSE(11) |
| | | +------------->|
| | | | |
| | | | |
(1), (5): QUERY w/ RESERVE-INIT
(2): QUERY' w/ RII
(4): QUERY w/ RESERVE-INIT and BOUND-SESSION-ID
(6), (10): RESERVE w/o BOUND-SESSION-ID
(7): RESERVE' w/ MSG-ID
(8): RESERVE w/ BOUND-MSG-ID and BOUND-SESSION-ID
Figure 9: Receiver-Initiated Reservation for Both End-to-end and
Tunnel Signaling
Shen, et al. Experimental [Page 20]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
QUERY' message (2) matching the request of the end-to-end session
towards Texit. This tunnel QUERY' message (2) is meant to discover
QoS characteristics of the tunnel path, rather than initiate an
actual reservation. Therefore, it includes a Request Identification
Information (RII) object but does not set the RESERVE-INIT flag. The
tunnel QUERY' message (2) is processed hop-by-hop inside the tunnel
for the flow identified by the tunnel Flow ID. When Texit receives
this tunnel QUERY' message (2), it replies with a corresponding
tunnel RESPONSE' message (3) containing the tunnel path
characteristics. After receiving the tunnel RESPONSE' message (3),
Tentry creates the tunnel session, generates an outgoing end-to-end
QUERY message (4) considering the tunnel path characteristics,
appends a tunnel BOUND-SESSION-ID object containing the tunnel
SESSION-ID, and sends it toward Texit using normal tunnel
encapsulation. The end-to-end QUERY message (4) passes along tunnel
intermediate nodes like other tunneled packets. Upon receiving this
end-to-end QUERY message (4), Texit notices the tunnel session
binding, creates the tunnel session state, removes the tunnel BOUND-
SESSION-ID object, and forwards the end-to-end QUERY message (5)
further along the path.
The end-to-end QUERY message (5) arrives at the receiver and triggers
a RESERVE message (6). When Texit receives the RESERVE message (6),
it notices that the session is bound to a receiver-initiated tunnel
session. Therefore, Texit triggers a RESERVE' message (7) toward
Tentry for the tunnel session reservation. This tunnel RESERVE'
message (7) includes a randomly generated 128-bit MSG-ID. Meanwhile,
Texit inserts a BOUND-MSG-ID object containing the same MSG-ID and a
BOUND-SESSION-ID object containing the tunnel SESSION-ID into the
end-to-end RESERVE message (8), and sends it towards Tentry using
normal tunnel encapsulation. The Message_Binding_Type flags of the
MSG-ID and BOUND-MSG-ID objects in the RESERVE' and RESERVE messages
(7,8) are SET, indicating a bidirectional binding.
At Tentry, the tunnel RESERVE' message (7) and the end-to-end RESERVE
message (8) could arrive in either order. In a typical case shown in
Figure 9, the tunnel RESERVE' message (7) arrives first. Tentry then
records the MSG-ID of the tunnel RESERVE' message (7) and starts a
MsgIDWait timer. When the end-to-end RESERVE message (8) with the
BOUND-MSG-ID object containing the same MSG-ID arrives, the message
binding condition is satisfied. Tentry resumes processing of the
tunnel RESERVE' message (7), creates the reservation state for the
tunnel session, and sends a tunnel RESPONSE' message (9) to Texit.
At the same time, Tentry creates the outgoing end-to-end RESERVE
message (10) by incorporating results of the tunnel session
reservation and removing the BOUND-SESSION-ID and BOUND-MSG-ID
Shen, et al. Experimental [Page 21]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
objects, and forwards it along the path towards the sender. When the
sender receives the end-to-end RESERVE message (10), it sends an end-
to-end RESPONSE message (11) back to the receiver.
If the end-to-end RESERVE message arrives before the tunnel RESERVE'
message at Tentry, or either of the two messages fails to arrive at
Tentry, the processing rules at Tentry are similar to those of Texit
in the situation discussed in Section 6.1.
Once the end-to-end and the tunnel QoS session have both been
successfully created and associated, the tunnel endpoints Tentry and
Texit coordinate the signaling between the two sessions and make sure
that adjustment or teardown of either session can trigger similar
actions for the other session as necessary, by invoking appropriate
signaling messages.
7. NSIS-Tunnel Signaling Capability Discovery
The mechanism of NSIS operating over IP tunnels requires the
coordination of both tunnel endpoints in tasks such as special
encapsulation and decapsulation of data flow packets according to the
chosen tunnel Flow ID, as well as the possible creation and
adjustment of the end-to-end and tunnel QoS sessions. Therefore, one
NSIS-tunnel-aware endpoint needs to know that the other tunnel
endpoint is also NSIS-tunnel-aware before initiating this mechanism
of NSIS operating over IP tunnels. In some cases, especially for IP
tunnels with preconfigured QoS sessions, an NSIS-tunnel-aware
endpoint can learn about whether the other tunnel endpoint is also
NSIS-tunnel-aware through preconfiguration. In other cases where
such preconfiguration is not available, the initiating NSIS-tunnel-
aware endpoint may dynamically discover the other tunnel endpoint's
capability through a QoS NSLP NODE_CAPABILITY_TUNNEL object defined
in this section.
The NODE_CAPABILITY_TUNNEL object is a zero-length object with a
standard NSLP object header as shown in Figure 10.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|A|B|r|r| Type |r|r|r|r| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10: NODE_CAPABILITY_TUNNEL Object Format
Type: NODE_CAPABILITY_TUNNEL (0x015) from the shared NSLP object type
space
Shen, et al. Experimental [Page 22]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Length: 0
The bits marked 'A' and 'B' define the desired behavior for objects
whose Type field is not recognized. If a node does not recognize the
NODE_CAPABILITY_TUNNEL object, the desired behavior is "Forward".
That is, the object must be retained unchanged and forwarded as a
result of message processing. This is satisfied by setting 'AB' to
'10'.
The 'r' bit stands for 'reserved'.
The NODE_CAPABILITY_TUNNEL object is included in a tunnel QUERY' or
RESERVE' message by a tunnel endpoint that needs to learn about the
other endpoint's capability for NSIS tunnel handling. If the
receiving tunnel endpoint is indeed NSIS-tunnel-aware, it recognizes
this object and knows that the sending endpoint is NSIS-tunnel-aware.
The receiving tunnel endpoint places the same object in a tunnel
RESPONSE' message to inform the sending endpoint that it is also
NSIS-tunnel-aware. The use of the NODE_CAPABILITY_TUNNEL object in
the cases of sender-initiated reservation and receiver-initiated
reservation are as follows.
First, assume that the end-to-end session is sender-initiated as in
Figure 8, and the NSIS-tunnel-aware Tentry wants to discover the NSIS
tunnel capability of Texit. After receiving the first end-to-end
RESERVE message (1), Tentry inserts an RII object and a
NODE_CAPABILITY_TUNNEL object into the tunnel RESERVE' message (2)
and sends it to Texit. If Texit is NSIS-tunnel-aware, it learns from
the NODE_CAPABILITY_TUNNEL object that Tentry is also NSIS-tunnel-
aware and includes the same object into the tunnel RESPONSE' message
(4) sent back to Tentry.
Second, assume that the end-to-end session is receiver-initiated as
in Figure 9, and the NSIS-tunnel-aware Tentry wants to discover the
NSIS tunnel capability of Texit. Upon receiving the first end-to-end
QUERY message (1), Tentry inserts an RII object and a
NODE_CAPABILITY_TUNNEL object in the tunnel QUERY' message (2) and
sends it toward Texit. If Texit is NSIS-tunnel-aware, it learns from
the NODE_CAPABILITY_TUNNEL object that Tentry is also NSIS-tunnel-
aware and includes the same object tunnel RESPONSE' message (3) sent
to Tentry.
8. IANA Considerations
This document defines a new object type called NODE_CAPABILITY_TUNNEL
for QoS NSLP. Its Type value (0x015) has been assigned by IANA. The
object format and the setting of the extensibility bits are defined
in Section 7.
Shen, et al. Experimental [Page 23]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
9. Security Considerations
This NSIS and IP tunnel interoperation mechanism has two IPsec-
related security implications. First, NSIS messages may require per-
hop processing within the IPsec tunnel, and that is potentially
incompatible with IPsec. A similar problem exists for RSVP
interacting with IPsec, when the Router Alert option is used
(Appendix A.1 of RFC 4302 [RFC4302]). If this mechanism is indeed
used for NSIS and IPsec tunnels, a so-called covert channel could
exist where someone can create spurious NSIS signaling flows within
the protected network in order to create signaling in the outside
network, which then someone else is monitoring. For highly secure
networks, this would be seen as a way to smuggle information out of
the network, and therefore this channel will need to be rate-limited.
A similar covert channel rate-limit problem exists for using
Differentiated Services (DS) or Explicit Congestion Notification
(ECN) fields with IPsec (Section 5.1.2 of RFC 4301 [RFC4301]).
Second, since the NSIS-tunnel-aware endpoint is responsible for
adapting changes between the NSIS signaling both inside and outside
the tunnel, there could be additional risks for an IPsec endpoint
that is also an NSIS-tunnel-aware endpoint. For example, security
vulnerability (e.g., buffer overflow) on the NSIS stack of that IPsec
tunnel endpoint may be exposed to the unprotected outside network.
Nevertheless, it should also be noted that if any node along the
signaling path is compromised, the whole end-to-end QoS signaling
could be affected, whether or not the end-to-end path includes an
IPsec tunnel.
Several other documents discuss security issues for NSIS. General
threats for NSIS can be found in [RFC4081]. Security considerations
for NSIS NTLP and QoS NSLP are discussed in [RFC5971] and [RFC5974],
respectively.
10. Acknowledgments
The authors would like to thank Roland Bless, Francis Dupont, Lars
Eggert, Adrian Farrel, Russ Housley, Georgios Karagiannis, Jukka
Manner, Martin Rohricht, Peter Saint-Andre, Martin Stiemerling,
Hannes Tschofenig, and other members of the NSIS working group for
comments. Thanks to Yaron Sheffer for pointing out the IPsec-related
security considerations.
Shen, et al. Experimental [Page 24]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
11. References
11.1. Normative References
[RFC2113] Katz, D., "IP Router Alert Option", RFC 2113,
February 1997.
[RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in
IPv6 Specification", RFC 2473, December 1998.
[RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option",
RFC 2711, October 1999.
[RFC2746] Terzis, A., Krawczyk, J., Wroclawski, J., and L. Zhang,
"RSVP Operation Over IP Tunnels", RFC 2746, January 2000.
[RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering,
"IPv6 Flow Label Specification", RFC 3697, March 2004.
[RFC4080] Hancock, R., Karagiannis, G., Loughney, J., and S. Van den
Bosch, "Next Steps in Signaling (NSIS): Framework",
RFC 4080, June 2005.
[RFC4081] Tschofenig, H. and D. Kroeselberg, "Security Threats for
Next Steps in Signaling (NSIS)", RFC 4081, June 2005.
[RFC5971] Schulzrinne, H. and R. Hancock, "GIST: General Internet
Signalling Transport", RFC 5971, October 2010.
[RFC5974] Manner, J., Karagiannis, G., and A. McDonald, "NSIS
Signaling Layer Protocol (NSLP) for Quality-of-Service
Signaling", RFC 5974, October 2010.
11.2. Informative References
[RFC1701] Hanks, S., Li, T., Farinacci, D., and P. Traina, "Generic
Routing Encapsulation (GRE)", RFC 1701, October 1994.
[RFC1702] Hanks, S., Li, T., Farinacci, D., and P. Traina, "Generic
Routing Encapsulation over IPv4 networks", RFC 1702,
October 1994.
[RFC1853] Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995.
[RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003,
October 1996.
Shen, et al. Experimental [Page 25]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
[RFC2004] Perkins, C., "Minimal Encapsulation within IP", RFC 2004,
October 1996.
[RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification", RFC 2205, September 1997.
[RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
March 2000.
[RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
for IPv6 Hosts and Routers", RFC 4213, October 2005.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
December 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, December 2005.
[RFC5944] Perkins, C., Ed., "IP Mobility Support for IPv4, Revised",
RFC 5944, November 2010.
Shen, et al. Experimental [Page 26]
^L
RFC 5979 NSIS Operation over IP Tunnels March 2011
Authors' Addresses
Charles Shen
Columbia University
Department of Computer Science
1214 Amsterdam Avenue, MC 0401
New York, NY 10027
USA
Phone: +1 212 854 3109
EMail: charles@cs.columbia.edu
Henning Schulzrinne
Columbia University
Department of Computer Science
1214 Amsterdam Avenue, MC 0401
New York, NY 10027
USA
Phone: +1 212 939 7004
EMail: hgs@cs.columbia.edu
Sung-Hyuck Lee
Convergence Technologies & Standardization Lab
Samsung Information System America, INC.
95 West Plumeria Drive
San Jose, CA 95134
USA
Phone: 1-408-544-5809
EMail: sung1.lee@samsung.com
Jong Ho Bang
SAMSUNG Advanced Institute of Technology
San 14-1, Nongseo-ri, Giheung-eup
Yongin-si, Gyeonggi-do 449-712
South Korea
Phone: +82 31 280 9585
EMail: jh0278.bang@samsung.com
Shen, et al. Experimental [Page 27]
^L
|
