Transcript

  • 1. LISP - A Next Generation Networking Architecture
  • 2. Session Objectives
    At the end of this session, you should be able to:
      – Understand the scalability issues facing the Internet today
      – Describe how LISP helps solve key scaling issues, and enable interesting new functionalities
      – Describe the LISP data plane and control plane mechanisms
      – Understand the basic LISP configuration requirements
      – Understand Cisco's contributions and plans for LISP
    BRKCRS-3045 © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 2
  • 3. Agenda
      – LISP Overview
      – LISP Operations
      – LISP Example
      – LISP Use Cases
      – LISP Initiatives
      – LISP Summary
      – Additional Material
  • 4. LISP Overview Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
  • 5. LISP Overview – Why was LISP developed?
     LISP was originally conceived to address Internet scaling
    What causes scaling issues?
      – IP addresses denote both location and identity today
      – The overloaded IP address semantic makes efficient routing impossible
      – IPv6 does not fix this
    Why are scaling issues bad?
      – Routers require tons of expensive memory to hold the Internet Routing Table in the forwarding plane of a router
      – It's expensive for network builders/operators
      – Replacing equipment for the wrong reason (to hold the routing table rather than implementing new features…)
      – It's not environmentally GREEN
    "… routing scalability is the most important problem facing the Internet today and must be solved …" – Internet Architecture Board (IAB) October 2006 Workshop (written as RFC 4984)
  • 6. LISP Overview – What Pollutes the Internet Today? (Before Loc/ID Split)
    [Diagram: an Internet core of providers (A, B, C, D, G, H, W, X, Y, Z) carrying the aggregates 10/8, 11/8, 12/8, 13/8 and 15/8; site R1 is multi-homed with provider-assigned (PA) space 10.1.1.0/24 and site R2 with provider-independent (PI) space 15.0.0.0/8, and both site prefixes show up in the core through more than one provider]
      • Addresses at sites, both PA and PI, can get de-aggregated by multi-homing
  • 7. LISP Overview – What Pollutes the Internet Today? (Before Loc/ID Split)
    [Same diagram as slide 6, now also showing the CE-PE link subnets 12.4.4.1/30, 10.9.1.45/30, 11.2.1.17/30 and 13.3.3.5/30]
      • Addresses at sites, both PA and PI, can get de-aggregated by multi-homing
      • Aggregates for infrastructure addresses (e.g. CE-PE links) get advertised as well
  • 8. LISP Overview – Why does LISP solve this problem?
     Locator/Identity Split creates a "Level of Indirection" by using two namespaces – hosts and locators
     This level of indirection allows you to remove host prefixes from the underlying core (Internet) routing system and move them into another system (database):
      – Think "DNS" here: DNS is a Name-to-IP Address lookup… LISP involves a host-to-locator lookup…
     Isn't this just a case of "moving the problem"?
      – Fast memory used in the "forwarding plane" of routers is very expensive (and consumes a lot of power)
      – Server memory is very cheap
      – Moves the problem from the "forwarding plane" to the "off-line control plane", where significantly greater scale at much lower cost can be achieved
  • 9. LISP Overview – Why does Locator/ID Separation solve this problem? (Before Loc/ID Split)
    [Same multi-homing diagram as slides 6–7, shown next to the BGP table of a core router:]
      Some-Core-Rtr# show ip route bgp
      ---<skip>---
           10.0.0.0/8 is variably subnetted, 98 subnets, 6 masks
      B       10.0.0.0/8 [20/0] via 128.223.3.9, 3d19h
      B       10.1.1.0/24 [20/0] via 128.223.3.9, 3d19h
      B    11.0.0.0/8 [20/0] via 128.223.3.9, 1d17h
      ---<skip>---
           12.0.0.0/8 is variably subnetted, 29 subnets, 6 masks
      B       12.1.0.0/16 [20/0] via 128.223.3.9, 3d19h
      B       12.4.4.0/22 [20/0] via 128.223.3.9, 3d19h
      ---<skip>---
           13.0.0.0/8 is variably subnetted, 13 subnets, 4 masks
      B       13.0.0.0/8 [20/0] via 128.223.3.9, 14:00:10
      B       13.0.0.0/10 [20/0] via 128.223.3.9, 5d23h
      ---<skip>---
      B    15.0.0.0/8 [20/0] via 128.223.3.9, 1d17h
      ---<skip>---
      many many more......
      Some-Core-Rtr#
      • Addresses at sites, both PA and PI, can get de-aggregated by multi-homing
      • Aggregates for infrastructure addresses (e.g. CE-PE links) get advertised as well
  • 10. LISP Overview – Why does Locator/ID Separation solve this problem? (After Loc/ID Split)
    [Same diagram and router output as slide 9, except that the two site prefixes are pulled out of the core BGP table and live in a new "EID" namespace:]
      New "EID" Namespace:
      B    10.1.1.0/24 [20/0] via 128.223.3.9, 3d19h
      B    15.0.0.0/8 [20/0] via 128.223.3.9, 1d17h
      [the remaining core table entries are as on slide 9]
      • Addresses at sites, both PA and PI, can get de-aggregated by multi-homing
      • Aggregates for infrastructure addresses (e.g. CE-PE links) get advertised as well
  • 11. LISP Overview – Protocol Ground Rules and Attributes
     Various Loc/ID split schemes have been studied for >15 years but no one implemented or tested any of them…
     Cisco decided to put some effort into this and undertook the process of writing code and developing standards to test concepts.
     The result is: LISP – the "Locator/ID Separation Protocol"
     LISP "Ground Rules"
      – Network-based solution
      – No host changes
      – No new addressing to site devices; minimal configuration changes
      – Incrementally deployable; interoperable with the existing Internet
     LISP "Attributes"
      – Designed for router encapsulation
      – Designed for Locator Reachability
      – Support Unicast and Multicast Data
      – Support for IPv4 and IPv6 EIDs (hosts) and RLOCs (locators)
  • 12. LISP Overview – LISP Header Format (draft-ietf-lisp-07)
    [Diagram of the encapsulated packet, top to bottom:]
      – Outer Header: Router supplies RLOCs
      – UDP
      – LISP header
      – Inner Header: Host supplies EIDs
  • 13. LISP Overview – LISP Data Plane Concepts
     Network-based "Map and Encap" approach
      – Requires the fewest changes to existing systems – only the CPE
      – No changes in hosts, DNS, or Core infrastructure
      – New Mapping Service required for EID-to-RLOC mapping resolution
    [Diagram: OSI stacks of the source host, ITR, Internet core, ETR and destination host. Layers 4–7 are peer-to-peer between the two hosts; the ITR adds a "Network (LISP)" layer plus "LISP UDP" on top of the host's Network layer ("LISP En-cap") and the ETR removes them ("LISP De-cap"), so the core only sees the outer headers]
  • 14. LISP Overview – MTU Issues?
     Like all other encapsulation or tunneling protocols, LISP adds to the packet length, resulting in potential fragmentation issues
     Three methods are accounted for in the specification
      1. "Don't Care" – Avoid fragmentation, don't do PMTUD, and assume Core MTU is always greater than access MTU
      2. Stateless – ITR fragments, then encapsulates; destination host reassembles
      3. Stateful – Avoid fragmentation; run PMTUD between ITR and ETR
     Experience shows which mechanisms are necessary
      – Years of experience with IPSec and GRE can inform decisions and approaches for LISP deployment
  • 15. LISP Overview – LISP and MTU…
     See additional details about MTU in the "Additional Material" section at the end of this presentation
  • 16. LISP Overview – Now that we have LISP, what else can we do?
     The Level of Indirection allows us to:
      – Keep the EID fixed while changing the RLOC
      – Create a separate namespace with different allocation properties
     By keeping EIDs fixed…
      – You don't have to renumber
      – You can keep TCP connections established across moves
     By allowing RLOCs to change…
      – Now sites can change service providers
      – Now hosts can move: roaming hand-sets, relocating Virtual Machines, relocating Infrastructure into a Cloud
     More on this later in the "Use Cases" section…
  • 17. LISP Operations
  • 18. LISP Operations – LISP Components: Ingress/Egress Tunnel Router (xTR)
    [Diagram: source site (hosts S, S1, S2) behind ITRs attached to Provider A 10.0.0.0/8 and Provider B 11.0.0.0/8; destination site (hosts D, D1, D2) behind ETRs attached to Provider X 12.0.0.0/8 and Provider Y 13.0.0.0/8; ALT routers, a Map-Resolver (MR), a Map-Server (MS), a PITR and a PETR sit in the core]
    ITR – Ingress Tunnel Router
      • Receives packets from site-facing interfaces
      • Encaps to remote LISP site or natively forwards to non-LISP site
    ETR – Egress Tunnel Router
      • Receives packets from core-facing interfaces
      • De-caps and delivers to local EIDs at the site
  • 19. LISP Operations – Data Plane: Overview
     On-Demand, Cache-based
      – The FIB only contains active map-cache entries
     Dynamic Encapsulation
      – No hard tunnel state like GRE
     Over-the-Top (CE-based)
      – The "core network" (i.e. Internet) doesn't see LISP at Layer 3
  • 20. LISP Operations – Data Plane Example: Unicast Packet Forwarding
    [Diagram: source site with PI EID-prefix 2.0.0.0/24 behind ITRs on Provider A 10.0.0.0/8 and Provider B 11.0.0.0/8; destination site with PI EID-prefix 3.0.0.0/24 behind ETRs on Provider X 12.0.0.0/8 and Provider Y 13.0.0.0/8. DNS entry: D.abc.com A 3.0.0.3]
      – Host S sends 2.0.0.2 -> 3.0.0.3 to its ITR
      – The ITR encapsulates: outer header 11.0.0.1 -> 12.0.0.2, inner header 2.0.0.2 -> 3.0.0.3, and forwards across the core
      – The ETR decapsulates and delivers 2.0.0.2 -> 3.0.0.3 to host D
    Mapping Entry for EID-prefix 3.0.0.0/24, Locator-set:
      – 12.0.0.2, priority: 1, weight: 50 (D1)
      – 13.0.0.2, priority: 1, weight: 50 (D2)
    This policy is controlled by the destination site
    Legend: EIDs -> Green, Locators -> Red, Physical link
  • 21. LISP Operations – Control Plane: Overview
     Distributed "Mapping Database" and "Map Cache"
     Map-Servers and Map-Resolvers
      – Provide the service interface for LISP sites into the mapping database
     LISP+ALT
      – Designed for a modular, scalable mapping service
  • 22. LISP Operations – LISP Components: Map-Server/Map-Resolver (MS/MR)
    [Same component diagram as slide 18]
    MR – Map-Resolver
      • Receives Map-Request encapsulated from ITR
      • De-caps Map-Request, forwards thru service interface onto the ALT topology
      • Sends Negative Map-Replies in response to Map-Requests for non-LISP sites
    MS – Map-Server
      • LISP ETRs Register here; requires configured "lisp site" policy, key
      • Injects routes for registered LISP sites into ALT thru ALT service interface
      • Receives Map-Requests via ALT; en-caps Map-Requests to registered ETRs
  • 23. LISP Operations – LISP Components: LISP-ALT Topology (ALT)
    [Same component diagram as slide 18]
    ALT – Alternative Topology
      • Advertises EID-prefixes in Alternate BGP topology over GRE
      • Service interface for Map-Requests and Map-Replies
      • Devices with ALT service interface include: MS, MR, xTR, PxTR
      • ALT-only router aggregates ALT peering connections and can be off-the-shelf gear, a router, commodity Linux host, etc.
  • 24. LISP Operations – Control Plane: Mapping Database & Map Cache
    [Same component diagram as slide 18]
    LISP Mapping-Database
      • EID-to-RLOC mappings in all ETRs for each LISP site
      • ETR is "authoritative" for its EIDs, sends Map-Replies to ITRs
      • ETRs can tailor policy based on Map-Request source
      • Decentralization increases attack resiliency
    LISP Map Cache
      • "Lives" on ITRs
      • Map-Cache populated by Map-Replies from ETRs
      • Stored in ITRs – only for sites to which they are currently sending packets
      • ITRs must respect policy of Map-Reply mapping data including TTLs, RLOC up/down status, RLOC priorities/weights
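The data-plane example on slide 20 and the map-cache rules on slide 24 fit in a few dozen lines of Python. The following is an added example written for this transcript, not code from the Cisco deck or from any LISP implementation: an ITR map-cache with longest-prefix lookup and TTL expiry, RLOC selection that honours up/down status, priority and weight, and the map-and-encap/decap step (outer IPv4 + UDP/4341 + 8-byte LISP header) with the MTU check behind the "don't care" method of slide 14. The header layout (N/L flag bits, 24-bit nonce, 32-bit Locator-Status-Bits) and data port 4341 follow the LISP data header as later published in RFC 6830; the flow-hash RLOC pick, the source-port derivation and the sample packet (2.0.0.2 -> 3.0.0.3 with the slide's locator-set) are constructed assumptions for illustration.

```python
import hashlib
import ipaddress
import struct
import time

LISP_DATA_PORT = 4341                    # UDP port for LISP-encapsulated data (RFC 6830)
LISP_HDR_LEN = 8                         # flags(1) + nonce(3) + locator-status-bits(4)
ENCAP_OVERHEAD = 20 + 8 + LISP_HDR_LEN   # outer IPv4 + UDP + LISP header = 36 bytes
FLAG_N = 0x80                            # nonce present
FLAG_L = 0x40                            # locator-status-bits present


class Rloc:
    """One locator in a mapping's locator-set (addr, priority, weight, up/down)."""
    def __init__(self, addr, priority, weight, up=True):
        self.addr, self.priority, self.weight, self.up = addr, priority, weight, up


class MapCacheEntry:
    def __init__(self, eid_prefix, rlocs, ttl_minutes, learned_at=None):
        self.prefix = ipaddress.ip_network(eid_prefix)
        self.rlocs = rlocs
        start = learned_at if learned_at is not None else time.time()
        self.expires = start + ttl_minutes * 60     # Map-Reply TTL must be honoured

    def expired(self, now=None):
        return (now if now is not None else time.time()) >= self.expires


class MapCache:
    """ITR map-cache: only prefixes the ITR is currently sending to, TTLs respected."""
    def __init__(self):
        self.entries = []

    def add(self, entry):
        self.entries.append(entry)

    def lookup(self, dst_eid, now=None):
        """Longest-prefix match over unexpired entries; None means 'send a Map-Request'."""
        addr = ipaddress.ip_address(dst_eid)
        best = None
        for e in self.entries:
            if e.expired(now) or addr not in e.prefix:
                continue
            if best is None or e.prefix.prefixlen > best.prefix.prefixlen:
                best = e
        return best


def select_rloc(entry, flow_key):
    """Lowest priority among usable RLOCs (255 = never use), then split by weight using a
    hash of the flow so one flow keeps using one path (assumed selection rule)."""
    usable = [r for r in entry.rlocs if r.up and r.priority != 255]
    if not usable:
        return None
    best = min(r.priority for r in usable)
    candidates = [r for r in usable if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[0]
    h = int.from_bytes(hashlib.sha1(flow_key).digest()[:4], "big") % total
    for r in candidates:
        if h < r.weight:
            return r
        h -= r.weight
    return candidates[-1]


def _ipv4_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_ipv4(src, dst, payload_len, proto=17):
    """Minimal IPv4 header (DF set, TTL 64); used for both the inner and the outer header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]


def build_lisp_header(nonce, lsb=0x1):
    """8-byte LISP data header: N and L set, 24-bit nonce, 32-bit locator-status-bits."""
    return struct.pack("!B3sI", FLAG_N | FLAG_L, nonce.to_bytes(3, "big"), lsb)


def fits_core_mtu(inner_len, core_mtu=1500):
    """'Don't care' method: assume the core MTU always covers inner length + 36 bytes."""
    return inner_len + ENCAP_OVERHEAD <= core_mtu


def encapsulate(inner, src_rloc, dst_rloc, nonce, core_mtu=1500):
    """ITR map-and-encap: outer IPv4 + UDP/4341 + LISP header around the host's packet."""
    if not fits_core_mtu(len(inner), core_mtu):
        raise ValueError("encapsulated packet exceeds core MTU: fragment or run PMTUD")
    lisp = build_lisp_header(nonce)
    # Source port derived from the inner packet so ECMP in the core spreads flows (assumption).
    sport = 49152 + int.from_bytes(hashlib.sha1(inner[:40]).digest()[:2], "big") % 16384
    udp = struct.pack("!HHHH", sport, LISP_DATA_PORT, 8 + len(lisp) + len(inner), 0)  # zero UDP checksum, allowed for IPv4
    return build_ipv4(src_rloc, dst_rloc, len(udp) + len(lisp) + len(inner)) + udp + lisp + inner


def decapsulate(packet):
    """ETR side: strip the outer headers, check the UDP port, return (inner, nonce, lsb, outer_src)."""
    ihl = (packet[0] & 0x0F) * 4
    outer_src = str(ipaddress.ip_address(packet[12:16]))
    _, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != LISP_DATA_PORT:
        raise ValueError("not a LISP data packet")
    flags, nonce_b, lsb = struct.unpack("!B3sI", packet[ihl + 8:ihl + 8 + LISP_HDR_LEN])
    nonce = int.from_bytes(nonce_b, "big") if flags & FLAG_N else None
    return packet[ihl + 8 + LISP_HDR_LEN:ihl + ulen], nonce, lsb, outer_src
```

Run with the slide's values: a cache entry for 3.0.0.0/24 with 12.0.0.2 [1, 50] and 13.0.0.2 [1, 50], a constructed host packet 2.0.0.2 -> 3.0.0.3 and ITR locator 11.0.0.1; marking 12.0.0.2 down makes `select_rloc` fall over to 13.0.0.2, an entry whose TTL has passed is skipped by `lookup` (the ITR would refresh it with a Map-Request), and `decapsulate(encapsulate(...))` returns the untouched inner packet and the nonce.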
  • 25. LISP Operations – Control Plane: Control Plane Mechanisms
     Control Plane EID Registration
      – Map-Register messages: sent by an ETR to a Map-Server to register its associated EID prefixes; specifies the RLOC(s) to be used by the Map-Server when forwarding Map-Requests to the ETR
     Control Plane "Data-triggered" mapping service
      – Map-Request messages: sent from an ITR when it needs an EID mapping, to test an RLOC for reachability, or to refresh a mapping before TTL expiration
      – Map-Reply messages: sent from an ETR in response to a valid Map-Request to provide the EID/RLOC mapping and site ingress policy for the requested EID
  • 26. LISP Operations – Control Plane Example: ETR Registration
    [Diagram: the two sites of slide 20 (PI EID-prefixes 2.0.0.0/24 and 3.0.0.0/24); a Map-Resolver at 65.1.1.1 and a Map-Server at 66.2.2.2 attached to the ALT routers, with "Other 3/8 sites…" also hanging off the ALT]
      [1] ETR sends a LISP Map-Register (udp 4342), outer 12.0.0.2 -> 66.2.2.2, for 3.0.0.0/8, authenticated with SHA-1
      [2] MS advertises 3.0.0.0/8 into ALT
      [3] ALT advertises it throughout, including to the Map-Resolver, via BGP over GRE
    Legend: EIDs -> Green, Locators -> Red, BGP-over-GRE, Physical link
  • 27. LISP Operations – Control Plane Example: Map Request
    [Same diagram as slide 26. DNS entry: D.abc.com A 3.0.0.3]
      [1] Host S sends 2.0.0.2 -> 3.0.0.3; the ITR has no mapping ("How do I get to 3.0.0.3?")
      [2] ITR sends a Map-Request (udp 4342) carrying a nonce, inner 11.0.0.1 -> 3.0.0.3, encapsulated (LISP ECM, udp 4342) as 11.0.0.1 -> 65.1.1.1 to the Map-Resolver
      [3] MR de-caps and forwards the Map-Request 11.0.0.1 -> 3.0.0.3 (nonce) over the ALT
      [4] MS receives it via the ALT and encapsulates it (LISP ECM, udp 4342) as 66.2.2.2 -> 12.0.0.2 to the registered ETR
      [5] ETR receives the Map-Request 11.0.0.1 -> 3.0.0.3 (nonce)
    Legend: EIDs -> Green, Locators -> Red, BGP-over-GRE, Physical link
  • 28. LISP Operations – Control Plane Example: Map Reply
    [Same diagram as slide 26]
      [6] ETR sends a Map-Reply (udp 4342) 12.0.0.2 -> 11.0.0.1 directly to the ITR, echoing the nonce and carrying the Mapping Entry:
          EID-prefix: 3.0.0.0/24, Locator-set:
            12.0.0.2, priority: 1, weight: 50 (D1)
            13.0.0.2, priority: 1, weight: 50 (D2)
      The ITR map-cache now holds 3.0.0.0/24 -> 12.0.0.2 [1, 50], 13.0.0.2 [1, 50]
    Legend: EIDs -> Green, Locators -> Red, BGP-over-GRE, Physical link
  • 29. LISP Operations – Locator Liveliness
     Today if a connection goes down, the route for that connection point is withdrawn from the underlying routing table
     As a consequence of adding the "level of indirection" with LISP, we no longer have direct access to "end-point" liveliness
      – EIDs are removed from the DFZ and placed in the "off-line" control plane
     Thus, we need new mechanisms to provide liveliness information
  • 30. LISP Operations – Locator Liveliness
     We need a way to quickly detect when an RLOC is down to provide fast switchover…
     We need recent up-status for an RLOC so that the switchover picks a working path…
      – Existence of a route to an RLOC does not give up-status
      – Requires a keep-alive mechanism
    [Diagram: S1 and S2 at the source site sending to D1 and D2; the S1 -> D1 path is marked down and the S2 -> D2 path is marked "?"]
     Data Plane vs. Control Plane
      – "N" times "M" control plane messages does not scale
      – Determine the best approach for fast switchover
      – Trade off message overhead vs. fast convergence
  • 31. LISP Operations – Locator Liveliness
     Use the Routing Table when you can
     Use ICMP if you can – in the data plane
     Use Locator-Status-Bits (LSB) – in the data plane
     Use Echo-Nonce – in the data plane, for RLOC bi-directional flows
     Use TCP-Counts
     Use RLOC-Probing – in the control plane, from each source-site to each destination-site ETR
    Callouts: "Solves More Scalability Cases" (on the data-plane mechanisms); "Trade off message overhead vs. fast convergence" (on RLOC-Probing)
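Slides 29–31 list the liveness signals but not how an ITR combines them. The following is an added example written for this transcript, not code from the Cisco deck or from any LISP implementation: an ITR-side tracker that consumes Locator-Status-Bits from incoming data packets (bit i of the field refers to locator i of the locator-set, bit 0 being the first, as in RFC 6830; the `LSBs: 0x1` on slide 45 shows one locator up), issues 24-bit echo-nonces on bidirectional flows, falls back to an RLOC-probe (a nonce-carrying Map-Request) when an echo does not come back, and marks the RLOC down when the probe also times out. The class layout, the 10-second timeouts and the "unanswered echo means probe, unanswered probe means down" policy are assumptions chosen for illustration; the `now` arguments exist so the timers are deterministic.

```python
import os

ECHO_TIMEOUT = 10    # seconds to wait for an echo-nonce to come back (assumed)
PROBE_TIMEOUT = 10   # seconds to wait for an RLOC-probe reply (assumed)


class LocatorLiveness:
    """Up/down state for one remote locator-set, kept in locator-set order so that
    bit i of the 32-bit Locator-Status-Bits field refers to self.rlocs[i]."""

    def __init__(self, rlocs):
        self.rlocs = list(rlocs)
        self.up = {r: True for r in self.rlocs}
        self.echo_pending = {}    # rloc -> (nonce we asked it to echo, time sent)
        self.probe_pending = {}   # rloc -> (nonce carried in the RLOC-probe, time sent)

    # --- data-plane signals ---------------------------------------------------
    def on_locator_status_bits(self, lsb):
        """LSBs set by the remote ETR describe that site's own view of its locators."""
        for i, r in enumerate(self.rlocs[:32]):
            self.up[r] = bool((lsb >> i) & 1)

    def request_echo(self, rloc, now):
        """Set the E-bit and a nonce on packets to rloc; expect it back on return traffic."""
        nonce = int.from_bytes(os.urandom(3), "big")    # 24-bit nonce field
        self.echo_pending[rloc] = (nonce, now)
        return nonce

    def on_data_from(self, rloc, nonce, now):
        """Return traffic carrying our nonce proves the path works in both directions."""
        pending = self.echo_pending.get(rloc)
        if pending and pending[0] == nonce:
            del self.echo_pending[rloc]
            self.up[rloc] = True
            return True
        return False

    # --- control-plane signal -------------------------------------------------
    def send_rloc_probe(self, rloc, now):
        """RLOC-probe: a Map-Request aimed at the locator itself, with a 64-bit nonce."""
        nonce = int.from_bytes(os.urandom(8), "big")
        self.probe_pending[rloc] = (nonce, now)
        return nonce

    def on_probe_reply(self, rloc, nonce, now):
        """Only a reply with the matching nonce counts, as for any Map-Reply."""
        pending = self.probe_pending.get(rloc)
        if pending and pending[0] == nonce:
            del self.probe_pending[rloc]
            self.up[rloc] = True
            return True
        return False

    # --- timers -----------------------------------------------------------------
    def tick(self, now):
        """Expire outstanding echoes and probes. An unanswered echo asks for a probe;
        an unanswered probe marks the RLOC down. Returns (rlocs_to_probe, rlocs_went_down)."""
        to_probe, went_down = [], []
        for r, (_, sent) in list(self.echo_pending.items()):
            if now - sent > ECHO_TIMEOUT:
                del self.echo_pending[r]
                if r not in self.probe_pending:
                    to_probe.append(r)
        for r, (_, sent) in list(self.probe_pending.items()):
            if now - sent > PROBE_TIMEOUT:
                del self.probe_pending[r]
                if self.up[r]:
                    went_down.append(r)
                self.up[r] = False
        return to_probe, went_down

    def usable(self):
        """Locators a fast-switchover decision may pick right now."""
        return [r for r in self.rlocs if self.up[r]]
```

With the slide's locator-set (12.0.0.2, 13.0.0.2), an LSB value of 0b01 from the ETR takes 13.0.0.2 out of `usable()`; an echo that is answered keeps a locator up, one that is not answered within ECHO_TIMEOUT comes back from `tick()` as a probe candidate, and a probe that is not answered within PROBE_TIMEOUT moves the locator to down until a later probe reply restores it.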
  • 32. LISP Overview – Locator Liveliness
     See additional details about Locator Liveliness in the "Additional Material" section at the end of this presentation
  • 33. LISP Operations – Interworking Mechanisms
     Early Recognition – LISP will not be widely deployed day-one
     Interworking for:
      – LISP-capable sites to non-LISP sites (i.e. the rest of the Internet)
      – non-LISP sites to LISP-capable sites
     Two basic Techniques
      – LISP Network Address Translators (LISP-NAT)
      – Proxy Ingress Tunnel Routers & Proxy Egress Tunnel Routers
     Proxy-ITR/Proxy-ETR have the most promise
      – Infrastructure LISP network entity
      – Creates a monetized service opportunity for infrastructure players
  • 34. LISP Operations – LISP Components: Proxy ITR/ETR (PITR/PETR)
    [Same component diagram as slide 18]
    PITR – Proxy ITR
      • Receives traffic from non-LISP sites; encapsulates traffic to LISP sites
      • Advertises coarse-aggregate EID prefixes
      • LISP sites see benefits of ingress TE "day-one"
    PETR – Proxy ETR
      • Allows IPv6 LISP sites with IPv4 RLOCs to reach IPv6 LISP sites that only have IPv6 RLOCs
      • Allows LISP sites with uRPF restrictions to reach non-LISP sites
  • 35. LISP Operations – Interworking Mechanisms: PITR Example
    [Diagram: LISP EID sites 2.1.0.0/16, 2.2.0.0/16 and 2.3.0.0/16; non-LISP sites 65.1.0.0/16, 65.2.0.0/16 and 65.3.0.0/16 in the non-LISP Internet (aggregates 65.0.0.0/12 and 66.0.0.0/12); three PITRs, each advertising 2.0.0.0/8 into BGP]
      [1] A non-LISP host sends 65.1.1.1 -> 2.1.1.1; the BGP aggregate draws it to the nearest PITR
      [2] The PITR encapsulates it as 65.9.1.1 -> 66.1.1.1 with inner 65.1.1.1 -> 2.1.1.1 toward the LISP site
      [3] Return traffic 65.1.1.1 <- 2.1.1.1 from the LISP site is forwarded natively to the non-LISP site
    Legend: LISP Sites -> EIDs, non-LISP Sites -> RLOCs, Physical link
  • 36. LISP Operations – Interworking Mechanisms: PETR Example
    [Same diagram as slide 35, adding a PETR at 65.10.1.1; the LISP site's xTR is configured with "ip lisp use-petr 65.10.1.1"]
      [1] The LISP host sends 65.1.1.1 <- 2.1.1.1 (2.1.1.1 toward 65.1.1.1) to its ITR
      [2] The ITR encapsulates it as 65.10.1.1 <- 66.1.1.1 with inner 65.1.1.1 <- 2.1.1.1 to the PETR, which de-caps and forwards natively
      [3] The non-LISP host replies 65.1.1.1 -> 2.1.1.1 and the BGP aggregate draws the reply to a PITR
      [4] The PITR encapsulates it as 65.9.2.1 -> 66.1.1.1 with inner 65.1.1.1 -> 2.1.1.1 toward the LISP site
    Legend: LISP Sites -> EIDs, non-LISP Sites -> RLOCs, Physical link
  • 37. LISP Operations – Practical Security Mechanisms
     ETRs…
      – SHA-1 HMAC shared-key authentication between ETR and Map-Server to register EIDs into the mapping system
      – Additional policy and security configured on the map-server
     ITRs…
      – Will not accept unsolicited Map-Replies, and only accept a Map-Reply that matches the Map-Request nonce
      – Will not accept coarser EID-prefixes
     ALT
      – BGP is secured with peer authentication
      – sBGP can be added later when implemented
     Others…
      – Map-Requests rate-limited
      – Map-Replies could carry public keys
      – ITR could encrypt encapsulated data with ESP headers
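The Map-Server and ITR checks on slide 37 are easiest to understand as code. The following is an added example written for this transcript, not code from the Cisco deck or from any LISP implementation. On the Map-Server side it applies the "lisp site" policy of slide 44 (a registration is accepted only for an EID-prefix inside a configured site's prefix, and only if its HMAC-SHA-1-96 verifies under that site's shared key, computed over the message with the authentication field zeroed, as RFC 6830 specifies); on the ITR side it keeps the nonces of outstanding Map-Requests and drops a Map-Reply that is unsolicited, carries the wrong nonce, does not cover the requested EID, or is coarser than an entry the map-cache already trusts for that EID (the last rule is this example's reading of "will not accept coarser EID-prefixes"). The message encoding is constructed for the example and is not the LISP wire format; the keys and addresses are taken from the slides or constructed.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

KEY_ID_HMAC_SHA1_96 = 1   # key-id LISP assigns to HMAC-SHA-1-96 (RFC 6830)
AUTH_LEN = 12             # HMAC-SHA-1-96 truncates the 20-byte SHA-1 MAC to 12 bytes


def _records(eid_prefix, rlocs):
    """Constructed record encoding for this example: 'prefix;rloc1,rloc2'."""
    return (eid_prefix + ";" + ",".join(rlocs)).encode()


def build_map_register(site_key, eid_prefix, rlocs):
    """ETR side. Layout (constructed): key-id(1) auth-len(1) auth(12) records.
    The MAC is computed with the auth field zeroed, then written into place."""
    unsigned = struct.pack("!BB", KEY_ID_HMAC_SHA1_96, AUTH_LEN) + b"\x00" * AUTH_LEN \
        + _records(eid_prefix, rlocs)
    mac = hmac.new(site_key, unsigned, hashlib.sha1).digest()[:AUTH_LEN]
    return unsigned[:2] + mac + unsigned[2 + AUTH_LEN:]


class MapServer:
    """Holds the 'lisp site' policy: which EID-prefixes may register, under which key."""
    def __init__(self):
        self.sites = {}   # IPv4Network -> (site name, shared key)

    def configure_site(self, name, eid_prefix, key):
        self.sites[ipaddress.ip_network(eid_prefix)] = (name, key)

    def process_map_register(self, msg):
        """Return 'registered ...' on success or a 'reject: ...' reason."""
        key_id, auth_len = struct.unpack("!BB", msg[:2])
        if key_id != KEY_ID_HMAC_SHA1_96 or auth_len != AUTH_LEN:
            return "reject: unsupported key-id or auth length"
        mac, rest = msg[2:2 + AUTH_LEN], msg[2 + AUTH_LEN:]
        prefix_txt, _, rloc_txt = rest.decode().partition(";")
        prefix = ipaddress.ip_network(prefix_txt)
        # Policy first: the prefix must fall inside a configured site, which also picks the key.
        site = next(((n, k) for p, (n, k) in self.sites.items() if prefix.subnet_of(p)), None)
        if site is None:
            return "reject: EID-prefix not allowed for any configured site"
        name, key = site
        expected = hmac.new(key, msg[:2] + b"\x00" * AUTH_LEN + rest, hashlib.sha1).digest()[:AUTH_LEN]
        if not hmac.compare_digest(mac, expected):      # constant-time compare
            return "reject: bad HMAC (wrong shared key or tampered message)"
        return "registered %s for site %s via %s" % (prefix, name, rloc_txt)


class Itr:
    """ITR acceptance rules for Map-Replies."""
    def __init__(self):
        self.pending = {}     # nonce -> requested EID for outstanding Map-Requests
        self.map_cache = {}   # IPv4Network -> list of RLOCs

    def send_map_request(self, eid):
        nonce = int.from_bytes(os.urandom(8), "big")    # fresh 64-bit nonce per request
        self.pending[nonce] = ipaddress.ip_address(eid)
        return nonce

    def accept_map_reply(self, nonce, eid_prefix, rlocs):
        if nonce not in self.pending:
            return "drop: unsolicited or nonce mismatch"
        eid = self.pending[nonce]
        prefix = ipaddress.ip_network(eid_prefix)
        if eid not in prefix:
            return "drop: prefix does not cover requested EID"
        for cached in self.map_cache:
            if eid in cached and prefix.prefixlen < cached.prefixlen:
                return "drop: coarser than existing map-cache entry"
        del self.pending[nonce]          # a nonce is good for exactly one reply
        self.map_cache[prefix] = list(rlocs)
        return "cached"
```

Using the slide 44 site dmm-isr with a constructed key, a Map-Register for 153.16.21.0/24 under the right key is accepted, the same message under another key or with one byte altered fails the HMAC, and a registration for 153.16.40.0/24 (which belongs to site simlo on the other MS/MR) is refused by policy before any key is consulted. On the ITR side a reply with a stale or guessed nonce, a reply for a prefix that does not contain the requested EID, or a 3.0.0.0/8 reply arriving after 3.0.0.0/24 is already cached are all dropped.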
  • 38. LISP Operations – Management of LISP
     Data Plane Management
      – Ping, traceroute of EIDs
      – Ping, traceroute of RLOCs
    [Diagram: S1/S2 at the source site, D1/D2 at the destination site]
     Control Plane Management
      – LISP Internet Groper (LIG) (like "dig" for DNS)
     Device Management
      – show and debug commands
      – MIB coming…
  • 39. LISP Operations – Management of LISP
     LISP Internet Groper (LIG)
      – Fetches an EID-to-RLOC database mapping entry
      – Both router and host lig implementations available
      titanium-dino# lig dmm-xtr-2.lisp4.net
      Send map-request to 128.223.156.35 for 153.16.12.1 ...
      Received map-reply from 128.223.156.23 with rtt 0.040508 secs
      Map-cache entry for dmm-xtr-2.lisp4.net EID 153.16.12.1:
      153.16.12.0/24, uptime: 00:00:01, expires: 23:59:58, via map-reply, auth
        Locator            Uptime    State  Priority/  Data    Control
                                            Weight     in/out  in/out
        128.223.156.23     00:00:01  up     1/100      0/0     0/0
      titanium-dino# lig self6
      Send loopback map-request to 128.223.156.35 for 2610:d0:2105:: ...
      Received map-reply from 173.8.188.25 with rtt 0.260715 secs
      Map-cache entry for EID 2610:d0:2105:::
      2610:d0:2105::/48, uptime: 00:00:01, expires: 23:59:58, via map-reply, self
        Locator            Uptime    State  Priority/  Data    Control
                                            Weight     in/out  in/out
        173.8.188.25       00:00:01  up     1/33       0/0     0/0
        173.8.188.26       00:00:01  up     1/33       0/0     0/0
        173.8.188.27       00:00:01  up     1/33       0/0     0/0
        2002:ad08:bc19::1  00:00:01  up     2/0        0/0     0/0
  • 40. LISP Operations – Management of LISP
      xTR(config)# ip lisp ?
        alt-vrf             Activate LISP-ALT functionality in VRF
        database-mapping    Configures Locator addresses for an ETR
        etr                 Configures a LISP Egress Tunnel Router (ETR)
        itr                 Configures a LISP Ingress Tunnel Router (ITR)
        locator-down        Manually set locator status to down
        map-cache           Configures static EID-to-RLOC mappings for an ITR
        map-cache-limit     Configures maximum size of map-cache
        map-request-source  Configures source address for Map-Request message
        path-mtu-discovery  Path MTU discovery
        proxy-etr           Configures a LISP Proxy Engress Tunnel Router (PETR)
        proxy-itr           Configures a LISP Proxy Ingress Tunnel Router (PITR)
        use-petr            Encapsulate to Proxy ETR when matching forward-native entry
      xTR# show ip lisp ?
        database    Show EID-prefixes configured for this site
        forwarding  LISP forwarding module show commands
        map-cache   Display EID-to-RLOC cache mapping in this ITR
        statistics  Display LISP address family statistics
        |           Output modifiers
        <cr>
      xTR# debug lisp ?
        control-plane  LISP control plane debug categories
        detail         Enable LISP detailed debugging
        filter         Specify a filter for LISP debug output
        forwarding     LISP forwarding related debug commands
  • 41. LISP Example
  • 42. LISP Example – Configurations
    [Diagram: xTR dmm-isr (RLOC 128.223.156.222, EID-prefix 153.16.21.0/24) and xTR simlo (RLOC 217.41.88.65, EID-prefix 153.16.40.0/24); MS/MR arin-mrms at 128.223.156.139 and MS/MR ripe-mrms at 193.0.0.170]
    dmm-isr:
      !
      interface Loopback0
       ip address 153.16.21.1 255.255.255.255
      !
      interface FastEthernet0/0
       ip address 128.223.156.222 255.255.255.0
      !
      interface FastEthernet0/0/0
       ip address 153.16.21.17 255.255.255.240
      !
      ip lisp database-mapping 153.16.21.0/24 128.223.156.222 priority 1 weight 100
      ip lisp itr map-resolver 128.223.156.139
      ip lisp itr
      ip lisp etr map-server 128.223.156.139 key 6 #%$^%##
      ip lisp etr
      !
      ip route 0.0.0.0 0.0.0.0 128.223.156.1
      !
  • 43. LISP Example – Configurations
    [Same diagram as slide 42]
    simlo:
      !
      interface Loopback0
       ip address 153.16.40.1 255.255.255.255
      !
      interface FastEthernet0/0
       ip address 217.41.8.65 255.255.255.0
      !
      interface FastEthernet0/0/0
       ip address 153.16.40.2 255.255.255.240
      !
      ip lisp database-mapping 153.16.40.0/24 217.41.88.65 priority 1 weight 100
      ip lisp itr map-resolver 193.0.0.170
      ip lisp itr
      ip lisp etr map-server 193.0.0.170 key 6 #%$^%##
      ip lisp etr
      !
      ip route 0.0.0.0 0.0.0.0 217.41.88.1
      !
  • 44. LISP Example – Configurations
    [Same diagram as slide 42]
    arin-mrmr (MS/MR):
      !
      hostname arin-mrmr
      !
      ---<skip>---
      !
      lisp site dmm-isr
       eid-prefix 153.16.21.0/24 route-tag 1234567890
       authentication-key 3 #%$^%##
       description dmm-isr
      !
      ---<skip>---
    ripe-mrmr (MS/MR):
      hostname ripe-mrmr
      !
      ---<skip>---
      lisp site simlo
       eid-prefix 153.16.40.0/24 route-tag 1234567890
       authentication-key 3 #%$^%##
       description simlo
      !
      ---<skip>---
  • 45. LISP Example – Operations
    [Same diagram as slide 42]
      dmm-isr# show ip lisp database
      LISP ETR IPv4 Mapping Database, LSBs: 0x1
      EID-prefix: 153.16.21.0/28
        128.223.156.222, priority: 1, weight: 100, state: up, local
      dmm-isr# show ip lisp map-cache
      LISP IPv4 Mapping Cache, 1 entries
      0.0.0.0/0, uptime: 00:01:15, expires: never, via static
      dmm-isr#
  • 46. LISP Example – Operations
    [Same diagram as slide 42]
      dmm-isr# show ip lisp site dmm-isr
      LISP Site Registration Information for VRF "default"
      * = truncated IPv6 address
      Site name: "dmm-isr"
      Description: none configured
      Allowed configured locators: any
      Allowed EID-prefixes:
        EID-prefix: 2610:d0:1209::/48
          Currently registered: yes
          First registered: 1w5d
          Last registered: 00:00:17
          Who last registered: 128.223.156.222
          Routing table tag: 0x499602d2
          Registered locators: 128.223.156.222 (up)
        EID-prefix: 153.16.21.0/28
          Currently registered: yes
          First registered: 1w5d
          Last registered: 00:00:17
          Who last registered: 128.223.156.222
          Routing table tag: 0x499602d2
          Registered locators: 128.223.156.222 (up)
      dmm-isr#
  • 47. LISP Example – Operations
    [Same diagram as slide 42]
      dmm-isr# lig self
      Mapping information for EID 153.16.21.0 from 128.223.156.222 with RTT 0 msecs
      153.16.21.0/24, uptime: 00:00:00, expires: 23:59:59, via map-reply, self
        Locator          Uptime    State  Pri/Wgt
        128.223.156.222  00:00:00  up     1/100
      dmm-isr# show ip lisp map-cache
      LISP IPv4 Mapping Cache, 2 entries
      0.0.0.0/0, uptime: 00:01:15, expires: never, via static
      153.16.21.0/24, uptime: 00:00:02, expires: 23:59:57, via map-reply, self
        Locator          Uptime    State  Pri/Wgt
        128.223.156.222  00:00:02  up     1/100
      dmm-isr#
  • 48. LISP Example – Operations
    [Same diagram as slide 42]
      dmm-isr# lig 153.16.40.1
      Mapping information for EID 153.16.40.1 from 217.41.88.65 with RTT 404 msecs
      153.16.40.0/24, uptime: 00:00:00, expires: 1d00h, via map-reply, complete
        Locator          Uptime    State  Pri/Wgt
        217.41.88.65     00:00:00  up     1/100
      dmm-isr# show ip lisp map-cache
      LISP IPv4 Mapping Cache, 3 entries
      0.0.0.0/0, uptime: 00:00:13, expires: never, via static
      153.16.21.0/24, uptime: 00:00:10, expires: 23:59:49, via map-reply, self
        Locator          Uptime    State  Pri/Wgt
        128.223.156.222  00:00:10  up     1/100
      153.16.40.0/24, uptime: 00:00:00, expires: 23:59:59, via map-reply, complete
        Locator          Uptime    State  Pri/Wgt
        217.41.88.65     00:00:00  up     1/100
      dmm-isr#
  • 49. LISP Example – Operations
    [Same diagram as slide 42]
      dmm-isr# show ip lisp
      Ingress Tunnel Router (ITR): enabled
      Egress Tunnel Router (ETR): enabled
      ITR Map-Resolver: 128.223.156.139
      ETR Map-Server(s): 128.223.156.139 (00:00:07)
      ETR accept mapping data: enabled, verify enabled
      ETR map-cache TTL: 24 hours
      Locator Status Algorithms:
        RLOC-probe algorithm: enabled
      Static mappings configured: 0
      Map-cache limit: 1000
      Map-cache activity check period: 60 secs
      Map-cache size: 3
      dmm-isr#
  • 50. LISP Use Cases
  • 51. LISP Use Cases Enterprise Use Case 1 – Low OpEx Multi-Homing  Active/active multi-homing Low-OpEx switchover (no BGP)  More efficient bandwidth use by site Use all the bandwidth you pay for Provider A Provider B 10.0.0.0/8 11.0.0.0/8  New link revenue for ISP At the benefit of keeping site‟s routes out of their resources  Decoupling addressing from ISP S1 S2 Site has flexibility to change providers 2.0.0.0/8 Raises the bar for ISPs, better for consumer sites BRKCRS-3045 © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 51
  • 52. LISP Use Cases – Enterprise Use Case 2 – Dynamic Roaming and VPNs
    − Engineering is using global PI addresses
    − Core is using global PA addresses
    − Marketing is using private addresses
    − An engineering site moves
    − Dynamic creation of a site is done by simply registering the EID-to-RLOC mapping to the Mapping Database System
    Diagram labels: Boston (Engineering 2.1.0.0/16, Marketing 10.2.0.0/16); San Francisco; Los Angeles; New York (Engineering 2.2.0.0/16, Marketing 10.1.0.0/16); Dallas (Engineering 2.2.0.0/16); Enterprise Core 65.0.0.0/8; RLOCs 65.5.1.1, 65.5.2.2; mapping 2.2.0.0/16 -> (65.4.1.1, 65.4.2.2) and 2.2.0.0/16 -> (65.5.1.1, 65.5.2.2)
  • 53. LISP Use Cases – Service Provider Use Case 1 – Multi-Family Address Support
    − The Internet core is not dual-stack; deal with it
    Diagram labels: IPv6-only Site 2610:d0:1::/48 (LISP Site); IPv6-only Site 2610:d0:2::/48 (LISP Site); IPv4 Internet Core; PxTR, PxTR; Dual-Stack ISP; Dual Stack 240.1.0.0/16, 65.4.0.0/16, 2610:d0:1::/48, 2001:1:2::/48; LISP Site; Non-LISP Site; TCP-over-IPv6 Connection between dino-unix.lisp6.net and ipv6.google.com
  • 54. LISP Use Cases – Service Provider Use Case 2 – Multi-Family Address Support
    − A possible cable company: IPv6 core; they can't upgrade residential on IPv4
    Diagram labels: IPv4-only Server Site 2.1.0.0/16 (LISP Site); IPv6 Cable Core Network; IPv4-only Residential Site 192.168.1.0/24 (LISP Site); PxTR, PxTR; IPv4-only Server Site 65.4.0.0/16 (Non-LISP Site); Dual-Stack Region; IPv6 path; IPv4 path
  • 55. LISP Use Cases – Data Center Use Case 1 – Virtual Machine Mobility
    Diagram labels: Data Center with RLOC A and RLOC A'; routers A (subnets 3.1.1.254/24, 3.1.11.254/24) and A' (subnets 2.2.2.254/24, 2.2.22.254/24); servers S1 3.1.1.1/24, S2 3.1.11.2/24, S3 2.2.2.3/24, S4 2.2.22.4/24; mappings 3.1.0.0/16 -> A, 2.2.0.0/16 -> A', and after S1 moves 3.1.1.1/32 -> A'; legend: L3 Router, LISP Router
  • 56. LISP Use Cases – Data Center Use Case 2 – Load Balancing the SLBs
    − VIPs are EIDs
    − EIDs -> RLOC-sets
    Diagram labels: Array of Servers; Array of SLBs (VIPs); ETR, ETR, ETR, ETR; ITR, ITR, ITR, ITR; Data Center; Internet; legend: L3 Router, LISP Router, Any brand Server Load Balancer, Servers
  • 57. LISP Use Cases – LISP Mobile Code Use Case
    − What if 2 Mobile Hand-sets could roam and keep a TCP connection established?
    − What if 2 Mobile Hand-sets could LISP-encapsulate to each other with a path-stretch of 1?
    − What if you could put up server functionality on your Mobile Hand-set?
    − What if your Mobile Hand-set could use all radios at the same time?
  • 58. LISP Use Cases – LISP Mobile Code Use Case
    Diagram labels: This is a LISP site! EID-prefix: 2001:xxxx:yyyy::1/128; wifi 64.0.0.1; 3G 65.0.0.1; Map-Server: 64.1.1.1; Can set ingress packet policy! Legend: green x.x.x.x -> EID, red x.x.x.x -> Locator (RLOC)
  • 59. LISP Use Cases – LISP Mobile Code Use Case
    − Run a lightweight variant of LISP on the MN: draft-meyer-lisp-mn-01.txt
    − EID can be burned into the SIM: can be either an IPv4 or, more probably, an IPv6 address; will be yours forever, it's your "Network Name"
    − Your DHCP address is your MN's RLOC
    − MN carries the Map-Server RLOC while roaming
    − When you get a new DHCP address: register the new RLOC(s) to the Map-Server(s); update ITR/PITR caches
  • 60. LISP Use Cases – LISP Mobile Code Use Case – Can it scale?
    − Leave RLOCs alone; they map to the underlying physical topology. There is absolutely no more-specific state in the core for LISP MNs (or any other LISP site for that matter…)
    − LISP MN EID more-specific state lives only in the Map-Server: the Map-Server is the control-plane home agent, and it already has a covering route, so no more-specifics in the ALT
    − The only other place for more-specific state is in devices that cache (ITRs and PITRs). How bad can this be?
  • 61. LISP Use Cases – LISP Mobile Code Use Case – Back-of-the-Envelope Calculation
    − Assume a map-cache entry is 1000 bytes (1000 bytes is fairly fat and can be optimized)
    − 1M entries (LISP MNs) per ITR requires 1GB of memory (cheap!)
    − 10M entries (LISP MNs) requires 10GB of memory (simple!)
    − Deploy 100 ITRs at 10M entries each: that's 1B LISP MNs. 100 ITRs is not unreasonable, since good user experience forces shortest exit. Each ITR can hold 10M phones!
    − This is achievable since granular state is only where you need it and nowhere else!
  • 62. LISP Initiatives
  • 63. LISP Initiatives – Standardization Status
    Timeline 2006-2010 (RRG effort, then IETF effort):
    − Oct 2006: IAB Routing WS
    − 2007: LISP in RRG
    − Jan 2007: First Drafts; June 2007: 2nd Set Drafts; Fall 2007: 3rd Set Drafts
    − Summer 2008: 1st BOF, Dublin IETF; Fall 2008: 2nd BOF, Minneapolis IETF
    − 2009: 1st IETF WG (San Francisco), 2nd IETF WG (Stockholm), 3rd IETF WG (Hiroshima)
    − Spring 2009: More Drafts; Summer 2009: LISP-MN; Summer 2009: Loc-Reach-Algs Implemented
    − Fall 2010: IETF WG Completes (Beijing)
    Drafts named on the timeline: Main LISP, LISP-CONS, LISP-NERD, LISP-ALT, LISP-IW, LISP-MS, LISP-LIG, LISP-MN, Loc-Reach-Algs
  • 64. LISP Initiatives – What's Cisco Doing in LISP?
    − Cisco LISP Prototype Implementation: started at Prague IETF, Mar 07; deployed Pilot Network, July 07; since then, >220 releases of experimental code
    − Cisco LISP Product Implementations
      Phase 1 (December 24, 2009): ISR, ISR-G2, 7200 (xTR)
      Phase 2 (March 31, 2010), Available Now!: ISR, ISR-G2, 7200 (xTR, PxTR, ALT) [IOS 15.1(1)XB1]; ASR 1000 (xTR, PxTR, ALT) [IOS-XE 2.5.1]; Nexus 7000 (xTR, PxTR, MS/MR) [NX-OS 5.1(1.13)]; UCS C200 (MS/MR) [NX-OS 5.1(1.13)]
      Phase 3 (June 30, 2010): More LISP!
    − External LISP Efforts: FreeBSD OpenLISP http://gforge.info.ucl.ac.be/projects/openlisp/ ; Open Source LIG Diagnostic Tool http://www.github.com/davidmeyer/lig
  • 65. LISP Initiatives – LISP Network – Goals for the LISP Network
    − Conduct experiments: provide course adjustments for the protocol architecture
    − Test multiple implementations
    − Prove the ALT topology maps to EID address allocation delegations
    − Emulate MSP business models
    − Protocol learning tool for users
    − Test bed for building management tools
  • 68. LISP Initiatives – LISP Network – Gaining LISP management experience
  • 69. Summary
  • 70. LISP Summary – Key Takeaways
    − LISP creates a level of indirection that separates End Host addresses from Site addresses to resolve Internet scaling issues
    − LISP requires no host changes, minimal CPE changes, and adds some infrastructure components to the core
    − LISP enables simplified multi-homing with ingress traffic engineering without the need for BGP
    − LISP enables End Host mobility without requiring renumbering
    − LISP is an open standard (no Cisco IPR)
  • 71. LISP Summary – References [1]
    − Locator/ID Separation Protocol (LISP) - draft-ietf-lisp-06; 25-Jan-2010. http://tools.ietf.org/html/draft-ietf-lisp-06
    − LISP Map Server - draft-ietf-lisp-ms-04; 05-Oct-2009. http://tools.ietf.org/html/draft-ietf-lisp-ms-04
    − LISP ALT - draft-ietf-lisp-alt-02; 25-Jan-2010. http://tools.ietf.org/html/draft-ietf-lisp-alt-01
    − LISP Interworking - draft-ietf-lisp-interworking-00; 26-May-2009. http://tools.ietf.org/html/draft-ietf-lisp-interworking-00
    − LISP Multicast - draft-ietf-lisp-multicast-02; 29-Sep-2009. http://tools.ietf.org/html/draft-ietf-lisp-multicast-02
    − LISP Mobility Architecture - draft-meyer-lisp-mn-01; 01-Feb-2010. http://tools.ietf.org/html/draft-meyer-lisp-mn-00
    − LISP Internet Groper (LIG) - draft-farinacci-lisp-lig-01; 05-May-2009. http://tools.ietf.org/id/draft-farinacci-lisp-lig-01.txt
  • 72. LISP Summary – References [2]
    − You can find additional information about the topics and products covered in this session at the following links: http://lisp4.cisco.com , http://lisp6.cisco.com , http://www.lisp4.net , http://www.lisp6.net
    − Cisco LISP Mailer: lisp-support@external.cisco.com
  • 73. Q&A
  • 75. Additional Material – LISP and MTU
  • 76. LISP Overview – LISP and MTU [1]
    − LISP encapsulation increases the forwarded packet size: IPv4 by 36 bytes, IPv6 by 56 bytes
    − Other tunneling/encapsulation protocols do the same: GRE, IPSec, IP-in-IP, etc.
    − In general, solutions for handling MTU and fragmentation issues with tunnels/encapsulations are well documented: stateful or stateless; ensure packets don't fragment; allow packets to fragment; drop packets
  • 77. LISP Overview – LISP and MTU [2]
    − Practical MTU on the Internet is 1500 bytes: most of the core supports 4470 or 9162 bytes, but hosts assume an "effective MTU" of 1500 bytes
    − When using tunneling mechanisms, prepending headers could make packet sizes > 1500 bytes; larger packets are better for efficiency purposes
    − Network layer fragmentation is not performance-efficient: decapsulating tunnel routers need reassembly buffers, and packet loss causes long buffer holding periods
  • 78. LISP Overview – LISP and MTU [3] – Where is the problem?
    Diagram: path S - R1 - ITR - R2 - R3 - ETR - R4 - D, with 1500-byte MTU links at each end. The problem appears at the ITR when the LISP header puts the packet over 1500 bytes, and in the core when the access MTU is larger than the core MTU (unlikely).
  • 79. LISP Overview – LISP and MTU [4]
    Diagram: path S - R1 - ITR - R2 - R3 - ETR - R4 - D with 1500-byte MTU. Three cases:
    − Fragment-then-encapsulate at the ITR means reassembly at the destination host: best alternative!
    − Fragmentation in the core means reassembly at the ETR: avoid at all cost!
    − Encapsulate-then-fragment at the ITR means reassembly at the ETR: avoid at all cost!
  • 80. LISP Overview – LISP and MTU [5] – Spec'd Solutions (draft-ietf-lisp-07)
    − Stateless Mechanism: allow fragmentation; the ITR fragments and then encapsulates; the destination host reassembles
    − Stateful Mechanism: avoid fragmentation; use PMTU Discovery between ITR and ETR; the ITR stores an "effective MTU" per locator
    − Don't Care Mechanism: avoid fragmentation and PMTU Discovery; assume core MTU is always > access MTU, i.e. assume there is always room for the tunnel headers
  • 81. LISP Overview – LISP and MTU [6] – Source (Host) Control
    − When DF=0 (okay to fragment): the ITR can use the "don't care" mechanism or the "stateless" mechanism
    − When DF=1 (don't fragment): PMTU Discovery is performed between the source and the ITR; the ITR can lower the MTU to leave sufficient room for the encapsulation header
    − IPv6 is always DF=1: PMTU Discovery is expected, and it is always hard for routers to insert the Fragment option
  • 82. LISP Overview – LISP and MTU [7] – LISP Router Control
    − When the inner header is DF=0:
      ITR can do the "stateless" mechanism: pre-encapsulation fragments to a size well below 1500 and sets the outer header to DF=0
      ITR can do the "stateful" mechanism: setting the outer header to DF=1 assures no fragmentation is allowed in the core, and expects PMTUD on the LISP "tunnel"
    − When the inner header is DF=1:
      ITR can do the "stateless" mechanism, but will never fragment, since it can control the source packet size
      ITR can do the "stateful" mechanism, which enables PMTUD so it can propagate the effective MTU back to the source
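Slides 80 to 82 describe the ITR's choice as a decision on each packet: does the encapsulated packet fit the locator's MTU, and if not, may the ITR fragment (inner DF=0, IPv4) or must it drop and report an effective MTU to the source (DF=1, IPv6, or the stateful mechanism)? The following is an added example, not code from the slides or from any Cisco product, that models that decision for the three spec'd mechanisms. The 36/56-byte overhead and the 1500-byte Internet MTU come from the slides; the 20-byte inner IPv4 header, the mechanism names, and the RLOC 203.0.113.1 used in the usage are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# From the slides: LISP adds 36 bytes (IPv4) or 56 bytes (IPv6); hosts assume
# an effective Internet MTU of 1500 bytes.
LISP_OVERHEAD = {4: 36, 6: 56}
INTERNET_MTU = 1500
IPV4_HDR = 20   # assumed inner IPv4 header length (no options)


@dataclass
class Packet:
    af: int        # inner address family, 4 or 6
    size: int      # inner packet size in bytes
    df: bool       # inner Don't Fragment bit; IPv6 always behaves as DF=1 (slide 81)


@dataclass
class Decision:
    action: str                                          # what the ITR does
    outer_sizes: List[int] = field(default_factory=list) # encapsulated packets sent
    advertised_mtu: int = 0                              # MTU told to the source on drop


def fragment_ipv4(size: int, max_frag: int) -> List[int]:
    """Sizes of the IPv4 fragments of a `size`-byte packet, none above max_frag.
    Each fragment repeats the header; all but the last carry a payload that is a
    multiple of 8 bytes, because the fragment offset is counted in 8-byte units."""
    chunk = (max_frag - IPV4_HDR) // 8 * 8
    if chunk <= 0:
        raise ValueError("no room for payload in a fragment")
    payload = size - IPV4_HDR
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(IPV4_HDR + take)
        payload -= take
    return frags


def itr_forward(pkt: Packet, locator_mtu: int = INTERNET_MTU,
                mechanism: str = "stateful") -> Decision:
    """ITR decision for one packet under the three mechanisms of slide 80."""
    overhead = LISP_OVERHEAD[pkt.af]
    outer = pkt.size + overhead
    if mechanism == "dont-care":
        # Assumes the core always has room for the tunnel headers: no check at all,
        # an oversized packet is simply handed to the core.
        return Decision("encapsulate", [outer])
    if outer <= locator_mtu:
        return Decision("encapsulate", [outer])
    if mechanism == "stateless" and pkt.af == 4 and not pkt.df:
        # Fragment-then-encapsulate (slide 79's best alternative): the destination
        # host reassembles, so the ETR needs no reassembly buffers.
        frags = fragment_ipv4(pkt.size, locator_mtu - overhead)
        return Decision("fragment-then-encapsulate", [f + overhead for f in frags])
    # Stateful PMTUD, or a packet the ITR must not fragment (DF=1 or IPv6): drop it
    # and report the effective MTU, i.e. the locator MTU minus the LISP overhead.
    return Decision("drop-icmp-too-big", [], advertised_mtu=locator_mtu - overhead)


class StatefulItr:
    """Per-locator effective MTU of the stateful mechanism: lowered whenever the
    core reports an encapsulated packet as too big (PMTUD between ITR and ETR)."""

    def __init__(self) -> None:
        self.mtu: Dict[str, int] = {}

    def effective_mtu(self, rloc: str) -> int:
        return self.mtu.get(rloc, INTERNET_MTU)

    def core_too_big(self, rloc: str, reported_mtu: int) -> None:
        self.mtu[rloc] = min(self.effective_mtu(rloc), reported_mtu)

    def forward(self, pkt: Packet, rloc: str) -> Decision:
        return itr_forward(pkt, self.effective_mtu(rloc), "stateful")


if __name__ == "__main__":
    itr = StatefulItr()
    print(itr.forward(Packet(4, 1400, False), "203.0.113.1"))   # fits: encapsulate
    itr.core_too_big("203.0.113.1", 1400)                        # core reported too big
    print(itr.forward(Packet(4, 1400, False), "203.0.113.1"))   # now drop, advertise 1364
```

The stateless path shows why a 1500-byte IPv4 packet with DF=0 becomes two encapsulated packets (1496 and 96 bytes) rather than one, and the stateful class shows the per-locator state an ITR has to keep once it relies on PMTUD towards the ETR.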
  • 83. LISP Overview – LISP and MTU [8] – Harsh Reality
    − You either fragment or drop packets: PMTU Discovery causes (periodic) packet drops; fragmentation requires reassembly buffer resources
    − Experience will show which mechanisms will be necessary; years of experience with IPSec and GRE can inform decisions and approaches for LISP
  • 84. Additional Material – LISP and Locator Liveliness
  • 85. LISP Operations – Locator Reachability [1] – Problem Statement
    Diagram: site S with RLOCs S1 and S2; site D with RLOCs D1 and D2; "?" on the S1 to D1 path
    − ITR S1 needs to know if RLOC D1 is reachable
    − ITR S1 needs to know if it can switch over to RLOC D2
    − ITR S1 cannot depend on a D1-prefix route to determine if RLOC D1 is reachable
  • 86. LISP Operations – Locator Reachability [2] – Problem Statement
    Diagram: site S with RLOCs S1 and S2; site D with RLOCs D1 and D2; "?" on the D1 to S1 direction
    − That ITR D1 can reach RLOC S1 does not mean that ITR S1 can reach RLOC D1
    − All you know is that RLOC D1 has not crashed, but you don't know the forwarding path from S1->D1
  • 87. LISP Operations – Locator Reachability [3] – Problem Statement
    − We need a way to detect quickly when an RLOC is down to provide fast switchover…
    − We need to have recent up-status for an RLOC so that the switchover picks a working path… The existence of a route to an RLOC does not give an up-status; this requires a keepalive mechanism
    − Data Plane versus Control Plane: "N" times "M" control messages does not scale; determine the best approach for fast switchover; trade off message overhead versus fast convergence
  • 88. LISP Operations – Locator Reachability [4] – Problem Statement
    Diagram: site S with RLOCs S1 and S2; site D with RLOCs D1 and D2; LSB value 0x00000003 shown on the packet
    − LISP encapsulation includes "Locator Status Bits" (LSB)
    − LSBs are set/sent by the ITR to the ETR to indicate the up/down status of source-site locators. The LSB from ITR D1 to RLOC S1 just tells S1 that D1 is not down; it does not tell S1 that the path from S1 to D2 is reachable, or that S2 to D2 is reachable
  • 89. LISP Operations – Locator Reachability [5] – Possible Data Paths
    Four diagrams, each with site S (RLOCs S1, S2) and site D (RLOCs D1, D2):
    − Totally Symmetric
    − Source Symmetric
    − Return Path Symmetric
    − Totally Asymmetric ("The Square")
  • 90. LISP Operations – Locator Reachability [6] – Solution Space
    − Data Plane-based: deep-packet-inspection TCP-connection heuristics (tcp-count); piggyback "nonce" on data (echo-nonce)
    − Control Plane-based: ITR can probe each ETR for every map-cache entry with control messaging (rloc-probe)
    − ITR can use the "Send and Hope for the Best" approach: use ICMP Unreachables to tell you path-down status; there is no ICMP mechanism to indicate a path-back-up status
  • 91. LISP Operations – Locator Reachability [7] – DPI "TCP-Count"
    Diagram ("the square"): SYN and ACK from S1 to D1; SYN/ACK from D2 to S2
    − Specifically designed for "the square", ITRs count SYNs sent and ACKs sent for all connections
      If ACKs are sent, the return path from D2 to S2 is validated and the path from S1 to D1 is validated
      If SYNs are sent but no ACKs are sent, there is no return traffic. But S1->D1 could be working when D1->D, D->D2, D2->S2, or S2->S is broken; S1 should not switch over to D2 in this case.
      This mechanism gives you "path-up" status, but not good "down" status
  • 92. LISP Operations – Locator Reachability [8] – Piggyback "Echo-Nonce"
    Diagram labels: "E=1, nonce: 0x00123456" on the S1 to D1 direction; "E=0, nonce: 0x00123456" on the return (D2 to S2) direction
    − Nonces in data packets…
      ITR requests the ETR to "echo back" the nonce by setting the data packet "E-bit"
      The echo from the ETR contains the ITR's nonce with the E-bit cleared (validates "up" status)
      Detects "down" status via timeout of the echo-nonce
      Only works with symmetric (bi-directional) traffic between RLOC pairs
      Can be quicker to converge than control message keepalives as long as data is flowing between ITR and ETR
  • 93. LISP Operations – Locator Reachability [9] – Control Msg "rloc-probe"
    Diagram: site S (S1, S2) and site D (D1, D2), with data flows and probes shown separately
    − Add a "probe-bit" to Map-Request and Map-Reply messages
    − Map-Request with probe-bit sent to the remote RLOC; allocates a random 64-bit nonce
    − Map-Reply with probe-bit acknowledges the Map-Request probe; returns the same 64-bit nonce
  • 94. LISP Operations – Locator Reachability [10] – Summary
    Method: rloc-probing (IOS, NX-OS)
      Description: control plane message; ITR originates Map-Request with probe "P-bit" set; ETR returns Map-Reply with "P-bit" set, and current mappings
      Advantages: controlled by ITR side; measures RTT; can do "make-before-break"; can update mappings at the same time as the probe; provides an opportunity to get mapping updates; no control plane/data plane exchange issue
      Disadvantages: potentially a high number of control plane messages; spreading them out over time causes slow switchover
    Method: tcp-count (NX-OS)
      Description: data plane DPI; ITR counts SYNs sent and ACKs sent for all connections during encapsulation; specifically designed for the "square" data path
      Advantages: no added messages or overhead; validates forward and return path at the same time
      Disadvantages: provides "path-up" status but is not good at "path-down" status; limited to the "square" data path; does not work for unidirectional traffic
    Method: echo-nonce (NX-OS)
      Description: data plane piggyback; ITR sets "E-bit" and "N-bit" and sends 'nonce' with data; ETR responds to "E-bit" and "N-bit" with "echo back" of the nonce; ITR detects "down" status on time-out of the echo-nonce
      Advantages: can converge more quickly than control message keepalives for data flows between ITR and ETR
      Disadvantages: only works with bidirectional (symmetric) traffic between RLOC pairs; does not work for unidirectional traffic; bilateral algorithm, i.e. both sides must participate
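Slides 92 to 94 describe two nonce-based reachability mechanisms: echo-nonce, where the ITR asks the ETR to echo a nonce on data packets and treats a missing echo as "down", and rloc-probe, where a Map-Request with the probe bit carries a random 64-bit nonce that the Map-Reply must return. The model below is an added example, not code from the slides or from IOS/NX-OS; it assumes the header fields as dictionaries, a 24-bit data-plane nonce, the timeout values, and the RLOC names D1/D2/S1 used in the usage. The security-relevant part is that both mechanisms only accept a reply carrying exactly the outstanding nonce, so a stale or forged echo or Map-Reply cannot mark a path up.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ECHO_NONCE_BITS = 24    # assumed width of the nonce field in the LISP data header
PROBE_NONCE_BITS = 64   # 64-bit nonce in Map-Request/Map-Reply, from slide 93


@dataclass
class RlocStatus:
    state: str = "up"                  # last known status of the remote RLOC
    echo_nonce: Optional[int] = None   # nonce the ETR was asked to echo, not yet seen
    echo_sent_at: float = 0.0
    probe_nonce: Optional[int] = None  # nonce of the outstanding rloc-probe
    probe_sent_at: float = 0.0
    rtt: Optional[float] = None        # measured by rloc-probe


class ItrLiveness:
    """ITR-side reachability state for remote RLOCs (hypothetical model)."""

    def __init__(self, echo_timeout: float = 3.0, probe_timeout: float = 3.0) -> None:
        self.echo_timeout = echo_timeout
        self.probe_timeout = probe_timeout
        self.rlocs: Dict[str, RlocStatus] = {}

    def status(self, rloc: str) -> RlocStatus:
        return self.rlocs.setdefault(rloc, RlocStatus())

    # --- echo-nonce, piggybacked on data packets (slide 92) ---
    def data_header(self, rloc: str, now: float) -> dict:
        """Header bits for a data packet to `rloc`. A nonce not echoed within the
        timeout while data kept flowing means "down"; a fresh nonce is then requested."""
        st = self.status(rloc)
        if st.echo_nonce is not None and now - st.echo_sent_at > self.echo_timeout:
            st.state = "down"
            st.echo_nonce = None
        if st.echo_nonce is None:
            st.echo_nonce = secrets.randbits(ECHO_NONCE_BITS)
            st.echo_sent_at = now
        return {"E": 1, "N": 1, "nonce": st.echo_nonce}

    def data_received(self, rloc: str, header: dict, now: float) -> bool:
        """An echo (N=1, E=0) with exactly the pending nonce validates "up";
        any other nonce is ignored."""
        st = self.status(rloc)
        if (header.get("N") == 1 and header.get("E") == 0
                and st.echo_nonce is not None and header.get("nonce") == st.echo_nonce):
            st.state = "up"
            st.echo_nonce = None
            return True
        return False

    # --- rloc-probe, Map-Request/Map-Reply with the probe bit (slide 93) ---
    def send_probe(self, rloc: str, now: float) -> dict:
        st = self.status(rloc)
        st.probe_nonce = secrets.randbits(PROBE_NONCE_BITS)
        st.probe_sent_at = now
        return {"type": "Map-Request", "P": 1, "nonce": st.probe_nonce, "to": rloc}

    def probe_reply(self, rloc: str, reply: dict, now: float) -> bool:
        """Accept a Map-Reply only with the probe bit and the outstanding nonce."""
        st = self.status(rloc)
        if reply.get("type") != "Map-Reply" or reply.get("P") != 1:
            return False
        if st.probe_nonce is None or reply.get("nonce") != st.probe_nonce:
            return False
        st.rtt = now - st.probe_sent_at
        st.state = "up"
        st.probe_nonce = None
        return True

    def check_timeouts(self, now: float) -> Dict[str, str]:
        """Unanswered probes past the timeout mark the RLOC down; returns all states."""
        for st in self.rlocs.values():
            if st.probe_nonce is not None and now - st.probe_sent_at > self.probe_timeout:
                st.state = "down"
                st.probe_nonce = None
        return {rloc: st.state for rloc, st in self.rlocs.items()}


class EtrEcho:
    """ETR side of the bilateral echo-nonce algorithm: remember the requested nonce
    and return it with the E-bit cleared on the next data packet to that RLOC."""

    def __init__(self) -> None:
        self.to_echo: Dict[str, int] = {}

    def data_received(self, rloc: str, header: dict) -> None:
        if header.get("E") == 1 and header.get("N") == 1:
            self.to_echo[rloc] = header["nonce"]

    def data_header(self, rloc: str) -> dict:
        nonce = self.to_echo.pop(rloc, None)
        if nonce is None:
            return {"E": 0, "N": 0, "nonce": None}
        return {"E": 0, "N": 1, "nonce": nonce}


def etr_probe_reply(request: dict) -> dict:
    """ETR answer to a probe Map-Request: Map-Reply with the probe bit and same nonce."""
    return {"type": "Map-Reply", "P": 1, "nonce": request["nonce"], "from": request["to"]}
```

Note that the echo only leaves `EtrEcho.data_header` when the ETR itself has data to send towards the ITR's RLOC, which is the slide's point that echo-nonce works only for bidirectional traffic between an RLOC pair; rloc-probe has no such dependency but costs a control message per probed locator.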