Advanced - LISP Technical Seminar
TECRST-3191
Darrel Lewis, LISP Technical Leader
Gregg Schudel, LISP Technical Marketing Engineer
Marco Pessi, LISP Technical Marketing Engineer
Agenda
• LISP Overview and Introduction
• LISP Efficient Multihoming/Multi-AF Support
• LISP Virtualization/VPN
• LISP Data Center/Host Mobility
• Other LISP Topics, Status and Futures
• LISP Open Discussions
Advanced - LISP Technical Seminar
LISP Overview
TECRST-3191
Darrel Lewis, LISP Technical Leader
darlewis@cisco.com
lisp.cisco.com

LISP Overview
Locator/ID Split and LISP
Routing and Addressing Architecture of the Internet Protocol
• Addresses today combine location and identity semantics in a single 32-bit or 128-bit number
• Separating Location and Identity changes this…
• Provide a clear separation at the Network Layer between what we are looking for vs. how best to get there
  • Translation vs. Tunneling is a key question
• Network Layer Identifier: WHO you are in the network
  • Long-term binding to the thing that it names; does not change often at all
• Network Layer Locator: WHERE you are in the network
  • Think of the source and destination “addresses” used in routing and forwarding
• WHERE you are can change! WHO you are should be the same!
LISP Overview
Original Motivation… An IP address “overloads” location and identity
• Today… “addressing follows topology”
  • Efficient aggregation is only available for Provider Assigned (PA) addresses
  • Ingress Traffic Engineering usually requires Provider Independent (PI) addresses and the injection of “more specifics” :: this limits route aggregation compactness
  • IPv6 does not fix this
• Route scaling issues drive system costs higher
  • Forwarding plane (FIB) requires expensive memory
  • Route scaling “drivers” are also seen in Data Centers and for Mobility :: not just the Internet DFZ
“… routing scalability is the most important problem facing the Internet today and must be solved …”
Internet Architecture Board (IAB) October 2006 Workshop (written as RFC 4984)
LISP Overview
Identity and Location :: an Overloaded Concept in Routing Today…
[Figure: an Enterprise site (AS 100) holding 64.1.0.0/16 is multihomed to a Transit SP (AS 200, 12.0/8, link 12.1.1.2/30) and a Commodity SP (AS 300, 13.0/8, link 13.1.1.2/30), both reaching a Tier 1 SP in the IPv4 Internet. The enterprise announces 64.1.0.0/17 and 64.1.128.0/17 over eBGP to steer ingress traffic, so the DFZ Routing Table carries 64.1.0.0/16 plus both /17 more-specifics next to 12.0/8 and 13.0/8. The same prefix 64.1.0.0/16 serves as Location (what the routing table points at) and as Identity (what Sites 1, 2 and 3 are named by)]
LISP Overview
Identity and Location :: an Overloaded Concept in Routing Today…
• Let’s put the ID address and the Locator address in different databases
• Let’s create a “level of indirection” between ID and LOCATION in the network!
• Clear Separation at the Network Layer ::
  • who/what you are looking for
  • vs. …
  • how to best get there
• Two Approaches ::
  • Translations (e.g. NAT)
  • vs. …
  • Tunnels (e.g. GRE, IPsec, MPLS)
What if Locator/ID Separation worked on a GLOBAL Scope? No need to carry all routing in the Forwarding Plane!
[Figure: the same AS 100/200/300 topology, now with a LISP Mapping System holding the Identity side (64.1/16) separately from the DFZ Routing Table, which only needs the Location side (12.0/8, 13.0/8)]
LISP Overview
Identity and Location :: an Overloaded Concept in Routing Today…
• Let’s scale the ID address database to 10^10 entries and allow it to hold any prefix length (e.g. /32)
• Let’s provide a mechanism for on-the-fly resolution of ID to locator
• A high-scale design, plus the ability to change the locator for a fixed ID, enables Mobility!
[Figure: the LISP Mapping System now holds the mapping 64.1/16 @12.1.2.2 @13.1.1.2 (identity mapped to its two locators), while the DFZ Routing Table carries only 12.0/8 and 13.0/8]
LISP Overview
LISP :: A Routing Architecture – Not a Feature
LISP changes the routing architecture to implement a level of indirection between a host’s IDENTITY and its LOCATION in the network
• LISP changes the current ROUTING Architecture
  • Changes lead to DISRUPTION
  • Disruption leads to OPPORTUNITIES
• LISP allows both SPs and Enterprises to do remarkably different things than allowed by traditional approaches
• LISP enables NEW services (VPNs, IPv6, Mobility, “cloud”) in one, common, simple architecture
LISP Overview
Locator/ID Separation :: The Mapping System is the Key
• A Mapping System is the key component of a Loc/ID separation architecture
  • Mapping systems provide the control plane for the architecture
  • Mapping systems represent the great opportunity for this architecture to excel
• Most of the time, users/operators think about the data plane
  • The control plane is where the magic happens!
• Some general components of a mapping system to be aware of… These affect how the system scales, and they scale much differently than routing:
  • state :: must scale to large numbers (such as 10^10) of hosts
  • rate :: must be small globally; damp reachability and mobility changes so they do not impact the system globally
  • latency :: must be low enough not to harm existing applications
  • scope :: must allow for both a global and a private scope for mapping
LISP Overview
Locator/ID Separation :: Changing the Routing Architecture
• A Locator/ID Separation “architecture” helps solve other current network problems
• IPv4/IPv6 Co-existence at the “ID” and “Locator” spaces
  • IPv4 and IPv6 can be implemented at the “ID” and/or “locator” spaces for simple integration
  • In reality, anything can be an “ID” and carried over traditional cores (IPv4 and IPv6)
  • e.g. RFID, VIN#, Geo-Location, MAC-Addr, etc. etc. etc.
• Scaling IP Mobility is very similar to scaling Internet Multihoming
  • Mobility :: an “ID” (unique address) moves from one network “location” to another network “location”
  • Multihoming :: an “ID” (unique address) connects to multiple network “locations” simultaneously
  • For both Mobility and Multihoming, the network must keep “more specific state” globally about where something is located at the current time
LISP Overview
LISP :: A Routing Architecture – Not a Feature
• Uses pull vs. push routing
  • OSPF and BGP are push models; routing stored in the forwarding plane
  • LISP is a pull model; analogous to DNS; massively scalable
• LISP use-cases are complementary
  • Simplified multi-homing with Ingress Traffic Engineering; no need for BGP
  • Address Family agnostic support
  • Virtualization support
  • End-host mobility without renumbering
• An over-the-top technology
  • Address Family agnostic
  • Incrementally deployable
  • End systems can be unaware of LISP
• Enables IP Number Portability
  • Never change host IPs; no renumbering costs
  • No DNS changes; “name == EID” binding
  • Session survivability
• Deployment simplicity
  • No host changes
  • Minimal CPE changes
  • Some new core infrastructure components
• An Open Standard
  • Being developed in the IETF (RFC 6830-6836, 7052)
  • No Cisco Intellectual Property Rights
LISP Operations
Main attributes of LISP EID-to-RLOC mapping
• LISP namespaces
  • EID (Endpoint Identifier) is the IP address of a host – just as it is today
  • RLOC (Routing Locator) is the IP address of the LISP router for the host
  • EID-to-RLOC mapping is the distributed architecture that maps EIDs to RLOCs
[Figure: LISP sites (xTRs) and a Non-LISP site attached to the RLOC Space, with a PxTR and an MS/MR. Example EID-to-RLOC mapping:
  EID          RLOC
  a.a.a.0/24   w.x.y.1
  b.b.b.0/24   x.y.w.2
  c.c.c.0/24   z.q.r.5
  d.d.0.0/16   z.q.r.5
The RLOC-space routing table (Prefix / Next-hop) only carries the RLOCs w.x.y.1, x.y.w.2 and z.q.r.5, each via e.f.g.h]
• Network-based solution
  • No host changes
  • Minimal configuration
  • No DNS changes
• Address Family agnostic
• Incrementally deployable (supports LISP and non-LISP)
• Support for mobility
LISP Operations
LISP :: Mapping Resolution “Level of Indirection” – DNS analog
• LISP “Level of Indirection” is analogous to a DNS lookup
• DNS resolves IP addresses for a URL, answering the “WHO IS” question
  DNS Name-to-IP URL Resolution:
  host → DNS Server: [ who is lisp.cisco.com ] ?
  DNS Server → host: [ 153.16.5.29, 2610:D0:110C:1::3 ]
• LISP resolves locators for queried identities, answering the “WHERE IS” question
  LISP Identity-to-locator Mapping Resolution:
  LISP router → LISP Mapping System: [ where is 2610:D0:110C:1::3 ] ?
  LISP Mapping System → LISP router: [ locator is 128.107.81.169, 128.107.81.170 ]
LISP Operations
LISP IPv4 EID / IPv4 RLOC Data Packet Header Example
[Figure: header stack of a LISP-encapsulated packet – IPv4 Outer Header (ITR supplies RLOCs), UDP Header, LISP Header, IPv4 Inner Header (host supplies EIDs)]
LISP Operations
LISP Encapsulation Combinations – IPv4 and IPv6 Supported
[Figure: the four supported header stacks – IPv4/IPv4: IPv4 Outer Header, UDP, LISP, IPv4 Inner Header; IPv4/IPv6: IPv4 Outer Header, UDP, LISP, IPv6 Inner Header; IPv6/IPv4: IPv6 Outer Header, UDP, LISP, IPv4 Inner Header; IPv6/IPv6: IPv6 Outer Header, UDP, LISP, IPv6 Inner Header]
Q: Doesn’t encapsulation cause MTU issues?
• A: It can… But preparation limits issues…
  • Encapsulation overhead is 36B with an IPv4 outer header and 56B with an IPv6 outer header
  • LISP supports “stateful” (PMTUD) and “stateless” (fragmentation) options
  • Tunnel/MTU issues are well known (GRE, IPsec, etc.) and are usually operationally tractable
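To make the 36-byte and 56-byte overhead figures concrete, here is an added Python example (not code from the seminar, from Cisco or from any LISP implementation) that builds the outer IP header, the UDP header to port 4341 and the RFC 6830 LISP data header around a constructed inner packet, then derives the overhead and the usable inner MTU for each outer address family. The LISP header layout follows RFC 6830 (N/L/I flag bits, 24-bit nonce, 32-bit locator-status-bits, or 24-bit instance ID plus 8-bit LSBs when the I bit is set); the UDP source port value and the zero UDP checksum are assumptions chosen for the example.

```python
import ipaddress
import struct

LISP_DATA_PORT = 4341   # data plane; the control plane uses UDP 4342
LISP_HDR_LEN = 8
UDP_HDR_LEN = 8

# RFC 6830 LISP data header flag bits (first byte of the header)
FLAG_N = 0x80   # nonce present
FLAG_L = 0x40   # locator-status-bits present
FLAG_I = 0x08   # instance ID present (the LSB field shrinks to 8 bits)


def build_lisp_header(nonce, lsb, instance_id=None):
    """8-byte LISP data header: flags | 24-bit nonce, then LSBs (or IID + 8-bit LSBs)."""
    flags = FLAG_N | FLAG_L
    if instance_id is None:
        second = lsb & 0xFFFFFFFF
    else:
        flags |= FLAG_I
        second = ((instance_id & 0xFFFFFF) << 8) | (lsb & 0xFF)
    return struct.pack("!II", (flags << 24) | (nonce & 0xFFFFFF), second)


def parse_lisp_header(hdr):
    """ETR side: recover nonce, instance ID and locator-status-bits from the header."""
    first, second = struct.unpack("!II", hdr[:LISP_HDR_LEN])
    flags = first >> 24
    parsed = {"nonce": first & 0xFFFFFF if flags & FLAG_N else None,
              "instance_id": None, "lsb": None}
    if flags & FLAG_I:
        parsed["instance_id"] = second >> 8
        parsed["lsb"] = second & 0xFF if flags & FLAG_L else None
    elif flags & FLAG_L:
        parsed["lsb"] = second
    return parsed


def ipv4_checksum(data):
    """Standard one's-complement checksum over the IPv4 header bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(src, dst, payload_len, proto=17):
    """Minimal IPv4 or IPv6 header; src and dst must share one address family.
    Used for the outer RLOC header and, below, for a constructed inner EID packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must be the same address family")
    if s.version == 4:
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                          64, proto, 0, s.packed, d.packed)
        return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, proto, 64,
                       s.packed, d.packed)


def lisp_encapsulate(src_rloc, dst_rloc, inner, nonce, lsb, instance_id=None,
                     src_port=0xF123):
    """ITR side: outer IP (RLOCs) + UDP/4341 + LISP header + inner EID packet.
    src_port is an assumed value; a real ITR derives it from the inner 5-tuple."""
    lisp_hdr = build_lisp_header(nonce, lsb, instance_id)
    udp_len = UDP_HDR_LEN + LISP_HDR_LEN + len(inner)
    udp_hdr = struct.pack("!HHHH", src_port, LISP_DATA_PORT, udp_len, 0)  # zero UDP checksum
    return ip_header(src_rloc, dst_rloc, udp_len) + udp_hdr + lisp_hdr + inner


def encap_overhead(src_rloc, dst_rloc):
    """Bytes added in front of the inner packet: 36 for IPv4 RLOCs, 56 for IPv6 RLOCs."""
    return len(lisp_encapsulate(src_rloc, dst_rloc, b"", 0, 0))


def inner_mtu(path_mtu, src_rloc, dst_rloc):
    """Largest inner packet that crosses the RLOC path without fragmentation."""
    return path_mtu - encap_overhead(src_rloc, dst_rloc)


if __name__ == "__main__":
    # constructed sample: Site 1 host to Site 2 host over the IPv4 RLOCs of the slides
    inner = ip_header("2001:db8:1::1", "2001:db8:2::1", 0)
    pkt = lisp_encapsulate("11.0.0.2", "12.0.0.2", inner, nonce=0x123456, lsb=0x3)
    print(len(pkt) - len(inner), "bytes overhead;", parse_lisp_header(pkt[28:36]))
```

The inner MTU a site can offer its hosts is the path MTU between the RLOCs minus this overhead: on a 1500-byte core that is 1464 bytes behind IPv4 RLOCs and 1444 bytes behind IPv6 RLOCs, which is the value the stateful (PMTUD) option has to signal and the stateless option has to fragment around.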
LISP Operations
LISP Data Plane :: Ingress/Egress Tunnel Router (xTR)
• ITR – Ingress Tunnel Router
  • Receives packets from site-facing interfaces
  • Encap to remote LISP sites, or native-fwd to non-LISP sites
• ETR – Egress Tunnel Router
  • Receives packets from core-facing interfaces
  • De-cap and deliver packets to local EIDs at site
[Figure: LISP Site 1 (PI EID-prefix 2001:db8:1::/48, host S, xTR-1 on Provider A 10.0.0.0/8 and xTR-2 on Provider B 11.0.0.0/8) and LISP Site 2 (PI EID-prefix 2001:db8:2::/48, host D, xTR-3 on Provider C 12.0.0.0/8 and xTR-4 on Provider D 13.0.0.0/8); every xTR runs both an ITR and an ETR function, packet flow from S to D]
LISP Operations
LISP Data Plane :: Unicast Packet Flow
[Figure: the two-site topology with xTR RLOCs 10.0.0.2 and 11.0.0.2 at Site 1 and 12.0.0.2 and 13.0.0.2 at Site 2, DNS entry D.abc.com AAAA 2001:db8:2::1. Flow: S sends 2001:db8:1::1 -> 2001:db8:2::1 to its ITR; the ITR’s Map-Cache Entry for EID-prefix 2001:db8:2::/48 holds Locator-set 12.0.0.2 priority 1 weight 50 and 13.0.0.2 priority 1 weight 50 (this policy is controlled by the destination site); the ITR encapsulates the packet as 11.0.0.2 -> 12.0.0.2, the core forwards on the outer RLOC header, the ETR at 12.0.0.2 decapsulates, and the inner packet 2001:db8:1::1 -> 2001:db8:2::1 is delivered to D]
LISP Operations
LISP Data Plane :: Ingress/Egress Tunnel Router (xTR)
Identical configs on both xTRs! (Site 2 configuration shown)
!
router lisp
 locator-set SITE2
  12.0.0.2 priority 1 weight 50
  13.0.0.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 2001:db8:2::/48 locator-set SITE2
  exit
 !
 ipv6 itr map-resolver 66.2.2.2
 ipv6 itr
 ipv6 etr map-server 66.2.2.2 key S3cr3t-2
 ipv6 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 12.0.0.1 (or 13.0.0.1)
!
[Figure: the two-site topology; Site 2’s xTR-3 (12.0.0.2, Provider C 12.0.0.0/8) and xTR-4 (13.0.0.2, Provider D 13.0.0.0/8) carry the configuration above]
LISP Operations
LISP Packet Forwarding – ITR
[Flowchart, rendered as steps:]
Ingress Packet → check the source address of the packet to be forwarded:
• Is SRC within a local EID prefix?
  • NO → Packet NOT ELIGIBLE for LISP encapsulation; native forwarding rules apply
  • YES → Packet ELIGIBLE for LISP encapsulation; continue with a destination lookup in the routing table (RIB) (show ip route)
• Destination lookup in the RIB – is there a default route (0.0.0.0/0 or ::/0)?
  • Match against a “real route” → Forward Packet Natively (1)
  • Match against the default route (0.0.0.0/0 or ::/0), or “no route” → Check Map-Cache entries to see which one the destination matches (2)
• Map-Cache entry action:
  • “send-request” action? YES → Send Map-Request to Map-Resolver; Drop Packet
  • “drop” action? YES → Drop Packet
  • “forward-native” action? YES → use-petr configured? YES → LISP Encap Packet to PETR (3); NO → Forward Packet Natively
  • “fwd-encap” action? YES → LISP Encap Packet to DST RLOC (3)
NOTES:
(1) If the destination doesn’t match a “default route” or “no route”, the only other possibility is a match against a “real route” with a viable next-hop. This packet is not eligible for LISP encapsulation and is always forwarded natively (and will not use a PETR if one is configured).
(2) Because the LISP control plane function automatically installs a default map-cache entry with the action “send-map-request,” there can never be a “map-cache miss.”
(3) The packet is encapsulated and a destination address lookup is performed on the destination/remote RLOC; once the output interface is known, the source RLOC is filled in.
LISP Operations
LISP Control Plane :: Introduction
• LISP Control Plane provides on-demand mappings
• Control Plane is separate from the Data Plane (UDP 4342 vs UDP 4341)
• Map-Resolver and Map-Server (similar to DNS Resolver and DNS Server)
• LISP Control Plane messages for EID-to-RLOC resolution
• Distributed databases and map-caches hold mappings
LISP Operations
LISP Control Plane :: Map-Server/Map-Resolver (MS/MR)
• MR – Map-Resolver
  • Receives Map-Request from ITR
  • Forwards Map-Request to Mapping System
  • Sends Negative Map-Replies in response to Map-Requests for non-LISP sites
• MS – Map-Server
  • LISP site ETRs register their EID prefixes here; requires configured “lisp site” policy and authentication key
  • Receives Map-Requests via Mapping System, forwards them to registered ETRs
[Figure: the two-site topology (Site 1 RLOCs 10.0.0.2/11.0.0.2, Site 2 RLOCs 12.0.0.2/13.0.0.2) with an MR and an MS in the Mapping System]
LISP Operations
LISP Control Plane :: Map-Server/Map-Resolver (MS/MR)
• LISP Map Cache (ITR)
  • Only stores mappings for sites the ITR is currently sending packets to
  • Populated by receiving Map-Replies from ETRs
  • ITRs must respect Map-Reply policy (TTLs, RLOC up/down status, RLOC priorities/weights)
• LISP Site Mapping-Database (ETR)
  • EID-to-RLOC mappings in all ETRs for the local LISP site
  • ETR is “authoritative” for its EIDs, sends Map-Replies to ITRs
  • ETRs can tailor policy based on Map-Request source
[Figure: the two-site topology with MR and MS in the Mapping System]
LISP Operations
LISP Control Plane :: Control Plane Messages
• Control Plane EID Registration
  • Map-Register message
    • Sent by ETR to Map-Server to register its associated EID prefixes
    • Specifies RLOC(s) to be used by the MS when forwarding Map-Requests to the ETR
• Control Plane “Data-triggered” mapping services
  • Map-Request message
    • Sent by an ITR to Map-Resolver to
      • learn an EID/RLOC mapping
      • test an RLOC for reachability
      • refresh a mapping before TTL expiration
      • respond to a Solicit Map-Request (SMR)
    • Sent by an ETR (with “S” bit set)
      • as a Solicit Map-Request (SMR) to signal a site change
  • Map-Reply message
    • Sent by an ETR to an ITR
      • in response to a valid Map-Request, to provide the EID/RLOC mapping and site ingress policy for the requested EID
  • Map-Notify message
    • Sent by Map-Server to an ETR to
      • acknowledge successful registration of an EID prefix
LISP Operations
LISP Control Plane :: Map-Register
[Figure: (1) each Site 2 ETR (12.0.0.2 and 13.0.0.2) sends a LISP Map-Register (udp 4342) to the Map-Server 66.2.2.2, e.g. 12.0.0.2 -> 66.2.2.2, authenticated with a SHA2 HMAC and carrying EID-prefix 2001:db8:2::/48 with RLOCs 12.0.0.2, 13.0.0.2; (2) other sites register in the same way]
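The SHA2 HMAC on the Map-Register is what ties a registration to the “lisp site” policy on the Map-Server, so here is an added Python example (not code from the seminar, from Cisco or from any LISP implementation) of both sides of that check. The header fields (type 3, P and M bits, 64-bit nonce, key ID, authentication-data length) and the rule that the HMAC is computed over the whole message with the authentication field zeroed follow RFC 6833, as does key ID 2 meaning HMAC-SHA-256 truncated to 128 bits; the record encoding is a constructed simplification, not the RFC record wire format, and the site names and keys (Site-2, S3cr3t-2) are taken from the MS/MR configuration slide.

```python
import hashlib
import hmac
import ipaddress
import struct

MAP_REGISTER_TYPE = 3
KEY_ID_HMAC_SHA256_128 = 2   # RFC 6833 key ID 2: HMAC-SHA-256 truncated to 128 bits
AUTH_LEN = 16


def encode_record(eid_prefix, rlocs, ttl_minutes=1440):
    """Constructed, simplified record encoding (not the RFC 6830 record format)."""
    body = f"{ttl_minutes};{eid_prefix};{','.join(rlocs)}".encode()
    return struct.pack("!H", len(body)) + body


def decode_records(data):
    records = []
    while data:
        (length,) = struct.unpack("!H", data[:2])
        ttl, prefix, rlocs = data[2:2 + length].decode().split(";")
        records.append((int(ttl), ipaddress.ip_network(prefix), rlocs.split(",")))
        data = data[2 + length:]
    return records


def _assemble(word, nonce, auth, records):
    return struct.pack("!IQHH", word, nonce, KEY_ID_HMAC_SHA256_128, AUTH_LEN) + auth + records


def build_map_register(site_key, nonce, records, proxy_reply=False, want_notify=True):
    """ETR side. The HMAC covers the entire message with the auth field zeroed."""
    word = ((MAP_REGISTER_TYPE << 28) | (int(proxy_reply) << 27)   # P bit: proxy Map-Reply
            | (int(want_notify) << 8) | len(records))               # M bit: want Map-Notify
    body = b"".join(records)
    zeroed = _assemble(word, nonce, b"\x00" * AUTH_LEN, body)
    auth = hmac.new(site_key, zeroed, hashlib.sha256).digest()[:AUTH_LEN]
    return _assemble(word, nonce, auth, body)


def verify_map_register(site_key, msg):
    """Map-Server side: recompute with the site's key and compare in constant time."""
    word, nonce, key_id, auth_len = struct.unpack("!IQHH", msg[:16])
    if word >> 28 != MAP_REGISTER_TYPE or key_id != KEY_ID_HMAC_SHA256_128 or auth_len != AUTH_LEN:
        return False
    received = msg[16:16 + auth_len]
    zeroed = msg[:16] + b"\x00" * auth_len + msg[16 + auth_len:]
    expected = hmac.new(site_key, zeroed, hashlib.sha256).digest()[:auth_len]
    return hmac.compare_digest(received, expected)


class MapServer:
    """Holds the 'lisp site' policy: per-site key and the EID prefixes it may register."""

    def __init__(self):
        self.sites = {}          # name -> (key, [allowed prefixes], accept_more_specifics)
        self.registrations = {}  # registered EID prefix -> RLOC list

    def add_site(self, name, key, prefixes, accept_more_specifics=False):
        self.sites[name] = (key, [ipaddress.ip_network(p) for p in prefixes], accept_more_specifics)

    def site_for(self, eid_prefix):
        """The configured site whose eid-prefix statement covers this registration, if any."""
        for name, (key, allowed, more_specifics) in self.sites.items():
            for p in allowed:
                if p.version == eid_prefix.version and (
                        eid_prefix == p or (more_specifics and eid_prefix.subnet_of(p))):
                    return name, key
        return None, None

    def process_map_register(self, msg):
        records = decode_records(msg[16 + AUTH_LEN:])
        if not records:
            return "rejected: no records"
        # policy first: the prefix must be one this MS is configured to accept, and
        # every record in the message must belong to the same site (and key)
        site = self.site_for(records[0][1])
        if site[0] is None or any(self.site_for(p) != site for _, p, _ in records[1:]):
            return "rejected: no lisp site policy covers the EID prefix"
        name, key = site
        if not verify_map_register(key, msg):
            return "rejected: authentication failed"
        for _, prefix, rlocs in records:
            self.registrations[prefix] = rlocs
        return f"registered with site {name}"
```

Two design points carry over to a real deployment: the policy check runs before the HMAC check, so a registration for a prefix no site is configured for is refused without touching any key, and with `accept-more-specifics` one site key authorises every more-specific under the configured prefix, so that key’s blast radius is the whole aggregate rather than one site’s /48.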
LISP Operations
LISP Control Plane :: Map-Request/Map-Reply
[Figure: DNS entry D.abc.com AAAA 2001:db8:2::1. Flow: S sends 2001:db8:1::1 -> 2001:db8:2::1; ITR xTR-1 (11.0.0.2) asks “Is 2001:db8:2::1 a LISP Destination?” and sends a Map-Request (udp 4342, nonce) for 2001:db8:2::1 from 11.0.0.2, carried in a LISP ECM 11.0.0.2 -> 66.2.2.2 (udp 4342) to the MR; the Mapping System forwards the ECM 66.2.2.2 -> 12.0.0.2 to a registered ETR; the ETR answers with a Map-Reply (udp 4342) 12.0.0.2 -> 11.0.0.2 carrying the nonce, a TTL and the mapping 2001:db8:2::/48 → 12.0.0.2 [1, 50], 13.0.0.2 [1, 50]; the ITR installs the Map-Cache Entry (EID-prefix 2001:db8:2::/48, Locator-set 12.0.0.2 priority 1 weight 50, 13.0.0.2 priority 1 weight 50) and forwards the packet]
LISP Operations
LISP Control Plane :: Map-Request/Proxy-Map-Reply
[Figure: the Site 2 ETR registers with a LISP Map-Register (udp 4342) 12.0.0.2 -> 66.2.2.2, SHA2 HMAC, Proxy-Bit set, EID-prefix 2001:db8:2::/48 with RLOCs 12.0.0.2, 13.0.0.2. ITR xTR-1 sends its Map-Request (udp 4342, nonce) for 2001:db8:2::1 in a LISP ECM 11.0.0.2 -> 66.2.2.2; because the Proxy bit was set, the Map-Server itself answers with a Map-Reply (udp 4342) 66.2.2.2 -> 11.0.0.2 carrying the nonce, TTL and 2001:db8:2::/48 → 12.0.0.2 [1, 50], 13.0.0.2 [1, 50]; the ITR installs the Map-Cache Entry (EID-prefix 2001:db8:2::/48, Locator-set 12.0.0.2 priority 1 weight 50, 13.0.0.2 priority 1 weight 50)]
LISP Operations
LISP Control Plane :: Map-Request/Negative-Map-Reply
• Notes:
  • When an ITR queries for a destination that is not in the Mapping System, the Map-Resolver returns an NMR.
  • A TTL of 1 minute or 15 minutes is set depending on the space covered by the NMR.
NOTE: The actual “covering prefix” returned in an NMR depends on the number and distribution of EID prefixes in the Mapping System. The NMR prefix will be the shortest prefix that doesn’t cover any LISP Sites in the Mapping System.
[Figure: S sends 2001:db8:1::1 -> 2001:db7:1::1; ITR xTR-1 asks “Is 2001:db7:1::1 a LISP Destination?” and sends a Map-Request (udp 4342, nonce) from 11.0.0.2 in a LISP ECM 11.0.0.2 -> 66.2.2.2; the Map-Resolver answers with a Negative-Map-Reply (udp 4342) 66.2.2.2 -> 11.0.0.2 carrying the nonce, TTL and the covering prefix 2001:8000::/21; the ITR installs a Map-Cache Entry for EID-prefix 2001:8000::/21 with action forward-native]
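The NOTE’s rule for the covering prefix is easy to get wrong by hand, so here is an added Python example (not code from the seminar or from any LISP implementation) that computes it the way the slide states it: the shortest prefix containing the queried EID that overlaps no registered EID prefix. The TTL choice follows RFC 6833 (15 minutes when the destination is outside any configured EID space, 1 minute when it is inside a site’s configured prefix that no ETR has registered); the function names, the dictionary shape of the reply and the sample inputs are assumptions. With only the two registered /48s of the slides the covering prefix for 2001:db7:1::1 comes out as 2001:db0::/29; the 2001:8000::/21 in the figure corresponds to a Mapping System with a different set of prefixes, which is exactly the NOTE’s point.

```python
import ipaddress

NMR_TTL_NON_LISP = 15      # minutes: destination lies outside any configured EID space
NMR_TTL_UNREGISTERED = 1   # minutes: inside configured space, but no ETR has registered it


def covering_prefix(eid, registered):
    """Shortest prefix that contains eid and overlaps no registered EID prefix.
    Returns None when eid is itself inside a registered prefix (not an NMR case)."""
    addr = ipaddress.ip_address(eid)
    nets = [n for n in map(ipaddress.ip_network, registered) if n.version == addr.version]
    for plen in range(addr.max_prefixlen + 1):           # widest candidate first
        cand = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if not any(cand.overlaps(n) for n in nets):
            return cand
    return None


def negative_map_reply(eid, registered, configured):
    """Map-Resolver/Map-Server side of the NMR: covering prefix plus TTL choice.
    registered: prefixes with a live Map-Register; configured: 'lisp site' eid-prefixes."""
    cand = covering_prefix(eid, registered)
    if cand is None:
        return None                                       # answered by a positive Map-Reply instead
    addr = ipaddress.ip_address(eid)
    inside_cfg = any(addr in n for n in map(ipaddress.ip_network, configured)
                     if n.version == addr.version)
    return {"eid_prefix": cand, "action": "forward-native",
            "ttl_minutes": NMR_TTL_UNREGISTERED if inside_cfg else NMR_TTL_NON_LISP}


if __name__ == "__main__":
    # constructed inputs: the two registered sites of the slides and the ALL-site config
    registered = ["2001:db8:1::/48", "2001:db8:2::/48"]
    configured = ["2001:db8::/32"]
    for eid in ("2001:db7:1::1", "2001:db8:3::1", "2001:db8:2::1"):
        print(eid, "->", negative_map_reply(eid, registered, configured))
```

The 1-minute case matters operationally: a short TTL on the map-cache entry means an ITR re-asks soon after a site that was briefly unregistered comes back, while the 15-minute entry for genuinely non-LISP space keeps the Map-Resolver from being queried for every new Internet destination.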
LISP Operations
LISP Control Plane :: MS/MR Configuration example
Per-site configuration on the MS/MR (66.2.2.2):
!
router lisp
 site Site-1
  authentication-key S3cr3t-1
  eid-prefix 2001:db8:1::/48
  exit
 !
 site Site-2
  authentication-key S3cr3t-2
  eid-prefix 2001:db8:2::/48
  exit
 !
 !-:: more LISP site configs
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!
Alternative – one site covering all EID prefixes:
!
router lisp
 site ALL
  authentication-key *******
  eid-prefix 2001:db8::/32 accept-more-specifics
  exit
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!
[Figure: the two-site topology with the MS/MR at 66.2.2.2]
LISP Operations
LISP Control Plane :: Mapping-System Scaling
• Scaling the LISP Mapping System
  • Deploy multiple “stand-alone” Map-Servers and register each LISP Site to all of them (up to eight)
  • Deploy Map-Resolvers in an “Anycast” manner
  • Or, deploy a “hierarchical” Mapping System – DDT
• DDT – Delegated Database Tree
  • Hierarchy for Instance IDs and for EID Prefixes
  • DDT Map-Resolvers send (ECM) Map-Requests
  • DDT Nodes return Map-Referral messages
  • DDT Resolvers resolve the Map-Server’s RLOC iteratively
  • Conceptually similar to DNS (IN-ADDR hierarchy), but with different prefix encoding, messages, etc.
The LISP Beta Network uses DDT today…
[Figure: LISP Delegated Database Tree – a ddt-root node above ddt-tld nodes, each delegating to MRs and MSs; beneath them the MS/MRs, further DDT nodes, xTRs and PxTRs of the participating sites]
LISP Operations
Public and Private LISP Deployment Models
• “Private” LISP deployment supports a single Enterprise or Entity
  • LISP Enterprise deploys:
    • xTRs
    • Mapping System, if required
    • Proxy System, if required
• “Public” LISP deployment supports the needs of multiple Enterprises
  • LISP Service Provider deploys “shared” Mapping System and Proxy System
  • LISP Enterprises subscribe to the LISP SP, and deploy their own xTRs
[Figure: deployment examples – Stand-Alone Example; Private Enterprise Examples (LISP Ent); Global Examples (ddt-root.org, LISP SPs with subscribing LISP Ents, Enterprise A, Enterprise B, Enterprise C); LISP Beta participants shown include BCC, CCM, NJEdge.Net, PCCC, CCC, InTouch, Princeton, MU and VXNet]
LISP Operations
LISP Internetworking :: Day-One Incremental Deployment
• Early Recognition
  • Up-front recognition of an incremental deployment plan
  • LISP will not be widely deployed day-one
• Interworking for:
  • LISP sites to non-LISP sites (e.g. the rest of the Internet)
  • non-LISP sites to LISP sites
• Proxy-ITR/Proxy-ETR are deployed today
  • Infrastructure LISP network entity
  • Creates a monetized service opportunity for infrastructure players
LISP Operations
LISP Internetworking :: Day-One Incremental Deployment
• PITR – Proxy ITR
  • Receives traffic from non-LISP sites; encapsulates traffic to LISP sites
  • Advertises coarse-aggregate EID prefixes
  • LISP sites see ingress TE “day-one”
• PETR – Proxy ETR
  • Allows an EID in one AF [IPv4 or IPv6] with the opposite RLOC AF [IPv6 or IPv4] to reach a non-LISP prefix in that same EID AF (AF-hop-over)
  • Allows LISP sites with uRPF restrictions to reach non-LISP sites
[Figure: the two LISP sites (RLOCs 10.0.0.2/11.0.0.2 and 12.0.0.2/13.0.0.2) on the IPv4 Internet, a PITR and a PETR bridging to the IPv6 Internet, and the Mapping System (MR, MS at 66.2.2.2)]
LISP Operations
LISP Internetworking :: Day-One Incremental Deployment
[Figure: packet walk between a Non-LISP v6 Site host 2001:d:1::1 and Site 2 EID 2001:db8:2::1. Forward direction: the host sends 2001:d:1::1 -> 2001:db8:2::1 into the IPv6 Internet; the PITR, which advertises the coarse aggregate 2001:db8::/32, attracts it and encapsulates it as 10.9.1.1 -> 12.0.0.2 across the IPv4 Internet; xTR-3 decapsulates and delivers to D. Return direction: D sends 2001:db8:2::1 -> 2001:d:1::1; Site 2’s ITR is configured with “ipv4 use-petr 12.1.1.1” and encapsulates 12.0.0.2 -> 12.9.2.1 toward the PETR, which decapsulates into the IPv6 Internet. Also shown: 2001:f:f::1 and 2001:f:e::1 on the IPv6 side of the proxies, and the Mapping System (MR, MS 66.2.2.2)]
LISP Operations
LISP Packet Forwarding – PITR
[Flowchart, rendered as steps:]
Ingress Packet → destination lookup for a match in: the routing table (1) AND the map-cache entries with action “send-map-request” (2)
• Is a match found?
  • NO → Drop Packet (3)
  • YES → Compare the 2 prefixes found; take the prefix with the longest/most specific mask
• Does the longest (or equal) mask prefix match against a “send-map-request” map-cache entry?
  • NO → Forward Packet Natively (4)
  • YES → Packet ELIGIBLE for LISP encapsulation; Check Map-Cache entries to see which one the destination matches
• Map-Cache entry action:
  • “send-request” action? YES → Send Map-Request to Map-Resolver; Drop Packet
  • “drop” action? YES → Drop Packet
  • “forward-native” action? YES → use-petr configured? YES → LISP Encap Packet to PETR (5); NO → Forward Packet Natively
  • “fwd-encap” action? YES → LISP Encap Packet to DST RLOC (5)
NOTES:
(1) The routing table look-up is done in the table specified in the “eid-table” command (default or vrf).
(2) A map-cache entry with action “map-request” is created either by a static entry or via the “route-import” mechanism.
(3) If the destination doesn’t match a RIB route or a “send-map-request” map-cache entry, then the only other possible result is that the PITR has no forwarding route. The packet is dropped and a “network unreachable” ICMP is generated.
(4) The destination is not a LISP EID and a RIB route is available.
(5) Address lookup is performed on the destination/remote RLOC; once the output interface is known, the source RLOC is filled in.
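The ITR flowchart earlier in this section and the PITR flowchart above share the same map-cache action dispatch and differ only in how a packet becomes eligible, so here is one added Python model of both (not code from the seminar, from Cisco or from IOS; it encodes only what the two flowcharts state). The eligibility rules, the RIB-versus-map-cache precedence, the default send-map-request entry on an ITR and the four actions come from the slides; `MapCache`, `Forwarder`, `use_petr`, the verdict tuples and the sample prefixes are assumptions.

```python
import ipaddress


def longest_match(addr, nets):
    """Longest-prefix match; networks of the other address family never match."""
    best = None
    for n in nets:
        if addr in n and (best is None or n.prefixlen > best.prefixlen):
            best = n
    return best


class MapCache:
    """Map-cache keyed by EID prefix. On an ITR the control plane installs default
    send-map-request entries (so a lookup never misses); a PITR instead relies on
    static or route-imported send-map-request entries covering the EID space."""

    def __init__(self, default_request=True):
        self.entries = {}
        if default_request:
            for default in ("0.0.0.0/0", "::/0"):
                self.install(default, "send-map-request")

    def install(self, prefix, action, rlocs=()):
        self.entries[ipaddress.ip_network(prefix)] = (action, list(rlocs))

    def lookup(self, addr):
        net = longest_match(addr, self.entries)
        if net is None:
            return None, "send-map-request", []
        return (net, *self.entries[net])

    def request_entries(self):
        return [n for n, (action, _) in self.entries.items() if action == "send-map-request"]


class Forwarder:
    """One xTR/PxTR data-plane decision engine; each method returns (verdict, detail)."""

    def __init__(self, rib, map_cache, local_eid_prefixes=(), use_petr=None):
        self.rib = [ipaddress.ip_network(r) for r in rib]          # routes with a viable next hop
        self.map_cache = map_cache
        self.local_eids = [ipaddress.ip_network(p) for p in local_eid_prefixes]
        self.use_petr = use_petr                                    # assumed: PETR RLOC or None
        self.map_requests = []                                      # EIDs sent to the Map-Resolver

    def _apply_action(self, action, rlocs, dst):
        if action == "send-map-request":
            self.map_requests.append(dst)        # Map-Request goes out; the packet is dropped
            return ("drop", "map-request sent")
        if action == "drop":
            return ("drop", "map-cache drop action")
        if action == "forward-native":
            return ("encap", [self.use_petr]) if self.use_petr else ("native", None)
        if action == "fwd-encap":
            return ("encap", rlocs)
        raise ValueError(f"unknown map-cache action {action}")

    def itr_forward(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(src in p for p in self.local_eids):
            return ("native", None)              # not eligible: source is not a local EID
        route = longest_match(dst, self.rib)
        if route is not None and route.prefixlen != 0:
            return ("native", None)              # note (1): a "real" route always wins
        _, action, rlocs = self.map_cache.lookup(dst)      # default route or no route
        return self._apply_action(action, rlocs, dst)

    def pitr_forward(self, dst):
        dst = ipaddress.ip_address(dst)
        route = longest_match(dst, self.rib)                            # (1)
        request = longest_match(dst, self.map_cache.request_entries())  # (2)
        if route is None and request is None:
            return ("drop", "no route: ICMP network unreachable")       # (3)
        if request is None or (route is not None and route.prefixlen > request.prefixlen):
            return ("native", None)                                     # (4) RIB is more specific
        _, action, rlocs = self.map_cache.lookup(dst)                   # eligible: full lookup
        return self._apply_action(action, rlocs, dst)                   # (5)
```

The model makes one security-relevant difference between the two boxes visible: an ITR only ever encapsulates packets whose source is a local EID, while a PITR encapsulates whatever the Internet sends to the aggregate it advertises, so the PITR’s send-map-request entries and its RIB together define the whole set of destinations it will generate Map-Requests for.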
LISP Operations
LISP Locator Reachability…
• When RLOCs go up and down:
  • We don’t want this reflected in the mapping database; must keep the rate factor small
• Use the following mechanisms:
  • Underlying BGP where available
  • ICMP Unreachables, when sent and accepted
  • Data reception heuristics when available
  • locator-status-bits in data packets and mapping data
• Only use probing when needed:
  • Pair-wise probing won’t scale
[Figure: LISP Site 1 (xTR-S1 10.0.0.2 on Provider A 10.0.0.0/8, xTR-S2 11.0.0.2 on Provider B 11.0.0.0/8, host S) sending to LISP Site 2 (xTR-D1 12.0.0.2 on Provider X 12.0.0.0/8, xTR-D2 13.0.0.2 on Provider Y 13.0.0.0/8, host D); the question marks show that every source xTR would have to probe every destination RLOC, which is why pair-wise probing won’t scale]
LISP Operations
LISP RLOC Reachability Concepts
Reachability options
• “Routing” information when you have it
  • E.g. PE-CE links in BGP in MPLS
• Direct “data plane” packet flows
  • LISP-exclusive “locator status bits” describe the “status” of the source site’s RLOCs to receiving sites
  • Available (automatically) in LISP
  • Useful for bi-directional traffic flows
• RLOC-Probing
  • Source site “probes” destination RLOCs of active conversations
  • Available in LISP
  • Useful for updating reachability info when unidirectional traffic is prevalent
LISP Operations
LISP Locator-Reachability Bits (LSB) example
LSBs provide “data plane” reachability info
[Figure: Mapping Entry for EID-prefix 2001:db8:2::/48 – Locator-set: 12.0.0.2 priority 1 weight 50 (D1, xTR-3, ordinal 0) and 13.0.0.2 priority 1 weight 50 (D2, xTR-4, ordinal 1). The loc-reach-bits field in data packets from Site 2, bits numbered 7654 3210: the least significant bit reports ordinal 0 and the next bit ordinal 1; with both RLOCs up the field reads 0x00000003 = b’xxxxxx11’. Topology as before: Site 1 xTR-1 10.0.0.2 / xTR-2 11.0.0.2, Site 2 xTR-3 12.0.0.2 / xTR-4 13.0.0.2]
LISP Operations
LISP Locator-Reachability Bits (LSB) example
Outages are signaled “quickly” when traffic is flowing. (When traffic is not flowing, other mechanisms are needed.)
[Figure: same Mapping Entry for 2001:db8:2::/48 (12.0.0.2 priority 1 weight 50 = D1, ordinal 0; 13.0.0.2 priority 1 weight 50 = D2, ordinal 1), with xTR-4 marked failed (X). Data packets still flowing from Site 2 through xTR-3 carry loc-reach-bits with the bit for ordinal 1 cleared (previous all-up value 0x00000003 = b’xxxxxx11’), so the receiving ITRs at Site 1 stop sending to 13.0.0.2]
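To show what an ITR actually does with the loc-reach-bits of the two LSB slides, here is an added Python example (not code from the seminar, from Cisco or from any LISP implementation): it applies a 32-bit LSB value to a locator-set in ordinal order (least significant bit = ordinal 0, as on the slides and in RFC 6830), reports which ordinals changed so the ITR can follow up with an RLOC-probe, and then picks an RLOC among the usable ones by priority and weight. The locator-set values are the slides’ (12.0.0.2 and 13.0.0.2, priority 1, weight 50); the function names, the hash-based weighted choice and the extra three-locator sample are assumptions.

```python
import hashlib


def apply_locator_status_bits(locator_set, lsb):
    """locator_set: [(rloc, priority, weight)] in the ordinal order of the mapping.
    Bit i of the 32-bit field describes ordinal i: 1 = up, 0 = down."""
    if len(locator_set) > 32:
        raise ValueError("the locator-status-bits field carries at most 32 ordinals")
    return [(rloc, pri, wgt, bool((lsb >> ordinal) & 1))
            for ordinal, (rloc, pri, wgt) in enumerate(locator_set)]


def lsb_changes(locator_set, old_lsb, new_lsb):
    """Ordinals whose status flipped between two packets: the RLOCs worth probing
    before the ITR trusts an unauthenticated data-plane hint."""
    changes = []
    for ordinal, (rloc, _, _) in enumerate(locator_set):
        before, after = (old_lsb >> ordinal) & 1, (new_lsb >> ordinal) & 1
        if before != after:
            changes.append((rloc, "up" if after else "down"))
    return changes


def usable_locators(status):
    """RLOCs that are up and share the lowest priority (255 means 'never use')."""
    up = [(r, p, w) for r, p, w, is_up in status if is_up and p != 255]
    if not up:
        return []
    best = min(p for _, p, _ in up)
    return [(r, w) for r, p, w in up if p == best]


def select_rloc(candidates, flow_key):
    """Deterministic weighted choice: a flow always hashes to the same RLOC."""
    if not candidates:
        return None
    total = sum(w for _, w in candidates)
    if total == 0:            # all weights zero: the split is up to the ITR; ordinal order here
        return candidates[0][0]
    point = int.from_bytes(hashlib.sha256(flow_key.encode()).digest()[:4], "big") % total
    for rloc, w in candidates:
        if point < w:
            return rloc
        point -= w
    return candidates[-1][0]  # not reached: point is always below the total weight


if __name__ == "__main__":
    # constructed: the Site 2 locator-set of the slides, both up, then xTR-4 (ordinal 1) down
    site2 = [("12.0.0.2", 1, 50), ("13.0.0.2", 1, 50)]
    print(usable_locators(apply_locator_status_bits(site2, 0x3)))
    print(lsb_changes(site2, 0x3, 0x1), usable_locators(apply_locator_status_bits(site2, 0x1)))
```

Because the LSB field is carried unauthenticated in every data packet, the slides’ pairing of LSBs with RLOC-probing is the right operational shape: use `lsb_changes` to decide which RLOCs to probe, and only move a locator to down in the map-cache once the probe confirms it.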
LISP Operations
LISP Management – LISP Data Plane…
• Data Plane Management: ping
ping notes:
• Using RLOC to RLOC tests the underlying network
Example: RLOC to RLOC
  Left#ping 10.0.0.6 source 10.0.0.2 rep 10
  Type escape sequence to abort.
  Sending 100, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
  Packet sent with a source address of 10.0.0.2
  !!!!!!!!!!
  Success rate is 100 percent (10/10), round-trip min/avg/max = 0/0/1 ms
  Left#
[Figure: LISP Site 1 (PI EID-prefix 172.16.1.0/24, host S, xTR1) and LISP Site 2 (PI EID-prefix 172.16.2.0/24, host D, xTR2) across CORE 10.0.0.0/8, with an MS/MR; core links .1/.2 (xTR1), .5/.6 (xTR2), .9/.10 (MS/MR)]
LISP Operations
LISP Management – LISP Data Plane…
• Data Plane Management: ping
• Common Theme:
  • OVER for EIDs
  • UNDER for RLOCs
ping notes:
• Using RLOC to RLOC tests the underlying network
• Using EID to EID tests the LISP data plane
• When PxTR infrastructure is involved, EID to RLOC and RLOC to EID tests can also be useful
Example: EID to EID
  Left#ping 172.16.2.2 source 172.16.1.2 rep 10
  Type escape sequence to abort.
  Sending 100, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
  Packet sent with a source address of 172.16.1.2
  !!!!!!!!!!
  Success rate is 100 percent (10/10), round-trip min/avg/max = 0/0/1 ms
  Left#
[Figure: same two-site topology (172.16.1.0/24 behind xTR1, 172.16.2.0/24 behind xTR2, CORE 10.0.0.0/8, MS/MR)]
LISP Operations
LISP Management – LISP Data Plane…
• Data Plane Management: traceroute
traceroute notes:
• Unlike other “tunneling” techniques, LISP (tries to) show all intermediate hops
• Cross Address Family traceroute is not supported because “traceroute” does not support it
Example: EID to EID
  Left#traceroute 172.16.2.1 source 172.16.1.1
  Type escape sequence to abort.
  Tracing the route to 172.16.2.1
  VRF info: (vrf in name/id, vrf out name/id)
    1 10.0.0.1 1 msec 0 msec 0 msec
    2 10.0.0.6 0 msec 1 msec 0 msec
    3 172.16.2.1 0 msec * 1 msec
  Left#
[Figure: same two-site topology; the probes with ttl=1, ttl=2 and ttl=3 expire at the core router (10.0.0.1), at xTR2 (10.0.0.6) and at the destination EID (172.16.2.1)]
LISP Operations
LISP Management – LISP Control Plane…
• Control Plane Management: lig (LISP Internet Groper)
lig notes:
• Fetches an EID-to-RLOC database mapping entry
• lig self ipv4 and lig self ipv6 indicate immediately whether a site is “registered” to the Map-Server
  Left#lig self ipv4
  Mapping information for EID 172.16.1.0 from 10.0.0.2 with RTT 32 msecs
  172.16.1.0/24, uptime: 00:00:00, expires: 23:59:53, via map-reply, self
    Locator   Uptime    State  Pri/Wgt
    10.0.0.2  00:00:00  up     1/100
  Left#
[Figure: same two-site topology (172.16.1.0/24 behind xTR1, 172.16.2.0/24 behind xTR2, CORE 10.0.0.0/8, MS/MR)]
LISP Operations
LISP Management – LISP Control Plane…
• Control Plane Management: lig (LISP Internet Groper)
lig notes:
• Fetches an EID-to-RLOC database mapping entry
• lig self ipv4 and lig self ipv6 indicate immediately whether a site is “registered” to the Map-Server
• Using lig <eid> you can verify that a remote EID is registered (and obtain its mapping and policy)
  Left#lig 172.16.2.2
  Mapping information for EID 172.16.2.2 from 10.0.0.6 with RTT 36 msecs
  172.16.2.0/24, uptime: 00:00:00, expires: 23:59:52, via map-reply, complete
    Locator   Uptime    State  Pri/Wgt
    10.0.0.6  00:00:00  up     1/1
  Left#
[Figure: same two-site topology (172.16.1.0/24 behind xTR1, 172.16.2.0/24 behind xTR2, CORE 10.0.0.0/8, MS/MR)]