Diff: rfc9837v1.txt - rfc9837.txt

	rfc9837v1.txt	rfc9837.txt

	Internet Engineering Task Force (IETF) R. Bonica	Internet Engineering Task Force (IETF) R. Bonica
	Request for Comments: 9837 Juniper Networks	Request for Comments: 9837 Juniper Networks
	Category: Experimental X. Li	Category: Experimental X. Li
	ISSN: 2070-1721 CERNET Center/Tsinghua University	ISSN: 2070-1721 CERNET Center/Tsinghua University
	A. Farrel	A. Farrel
	Old Dog Consulting	Old Dog Consulting
	Y. Kamite	Y. Kamite

	NTT Communications Corporation	NTT DOCOMO BUSINESS
	L. Jalil	L. Jalil
	Verizon	Verizon
	August 2025	August 2025

	The IPv6 VPN Service Destination Option	The IPv6 VPN Service Destination Option

	Abstract	Abstract

	This document describes an experiment in which VPN service	This document describes an experiment in which VPN service
	information is encoded in an experimental IPv6 Destination Option.	information is encoded in an experimental IPv6 Destination Option.

	skipping to change at line 199 ¶	skipping to change at line 199 ¶
	the option. The packet MUST be processed according to the setting of	the option. The packet MUST be processed according to the setting of
	the two highest-order bits of the Option Type (see NOTE below).	the two highest-order bits of the Option Type (see NOTE below).

	NOTE: For this experiment, the Option Type is set to '01011110',	NOTE: For this experiment, the Option Type is set to '01011110',
	i.e., 0x5E. The highest-order two bits are set to 01, indicating	i.e., 0x5E. The highest-order two bits are set to 01, indicating
	that the required action by a destination node that does not	that the required action by a destination node that does not
	recognize the option is to discard the packet. The third highest-	recognize the option is to discard the packet. The third highest-
	order bit is set to 0, indicating that Option Data cannot be modified	order bit is set to 0, indicating that Option Data cannot be modified
	along the path between the packet's source and its destination. The	along the path between the packet's source and its destination. The
	remaining low-order bits are set to '11110' to indicate the single	remaining low-order bits are set to '11110' to indicate the single

	IPv6 Destination Option Type code point available for experimentation	IPv6 Destination Option Type code point available in the "Destination
	in the "Destination Options and Hop-by-Hop Options" registry [V6MSG].	Options and Hop-by-Hop Options" registry [V6MSG] for experimentation.

	4. Forwarding Plane Considerations	4. Forwarding Plane Considerations

	The ingress PE encapsulates the customer data in a tunnel header.	The ingress PE encapsulates the customer data in a tunnel header.
	The tunnel header MUST contain an IPv6 header and a Destination	The tunnel header MUST contain an IPv6 header and a Destination
	Options header that immediately precedes the customer data. It MAY	Options header that immediately precedes the customer data. It MAY
	also include any legal combination of IPv6 extension headers.	also include any legal combination of IPv6 extension headers.


	The IPv6 header contains:	The IPv6 Header contains the following (all defined in [RFC8200]):


	* Version - Defined in [RFC8200]. MUST be equal to 6.	* Version - MUST be equal to 6.


	* Traffic Class - Defined in [RFC8200].	* Traffic Class


	* Flow Label - Defined in [RFC8200].	* Flow Label


	* Payload Length - Defined in [RFC8200].	* Payload Length


	* Next Header - Defined in [RFC8200].	* Next Header


	* Hop Limit - Defined in [RFC8200].	* Hop Limit


	* Source Address - Defined in [RFC8200]. Represents an interface on	* Source Address - Represents an interface on the ingress PE router.
	the ingress PE router. This address SHOULD be chosen according to	This address SHOULD be chosen according to guidance provided in
	guidance provided in [RFC6724].	[RFC6724].


	* Destination Address - Defined in [RFC8200]. Represents an	* Destination Address - Represents an interface on the egress PE
	interface on the egress PE router. This address SHOULD be chosen	router. This address SHOULD be chosen according to guidance
	according to guidance provided in [RFC6724].	provided in [RFC6724].


	The IPv6 Destination Options Extension Header contains:	The IPv6 Destination Options Extension Header contains the following
		(all defined in [RFC8200]):


	* Next Header - Defined in [RFC8200]. MUST identify the protocol of	* Next Header - MUST identify the protocol of the customer data.
	the customer data.


	* Hdr Ext Len - Defined in [RFC8200].	* Hdr Ext Len


	* Options - Defined in [RFC8200]. In this experiment, the Options	* Options - In this experiment, the Options field MUST contain
	field MUST contain exactly one VPN Service Option as defined in	exactly one VPN Service Option as defined in Section 3 of this
	Section 3 of this document. It MAY also contain any legal	document. It MAY also contain any legal combination of other
	combination of other Destination Options.	Destination Options.

	5. Control Plane Considerations	5. Control Plane Considerations

	The FIB can be populated by:	The FIB can be populated by:

	* An operator, using a Command-Line Interface (CLI)	* An operator, using a Command-Line Interface (CLI)

	* A controller, using the Path Computation Element Communication	* A controller, using the Path Computation Element Communication
	Protocol (PCEP) [RFC5440] or the Network Configuration Protocol	Protocol (PCEP) [RFC5440] or the Network Configuration Protocol
	(NETCONF) [RFC6241]	(NETCONF) [RFC6241]

	* A routing protocol	* A routing protocol


	Routing protocol extensions that support the IPv6 VPN Service	Routing protocol extensions that support the VPN Service Option are
	Destination Option are beyond the scope of this document.	beyond the scope of this document.

	6. IANA Considerations	6. IANA Considerations

	This document has no IANA actions.	This document has no IANA actions.

	7. Security Considerations	7. Security Considerations

	A VPN is characterized by the following security policy:	A VPN is characterized by the following security policy:

	* Nodes outside of a VPN cannot inject traffic into the VPN.	* Nodes outside of a VPN cannot inject traffic into the VPN.

	* Nodes inside a VPN cannot send traffic outside of the VPN.	* Nodes inside a VPN cannot send traffic outside of the VPN.

	A set of PE routers cooperate to enforce this security policy. If a	A set of PE routers cooperate to enforce this security policy. If a
	device outside of that set could impersonate a device inside of the	device outside of that set could impersonate a device inside of the
	set, it would be possible for that device to subvert security policy.	set, it would be possible for that device to subvert security policy.
	Therefore, impersonation must not be possible. The following	Therefore, impersonation must not be possible. The following
	paragraphs describe procedures that prevent impersonation.	paragraphs describe procedures that prevent impersonation.


	The IPv6 VPN Service Destination Option can be deployed:	The VPN Service Option can be deployed:

	* On the global Internet	* On the global Internet

	* Inside of a limited domain	* Inside of a limited domain


	When the IPv6 VPN Service Destination Option is deployed on the	When the VPN Service Option is deployed on the global Internet, the
	global Internet, the tunnel that connects the ingress PE to the	tunnel that connects the ingress PE to the egress PE MUST be
	egress PE MUST be cryptographically protected by one of the	cryptographically protected by one of the following:
	following:

	* The IPv6 Authentication Header (AH) [RFC4302]	* The IPv6 Authentication Header (AH) [RFC4302]

	* The IPv6 Encapsulating Security Payload (ESP) Header [RFC4303]	* The IPv6 Encapsulating Security Payload (ESP) Header [RFC4303]


	When the IPv6 VPN Service Destination Option is deployed in a limited	When the VPN Service Option is deployed in a limited domain, all
	domain, all nodes at the edge of limited domain MUST maintain Access	nodes at the edge of limited domain MUST maintain Access Control
	Control Lists (ACLs). These ACLs MUST discard packets that satisfy	Lists (ACLs). These ACLs MUST discard packets that satisfy the
	the following criteria:	following criteria:


	* Contain an IPv6 VPN Service Option	* Contain a VPN Service Option

	* Contain an IPv6 Destination Address that represents an interface	* Contain an IPv6 Destination Address that represents an interface
	inside of the limited domain	inside of the limited domain

	The mitigation techniques mentioned above operate in fail-open mode.	The mitigation techniques mentioned above operate in fail-open mode.
	That is, they require explicit configuration in order to ensure that	That is, they require explicit configuration in order to ensure that
	packets using the approach described in this document do not leak out	packets using the approach described in this document do not leak out
	of a domain. See [SAFE-LIM-DOMAINS] for a discussion of fail-open	of a domain. See [SAFE-LIM-DOMAINS] for a discussion of fail-open
	and fail-closed modes.	and fail-closed modes.


	skipping to change at line 526 ¶	skipping to change at line 525 ¶
	Beijing	Beijing
	China	China
	Email: xing@cernet.edu.cn	Email: xing@cernet.edu.cn

	Adrian Farrel	Adrian Farrel
	Old Dog Consulting	Old Dog Consulting
	United Kingdom	United Kingdom
	Email: adrian@olddog.co.uk	Email: adrian@olddog.co.uk

	Yuji Kamite	Yuji Kamite

	NTT Communications Corporation	NTT DOCOMO BUSINESS
	3-4-1 Shibaura, Minato-ku	Chiyoda-ku, Tokyo
	Japan	Japan
	Email: y.kamite@ntt.com	Email: y.kamite@ntt.com

	Luay Jalil	Luay Jalil
	Verizon	Verizon
	Richardson, Texas	Richardson, Texas
	United States of America	United States of America
	Email: luay.jalil@one.verizon.com	Email: luay.jalil@one.verizon.com

End of changes. 21 change blocks.
	38 lines changed or deleted	37 lines changed or added
This html diff was produced by rfcdiff 1.48.