Internet Draft
IPng Working Group                          A. Conta (Lucent)
INTERNET-DRAFT
                                            July 1997


       IPv6 Inverse Neighbor Discovery for IPv6 and IPv4 Tunnels

                             Specification

                   draft-conta-ipv6-inv-nd-tun-00.txt


Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working doc-
   uments of the Internet Engineering Task Force (IETF), its Areas,  and
   its  Working Groups. Note that other groups may also distribute work-
   ing documents as Internet-Drafts.

   Internet-Drafts are draft  documents  valid  for  a  maximum  of  six
   months.  Internet-Drafts  may  be  updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to  use  Internet
   Drafts as reference material or to cite them other than as a "working
   draft" or "work in progress."

   To learn the current status of any Internet-Draft, please  check  the
   ``1id-abstracts.txt''  listing  contained  in  the  Internet-  Drafts
   Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net  (Europe),
   munnari.oz.au  (Pacific  Rim),  ds.internic.net  (US  East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.

Abstract

   This memo describes an extension mechanism to the IPv6 Neighbor  Dis-
   covery and IPv6 Inverse Neighbor Discovery [IND] that applies to IPv6
   and IPv4 tunnels.  The mechanism can be used to advertise the parame-
   ters of a tunnel to its exit point node, and to create a reverse tun-
   nel path between the exit point and entry point nodes of a  unidirec-
   tional  tunnel.   If  such a bidirectional tunnel already exists, the
   mechanism can be used to learn the IPv6 address of the tunnel pseudo-
   interface  of the exit-point node, as well as the reverse tunnel path
   parameters.







Conta                   Expires in six months       [Page 1]




INTERNET-DRAFT         IPv6 Inverse ND for Tunnels          29 July 1997


1. Introduction


   This document defines an extension mechanism  to  the  IPv6  Neighbor
   Discovery and IPv6 Inverse Neighbor Discovery to advertise the param-
   eters of an IPv6 or IPv4 tunnel to the exit point node. The mechanism
   can  be used at the time of configuring a tunnel, to create a reverse
   tunnel path, from the exit-point node to the entry-point node, i.e. a
   bidirectional tunnel.  If the reverse tunnel path already exists, the
   mechanism can be used to learn the IPv6 address of the tunnel pseudo-
   interface  of the exit-point node, as well as the reverse tunnel path
   parameters.

   The keywords MUST, MUST NOT, MAY, OPTIONAL,   REQUIRED,  RECOMMENDED,
   SHALL,  SHALL  NOT,  SHOULD,  SHOULD  NOT   are  to be interpreted as
   defined in RFC 2119.


2. Inverse Neighbor Discovery Messages

   The Inverse Neighbor Discovery Messages defined by  [IND],  with  the
   TLEN,  an  additional  option  defined  later  in  this document, are
   employed with IPv6 tunnels as follows:

2.1.  Inverse Neighbor Discovery Solicitation Message Format

   A tunnel entry-point node sends an Inverse Neighbor Discovery Solici-
   tation to the exit-point node to request the IPv6 address correspond-
   ing to the virtual link-layer address represented by the IPv6 address
   configured as exit-point node address.

   The  sender  node  provides its own virtual link-layer address to the
   target, as well as additional  parameters  such  as  MTU  and  Tunnel
   Nested  Encapsulation Limit (IPv6). A tunnel Inverse Neighbor Discov-
   ery Solicitation is a virtual link-layer unicast message. The message
   is sent as a tunnel packet, i.e. encapsulated in an IPv6 or IPv4 tun-
   nel header that has as source and destination the tunnel  entry-point
   and exit-point node addresses.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |     Code      |          Checksum             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           Reserved                            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Options ...
     +-+-+-+-+-+-+-+-+-+-+-+-



Conta                   Expires in six months       [Page 2]




INTERNET-DRAFT         IPv6 Inverse ND for Tunnels          29 July 1997


   IP Fields:

      Source Address
                     An  IPv6  address  assigned  to  the tunnel pseudo-
                     interface from which this message is sent.

      Destination Address
                     The solicited-node multicast address of  the  exit-
                     point  node - built based on the exit-point node IP
                     address.  Alternatively,  the  all-node   multicast
                     address could be used.

      Hop Limit      255

      Priority       15

      Authentication Header
                     If a Security Association for the IP Authentication
                     Header exists between the sender and  the  destina-
                     tion address (entry and exit point node addresses),
                     then the sender SHOULD include this header.


   ICMP Fields:

      Type           135 or [TBD] if considered a new message

      Code           0

      Checksum       The ICMP checksum.  See [ICMPv6].

      Reserved       This field is unused.  It MUST be initialized to
                     zero by the sender  and  MUST  be  ignored  by  the
                     receiver.

   Required options:

      Source link-layer address
                     The  IPv6  or  IPv4  address  configured  as tunnel
                     entry-point node address, which plays the  role  of
                     the sender's virtual link-layer address.

      Target link-layer address
                     The IPv6 or IPv4 address configured as tunnel exit-
                     point node address, which plays  the  role  of  the
                     receiver's virtual link-layer address.

   Possible options:



Conta                   Expires in six months       [Page 3]




INTERNET-DRAFT         IPv6 Inverse ND for Tunnels          29 July 1997


   MTU            The MTU of this link (tunnel MTU).

   TNEL           The configured value of the Tunnel Nested
                  Encapsulation Limit (IPv6 only).



   Future  versions  of  this  protocol  may  add  other  option  types.
   Receivers MUST silently ignore any options they do not recognize  and
   continue processing the message.


2.2   Inverse Neighbor Discovery Advertisement Message Format

   A  tunnel exit-point node sends Inverse Neighbor Discovery Advertise-
   ments in response to Inverse Neighbor Discovery Solicitations if it ?
   created  a  reverse  tunnel,  i.e.  a  bidirectional  tunnel, or if a
   reverse tunnel path exists.

   The message is send as a tunnel packet, i.e. encapsulated in a tunnel
   header  that  has as source and destination the reverse tunnel entry-
   point and exit-point node addresses.

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 =
1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |     Type      |     Code      |          Checksum             |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |R|S|O|                     Reserved                            |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                                                               |
        +                                                               +
        |                                                               |
        +                       Target Address                          +
        |                                                               |
        +                                                               +
        |                                                               |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |   Options ...
        +-+-+-+-+-+-+-+-+-+-+-+-


   IP Fields:

      Source Address
                     An IPv6 address assigned to the tunnel pseudo-interface
                     from which the advertisement is sent.




Conta                   Expires in six months       [Page 4]




INTERNET-DRAFT         IPv6 Inverse ND for Tunnels          29 July 1997


      Destination Address
                     The IPv6 Source Address of the invoking Neighbor
                     Solicitation.

      Hop Limit      255

      Priority       15

      Authentication Header
                     If a Security Association for the IP Authentication
                     Header exists between the sender and the destination
                     address, then the sender SHOULD include this header.


   ICMP Fields:

      Type           136

      Code           0

      Checksum       The ICMP checksum.  See [ICMPv6].

      R              Router flag.  When set, the R-bit indicates that the
                     sender is a router.  The R-bit is used by Neighbor
                     Unreachability Detection to detect a router that
                     changes to a host.

      S              Solicited flag.  When set, the S-bit indicates that
                     the advertisement was sent in response to a Neighbor
                     Solicitation from the Destination address.  The S-bit
                     is used as a reachability confirmation for Neighbor
                     Unreachability Detection.  It MUST NOT be set in
                     multicast advertisements or in unsolicited unicast
                     advertisements.

      O              Override flag.  When set, the O-bit indicates that
                     the advertisement should override an existing cache
                     entry  and  update the cached virtual link-layer to
                     IPv6 address mapping.   When  it  is  not  set  the
                     advertisement  will  not  update  a  cached virtual
                     link-layer address to IPv6 address  mapping  though
                     it will update an existing Neighbor Cache entry for
                     which no IPv6 address is known.

      Reserved       29-bit unused field.  It MUST be initialized to zero
                     by the sender and MUST be ignored by the receiver.





Conta                   Expires in six months       [Page 5]




INTERNET-DRAFT         IPv6 Inverse ND for Tunnels          29 July 1997


      Target Address
                     The IPv6 or IPv4 address of the tunnel exit-point node
                     corresponding to the Target Link-Layer  Address  in
                     the  Inverse Neighbor Discover Solicitation message
                     that prompted this  advertisement.   For  an  unso-
                     licited  advertisement,  the  IPv6  or IPv4 address
                     whose virtual link-layer address  to  IPv6  address
                     mapping has changed.

   Mandatory options:

      Target link-layer address
                     The virtual link-layer address of the target, i.e., the
                     IPv6 or IPv4 address of the tunnel exit-point node,
                     sender of the advertisement.

      Source link-layer address
                     The virtual link-layer address of the source, i.e., the
                     IPv6 or IPv4 address of the tunnel entry-point node,
                     receiver of the advertisement.

   Possible options:


   MTU            The MTU of this link (tunnel virtual link).

   TNEL           The configured  value for the Tunnel Nested
                  Encapsulation Limit. For IPv6 only.
                  This is the value for the reverse tunnel.



   Future  versions  of  this  protocol  may  add  other  option  types.
   Receivers MUST silently ignore any options they do not recognize  and
   continue processing the message.


2.3.  Tunnel Nested Encapsulation Limit.

   This is an option to be sued with IPv6 tunnels only [TUNNEL].
      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |    Length     |           Reserved            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     TNEL      |                Reserved                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+




Conta                   Expires in six months       [Page 6]




INTERNET-DRAFT         IPv6 Inverse ND for Tunnels          29 July 1997


Fields:

   Type           5

   Length         1

   Reserved       This field is unused.  It MUST be initialized to zero
                  by the sender and MUST be ignored by the receiver.

   TNEL           The configured value for the Tunnel Nested
                  Encapsulation Limit.

   Reserved       This field is unused.  It MUST be initialized to zero
                  by the sender and MUST be ignored by the receiver.


3. Conceptual Model

   An  IPv6  or  an IPv4 for IPv6 transition tunnel is configured at the
   tunnel entry-point node as a virtual link to  the  tunnel  exit-point
   node.  This  leaves a tunnel exit-point unaware of the existence of a
   tunnel terminating at that node.   Although  tunnel  entry-point  and
   exit-point  addresses  pin-point  the  virtual  link  end points, the
   reverse path from the exit-point node to the entry point node may  be
   completely  different than the direct path, unless both are specified
   as direct strict source route and respectively  its  reversed  strict
   source route.  This implies that a tunnel is unidirectional.

   The  end-point nodes addresses are used to fill the source and desti-
   nation fields  in the  tunnel  header  prepended  to  a  packet  sent
   through the tunnel, similarly to a link-layer encapsulation. The tun-
   nel virtual link is virtually terminated in tunnel  pseudo-interfaces
   at  both ends. These pseudo-interfaces have their own IPv6 addresses.
   A tunnel entry-point pseudo-interface  IPv6  address  may  appear  as
   original  packet  source address if a packet originated at the tunnel
   entry-point node is forwarded through the tunnel towards its destina-
   tion.   Knowing and using as destination the IPv6 address of the tun-
   nel pseudo-interface of the exit-point node  may  result  in  packets
   sent  through the tunnel only if the forwarding path to that destina-
   tion is configured so.

   The entry-point node can advertise to the exit-point node the config-
   uring  of  a tunnel by way of Inverse Neighbor Discovery Solicitation
   messages.  As a result, the exit-point node learning about the tunnel
   may  optionally  create  a  reverse  path  tunnel, hence creating the
   effect of a bidirectional tunnel, with potentially  different  direct
   and reverse paths.  Additionally, by responding with Inverse Neighbor
   Discovery Advertising messages,  the  exit-point  node  notifies  the



Conta                   Expires in six months       [Page 7]




INTERNET-DRAFT         IPv6 Inverse ND for Tunnels          29 July 1997


   bidirectional tunnel effect to the entry-point node.


4. Security Considerations

   The  creation  of  a reverse tunnel path raises security issues which
   need be discussed. At this early stage this  memo  does  not  address
   those security issues.


5. Acknowledgments

   This  draft  is a result of a discussion with Steve Deering about the
   applicability and benefits of Neighbor Discovery  for  IPv6  tunnels.
   After  more  thinking  and  in combination with IPv6 Inverse Neighbor
   Discovery things seemed to fall into place.

   The IPv4 part was quickly added after Dan Harrington  suggested  that
   it would be a good idea to have it.

   Thanks  to Thomas Narten and Erik Nordmakr for discussing the idea =
of
   this memo.

6. References

   [RFC-1883] S. Deering, R. Hinden, "Internet Protocol Version 6 Speci-
   fication"


   [RFC-1885]  A. Conta, and S. Deering "Internet Control Message Proto-
   col for the Internet Protocol Version 6 (IPv6)"


   [RFC-1970] T. Narten, E. Nordmark, W.Simpson "Neighbor Discovery  for
   IP Version 6 (IPv6)"


   [RFC-1825]  R. Atkinson, "Security Architecture for the Internet Pro-
   tocol"


   [RFC-1826] R. Atkinson, "IP Authentication Header"


   [RFC-2200] J. Reynolds, J. Postel, "Assigned Numbers"






Conta                   Expires in six months       [Page 8]




INTERNET-DRAFT         IPv6 Inverse ND for Tunnels          29 July 1997


   [IND] A. Conta "IPv6 Inverse Neighbor Discovery.


7. Authors' Addresses

   Alex Conta
   Lucent Technologies Inc.
   300 Baker Ave, Suite 100
   Concord, MA 01742
   +1-508-287-2800/ext 2842

   email: aconta@lucent.com







































Conta                   Expires in six months       [Page 9]