LISP – Locator/ID Separation Protocol

LISP – Locator/ID Separation Protocol

Hernán Contreras G. Consulting Systems Engineer

[email protected]

© 2010 Cisco Systems, Inc. All rights reserved. Cisco Public LISP CA Training 2

LISP Next Gen Routing Architecture Locator-ID Separation Protocol (LISP) “Elevator Pitch”

  LISP is a “Next-Generation Routing Architecture” – not just a “feature”

  The LISP delivers: – Internet & Intranet Scalability: Reduction of Core Routing Table IP state

– ISP transparency • Flexible Routing Policy

• Prefix Portability

– Seamless Mobility

– IPv4/IPv6 co-existence

– VPN semantics (multi-tenancy)

Directory

Resolution & Registration Data Path


  LISP originally conceived to address Internet Scaling What causes scaling issues? −  IP addresses denote both location and

identity today

− Overloaded IP address semantic makes efficient routing impossible

−  IPv6 does not fix this

Why are scaling issues bad? − Routers require tons of expensive memory

to hold the Internet Routing Table in the forwarding plane of a router

−  It’s expensive for network builders/operators

− Replacing equipment for the wrong reason (to hold the routing table rather than implementing new features…)

−  It’s not environmentally GREEN

“… routing scalability is the most important problem facing the Internet today and must be solved … ”

Internet Architecture Board (IAB) October 2006 Workshop (written as RFC 4984)

LISP Overview Why was LISP developed?


Provider G

Provider D Provider Z

Provider W Provider H

Provider Assigned (PA)

10.1.1.0/24

15.0.0.0/8 15.0.0.0/8 10.1.1.0/24

R1

LISP Overview What Pollutes the Internet?

R2

10.1.1.0/24

Provider Independent (PI)

15.0.0.0/8

R1 R2

Provider Y 13.0.0.0/8

Provider X 12.0.0.0/8 Provider A

10.0.0.0/8 Provider B 11.0.0.0/8

15.0.0.0/8 Provider C 10.1.1.0/24 10.0.0.0/8

15.0.0.0/8 10.1.1.0/24

Internet


S

  EIDs – Used inside of sites End-site addresses for hosts and routers EIDs go in DNS records – same as today! Generally not globally routed on underlying infrastructure New namespace

  RLOCs – Used in the Core Infrastructure addresses for LISP routers and ISP routers – Routed just like today! Hosts do not know about them Globally routed and aggregated along the Internet connectivity topology Existing namespace

LISP Overview Locator/ID Separation


R2

EID Space

Locator Space

R1

Provider X 10.0.0.0/8

LISP creates two Name Spaces: EID (Endpoint Identifier) is the host IP address RLOC (Routing Locator) is the infrastructure IP address of the LISP router

In LISP, the EID can move independently of the RLOC


Provider G




10.1.1.0/24

15.0.0.0/8 15.0.0.0/8 10.1.1.0/24

R1

LISP Overview Why does Locator/ID Split solve this problem?

R2

10.1.1.0/24


15.0.0.0/8

R1 R2



10.0.0.0/8 Provider B 11.0.0.0/8

Provider C 10.1.1.0/24

Internet

•  Addresses at sites, both PA and PI, can get de-aggregated by multi-homing

•  Aggregates for infrastructure addresses (e.g. CE-PE links) get advertised as well

12.4.4.1/30 13.3.3.5/30 11.2.1.17/30 10.9.1.45/30

13/8 12/8 11/8

15.0/9 15.128/9 10.1.1.0/24 10/8

Some-Core-Rtr# show ip route bgp 10.0.0.0/8 is variably subnetted, 15 subnets, 8 masks B 10.1.1.0/24 [20/0] via 128.223.3.9, 3d19h 11.0.0.0/8 is variably subnetted, 8 subnets, 4 masks B 11.0.0.0/8 [20/0] via 128.223.3.9, 1d17h 12.0.0.0/8 is variably subnetted, 29 subnets, 6 masks B 12.1.0.0/16 [20/0] via 128.223.3.9, 3d19h B 12.4.4.0/22 [20/0] via 128.223.3.9, 3d19h 13.0.0.0/8 is variably subnetted, 13 subnets, 4 masks B 13.0.0.0/8 [20/0] via 128.223.3.9, 14:00:10 B 13.3.0.0/10 [20/0] via 128.223.3.9, 5d23h 15.0.0.0/8 is variably subnetted, 2 subnets, 1 masks B 15.0.0.0/9 [20/0] via 128.223.3.9, 14:00:10 B 15.128.0.0/9 [20] via 128.223.3.9, 3d19h

Existing “locator” Namespace

Before Loc/ID Split


LISP Overview Why does Locator/ID Split solve this problem?

Provider G




10.1.1.0/24

15.0.0.0/8 15.0.0.0/8 10.1.1.0/24

R1 R2

10.1.1.0/24


15.0.0.0/8

R1 R2



10.0.0.0/8 Provider B 11.0.0.0/8

Provider C 10.1.1.0/24

Internet

•  Addresses at sites, both PA and PI, can get de-aggregated by multi-homing

•  Aggregates for infrastructure addresses (e.g. CE-PE links) get advertised as well

12.4.4.1/30 13.3.3.5/30 11.2.1.17/30 10.9.1.45/30

13/8 12/8 11/8

15/8 15/8 10.1.1.0/24 10/8 10/8

After Loc/ID Split

New “host” Namespace

15.0.0.0/8 ... ...

10.1.1.0/24

Some-Core-Rtr# show ip route bgp 10.0.0.0/8 is variably subnetted, 15 subnets, 8 masks 11.0.0.0/8 is variably subnetted, 8 subnets, 4 masks B 11.0.0.0/8 [20/0] via 128.223.3.9, 1d17h 12.0.0.0/8 is variably subnetted, 29 subnets, 6 masks B 12.1.0.0/16 [20/0] via 128.223.3.9, 3d19h B 12.4.4.0/22 [20/0] via 128.223.3.9, 3d19h 13.0.0.0/8 is variably subnetted, 13 subnets, 4 masks B 13.0.0.0/8 [20/0] via 128.223.3.9, 14:00:10 B 13.3.0.0/10 [20/0] via 128.223.3.9, 5d23h

Existing “locator” Namespace

Off-line control plane


peer-to-peer communications

peer-to-peer communications source

host destination

host

Internet

7. Application

5. Session 6. Presentation

4. Transport

2. Data Link

1. Physical

3. Network (host)

En-cap packets

7. Application

5. Session 6. Presentation

4. Transport

2. Data Link

1. Physical

3. Network (host)

2. Data Link

3. Network (LISP)

1. Physical

3. Network (host)

(LISP UDP)

De-cap packets

2. Data Link

3. Network (LISP)

1. Physical

3. Network (host)

(LISP UDP)

LISP ITR

LISP ETR

LISP Overview LISP Data Plane Concepts

  Network-based “Map and Encap” approach Requires the fewest changes to existing systems – only the CPE No changes in hosts, DNS, or Core infrastructure New Mapping Service required for EID-to-RLOC mapping resolution

•  Design for encapsulation and router placement

2. Data Link

3. Network (LISP)

1. Physical

3. Network (host)

(LISP UDP)

EID packets are encapsulated in RLOC packets and forwarded over the Internet


LISP Overview LISP Header Format

Outer Header: Router supplies

RLOCs

draft-ietf-lisp-15

Inner Header: Host supplies

EIDs

LISP header

UDP


LISP Operations LISP Components – Ingress/Egress Tunnel Router (xTR)

ITR – Ingress Tunnel Router •  Receives packets from site-facing

interfaces •  Encaps to remote LISP site or natively

forwards to non-LISP site

ETR – Egress Tunnel Router •  Receives packets from core-facing

interfaces •  De-caps and delivers to local EIDs at

the site

S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D

Provider A 10.0.0.0/8

Provider B 11.0.0.0/8



PITR PETR

MR

ALT

MS

ALT

ALT ALT


LISP Operations Data Plane Example – Unicast Packet Forwarding

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2 S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





PI EID-prefix 2.0.0.0/24


DNS entry: D.abc.com A 3.0.0.3

2.0.0.2 -> 3.0.0.3

EID-prefix: 3.0.0.0/24 Locator-set: 12.0.0.2, priority: 1, weight: 50 (D1)

13.0.0.2, priority: 1, weight: 50 (D2)

Mapping Entry This policy controlled

by destination site

2.0.0.2 -> 3.0.0.3 11.0.0.1 -> 12.0.0.2

2.0.0.2 -> 3.0.0.3 11.0.0.1 -> 12.0.0.2 2.0.0.2 -> 3.0.0.3

Legend: EIDs -> Green Locators -> Red Physical link


S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Operations Control Plane – Mapping Database & Map Cache

PITR PETR

MR

ALT

MS

ALT

ALT ALT

LISP Map Cache •  Obtained and stored in ITRs for the sites they are currently

sending packets to •  Map-Cache populated by Map-Replies from ETRs •  Stored in ITRs – only for sites to which they are currently

sending packets •  ITRs must respect policy of Map-Reply mapping data including

TTLs, RLOC up/down status, RLOC priorities/weights

LISP Mapping-Database •  Stored in all ETRs of each LISP site, not centralized •  EID-to-RLOC mappings in all ETRs for each LISP site •  ETR is “authoritative” for its EIDs, sends Map-Replies to

ITRs •  ETRs can tailor policy based on Map-Request source •  Decentralization increases attack resiliency


LISP Operations LISP Components – Map-Server/Map-Resolver (MS/MR)

S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





PITR PETR

MR

ALT

MS

ALT

ALT ALT

MS – Map-Server •  LISP ETRs Register here; requires

configured “lisp site” policy, key •  Injects routes for registered LISP sites

into ALT thru ALT service interface •  Receives Map-Requests via ALT; en-

caps Map-Requests to registered ETRs

MR – Map-Resolver •  Receives Map-Request encapsulated

from ITR •  De-caps Map-Request, forwards thru

service interface onto the ALT topology •  Sends Negative Map-Replies in response

to Map-Requests for non-LISP sites

When ALT is used, Map-Servers advertise EID-prefixes


LISP Operations LISP Components – LISP-ALT Topology (ALT)

S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





PITR PETR

MR

ALT

MS

ALT

ALT ALT

ALT – Alternative Topology •  Advertises EID-prefixes in Alternate BGP

topology over GRE •  Service interface for Map-Requests and

Map-Replies •  Devices with ALT service interface include:

MS, MR, xTR, PxTR •  ALT-only router aggregates ALT peering

connections and can be off-the-shelf gear, a router, commodity Linux host, etc.


LISP Operations How LISP-ALT Works

Legend: EIDs -> Green Locators -> Red GRE Tunnel Low Opex Physical link Map-Request Map-Reply

ETR

ETR

ETR

ITR

EID-prefix 240.1.2.0/24

ITR

EID-prefix 240.1.1.0/24

ALT EID-prefix 240.2.1.0/24

240.0.0.1 -> 240.1.1.1

2.2.2.2

EID-prefix 240.0.0.0/24

240.0.0.1 -> 240.1.1.1 11.0.0.1 -> 1.1.1.1

ALT-rtr

ALT-rtr

ALT-rtr

ALT-rtr

ALT-rtr

ALT-rtr

12.0.0.1

11.0.0.1

?

11.0.0.1 -> 240.1.1.1

? <- 24

0.1.1.0/24

<- 240.1.2.0/24

< - 240.1.0.0/16 ?

11.0.0.1 -> 240.1.1.1

?

1.1.1.1 -> 11.0.0.1

When sites are attached to the ALT with GRE tunnels


LISP Modular Mapping Database Infrastructure

xTRs

xTRs

xTRs

xTRs

xTRs

xTRs

xTRs

xTRs

xTRs

xTRs

xTRs xTRs

xTRs

xTRs

xTRs xTRs xTRs

MS/MRs

MS/MRs MS/MRs

MS/MRs

MS/MRs

MS/MRs

MS/MRs MS/MRs

ALT ALT ALT

ALT

Legend: LISP Sites -> green 1st layer access infrastructure -> blue 2nd layer core infrastructure -> red

Want the ability to swap Mapping Database Infrastructure without changing sites


LISP Operations Control Plane Example – ETR Registration

65.1.1.1 66.2.2.2

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2



S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





MR

ALT

MS

ALT

ALT ALT

Legend: EIDs -> Green Locators -> Red BGP-over-GRE Physical link

[1] 12.0.0.2-> 66.2.2.2 LISP Map-Register

(udp 4342) SHA-1

MS advertises into ALT

BGP over GRE

3.0.0.0/8 [2] ALT advertise

throughout Including to

Map-Resolver

[3] 3.0.0.0/8

Other 3/8 sites…


LISP Operations Control Plane Example – Map Request

65.1.1.1 66.2.2.2

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2



S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





MR

ALT

MS

ALT

ALT ALT


DNS entry: D.abc.com A 3.0.0.3

2.0.0.2 -> 3.0.0.3 How do I get to 3.0.0.3?

11.0.0.1 -> 3.0.0.3 Map-Request

(udp 4342) nonce

11.0.0.1 -> 65.1.1.1 LISP ECM (udp 4342)

[1]

[2]

[3] [4]

11.0.0.1 -> 3.0.0.3 Map-Request

(udp 4342) nonce 11.0.0.1 -> 3.0.0.3

Map-Request (udp 4342)

nonce

66.2.2.2 -> 12.0.0.2 LISP ECM (udp 4342) [5]


LISP Operations Control Plane Example – Map Reply

65.1.1.1 66.2.2.2

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2



S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





MR

ALT

MS

ALT

ALT ALT


12.0.0.2 ->11.0.0.1 Map-Reply (udp 4342)

nonce 3.0.0.0/24

12.0.0.2 [1, 50] 13.0.0.2 [1, 50]

[6]

EID-prefix: 3.0.0.0/24 Locator-set: 12.0.0.2, priority: 1, weight: 50 (D1)

13.0.0.2, priority: 1, weight: 50 (D2)

Mapping Entry


Interworking Using LISP-NAT

Legend: LISP Sites -> Green (and EIDs) non-LISP Sites -> Red (and RLOCs) xTR

R-prefix 65.1.0.0/16

R-prefix 65.2.0.0/16

R-prefix 65.3.0.0/16

65.0.0.0/12

65.3.3.3 -> 66.3.3.3 1.3.3.3 -> 65.3.3.3

65.3.3.3 -> 1.3.3.3

Forward 66.0.0.0/12

Forward

Local/Uncoordinated Solution

1.1.1.1 -> 1.2.2.2 66.1.1.1 -> 66.2.2.2

NR-prefix 1.2.0.0/16



66.2.2.2

66.3.3.3 -> 65.3.3.3 Translate


Interworking Using PTRs

R-prefix 65.1.0.0/16

R-prefix 65.2.0.0/16

R-prefix 65.3.0.0/16

65.0.0.0/12 66.0.0.0/12

Infrastructure Solution Legend: LISP Sites -> Green (and EIDs) non-LISP Sites -> Red (and RLOCs) xTR




66.2.2.2 65.9.2.1

PTR BGP Advertise:

1.0.0.0/8

PTR BGP Advertise:

1.0.0.0/8

PTR BGP Advertise:

1.0.0.0/8

65.9.3.1

65.9.1.1

65.1.1.1 -> 1.1.1.1 (1)

1.1.1.1 -> 65.1.1.1

Forward Natively

(3)

Encapsulate

65.1.1.1 -> 1.1.1.1 65.9.1.1 -> 66.1.1.1

(2)


  LISP creates a level of indirection that separates End Host addresses from Site address to resolve Internet scaling issues

  LISP requires no host changes, minimal CPE changes, and adds some infrastructure components to the core

  LISP enables simplified multi-homing with ingress traffic engineering without the need for BGP

  LISP enables End Host mobility without requiring renumbering

  LISP is an open standard (no Cisco IPR)

LISP Summary Key Takeaways

  LISP “Ground Rules” Network-based solution No host changes No new addressing to site devices; minimal configuration changes Incrementally deployable; interoperable with existing Internet

  LISP “Attributes” Designed for router encapsulation Designed for Locator Reachability Support Unicast and Multicast Data Support for IPv4 IPv6 EIDs (hosts) and RLOCs (locators)


  Needs: •  Site connectivity to multiple providers

•  Low OpEx/CapEx

  LISP Solution:

•  LISP provides a streamlined solution for handling multi-provider connectivity and policy without BGP complexity

Benefits:

•  Multi-homing across different providers

•  Simple policy management

•  Ingress Traffic Engineering

•  Egress Traffic Engineering

Site 2

ISP A

Site 1

ISP B

LISP encap/decap

xTR xTR

xTR

LISP Use-‐Cases – Mul0-‐Homing/Redundancy Use-‐Case Descrip0on


LISP Use Cases LISP Mobility Solution

S1

S2

ITR

ITR

1.0.0.1

2.0.0.1 S



3G Provider 3.0.0.0/8

4G Provider 4.0.0.0/8

WiFi Provider 5.0.0.0/8

LISP EID-prefix 10.0.0.0/8

DNS entry: mn.abc.com A 153.16.1.1

EID: 153.16.1.1

3.3.3.3

4.4.4.4

EID: 153.16.1.1

4.4.4.4

5.5.5.5

MN roams, stays multi-homed and TCP connections do not reset

10.1.1.1 -> 153.16.1.1 10.1.1.1 -> 153.16.1.1 2.0.0.1 -> 4.4.4.4

10.1.1.1 -> 153.16.1.1 2.0.0.1 -> 5.5.5.5

Map-Cache Entry: EID-prefix: 153.16.1.1/32 Locator-set: 4.4.4.4, priority: 1, weight: 50 3.3.3.3, priority: 1, weight: 50 Legend:

EIDs -> Green Locators -> Red

Map-Cache Entry: EID-prefix: 153.16.1.1/32 Locator-set: 4.4.4.4, priority: 2, weight: 100 5.5.5.5, priority: 1, weight: 100


  Needs: •  Highly-scalable, low OpEx VPNs

•  Remove IGP scaling limitations for Branch WAN aggregation

  LISP Solution: •  Using LISP in-lieu of the IGP resolves the adjacency

scaling issues

Benefits: •  Very high scale WAN aggregation (1000s

of sites)

•  Minimal State on Branch Routers

•  ISP Transparency

•  LISP Integrated Benefits

−  Integrated Multi-homing and simple policy

−  Integrated Segmentation

−  Integrated Mobility

−  IPv4/IPv6 Co-Existence

LISP Use-‐Cases – Highly Scalable VPNs Use-‐Case Descrip0on

IPv6 Network

IPv4 LISP Spoke Site

Any to Any Access



xTR xTR xTR

IPv4 LISP Hub Site

xTR

GET VPN KS

LISP MS/MR

IPv4 Data

IPv4 Data IPv4 Data

IPv6 IPv4 Encrypted

IPv6 IPv4 Data

IPv4 over IPv6 Encapsulation

(LISP Mixed Mode) • W/ No Encryption

• W/ Encryption

VPN Platform Service: • Private LISP EID

Mapping/Resolution • GET Key Distribution

IPv4 Data


S D

EIDs

Customers Customers

EIDs IPv4

IPv6 IPv6

IPv4

SP Backbone(s) (RLOCs)

LISP for IPv6 Transition

  Scales SP Backbone/Internet routing by “tunneling” PI Customer space (EID) across aggregated SP Backbone/Internet routing space (RLOC)

  Customers – PI IPv4 and/or IPv6 routing space, EIDs only   Tunnel Routers – attach customer EID networks to Internet, encaps/decaps

EID packets in RLOC headers based on mappings   Mapping Service – manages EID-RLOC mappings on Tunnel Routers

ITR

ITR

ETR

ETR

S1

S2

D1

D2

S -> D S -> D RLOC-S2 -> RLOC-D1 S -> D

RLOC-S2 -> RLOC-D1 S -> D

Mapping Service ITR=Ingress Tunnel Router

ETR=Ingress Tunnel Router

PE TR/XLAT

VPNs

Internet(s)


IPv4 Internet

IPv6 Internet

IPv4-IPv6 Interworking Architecture Cisco Pilot Deployment: 6-to-6-over-4 using LISP

M-R M-R M-R

M-S

ALT

Cisco IPv4

IPv4

IPv4

SERVERS SERVERS

IPv4

IPv4 RLOC

IPv6 EID

xTR

Current

NEW SERVERS

lisp6. cisco.com AAAA Record Advertised by Cisco.com

Non-LISP IPv6 Site

ALT ALT

PETR PETR PETR PTR PTR PITR


LISP Summary References

Locator/ID Separation Protocol (LISP) - draft-ietf-lisp-15; 10-Jan-2012. http://tools.ietf.org/html/draft-ietf-lisp-15

LISP Map Server - draft-ietf-lisp-ms-11; 20-Aug-2011. http://tools.ietf.org/html/draft-ietf-lisp-ms-11

LISP ALT - draft-ietf-lisp-alt-08; 09-Sep-2011. http://tools.ietf.org/html/draft-ietf-lisp-alt-01

LISP Interworking - draft-ietf-lisp-interworking-02; 01-Jul-2011. http://tools.ietf.org/html/draft-ietf-lisp-interworking-00

LISP Multicast - draft-ietf-lisp-multicast-08; 13-Sep-2011. http://tools.ietf.org/html/draft-ietf-lisp-multicast-02

LISP MIB – draf-lisp-mib-02; 01-Jun-2011. http://tools.ietf.org/html/draft-lisp-mib-02

LISP Internet Groper (LIG) – draft--lisp-lig-06; 09-Sep-2011. http://tools.ietf.org/id/draft-lisp-lig-06


International LISP Network •  Cisco-operated

–  >3 years operational –  >60 sites, 10 countries

•  Built for LISP demonstration, experimentation, and proof-of-concept testing –  IPv4 and IPv6 –  PITR/PETR

Conduct Experiments Provide course-adjustments for protocol architecture

Test Multiple Implementations Prove ALT Topology maps to EID Address Allocation Delegations Emulate MSP Business Models Protocol Learning Tool for Users Test bed for building Management Tools


LISP Summary References

  You can find additional information about the topics and products covered in this session at the following links:

•  http://lisp4.cisco.com http://lisp6.cisco.com •  http://www.lisp4.net http://www.lisp6.net •  http://tools.ietf.org/wg/lisp/

• Notable sites: – http://www.lisp4.facebook.com (Facebook) – http://lisp4.cisco.com, http://lisp6.cisco.com (Cisco) – http://www.cisco.com/go/lisp

•  External Mailer: [email protected]

LISP – Locator/ID Separation Protocol

Documents

Transcript of LISP – Locator/ID Separation Protocol