Internet Engineering Task Force (IETF) P. Yegani Request for Comments: 6245 Juniper Networks Category: Standards Track K. Leung ISSN: 2070-1721 Cisco Systems A. Lior Bridgewater Systems K. Chowdhury J. Navali Cisco Systems May 2011
Internet Engineering Task Force (IETF) P. Yegani Request for Comments: 6245 Juniper Networks Category: Standards Track K. Leung ISSN: 2070-1721 Cisco Systems A. Lior Bridgewater Systems K. Chowdhury J. Navali Cisco Systems May 2011
Generic Routing Encapsulation (GRE) Key Extension for Mobile IPv4
移动IPv4的通用路由封装(GRE)密钥扩展
Abstract
摘要
The Generic Routing Encapsulation (GRE) specification contains a Key field, which MAY contain a value that is used to identify a particular GRE data stream. This specification defines a new Mobile IP extension that is used to exchange the value to be used in the GRE Key field. This extension further allows the Mobility Agents to set up the necessary protocol interfaces prior to receiving the mobile node traffic. The new extension allows a Foreign Agent to request GRE tunneling without disturbing the Home Agent behavior specified for Mobile IPv4. GRE tunneling with the Key field allows the operators to have home networks that consist of multiple Virtual Private Networks (VPNs), which may have overlapping home addresses. When the tuple <Care of Address, Home Address, and Home Agent Address> is the same across multiple subscriber sessions, GRE tunneling will provide a means for the Foreign Agent and Home Agent to identify data streams for the individual sessions based on the GRE key. In the absence of this key identifier, the data streams cannot be distinguished from each other -- a significant drawback when using IP-in-IP tunneling.
通用路由封装(GRE)规范包含一个键字段,该字段可能包含用于标识特定GRE数据流的值。本规范定义了一个新的移动IP扩展,用于交换GRE密钥字段中要使用的值。该扩展还允许移动代理在接收移动节点业务之前设置必要的协议接口。新的扩展允许外部代理请求GRE隧道,而不会干扰为移动IPv4指定的归属代理行为。带有密钥字段的GRE隧道允许运营商拥有由多个虚拟专用网络(VPN)组成的家庭网络,这些虚拟专用网络可能具有重叠的家庭地址。当元组<转交地址、家庭地址和家庭代理地址>在多个订户会话中相同时,GRE隧道将为外部代理和家庭代理提供一种基于GRE密钥识别各个会话的数据流的方法。在缺少该密钥标识符的情况下,数据流无法相互区分——这是在IP隧道中使用IP时的一个显著缺点。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6245.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6245.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................2 2. Terminology .....................................................3 3. GRE Key Extension ...............................................3 4. Operation and Use of the GRE Key Extension ......................3 4.1. Foreign Agent Requirements for GRE Tunneling Support .......3 4.2. Home Agent Requirements for GRE Tunneling Support ..........4 4.3. Mobile Node Requirements for GRE Tunneling Support .........5 5. GRE Key Extension and Tunneling Procedures ......................5 6. IANA Considerations .............................................6 7. Security Considerations .........................................6 8. Acknowledgements ................................................7 9. Normative References ............................................7
1. Introduction ....................................................2 2. Terminology .....................................................3 3. GRE Key Extension ...............................................3 4. Operation and Use of the GRE Key Extension ......................3 4.1. Foreign Agent Requirements for GRE Tunneling Support .......3 4.2. Home Agent Requirements for GRE Tunneling Support ..........4 4.3. Mobile Node Requirements for GRE Tunneling Support .........5 5. GRE Key Extension and Tunneling Procedures ......................5 6. IANA Considerations .............................................6 7. Security Considerations .........................................6 8. Acknowledgements ................................................7 9. Normative References ............................................7
This document specifies a new extension for use by a Foreign Agent (FA) operating Mobile IP for IPv4. The new extension allows a Foreign Agent to request Generic Routing Encapsulation (GRE) [RFC2784] tunneling without disturbing the Home Agent (HA) behavior specified for Mobile IPv4 [RFC5944]. This extension contains the GRE key [RFC2890] required for establishing a GRE tunnel between the FA and the HA.
本文档指定了一个新的扩展,供运行IPv4移动IP的外部代理(FA)使用。新的扩展允许外部代理请求通用路由封装(GRE)[RFC2784]隧道,而不会干扰为移动IPv4[RFC5944]指定的归属代理(HA)行为。此扩展包含在FA和HA之间建立GRE隧道所需的GRE密钥[RFC2890]。
GRE tunneling with the Key field allows the operators to have home networks that consist of multiple Virtual Private Networks (VPNs), which may have overlapping home addresses. When the tuple <Care of Address, Home Address, and Home Agent Address> is the same across
带有密钥字段的GRE隧道允许运营商拥有由多个虚拟专用网络(VPN)组成的家庭网络,这些虚拟专用网络可能具有重叠的家庭地址。当元组<Care of Address,Home Address,and Home Agent Address>在不同的位置相同时
multiple subscriber sessions, GRE tunneling will provide a means for the FA and the HA to identify data streams for the individual sessions based on the GRE key. In the absence of this key identifier, the data streams cannot be distinguished from each other -- a significant drawback when using IP-in-IP tunneling.
在多个用户会话中,GRE隧道将为FA和HA提供一种基于GRE密钥识别各个会话数据流的方法。在缺少该密钥标识符的情况下,数据流无法相互区分——这是在IP隧道中使用IP时的一个显著缺点。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Other terminology is used as already defined in [RFC5944].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。使用[RFC5944]中已定义的其他术语。
The format of the GRE Key Extension conforms to the extension format specified for Mobile IPv4 [RFC5944]. This extension option is used by the Foreign Agent to supply GRE key and other necessary information to the Home Agent to establish a GRE tunnel between the FA and the HA.
GRE密钥扩展的格式符合为移动IPv4指定的扩展格式[RFC5944]。外国代理使用此扩展选项向本国代理提供GRE密钥和其他必要信息,以便在FA和HA之间建立GRE隧道。
The FA MUST support IP-in-IP tunneling of datagrams for Mobile IPv4 [RFC5944]. The FA may support GRE tunneling that can be used, for example, to allow for overlapping private home IP addresses (Section 4.2.2.5 of [X.S0011-E]). If the FA is capable of supporting GRE encapsulation, it should set the 'G' (GRE encapsulation) bit in the Flags field in the Agent Advertisement message sent to the Mobile Node (MN) during the Mobile IP session establishment.
FA必须支持移动IPv4[RFC5944]数据报的IP-in-IP隧道。FA可支持GRE隧道,例如,允许重叠的专用家庭IP地址(见[X.S0011-E]第4.2.2.5节)。如果FA能够支持GRE封装,那么它应该在移动IP会话建立期间发送给移动节点(MN)的代理广告消息的Flags字段中设置“G”(GRE封装)位。
If the MN does not set the 'G' bit, the FA MAY fall back to using IP-in-IP encapsulation for the session per [RFC5944].
如果MN未设置“G”位,FA可能会退回到按照[RFC5944]为会话使用IP-in-IP封装。
If the MN does not set the 'G' bit and does not set the 'D' (Decapsulation by mobile node) bit (i.e., the mobile node does not request GRE tunneling and is not using a co-located care-of address), and the local policy allows the FA to override the 'G' bit setting received from the MN, the FA MUST include the GRE Key Extension as defined in this memo in the Registration Request (RRQ) that it propagates to the HA. The presence of this extension is a request for GRE encapsulation that takes precedence over the setting of the 'G' bit in the Registration Request. The FA MUST NOT modify the 'G' bit in the Registration Request because it is protected by the Mobile-Home Authentication extension.
如果MN未设置“G”位且未设置“D”(移动节点解除封装)位(即,移动节点未请求GRE隧道且未使用同一位置的转交地址),且本地策略允许FA覆盖从MN接收的“G”位设置,FA必须在向医管局传播的注册请求(RRQ)中包含本备忘录中定义的GRE密钥扩展。此扩展的存在是对GRE封装的请求,优先于注册请求中的“G”位设置。FA不得修改注册请求中的“G”位,因为它受移动家庭身份验证扩展的保护。
If the FA does not support GRE encapsulation, the FA MUST reset the 'G' bit in the Agent Advertisement message. In this case, if the MN sets the 'G' bit in the Registration Request message, the FA returns a Registration Reply (RRP) message to the MN with code 'requested encapsulation unavailable' (72) per [RFC5944].
如果FA不支持GRE封装,FA必须重置代理播发消息中的“G”位。在这种情况下,如果MN在注册请求消息中设置了“G”位,FA根据[RFC5944]向MN返回一条注册回复(RRP)消息,代码为“请求的封装不可用”(72)。
If the FA allows GRE encapsulation, and either the MN requested GRE encapsulation or local policy dictates using GRE encapsulation for the session, and the 'D' bit is not set (i.e., the mobile node is not using a co-located care-of address), the FA MUST include the GRE Key in the GRE Key Extension in all Mobile IP Registration Requests (including initial, renewal, and de-registration requests) before forwarding the request to the HA. The FA may include a GRE key of value zero in the GRE Key Extension to signal that the HA assigns GRE keys in both directions. The GRE key assignment in the FA and the HA is outside the scope of this memo.
如果FA允许GRE封装,并且MN请求的GRE封装或本地策略指示对会话使用GRE封装,并且未设置“D”位(即,移动节点未使用共同定位的转交地址),则FA必须在所有移动IP注册请求中的GRE密钥扩展中包括GRE密钥(包括初始、续签和注销请求),然后将请求转发给医管局。FA可能会在GRE密钥扩展中包含一个值为零的GRE密钥,以表示医管局在两个方向分配GRE密钥。FA和医管局中的GRE密钥分配不在本备忘录的范围内。
The GRE Key Extension SHALL follow the format defined in [RFC5944]. This extension SHALL be added after the MN-HA and MN-FA Challenge and MN-AAA (Mobile Node - Authentication, Authorization, and Accounting) extensions (if any) and before the FA-HA Auth extension (if any).
GRE密钥扩展应遵循[RFC5944]中定义的格式。此扩展应在MN-HA和MN-FA质询和MN-AAA(移动节点-身份验证、授权和计费)扩展(如有)之后和FA-HA身份验证扩展(如有)之前添加。
The HA MUST follow the procedures specified in [RFC5944] in processing this extension in Registration Request messages.
HA必须遵循[RFC5944]中规定的程序处理注册请求消息中的此扩展。
If the HA receives the GRE Key Extension in a Registration Request and does not recognize this non-skippable extension, it MUST silently discard the message. The HA MUST use other alternative forms of encapsulation (e.g., IP-in-IP tunneling), when requested by the mobile node per [RFC5944].
如果HA在注册请求中接收到GRE密钥扩展名,并且不识别此不可跳过的扩展名,则必须以静默方式放弃该消息。当移动节点根据[RFC5944]提出请求时,HA必须使用其他替代形式的封装(例如,IP隧道中的IP)。
If the HA receives the GRE Key Extension in a Registration Request and recognizes the GRE Key Extension but is not configured to support GRE encapsulation, it MUST send an RRP with code 'requested encapsulation unavailable (139)' [RFC3024].
如果HA在注册请求中收到GRE密钥扩展,并识别GRE密钥扩展,但未配置为支持GRE封装,则必须发送一个RRP,代码为“请求的封装不可用(139)”[RFC3024]。
If the HA receives a Registration Request with a GRE Key Extension but without the 'G' bit set, the HA SHOULD treat this as if the 'G' bit is set in the Registration Request; i.e., the presence of a GRE Key Extension indicates a request for GRE encapsulation.
如果HA收到具有GRE密钥扩展但未设置“G”位的注册请求,则HA应将其视为注册请求中设置了“G”位;i、 例如,GRE密钥扩展的存在表示对GRE封装的请求。
If the HA receives the GRE Key Extension in a Registration Request, and it recognizes the GRE Key Extension as well as supports GRE encapsulation, the following procedures should apply:
如果医管局在注册请求中收到GRE密钥扩展,并且识别GRE密钥扩展并支持GRE封装,则应适用以下程序:
o The HA SHOULD accept the RRQ and send an RRP with code 'registration accepted (0)'.
o 医管局应接受RRQ,并发送代码为“注册已接受(0)”的RRP。
o The HA MUST assign a GRE key and include the GRE Key Extension in the RRP before sending it to the FA.
o 医管局必须分配GRE密钥,并在将其发送给FA之前将GRE密钥扩展包含在RRP中。
o The HA MUST include the GRE Key Extension in all RRPs in response to any RRQ that included the GRE Key Extension, when a GRE key is available for the registration.
o 当GRE密钥可用于注册时,医管局必须在所有RRP中包含GRE密钥扩展,以响应任何包含GRE密钥扩展的RRQ。
If the HA receives the GRE Key Extension in the initial Registration Request and recognizes the GRE Key Extension carrying a GRE key value of zero, it SHOULD accept the RRQ and send an RRP with code 'registration accepted (0)', and the following procedures apply:
如果医管局在初始注册申请中收到GRE密钥扩展,并识别出GRE密钥扩展带有零GRE密钥值,则医管局应接受RRQ并发送代码为“注册已接受(0)”的RRP,以下程序适用:
o The HA MUST assign GRE keys for both directions and include these keys in the GRE Key Extension in the RRP before sending it to the FA.
o 医管局必须为两个方向分配GRE密钥,并在发送给FA之前将这些密钥包含在RRP的GRE密钥扩展中。
o The HA MUST include the GRE Key Extension in the RRP in response to the initial RRQ that included the GRE Key Extension, when a GRE key is available for the registration.
o 当GRE密钥可用于注册时,医管局必须在RRP中包含GRE密钥扩展,以响应包含GRE密钥扩展的初始RRQ。
If the MN is capable of supporting GRE encapsulation, it SHOULD set the 'G' bit in the Flags field in the Registration Request per [RFC5944].
如果MN能够支持GRE封装,则应根据[RFC5944]在注册请求的标志字段中设置“G”位。
GRE tunneling support for Mobile IP will permit asymmetric GRE keying; i.e., the FA assigns a GRE key for use in encapsulated traffic, and the HA can assign its own GRE key. Once the GRE keys have been exchanged, the FA uses the HA-assigned key in the encapsulating GRE header for reverse tunneling, and the HA uses the FA-assigned key in the encapsulating GRE header.
对移动IP的GRE隧道支持将允许非对称GRE键控;i、 例如,FA分配一个GRE密钥用于封装的流量,HA可以分配自己的GRE密钥。交换GRE密钥后,FA使用封装GRE头中的HA分配密钥进行反向隧道,HA使用封装GRE头中的FA分配密钥。
The format of the GRE Key Extension is as shown below.
GRE密钥扩展名的格式如下所示。
The GRE Key Extension MAY be included in Registration Requests or Registration Replies [RFC5944]. The GRE Key Extension is used to inform the recipient of the Mobile IP request of the value to be used in the GRE Key field.
GRE密钥扩展可以包含在注册请求或注册回复中[RFC5944]。GRE密钥扩展用于通知移动IP请求的接收者GRE密钥字段中要使用的值。
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Sub-Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Sub-Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: GRE Key Extension
图1:GRE密钥扩展
Type
类型
48 - An 8-bit identifier of the GRE Key Extension type (non-skippable)
48-GRE密钥扩展类型的8位标识符(不可跳过)
Sub-Type
子类型
0
0
Length
长
4
4.
Key Identifier
密钥标识
This is a four-octet value assigned during registration and inserted in every GRE packet of the user traffic.
这是在注册期间分配的四个八位组值,并插入到用户流量的每个GRE数据包中。
The GRE Key Extension defined in this memo is a Mobile IP extension as defined in [RFC5944]. IANA has assigned a Type value (48) for this extension from the non-skippable range (0-127).
本备忘录中定义的GRE密钥扩展是[RFC5944]中定义的移动IP扩展。IANA已为此扩展从不可跳过范围(0-127)分配了一个类型值(48)。
The GRE Key Extension introduces a new sub-type numbering space, where the value 0 has been assigned from the range 0 to 255. Approval of new GRE Key Extension sub-type values is to be made through Expert Review with Specification Required.
GRE键扩展引入了一个新的子类型编号空间,其中的值0已从0到255范围内指定。新GRE密钥扩展子类型值的批准将通过专家审查进行,并需要规范。
This specification does not introduce any new security considerations, beyond those described in [RFC5944].
除[RFC5944]中所述的安全注意事项外,本规范未引入任何新的安全注意事项。
Despite its name, the GRE Key Extension has little to do with security. The word "Key" here is not used in the cryptographic sense of a shared secret that must be protected but rather in the sense of an "index" or demultiplexing value that can be used to distinguish packets belonging to a given flow within a GRE tunnel.
尽管名称不同,GRE密钥扩展与安全性关系不大。这里的“密钥”一词不是在必须保护的共享秘密的加密意义上使用的,而是在“索引”或解复用值的意义上使用的,该值可用于区分属于GRE隧道内给定流的数据包。
Thanks to Jun Wang, Gopal Dommety, and Sri Gundavelli for their helpful comments, offline discussions, and review of the initial draft version of this document. Also, Pete McCann and Simon Mizikovsky provided valuable review comments.
感谢Jun Wang、Gopal Dommety和Sri Gundavelli对本文件初稿的有益评论、离线讨论和审查。此外,皮特·麦肯(Pete McCann)和西蒙·米齐科夫斯基(Simon Mizikovsky)提供了宝贵的评论。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, March 2000.
[RFC2784]Farinaci,D.,Li,T.,Hanks,S.,Meyer,D.,和P.Traina,“通用路由封装(GRE)”,RFC 27842000年3月。
[RFC2890] Dommety, G., "Key and Sequence Number Extensions to GRE", RFC 2890, September 2000.
[RFC2890]Dommety,G.“GRE的密钥和序列号扩展”,RFC 28902000年9月。
[RFC3024] Montenegro, G., Ed., "Reverse Tunneling for Mobile IP, revised", RFC 3024, January 2001.
[RFC3024]黑山,G.,编辑,“移动IP反向隧道,修订版”,RFC 3024,2001年1月。
[RFC5944] Perkins, C., Ed., "IP Mobility Support for IPv4, Revised", RFC 5944, November 2010.
[RFC5944]Perkins,C.,Ed.,“IPv4的IP移动支持,修订版”,RFC 59442010年11月。
[X.S0011-E] 3rd Generation Partnership Project 2, "cdma2000 Wireless IP Network Standard: Simple IP and Mobile IP Access Services", 3GPP2 X.S0011-002-E Version 1.0, November 2009, <http://www.3gpp2.org/Public_html/specs/ X.S0011-002-E_v1.0_091116.pdf>.
[X.S0011-E]第三代合作伙伴项目2,“cdma2000无线IP网络标准:简单IP和移动IP接入服务”,3GPP2 X.S0011-002-E版本1.0,2009年11月<http://www.3gpp2.org/Public_html/specs/ X.S0011-002-E_v1.0_091116.pdf>。
Authors' Addresses
作者地址
Parviz Yegani Juniper Networks 1194 North Mathilda Ave. Sunnyvale, California 94089 USA Phone: +1 408-759-1973 EMail: pyegani@juniper.net
Parviz Yegani Juniper Networks 1194 North Mathilda Ave.Sunnyvale,California 94089美国电话:+1 408-759-1973电子邮件:pyegani@juniper.net
Kent Leung Cisco Systems Incorporated 170 West Tasman Drive San Jose, California 95134 USA Phone: +1 408 526 5030 EMail: kleung@cisco.com
Kent Leung Cisco Systems Incorporated 170 West Tasman Drive San Jose,California 95134美国电话:+1 408 526 5030电子邮件:kleung@cisco.com
Avi Lior Bridgewater Systems Corporation 303 Terry Fox Drive Ottawa, Ontario K2K 3J1 Canada Phone: +1 613-591-6655 EMail: avi@bridgewatersystems.com
Avi Lior Bridgewater系统公司303 Terry Fox Drive渥太华,安大略省K2K 3J1加拿大电话:+1 613-591-6655电子邮件:avi@bridgewatersystems.com
Kuntal Chowdhury Cisco Systems Incorporated 170 West Tasman Drive San Jose, California 95134 USA EMail: kchowdhu@cisco.com
Kuntal Chowdhury Cisco Systems Incorporated 170 West Tasman Drive San Jose,California 95134美国电子邮件:kchowdhu@cisco.com
Jay Navali Cisco Systems Incorporated 170 West Tasman Drive San Jose, California 95134 USA EMail: jnavali@cisco.com
Jay Navali Cisco Systems Incorporated 170 West Tasman Drive San Jose,California 95134美国电子邮件:jnavali@cisco.com