[linux-2.6-block.git] / Documentation / networking / ila.rst

.. SPDX-License-Identifier: GPL-2.0

===================================
Identifier Locator Addressing (ILA)
===================================


Introduction
============

Identifier-locator addressing (ILA) is a technique used with IPv6 that
differentiates between location and identity of a network node. Part of an
address expresses the immutable identity of the node, and another part
indicates the location of the node which can be dynamic. Identifier-locator
addressing can be used to efficiently implement overlay networks for
network virtualization as well as solutions for use cases in mobility.

ILA can be thought of as means to implement an overlay network without
encapsulation. This is accomplished by performing network address
translation on destination addresses as a packet traverses a network. To
the network, an ILA translated packet appears to be no different than any
other IPv6 packet. For instance, if the transport protocol is TCP then an
ILA translated packet looks like just another TCP/IPv6 packet. The
advantage of this is that ILA is transparent to the network so that
optimizations in the network, such as ECMP, RSS, GRO, GSO, etc., just work.

The ILA protocol is described in Internet-Draft draft-herbert-intarea-ila.


ILA terminology
===============

  - Identifier
		A number that identifies an addressable node in the network
		independent of its location. ILA identifiers are sixty-four
		bit values.

  - Locator
		A network prefix that routes to a physical host. Locators
		provide the topological location of an addressed node. ILA
		locators are sixty-four bit prefixes.

  - ILA mapping
		A mapping of an ILA identifier to a locator (or to a
		locator and meta data). An ILA domain maintains a database
		that contains mappings for all destinations in the domain.

  - SIR address
		An IPv6 address composed of a SIR prefix (upper sixty-
		four bits) and an identifier (lower sixty-four bits).
		SIR addresses are visible to applications and provide a
		means for them to address nodes independent of their
		location.

  - ILA address
		An IPv6 address composed of a locator (upper sixty-four
		bits) and an identifier (low order sixty-four bits). ILA
		addresses are never visible to an application.

  - ILA host
		An end host that is capable of performing ILA translations
		on transmit or receive.

  - ILA router
		A network node that performs ILA translation and forwarding
		of translated packets.

  - ILA forwarding cache
		A type of ILA router that only maintains a working set
		cache of mappings.

  - ILA node
		A network node capable of performing ILA translations. This
		can be an ILA router, ILA forwarding cache, or ILA host.


Operation
=========

There are two fundamental operations with ILA:

  - Translate a SIR address to an ILA address. This is performed on ingress
    to an ILA overlay.

  - Translate an ILA address to a SIR address. This is performed on egress
    from the ILA overlay.

ILA can be deployed either on end hosts or intermediate devices in the
network; these are provided by "ILA hosts" and "ILA routers" respectively.
Configuration and datapath for these two points of deployment is somewhat
different.

The diagram below illustrates the flow of packets through ILA as well
as showing ILA hosts and routers::

    +--------+                                                +--------+
    | Host A +-+                                         +--->| Host B |
    |        | |              (2) ILA                   (')   |        |
    +--------+ |            ...addressed....           (   )  +--------+
	       V  +---+--+  .  packet      .  +---+--+  (_)
   (1) SIR     |  | ILA  |----->-------->---->| ILA  |   |   (3) SIR
    addressed  +->|router|  .              .  |router|->-+    addressed
    packet        +---+--+  .     IPv6     .  +---+--+        packet
		   /        .    Network   .
		  /         .              .   +--+-++--------+
    +--------+   /          .              .   |ILA ||  Host  |
    |  Host  +--+           .              .- -|host||        |
    |        |              .              .   +--+-++--------+
    +--------+              ................


Transport checksum handling
===========================

When an address is translated by ILA, an encapsulated transport checksum
that includes the translated address in a pseudo header may be rendered
incorrect on the wire. This is a problem for intermediate devices,
including checksum offload in NICs, that process the checksum. There are
three options to deal with this:

- no action	Allow the checksum to be incorrect on the wire. Before
		a receiver verifies a checksum the ILA to SIR address
		translation must be done.

- adjust transport checksum
		When ILA translation is performed the packet is parsed
		and if a transport layer checksum is found then it is
		adjusted to reflect the correct checksum per the
		translated address.

- checksum neutral mapping
		When an address is translated the difference can be offset
		elsewhere in a part of the packet that is covered by
		the checksum. The low order sixteen bits of the identifier
		are used. This method is preferred since it doesn't require
		parsing a packet beyond the IP header and in most cases the
		adjustment can be precomputed and saved with the mapping.

Note that the checksum neutral adjustment affects the low order sixteen
bits of the identifier. When ILA to SIR address translation is done on
egress the low order bits are restored to the original value which
restores the identifier as it was originally sent.


Identifier types
================

ILA defines different types of identifiers for different use cases.

The defined types are:

      0: interface identifier

      1: locally unique identifier

      2: virtual networking identifier for IPv4 address

      3: virtual networking identifier for IPv6 unicast address

      4: virtual networking identifier for IPv6 multicast address

      5: non-local address identifier

In the current implementation of kernel ILA only locally unique identifiers
(LUID) are supported. LUID allows for a generic, unformatted 64 bit
identifier.


Identifier formats
==================

Kernel ILA supports two optional fields in an identifier for formatting:
"C-bit" and "identifier type". The presence of these fields is determined
by configuration as demonstrated below.

If the identifier type is present it occupies the three highest order
bits of an identifier. The possible values are given in the above list.

If the C-bit is present,  this is used as an indication that checksum
neutral mapping has been done. The C-bit can only be set in an
ILA address, never a SIR address.

In the simplest format the identifier types, C-bit, and checksum
adjustment value are not present so an identifier is considered an
unstructured sixty-four bit value::

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                            Identifier                         |
     +                                                               +
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The checksum neutral adjustment may be configured to always be
present using neutral-map-auto. In this case there is no C-bit, but the
checksum adjustment is in the low order 16 bits. The identifier is
still sixty-four bits::

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                            Identifier                         |
     |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                               |  Checksum-neutral adjustment  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The C-bit may used to explicitly indicate that checksum neutral
mapping has been applied to an ILA address. The format is::

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     |C|                    Identifier                         |
     |     +-+                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                               |  Checksum-neutral adjustment  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The identifier type field may be present to indicate the identifier
type. If it is not present then the type is inferred based on mapping
configuration. The checksum neutral adjustment may automatically
used with the identifier type as illustrated below::

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Type|                      Identifier                         |
     +-+-+-+                         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                               |  Checksum-neutral adjustment  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

If the identifier type and the C-bit can be present simultaneously so
the identifier format would be::

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Type|C|                    Identifier                         |
     +-+-+-+-+                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                               |  Checksum-neutral adjustment  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


Configuration
=============

There are two methods to configure ILA mappings. One is by using LWT routes
and the other is ila_xlat (called from NFHOOK PREROUTING hook). ila_xlat
is intended to be used in the receive path for ILA hosts .

An ILA router has also been implemented in XDP. Description of that is
outside the scope of this document.

The usage of for ILA LWT routes is:

ip route add DEST/128 encap ila LOC csum-mode MODE ident-type TYPE via ADDR

Destination (DEST) can either be a SIR address (for an ILA host or ingress
ILA router) or an ILA address (egress ILA router). LOC is the sixty-four
bit locator (with format W:X:Y:Z) that overwrites the upper sixty-four
bits of the destination address.  Checksum MODE is one of "no-action",
"adj-transport", "neutral-map", and "neutral-map-auto". If neutral-map is
set then the C-bit will be present. Identifier TYPE one of "luid" or
"use-format." In the case of use-format, the identifier type field is
present and the effective type is taken from that.

The usage of ila_xlat is:

ip ila add loc_match MATCH loc LOC csum-mode MODE ident-type TYPE

MATCH indicates the incoming locator that must be matched to apply
a the translaiton. LOC is the locator that overwrites the upper
sixty-four bits of the destination address. MODE and TYPE have the
same meanings as described above.


Some examples
=============

::

     # Configure an ILA route that uses checksum neutral mapping as well
     # as type field. Note that the type field is set in the SIR address
     # (the 2000 implies type is 1 which is LUID).
     ip route add 3333:0:0:1:2000:0:1:87/128 encap ila 2001:0:87:0 \
	  csum-mode neutral-map ident-type use-format

     # Configure an ILA LWT route that uses auto checksum neutral mapping
     # (no C-bit) and configure identifier type to be LUID so that the
     # identifier type field will not be present.
     ip route add 3333:0:0:1:2000:0:2:87/128 encap ila 2001:0:87:1 \
	  csum-mode neutral-map-auto ident-type luid

     ila_xlat configuration

     # Configure an ILA to SIR mapping that matches a locator and overwrites
     # it with a SIR address (3333:0:0:1 in this example). The C-bit and
     # identifier field are used.
     ip ila add loc_match 2001:0:119:0 loc 3333:0:0:1 \
	 csum-mode neutral-map-auto ident-type use-format

     # Configure an ILA to SIR mapping where checksum neutral is automatically
     # set without the C-bit and the identifier type is configured to be LUID
     # so that the identifier type field is not present.
     ip ila add loc_match 2001:0:119:0 loc 3333:0:0:1 \
	 csum-mode neutral-map-auto ident-type use-format
Commit	Line	Data
1d2698fa MCC	1	.. SPDX-License-Identifier: GPL-2.0
	2
	3	===================================
7afc19bc	4	Identifier Locator Addressing (ILA)
1d2698fa	5	===================================
7afc19bc TH	6
	7
	8	Introduction
	9	============
	10
	11	Identifier-locator addressing (ILA) is a technique used with IPv6 that
	12	differentiates between location and identity of a network node. Part of an
	13	address expresses the immutable identity of the node, and another part
	14	indicates the location of the node which can be dynamic. Identifier-locator
	15	addressing can be used to efficiently implement overlay networks for
	16	network virtualization as well as solutions for use cases in mobility.
	17
	18	ILA can be thought of as means to implement an overlay network without
	19	encapsulation. This is accomplished by performing network address
	20	translation on destination addresses as a packet traverses a network. To
	21	the network, an ILA translated packet appears to be no different than any
	22	other IPv6 packet. For instance, if the transport protocol is TCP then an
	23	ILA translated packet looks like just another TCP/IPv6 packet. The
	24	advantage of this is that ILA is transparent to the network so that
	25	optimizations in the network, such as ECMP, RSS, GRO, GSO, etc., just work.
	26
	27	The ILA protocol is described in Internet-Draft draft-herbert-intarea-ila.
	28
	29
	30	ILA terminology
	31	===============
	32
1d2698fa MCC	33	- Identifier
1d2698fa MCC	34	A number that identifies an addressable node in the network
7afc19bc TH	35	independent of its location. ILA identifiers are sixty-four
	36	bit values.
	37
1d2698fa MCC	38	- Locator
1d2698fa MCC	39	A network prefix that routes to a physical host. Locators
7afc19bc TH	40	provide the topological location of an addressed node. ILA
	41	locators are sixty-four bit prefixes.
	42
	43	- ILA mapping
	44	A mapping of an ILA identifier to a locator (or to a
	45	locator and meta data). An ILA domain maintains a database
	46	that contains mappings for all destinations in the domain.
	47
	48	- SIR address
	49	An IPv6 address composed of a SIR prefix (upper sixty-
	50	four bits) and an identifier (lower sixty-four bits).
	51	SIR addresses are visible to applications and provide a
	52	means for them to address nodes independent of their
	53	location.
	54
	55	- ILA address
	56	An IPv6 address composed of a locator (upper sixty-four
	57	bits) and an identifier (low order sixty-four bits). ILA
	58	addresses are never visible to an application.
	59
1d2698fa MCC	60	- ILA host
1d2698fa MCC	61	An end host that is capable of performing ILA translations
7afc19bc TH	62	on transmit or receive.
7afc19bc TH	63
1d2698fa MCC	64	- ILA router
1d2698fa MCC	65	A network node that performs ILA translation and forwarding
7afc19bc TH	66	of translated packets.
	67
	68	- ILA forwarding cache
	69	A type of ILA router that only maintains a working set
	70	cache of mappings.
	71
1d2698fa MCC	72	- ILA node
1d2698fa MCC	73	A network node capable of performing ILA translations. This
7afc19bc TH	74	can be an ILA router, ILA forwarding cache, or ILA host.
	75
	76
	77	Operation
	78	=========
	79
	80	There are two fundamental operations with ILA:
	81
	82	- Translate a SIR address to an ILA address. This is performed on ingress
	83	to an ILA overlay.
	84
	85	- Translate an ILA address to a SIR address. This is performed on egress
	86	from the ILA overlay.
	87
	88	ILA can be deployed either on end hosts or intermediate devices in the
	89	network; these are provided by "ILA hosts" and "ILA routers" respectively.
	90	Configuration and datapath for these two points of deployment is somewhat
	91	different.
	92
	93	The diagram below illustrates the flow of packets through ILA as well
1d2698fa	94	as showing ILA hosts and routers::
7afc19bc TH	95
	96	+--------+ +--------+
	97	\| Host A +-+ +--->\| Host B \|
	98	\| \| \| (2) ILA (') \| \|
	99	+--------+ \| ...addressed.... ( ) +--------+
1d2698fa	100	V +---+--+ . packet . +---+--+ (_)
7afc19bc TH	101	(1) SIR \| \| ILA \|----->-------->---->\| ILA \| \| (3) SIR
	102	addressed +->\|router\| . . \|router\|->-+ addressed
	103	packet +---+--+ . IPv6 . +---+--+ packet
1d2698fa MCC	104	/ . Network .
1d2698fa MCC	105	/ . . +--+-++--------+
7afc19bc TH	106	+--------+ / . . \|ILA \|\| Host \|
	107	\| Host +--+ . .- -\|host\|\| \|
	108	\| \| . . +--+-++--------+
	109	+--------+ ................
	110
	111
	112	Transport checksum handling
	113	===========================
	114
	115	When an address is translated by ILA, an encapsulated transport checksum
	116	that includes the translated address in a pseudo header may be rendered
	117	incorrect on the wire. This is a problem for intermediate devices,
	118	including checksum offload in NICs, that process the checksum. There are
	119	three options to deal with this:
	120
	121	- no action Allow the checksum to be incorrect on the wire. Before
	122	a receiver verifies a checksum the ILA to SIR address
	123	translation must be done.
	124
	125	- adjust transport checksum
	126	When ILA translation is performed the packet is parsed
	127	and if a transport layer checksum is found then it is
	128	adjusted to reflect the correct checksum per the
	129	translated address.
	130
	131	- checksum neutral mapping
	132	When an address is translated the difference can be offset
bb38ccce	133	elsewhere in a part of the packet that is covered by
7afc19bc TH	134	the checksum. The low order sixteen bits of the identifier
	135	are used. This method is preferred since it doesn't require
	136	parsing a packet beyond the IP header and in most cases the
	137	adjustment can be precomputed and saved with the mapping.
	138
	139	Note that the checksum neutral adjustment affects the low order sixteen
	140	bits of the identifier. When ILA to SIR address translation is done on
	141	egress the low order bits are restored to the original value which
	142	restores the identifier as it was originally sent.
	143
	144
	145	Identifier types
	146	================
	147
	148	ILA defines different types of identifiers for different use cases.
	149
	150	The defined types are:
	151
	152	0: interface identifier
	153
	154	1: locally unique identifier
	155
	156	2: virtual networking identifier for IPv4 address
	157
	158	3: virtual networking identifier for IPv6 unicast address
	159
	160	4: virtual networking identifier for IPv6 multicast address
	161
	162	5: non-local address identifier
	163
	164	In the current implementation of kernel ILA only locally unique identifiers
	165	(LUID) are supported. LUID allows for a generic, unformatted 64 bit
	166	identifier.
	167
	168
	169	Identifier formats
	170	==================
	171
	172	Kernel ILA supports two optional fields in an identifier for formatting:
	173	"C-bit" and "identifier type". The presence of these fields is determined
	174	by configuration as demonstrated below.
	175
	176	If the identifier type is present it occupies the three highest order
	177	bits of an identifier. The possible values are given in the above list.
	178
	179	If the C-bit is present, this is used as an indication that checksum
	180	neutral mapping has been done. The C-bit can only be set in an
	181	ILA address, never a SIR address.
	182
	183	In the simplest format the identifier types, C-bit, and checksum
	184	adjustment value are not present so an identifier is considered an
1d2698fa	185	unstructured sixty-four bit value::
7afc19bc TH	186
	187	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	188	\| Identifier \|
	189	+ +
	190	\| \|
	191	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	192
	193	The checksum neutral adjustment may be configured to always be
	194	present using neutral-map-auto. In this case there is no C-bit, but the
	195	checksum adjustment is in the low order 16 bits. The identifier is
1d2698fa	196	still sixty-four bits::
7afc19bc TH	197
	198	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	199	\| Identifier \|
	200	\| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	201	\| \| Checksum-neutral adjustment \|
	202	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	203
	204	The C-bit may used to explicitly indicate that checksum neutral
1d2698fa	205	mapping has been applied to an ILA address. The format is::
7afc19bc TH	206
	207	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	208	\| \|C\| Identifier \|
	209	\| +-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	210	\| \| Checksum-neutral adjustment \|
	211	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	212
	213	The identifier type field may be present to indicate the identifier
	214	type. If it is not present then the type is inferred based on mapping
	215	configuration. The checksum neutral adjustment may automatically
1d2698fa	216	used with the identifier type as illustrated below::
7afc19bc TH	217
	218	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	219	\| Type\| Identifier \|
	220	+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	221	\| \| Checksum-neutral adjustment \|
	222	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	223
	224	If the identifier type and the C-bit can be present simultaneously so
1d2698fa	225	the identifier format would be::
7afc19bc TH	226
	227	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	228	\| Type\|C\| Identifier \|
	229	+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	230	\| \| Checksum-neutral adjustment \|
	231	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	232
	233
	234	Configuration
	235	=============
	236
	237	There are two methods to configure ILA mappings. One is by using LWT routes
	238	and the other is ila_xlat (called from NFHOOK PREROUTING hook). ila_xlat
	239	is intended to be used in the receive path for ILA hosts .
	240
	241	An ILA router has also been implemented in XDP. Description of that is
	242	outside the scope of this document.
	243
	244	The usage of for ILA LWT routes is:
	245
	246	ip route add DEST/128 encap ila LOC csum-mode MODE ident-type TYPE via ADDR
	247
	248	Destination (DEST) can either be a SIR address (for an ILA host or ingress
	249	ILA router) or an ILA address (egress ILA router). LOC is the sixty-four
	250	bit locator (with format W:X:Y:Z) that overwrites the upper sixty-four
	251	bits of the destination address. Checksum MODE is one of "no-action",
	252	"adj-transport", "neutral-map", and "neutral-map-auto". If neutral-map is
	253	set then the C-bit will be present. Identifier TYPE one of "luid" or
	254	"use-format." In the case of use-format, the identifier type field is
	255	present and the effective type is taken from that.
	256
	257	The usage of ila_xlat is:
	258
	259	ip ila add loc_match MATCH loc LOC csum-mode MODE ident-type TYPE
	260
	261	MATCH indicates the incoming locator that must be matched to apply
	262	a the translaiton. LOC is the locator that overwrites the upper
	263	sixty-four bits of the destination address. MODE and TYPE have the
	264	same meanings as described above.
	265
	266
	267	Some examples
	268	=============
	269
1d2698fa MCC	270	::
	271
	272	# Configure an ILA route that uses checksum neutral mapping as well
	273	# as type field. Note that the type field is set in the SIR address
	274	# (the 2000 implies type is 1 which is LUID).
	275	ip route add 3333:0:0:1:2000:0:1:87/128 encap ila 2001:0:87:0 \
	276	csum-mode neutral-map ident-type use-format
	277
	278	# Configure an ILA LWT route that uses auto checksum neutral mapping
	279	# (no C-bit) and configure identifier type to be LUID so that the
	280	# identifier type field will not be present.
	281	ip route add 3333:0:0:1:2000:0:2:87/128 encap ila 2001:0:87:1 \
	282	csum-mode neutral-map-auto ident-type luid
	283
	284	ila_xlat configuration
	285
	286	# Configure an ILA to SIR mapping that matches a locator and overwrites
	287	# it with a SIR address (3333:0:0:1 in this example). The C-bit and
	288	# identifier field are used.
	289	ip ila add loc_match 2001:0:119:0 loc 3333:0:0:1 \
	290	csum-mode neutral-map-auto ident-type use-format
	291
	292	# Configure an ILA to SIR mapping where checksum neutral is automatically
	293	# set without the C-bit and the identifier type is configured to be LUID
	294	# so that the identifier type field is not present.
	295	ip ila add loc_match 2001:0:119:0 loc 3333:0:0:1 \
	296	csum-mode neutral-map-auto ident-type use-format