<?xmlversion="1.0" encoding="UTF-8"?> <!-- Edited by Dino Farinacci farinacci@gmail.com -->version='1.0' encoding='UTF-8'?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd">[ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="info" ipr="trust200902"docName="draft-farinacci-lisp-decent-22"> <?rfc toc="yes" ?> <?rfc symrefs="yes" ?> <?rfc sortrefs="yes"?> <?rfc iprnotified="no" ?> <?rfc strict="yes" ?>docName="draft-farinacci-lisp-decent-22" number="9962" obsoletes="" updates="" submissionType="independent" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3"> <front><title>A Decent LISP<title abbrev="LISP-Decent">A Decentralized Locator/ID Separation Protocol Mapping System (LISP-Decent)</title> <seriesInfo name="RFC" value="9962"/> <authorinitials='D'initials="D" surname="Farinacci"fullname='Dino Farinacci'>fullname="Dino Farinacci"> <organization>lispers.net</organization><address><postal> <street></street><address> <postal> <city>San Jose</city> <region>CA</region><code></code> <country>USA</country><country>United States of America</country> </postal><email>farinacci@gmail.com</email></address><email>farinacci@gmail.com</email> </address> </author> <authorinitials='C'initials="C" surname="Cantrell"fullname='Colin Cantrell'>fullname="Colin Cantrell"> <organization>Nexus</organization><address><postal> <street></street><address> <postal> <city>Tempe</city> <region>AZ</region><code></code> <country>USA</country><country>United States of America</country> </postal><email>colin@nexus.io</email></address><email>colin@nexus.io</email> </address> </author><date></date><date month="April" year="2026"/> <abstract><t>This draft<t> This document describes how theLISP mapping systemLocator/ID Separation Protocol (LISP) Mapping System can be distributed forscale,scale and decentralized formanagement and maintainmanagement, while maintaining trust amongdata-planedata plane nodes.The intended status for this documentThis is an Informational RFC and should be used by LISP-Decent implementations to interoperate with each other.</t> </abstract><note title="Requirements Language"> <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t> </note></front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>The LISP architectureand protocols<xref target="RFC9300"/>format="default"/> introduces two new numberingspaces, Endpoint Identifiers (EIDs) and Routing Locators (RLOCs)spaces that are intended to provide overlay networkfunctionality.functionality: Endpoint Identifiers (EIDs) and Routing Locators (RLOCs). To map fromEIDEIDs to a set of RLOCs, acontrol-plane mapping systemcontrol plane Mapping System is used <xreftarget="RFC6836"/>target="RFC6836" format="default"/> <xreftarget="RFC8111"/>.target="RFC8111" format="default"/>. Thesemapping systemsMapping Systems are naturally distributed in their deployment for scalability but are centrally managed by a third-party entity, namely a Mapping System Provider (MSP). The entities that use themapping system,Mapping System, such asdata-planedata plane LISP Tunnel Routers (xTRs), depend on and trust the MSP. They do not participate in themapping systemMapping System other than to register and retrieve information <xref target="RFC9301"/>.</t>format="default"/>.</t> <t>This document introduces a Decentralized Mapping System (DMS) so the xTRs can participate in themapping systemMapping System as well as use it. They can trust each other rather than rely on third-party infrastructure. The xTRs act as Map-Servers to maintain distributed state for scale and reduce the attack surface. The trust relationships between the xTRs are established through authentication and authorization procedures in <xref target="RFC9301"/>format="default"/> and <xreftarget="I-D.ietf-lisp-ecdsa-auth"/>.</t>target="I-D.ietf-lisp-ecdsa-auth" format="default"/>.</t> <t>This design was first introduced to the LISPWGWorking Group (WG) in January of 2018. It was presented in London in March 2018 <xreftarget="MAR-WG-PRESO"/>target="IETF101-PRESO" format="default"/> and in PragueJulyin March 2019 <xreftarget="JUL-WG-PRESO"/>.target="IETF104-PRESO" format="default"/>. ThisinformationalInformational document is not a standard and did not reach community consensus to make it an IETF LISPworking groupWG document.</t> <t>The intended audience for this specification are protocol development engineers who would implement this specification in products as well network engineers who deploy the technology in operational environments.</t> <t>This design does not conflict with those designs or contradicts any other LISP design principles produced by the working group. This solution makes no fundamental LISPprotocolchanges and adheres to the specifications documented in <xreftarget="RFC9301"/>.</t>target="RFC9301" format="default"/>.</t> <t>By the nature of this work, this document uses IP addresses as examples. They should not be copied or used outside of a lab environment. Deployments should use addresses appropriate for their environment.</t> </section> <sectiontitle="Definition of Terms"> <t><list style="hanging"> <t hangText="Mappingnumbered="true" toc="default"> <name>Definitions of Terms</name> <dl newline="false" spacing="normal"> <dt>Mapping System Provider(MSP):"> infrastructure(MSP):</dt> <dd> Infrastructure service that deploys LISP Map-Resolvers and Map-Servers <xreftarget="RFC9301"/>target="RFC9301" format="default"/> and possibly LISP-ALT nodes <xreftarget="RFC6836"/>target="RFC6836" format="default"/> or LISP-DDT nodes <xreftarget="RFC8111"/>.target="RFC8111" format="default"/>. ALT-nodes and DDT-nodes use different algorithms for connectingtogetherMap-Resolvers andMap-Servers.Map-Servers together. The MSP can be managed by a separate organization other than the one that manages xTRs. This model provides a business separation betweenwhothe organization that managesand(and is responsibleforfor) thecontrol-planecontrol plane versuswhothe organization that manages thedata-planedata plane overlayservice.</t> <t hangText="Decentralizedservice.</dd> <dt>Decentralized Mapping System(DMS):">a(DMS):</dt> <dd>A mapping system entity that is managed by the xTR nodes that use it and not third-party nodes/operators. The xTRs themselves are part of themapping system.Mapping System. The state of themapping systemMapping System is fully distributed across xTRs, decentralized, and the trust relies on the xTRs that use and participate in their own mappingsystem.</t> <t hangText="Decent-Pull Basedsystem.</dd> <dt>Decent-Pull-Based MappingSystem:">theSystem:</dt> <dd>The mapping system ispull-basedpull-based, meaning that xTRs willlookuplook up and register mappings by algorithmic transformation to locate which Map-Resolvers and Map-Servers are used. It is required that the lookup and registration uses a consistent algorithmic transformation function. Map-Registers are sent to specific Map-Servers. Map-Requests are considered external lookups when sent to Map-Resolvers on xTRs that do not participate in the mapping system and the Map-Requests are considered internal lookups when they are sent to Map-Resolvers on xTRs that do participate in the mappingsystem.</t> <t hangText="Modulus Value:">thissystem.</dd> <dt>Modulus Value:</dt> <dd>This value is used in thePull-BasedPull-based Mapping System. It defines the number ofmap-serverMap-Server sets used for themapping system.Mapping System. The modulus value is used to produce a Name Index used for aDNSDomain Name System (DNS) lookup. The Modulus Value is chosen based on the horizontal scale-out width of themap-serverMap-Server cluster the network operator chooses todeploy.</t> <t hangText="Name Index:">thisdeploy.</dd> <dt>Name Index:</dt> <dd>This index value <index> is used in thePull-BasedPull-based Mapping System. For amapping systemMapping System that is configured with amap-serverMap-Server set of DNS names in the form of <name>.example.com, thename indexName Index is prepended to <name> to form the lookup name <index>.<name>.example.com. If the Modulus Value is 8, then thename indexesName Indexes are 0 through7.</t> <t hangText="Hash Mask:">The7.</dd> <dt>Hash Mask:</dt> <dd>The Hash Mask is used in thePull-BasedPull-based Mapping System. It is a mask value with 1bitsbit left justified. The mask is used to select what high-order bits of an EID-prefix are used in the hashfunction.</t> <t hangText="Decent-Push Basedfunction.</dd> <dt>Decent-Push-Based MappingSystem:">the mapping systemSystem:</dt> <dd>The Mapping System ispush-basedpush-based, meaning that xTRs will push registrations via IP multicast to a group of Map-Servers and do local lookups acting as their ownMap-Resolvers.</t> <t hangText="ReplicationMap-Resolvers.</dd> <dt>Replication List Entry(RLE):">an(RLE):</dt> <dd>An RLOC-record format that contains a list of RLOCs that an Ingress Tunnel Router (ITR) replicates multicast packets on a multicast overlay. The RLE format is specified in <xreftarget="RFC8060"/>.target="RFC8060" format="default"/>. RLEs are used with theDecent-Pushed Based mapping system.</t> <t hangText="GroupDecent-Push-based Mapping System.</dd> <dt>Group AddressEID:">anEID:</dt> <dd>An EID-record format that contains IPv4 (0.0.0.0/0, G) or IPv6 (0::/0, G) state. This state is encoded as a Multicast Info TypeLCAFLISP Canonical Address Format (LCAF) specified in <xreftarget="RFC8060"/>.target="RFC8060" format="default"/>. Members of a seed-group send Map-Registers for (0.0.0.0/0, G) or (0::/0, G) with an RLOC-record that RLE encodes its RLOC address. Details are specified in <xreftarget="RFC8378"/>.</t> <t hangText="Seed-Group:">atarget="RFC8378" format="default"/>.</dd> <dt>Seed-Group:</dt> <dd>A set of Map-Servers joined to a multicast group for theDecent-Push BasedDecent-Push-based MappingsystemSystem or are mapped by DNS names in aPull-BasedPull-based Mapping System. A core seed-group is used to bootstrap a set of LISP-Decent xTRs so they can learn about each other and use each other'smapping systemMapping System service. A seed-group can be pull-based to bootstrap theDecent-Push based mapping system.Decent-Push-based Mapping System. That is, a set of DNS mappedmap-serversMap-Servers can be used to join the mapping system's IP multicastgroup.</t> </list></t>group.</dd> </dl> <section> <name>Requirements Language</name> <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> </section> <sectiontitle="Overview">numbered="true" toc="default"> <name>Overview</name> <t>The clients of theDecentralized Mapping System (DMS)DMS are also the providers of mapping state, see <xreftarget="RFC9301"/>target="RFC9301" format="default"/> for formal details. Clients are typically Egress Tunnel Routers (ETRs) that Map-Register EID-to-RLOC mapping state to the mapping database system. ITRs are clients in that they send Map-Requests to the mapping database system to obtain EID-to-RLOC mappings that are cached fordata-planedata plane use. When xTRs participate in a DMS, they are also acting as Map-Resolvers and Map-Servers using the protocol machinery defined in LISPcontrol-planecontrol plane specifications <xreftarget="RFC9301"/>,target="RFC9301" format="default"/>, <xreftarget="RFC9303"/>,target="RFC9303" format="default"/>, and <xreftarget="I-D.ietf-lisp-ecdsa-auth"/>.target="I-D.ietf-lisp-ecdsa-auth" format="default"/>. The xTRs are not required to run the database mapping transport system protocols specified in <xreftarget="RFC6836"/>target="RFC6836" format="default"/> or <xreftarget="RFC8111"/>.</t>target="RFC8111" format="default"/>.</t> <t>This document will describe two decentralized and distributed mapping system mechanisms. ADecent-Push BasedDecent-Push-based Mapping System uses IP multicast so xTRs can find each other by locally joining an IP multicast group. ADecent-Pull BasedDecent-Pull-based Mapping System uses DNS with an algorithmic transformation function so xTRs can find each other.</t> <t>The document proposes two approaches to provide state/bandwidth, ease of configurability, and robustness/complexitytradeoffs.trade-offs. When theDecent-Push BasedDecent-Push-based approach isusedused, there is less messaging involved. xTRs can multicast a single Map-Register messagewhichthat goes to all Map-Servers joined to the multicast group. When Map-Servers are added to or removed from the Map-Server cluster group, themapping systemMapping System updates quickly with little human intervention. In the push model, all mapping state is stored in all Map-Servers so there is robustness achieved through redundancy. However, this requires a multicast underlay in nodes between all xTRs and Map-Servers. When a multicast underlay is not available, theDecent-Pull BasedDecent-Pull-based approach can be used with the help of theDNS system.DNS. This approach uses less state overall among the Map-Servers (they each have differentmapping systemMapping System state) and the ITRs know which Map-Server to ask by using the hashing techniques described later in this document.</t> <t>This document does not describe any compatibility with other mapping systems. The design is intentional so that all xTRs and Map-Servers support this specification. Moreover, all xTRs and Map-ServersMUST<bcp14>MUST</bcp14> support either thePull-Basedpull-based orPush-Basedpush-based algorithms. They cannot be mixed. When both are used, they are completely discretemapping systemsMapping Systems just like they would be using one of the LISPWorking Group mapping systemWG Mapping System designs. An implementation can decide to implement only thePull-Basedpull-based approach or thePush-Basedpush-based approach and still be compliant with this specification.</t><t><vspace blankLines='40' /></t></section> <sectiontitle="Decent-Push Basednumbered="true" toc="default"> <name>Decent-Push-Based MappingSystem">System</name> <t>The xTRs are organized in a mapping-system group. The group is identified by an IPv4 or IPv6 multicast group address or using aDecent-Pull basedDecent-Pull-based approach described in <xreftarget="PULL"/>.target="PULL" format="default"/>. When using multicast, the xTRs join the same multicast group and receive LISPcontrol-planecontrol plane messages addressed to the group. Messages sent to the multicast group are distributed when the underlay network supports IP multicast <xreftarget="RFC6831"/>target="RFC6831" format="default"/> or via the overlay multicast mechanism described in <xreftarget="RFC8378"/>.target="RFC8378" format="default"/>. When overlay multicast is used and LISP Map-Register messages are sent to the group, they are LISP data encapsulated withaan instance-ID set to 0xffffff in the LISP header. The inner header of the encapsulated packet has the destination address set to the multicast group address and the outer header that is prepended has the destination address set to the RLOC ofmapping systemMapping System group member. The members of themapping systemMapping System group are kept in the LISPdata-planedata plane map-cache so packets for the group can be replicated to each member RLOC.</t> <t>All xTRs in amapping systemMapping System group will store the same registered mappings and maintain the state as Map-Servers normally do. The members are not only receivers of the multicastgroupgroup, but they also send packets to the group.</t> <sectiontitle="Componentsnumbered="true" toc="default"> <name>Components of aDecent-Pushed BasedDecent-Push-Based LISP-DecentxTR">xTR</name> <t>When an xTR is configured to be a LISP-Decent xTR (or PxTR <xreftarget="RFC6832"/>),target="RFC6832" format="default"/>), it runs the ITR, ETR, Map-Resolver, and Map-Server LISP network functions.</t> <t>The following diagram shows 3 LISP-Decent xTRs joined tomapping systemMapping System group address 233.252.1.1. When the ETR function of xTR1 originates a Map-Register, it is sent to all xTRs (including itself) synchronizing all 3 Map-Servers in xTR1, xTR2, and xTR3. The ITR function can populate its map-cache by sending a Map-Request locally to its Map-Resolver so it can replicate packets to each RLOC for EID 233.252.1.1.</t> <t>In this document, there is no special meaning for the multicast group address 233.252.1.1. It is used for example purposes only.</t><figure> <preamble></preamble> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ xTR1 Map-Request +--------------------+ (always local) | +-----+ +-----+ | +---------------| ITR | | ETR |-------------+ | | +-----+ +-----+ | | | | | | Map-Register toEID| | +-------+ | | EID 233.252.1.1encapsulated to+------------------>| MR/MS |<---------------+RLOCs xTR1, xTR2, and xTR3encapsulated to | +-------+ | | RLOCs xTR1, xTR2, +--------------------+ | and xTR3 | +--------------------+------------+ | | | | +----------v---------+ +----------v---------+ | +--------+ | | +--------+ | | | MR/MS | | | | MR/MS | | | +--------+ | | +--------+ | | +-----+ +-----+ | | +-----+ +-----+ | | | ITR | | ETR | | | | ITR | | ETR | | | +-----+ +-----+ | | +-----+ +-----+ | +--------------------+ +--------------------+ xTR2xTR3 ]]></artwork> <postamble /> </figure>xTR3]]></artwork> <t>Note that if any external xTR would like to use a Map-Resolver from themapping systemMapping System group, it only needs to have one of the LISP-Decent Map-Resolvers configured. Bydoing alookingto thisat the Map-Resolver for EID 233.252.1.1, the external xTR could get the complete list of members for themapping systemMapping System group.</t> <t>For future study, an external xTR could multicast the Map-Request to 233.252.1.1 and either one of the LISP-Decent Map-Resolvers would return a Map-Reply or the external xTR is prepared to receive multiple Map-Replies.</t> </section> <sectiontitle="Implementation Considerations">numbered="true" toc="default"> <name>Implementation Considerations</name> <t>There are no LISPprotocolchanges required to support theDecent-Push basedDecent-Push-based LISP-Decent set of procedures. An implementation that sends Map-Register messages to a multicast group versus a specific Map-Server unicast addressMUST<bcp14>MUST</bcp14> change to call thedata-planedata plane component so the ITR functionality in the node can encapsulate the Map-Register as a unicast packet to each member of themapping systemMapping System group.</t> <t>An ITRSHOULD lookup<bcp14>SHOULD</bcp14> look up itsmapping systemMapping System group address periodically to determine if the membership has changed. The lookup interval is a configuration parameter only needed whenwhenthe ITR does not use the PubSub capability documented in <xreftarget="RFC9437"/>target="RFC9437" format="default"/> to be notified when a new member joins or leaves the multicast group. When PubSub is not used, there needs to be coordination (via configuration management) among all xTRs so they rendezvous roughly at the same time and to the same group address.</t> </section> <sectiontitle="Configurationnumbered="true" toc="default"> <name>Configuration andAuthentication">Authentication</name> <t>When xTRs are joined to a multicast group, theyMUST<bcp14>MUST</bcp14> have their site registration configuration consistent. Any policy or authentication key materialMUST<bcp14>MUST</bcp14> be configured consistently among all members. When <xreftarget="I-D.ietf-lisp-ecdsa-auth"/>target="I-D.ietf-lisp-ecdsa-auth" format="default"/> is used to sign Map-Register messages,public-keyspublic keys can be registered to themapping systemMapping System group using the site authentication key mentioned above or using a different authentication key from the one used for registering EID records. An out-of-band registration controller, like an ETR dedicated for this function, can send Map-Register messages for public-key encoded EIDs.</t> </section> <sectiontitle="Core Seed-Group">numbered="true" toc="default"> <name>Core Seed-Group</name> <t>A core seed-group can be discovered using a multicast group in aDecent-Push basedDecent-Push-based system or a Map-Server set of DNS names in aDecent-Pull basedDecent-Pull-based system (see <xreftarget="PULL"/>target="PULL" format="default"/> for details).</t> <t>When using multicast for themapping systemMapping System group, a core seed-group multicast group address can be preconfigured to bootstrap the decentralizedmapping system.Mapping System. The group address (or DNS name that maps to a group address) can be explicitly configured in a few xTRs to start building up the registrations. Then as other xTRs come online, they can add themselves to the core seed-group by joining the seed-group multicast group.</t> <t>Alternatively or additionally, new xTRs can join a newmapping systemMapping System multicast group to form another layer of a decentralizedmapping system.Mapping System. The group address and members of this new layer seed-group would be registered to the core seed-group address and stored in the core seed-group mapping system. Note that eachmapping systemMapping System layer could have a specific function or a specific circle of trust.</t><t><vspace blankLines='20' /></t><t>This multi-layermapping systemMapping System can be illustrated:</t><figure> <preamble></preamble> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ ____________ ----------- / core \ 233.252.2.2 / layer-1 \ | seed-group | ----------> | I | | 233.252.1.1 | | / \ | \____________/ | J---K | | \___________/ | 233.252.3.3 | v --------- / layer-2 \ | X | | / \ | | Y---Z | \_________/ Configured in xTRs A, B, and C (they make up the core seed-group): 233.252.1.1 -> RLE: A, B, C core seed-group DMS, mapping state in A, B, and C: 233.252.2.2 -> RLE: I, J, K 233.252.3.3 -> RLE: X, Y, Z layer-1 seed-group DMS (inter-continental), mapping state in I, J, K: EID1 -> RLOCs: i(1), j(2) ... EIDn -> RLOCs: i(n), j(n) layer-2 seed-group DMS (intra-continental), mapping sate in X, Y, Z:: EIDa -> RLOCs: x(1), y(2) ... EIDz -> RLOCs: x(n),y(n) ]]></artwork> <postamble /> </figure>y(n)]]></artwork> <t>The core seed-group multicast address 233.252.1.1 is configured in xTRs A,BB, and C so when each of them send Map-Register messages, they would all be able to maintain synchronized mapping state. Any EID can be registered to thisDMSDMS, but in this example, seed-group multicast group EIDs are being registered only to find othermapping systemMapping System groups.</t> <t>For example,lets say thatxTR I boots up and it wants to find its other peers in itsmapping systemMapping System group address 233.252.2.2. Group address 233.252.2.2 is configured so xTR I knows what group to join for itsmapping systemMapping System group.ButHowever, xTR I needs amapping systemMapping System to register to, so the core seed-group is used and available to receive Map-Registers. The other xTRs J and K in themapping systemMapping System group do the same so when any of I,JJ, or K needs to register EIDs, they can now send their Map-Register messages to group address 233.252.2.2. Examples of EIDs beingregisterregistered are EID1 through EIDn shown above.</t> <t>When Map-Registers are sent to group address 233.252.2.2, they are encapsulated by the LISPdata-planedata plane by looking up EID 233.252.2.2 in the core seed-groupmapping system.Mapping System. For the map-cache entry to be populated for 233.252.2.2, thedata-plane MUSTdata plane <bcp14>MUST</bcp14> send a Map-Request so the RLOCs I, J, and K are cached for replication. To use the core seed-groupmapping system,Mapping System, thedata-plane MUSTdata plane <bcp14>MUST</bcp14> know of at least one of the RLOCs A, B, and/or C.</t> </section> </section> <sectiontitle="Decent-Pull Basedanchor="PULL" numbered="true" toc="default"> <name>Decent-Pull-Based MappingSystem" anchor="PULL">System</name> <sectiontitle="Componentsnumbered="true" toc="default"> <name>Components of a Decent-Pulled Based LISP-DecentxTR">xTR</name> <t>When an xTR is configured to be a LISP-Decent xTR (or PxTR <xreftarget="RFC6832"/>),target="RFC6832" format="default"/>), it runs the ITR, ETR, Map-Resolver, and Map-Server LISP network functions.</t> <t>Unlike theDecent-Push BasedDecent-Push-based Mapping System, the xTRs do not need to be organized by joining a multicast group. In aDecent-Pull BasedDecent-Pull-based Mapping System, a hash function over an EID is used to identify which xTR is used as the Map-Resolver and Map-Server. TheDomain Name System (DNS)DNS <xreftarget="RFC1034"/>target="RFC1034" format="default"/> <xreftarget="RFC1035"/>target="RFC1035" format="default"/> is used as a resource discovery mechanism.</t> <t>The RLOC addresses of the xTRs will be A and AAAA records for DNS names that map algorithmically from the hash of the EID. A SHA-256 hash function <xreftarget="RFC6234"/>target="RFC6234" format="default"/> over the followingASCII formattedASCII-formatted EID string is used:</t><figure> <preamble></preamble> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ [<iid>]<eid>/<ml>[<iid>]<group>/<gml>-<source>/<sml> ]]></artwork> <postamble /> </figure>[<iid>]<group>/<gml>-<source>/<sml>]]></artwork> <t>In this section, where you see angle brackets, they are replaced with values in ASCII characters. For example, a unicast EID of 1.1.1.1 in instance-id 11 would be encoded as a string "[11]1.1.1.1/32".</t><t>Where <iid><t><iid> is the instance-ID and <eid> is the EID of any EID-type defined in <xreftarget="RFC8060"/>. And then thetarget="RFC8060" format="default"/>. The Modulus Value <mv> is used to produce the Name Index <index> used to build the DNS lookup name:</t><figure> <preamble></preamble> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ eid = "[<iid>]<eid>/<ml>" index = hash.sha_256(eid) MODmv ]]></artwork> <postamble /> </figure>mv]]></artwork> <t>The Hash Mask is used to select what bits are used in the SHA-256 hash function. This is required to support longest match lookups in themapping system.Mapping System. The samemap-serverMap-Server set needs to be selected when looking up a more-specific EID found in the Map-Request message with one that could match a less-specific EID-prefix registered and found in the Map-Register message. For example, if an EID-prefix [0]240.0.1.0/24 is registered to themapping systemMapping System and EID [0]240.0.1.1/32 is looked up to match the registered prefix, a Hash Mask of 8 bytes can be used to AND both the /32 or /24 entries to produce the same hash string bits of "[0]240.0".</t> <t>For (*,G) and (S,G) multicast entries in themapping system,Mapping System, the hash strings are:</t><figure> <preamble></preamble> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ sg-eid = "[<iid>]<group>/<gml>-<source>/<sml>" index = hash.sha_256(sg-eid) MOD mv starg-eid = "[<iid>]<group>/<gml>-0.0.0.0/0" index = hash.sha_256(starg-eid) MODmv ]]></artwork> <postamble /> </figure>mv]]></artwork> <t>The Hash MaskMUST<bcp14>MUST</bcp14> include the string "[<iid>]<group>" and not string <source>. So when looking up [0](2.2.2.2, 233.252.1.1) that will match a (*, 233.252.1.1/32), the hash string produced with a Hash Mask of 12 bytes is "[0]233.252.1.1".</t> <t>When the <index> is computed from a unicast or multicast EID, the DNS lookup name becomes:</t><figure> <preamble></preamble> <artwork><![CDATA[ <index>.map-server.example.com ]]></artwork> <postamble /> </figure><artwork name="" type="" align="left" alt=""><![CDATA[ <index>.map-server.example.com]]></artwork> <t>When an xTR does a DNS lookup on the lookup name, it will send Map-Register messages to all A and AAAA records for EID registrations. For Map-Request messages, xTRsMAY<bcp14>MAY</bcp14> round robin EID lookup requests among the A and AAAA records.</t> </section> <sectiontitle="Configurablenumbered="true" toc="default"> <name>Configurable EID Prefix Lengths forLookups">Lookups</name> <t>In implementations where EID allocations follow a predictable pattern, operatorsMAY<bcp14>MAY</bcp14> configure ITRs to use specific prefix lengths for lookups when the EID falls within well-known allocation ranges. This configuration allows ITRs to compute the correct hash index even when data packets carry more-specific EIDs than the prefix lengths used by ETRs during registration.</t> <t>For example, if an operator allocates EIDs in the range [0]240.11.0.0/16 and all ETRs register these EIDs with a /24 prefix length, ITRs receiving data packets for EIDs like [0]240.11.1.1/32 will still hash on the /24 prefix to locate the correct Map-Server. Without this configuration, the ITR would hash on the /32 and potentially query the wrong Map-Server.</t> <t>ITRsSHOULD<bcp14>SHOULD</bcp14> support configuration of EID prefix ranges and their associated lookup prefix lengths. When an ITR performs a Map-Request lookup, itSHOULD<bcp14>SHOULD</bcp14> check if the destination EID matches any configured range. If a match is found, the ITRMUST<bcp14>MUST</bcp14> use the configured lookup prefix length instead of the EID'snativeregistered prefix length when computing the hash string. When multiple configured ranges match a given EID, the range with the longest (most-specific) configured prefix lengthMUST<bcp14>MUST</bcp14> be selected.</t> <t>The configuration consists of pairs of EID-prefix (the well-known EID allocation range inCIDRClassless Inter-Domain Routing (CIDR) notation, e.g., 240.11.0.0/16) and lookup-length (the prefix length to use for hash computation when EIDs fall within this range, 0-32 bytes forIPv4,IPv4 and 0-128 bytes for IPv6).</t> <t>Implementation note: When computing the hash string for a lookup where the EID matches a configured range, the ITRMUST<bcp14>MUST</bcp14> construct the hash string using the configured lookup-length, ensuring that the bits beyond the lookup-length are zero (i.e., the EID address is masked to the lookup-length before converting to the hash string format).</t> <t>Example configuration with multiple EID ranges:</t><figure> <preamble></preamble> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ EID Range Configuration: Range: [0]240.11.0.0/16 -> lookup-length: 24 Range: [0]240.12.0.0/16 -> lookup-length: 30 Range: [0]240.13.0.0/16 -> lookup-length: 25 Lookup Examples: EID [0]240.11.1.1/32 -> hash on [0]240.11.1.0/24 EID [0]240.12.2.5/32 -> hash on [0]240.12.2.4/30 EID [0]240.13.3.7/32 -> hash on [0]240.13.3.0/25 EID [0]240.14.1.1/32 -> hash on [0]240.14.1.1/32 (no match, use full EID) ]]></artwork><postamble /> </figure><t>This approach is particularly useful in deployments where themapping systemMapping System uses a consistent ETR registration strategy (e.g., all ETRs in a region register with /24prefixes)prefixes), but ITRs receive packets with more-specific destinations (/32 addresses). By configuring the expected registration prefix length for each allocation range, ITRs can reliably locate the correct Map-Servers without modifyingtheLISPprotocolsor introducing complex multi-level lookups.</t> </section> <sectiontitle="Deployment Example">numbered="true" toc="default"> <name>Deployment Example</name> <t>Here is an example deployment of aDecent-Pull basedDecent-Pull-based model. Let's say that 4map-serverMap-Server sets are provisioned for themapping system. ThereforeMapping System. Therefore, 4 distinct DNS names are allocated and a Modulus Value 4 is used. Each DNS name is allocated Name Index 0 through 3:</t><figure> <preamble></preamble> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ 0.map-server.lispers.net 1.map-server.lispers.net 2.map-server.lispers.net3.map-server.lispers.net ]]></artwork> <postamble /> </figure>3.map-server.lispers.net]]></artwork> <t>The A records for each name can be assigned as:</t><figure> <preamble></preamble> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ 0.map-server.lispers.net: A <rloc1-att> A <rloc2-verizon> 1.map-server.lispers.net: A <rloc1-bt> A <rloc2-dt> 2.map-server.lispers.net: A <rloc1-cn> A <rloc2-kr> 3.map-server.lispers.net: A <rloc1-au> A<rloc2-nz> ]]></artwork> <postamble /> </figure><rloc2-nz>]]></artwork> <t>When an xTR wants to register"[1000]fd::2222","[1000]fd::2222/128", it hashes the EID string to produce, for example, hash value0x66.0x67. Using the modulus value 4 (0x67 & 0x3) produces index 0x3, so the DNS name 3.map-server.lispers.net is used and a Map-Register is sent to <rloc1-au> and <rloc2-nz>.</t> <t>Note that theDecent-Pull basedDecent-Pull-based method can be used for a core seed-group for bootstrapping aDecent-Push based mapping systemDecent-Push-based Mapping System where multicast groups are registered.</t> </section> <sectiontitle="Management Considerations">numbered="true" toc="default"> <name>Management Considerations</name> <t>An implementationSHOULD<bcp14>SHOULD</bcp14> do periodic DNS lookups to determine if A records have changed for a DNS entry. This is a configuration parameter the network operator selects. This specification makes no recommendation for an interval value.</t> <t>When xTRs derive Map-Resolver and Map-Server names from the DNS, they need to use the same ModulusValue otherwiseValue. Otherwise, some xTRs willlookuplook up EIDs to the wrong place they were registered.</t> <t>The Modulus Value can be configured or pushed to the LISP-Decent xTRs. A future version of this document will describe a push mechanism so all xTRs use a consistent modulus value.</t> </section> </section> <sectiontitle="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>Refer tothe Security Considerations section of<xreftarget="RFC9301"/>target="RFC9301" sectionFormat="of" section="9"/> for a complete list of security mechanisms as well as pointers to threat analysisdrafts.</t> <t>It is recommended, wheredocuments.</t> <t>Where DNS is deployed for thePull-BasedPull-based Mapping System, it is recommended to use DNSSEC <xreftarget="RFC9364"/> be usedtarget="RFC9364" format="default"/> to add more security to the DNS lookup system.</t> <t>Replay attacks, spoofing, and trust relationships are discussed in detail in <xreftarget="RFC9301"/>target="RFC9301" format="default"/> and <xreftarget="RFC9303"/>.</t>target="RFC9303" format="default"/>.</t> </section> <sectiontitle="IANA Considerations"> <t>At this time there arenumbered="true" toc="default"> <name>IANA Considerations</name> <t>This document has nospecific requests for IANA.</t>IANA actions.</t> </section> </middle> <back><references title='Normative References'> <?rfc include="reference.RFC.2119'?> <?rfc include="reference.RFC.8174'?> <?rfc include="reference.RFC.9300'?> <?rfc include="reference.RFC.9301'?> <?rfc include="reference.RFC.9303'?> <?rfc include="reference.RFC.9364'?> <?rfc include="reference.RFC.6832'?> <?rfc include="reference.RFC.6836'?> <?rfc include="reference.RFC.8111'?> <?rfc include="reference.RFC.8060'?> <?rfc include="reference.RFC.1034'?> <?rfc include="reference.RFC.1035'?> <?rfc include="reference.RFC.6234'?> <?rfc include="reference.RFC.9437'?> <?rfc include="reference.RFC.6831'?> <?rfc include="reference.RFC.8378'?><displayreference target="I-D.ietf-lisp-ecdsa-auth" to="ECDSA-AUTH"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9300.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9301.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9303.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9364.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6832.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6836.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8111.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8060.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6234.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9437.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6831.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8378.xml"/> </references><references title='Informative References'> <?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-lisp-ecdsa-auth.xml'?><references> <name>Informative References</name> <!--[I-D.ietf-lisp-ecdsa-auth] draft-ietf-lisp-ecdsa-auth-15 IESG State: I-D Exists as of 12/12/25 --> <referenceanchor="MAR-WG-PRESO">anchor="I-D.ietf-lisp-ecdsa-auth" target="https://datatracker.ietf.org/doc/html/draft-ietf-lisp-ecdsa-auth-16"> <front> <title>LISPWG March 2018 Presentation</title>Control-Plane ECDSA Authentication and Authorization</title> <author fullname="Dino Farinacci" initials="D." surname="Farinacci"> <organization>lispers.net</organization> </author> <author fullname="Erik Nordmark" initials="E." surname="Nordmark"> <organization>Zededa</organization> </author> <date day="29" month="January" year="2026"/> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-lisp-ecdsa-auth-16"/> </reference> <reference anchor="IETF101-PRESO" target="https://datatracker.ietf.org/meeting/101/materials/slides-101-lisp-lisp-decentralized-mapping-system-00"> <front> <title>A Decentralized Mapping System: draft-farinacci-lisp-decent-00</title> <author fullname="Dino Farinacci"/> <author fullname="Colin Cantrell"/> <date year="2018"month="March" />month="March"/> </front><refcontent>https://www.dropbox.com/scl/fi/eqoqestxsoc4w7zh2t8dr/lisp-decent-ietf-london.pdf?rlkey=dw0c96xtbi4c5074a2i90g4qh</refcontent><refcontent>IETF 101 Proceedings</refcontent> </reference> <referenceanchor="JUL-WG-PRESO">anchor="IETF104-PRESO" target="https://datatracker.ietf.org/meeting/104/materials/slides-104-lisp-a-decent-lisp-mapping-system-00"> <front><title>LISP WG July 2019 Presentation</title><title>A Decentralized Mapping System: draft-farinacci-lisp-decent-03</title> <author fullname="Dino Farinacci"/> <author fullname="Colin Cantrell"/> <date year="2019"month="July" />month="March"/> </front><refcontent>https://www.dropbox.com/scl/fi/3z7uichvi8x9940xlz6pm/lisp-decent-ietf-prague.pdf?rlkey=4v1lup23zc0j6kpicqfr2npro</refcontent><refcontent>IETF 104 Proceedings</refcontent> </reference> </references> </references> <sectiontitle="Acknowledgments">numbered="false" toc="default"> <name>Acknowledgments</name> <t>The authors would like to thank the LISP WG for their review and acceptance of this draft.</t> <t>The authors would also like to give a special thanks toRoman Shaposhnik<contact fullname="Roman Shaposhnik"/> for several discussions that occurred before thefirstinitial draftwas published.</t> <t>ISE Eliot Lear and Victor Morenoof this document.</t> <t><contact fullname="Eliot Lear"/> and <contact fullname="Victor Moreno"/> are appreciated for their effortsproof readingproofreading the draft beforeInformational RFC publication.</t> </section> <section title="Document Change Log"> <t>[RFC Editor: Please delete this section onpublication asRFC.]</t> <section title="Changes to draft-farinacci-lisp-decent-22"> <t><list style="symbols"> <t>Posted March 2026.</t> <t>Add section on configuring EID-prefix mask lengths in ITRs so when a non /32 or /128 is registered, the lookup hash is consistent with the registration hash.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-21"> <t><list style="symbols"> <t>Posted November 2025.</t> <t>Remove normative references to bis documents for RFC6831, RFC8378, and RFC8060 but keep the original RFCs.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-20"> <t><list style="symbols"> <t>Posted October 2025.</t> <t>Made editorial changes suggested by Eliot.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-19"> <t><list style="symbols"> <t>Posted October 2025.</t> <t>Victor Moreno completed proof-read and submitted editorial comments.</t> <t>Dino completed final proof-read.</t> <t>Updated references to latest working group drafts and RFCs.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-18"> <t><list style="symbols"> <t>Posted July 2025.</t> <t>Made suggested changes to reflect comments from Joel and Padma per ISE (Eliot) distinguished review request. This should be final review cycle.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-17"> <t><list style="symbols"> <t>Posted April 2025.</t> <t>Made suggested changes to reflect second review from ISE (Eliot Lear).</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-16"> <t><list style="symbols"> <t>Posted December 2024.</t> <t>Made suggested changes from ISE review.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-15"> <t><list style="symbols"> <t>Posted June 2024.</t> <t>Making draftanISE submission as InformationalRFC.</t><t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-14"> <t><list style="symbols"> <t>Posted April 2024.</t> <t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-13"> <t><list style="symbols"> <t>Posted October 2023.</t> <t>Make the general definitions of "pull-based" and "push-based" be more specific to the way LISP-Decent uses them. Call them Decent-Pull and Decent-Push.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-12"> <t><list style="symbols"> <t>Posted August 2023.</t> <t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-11"> <t><list style="symbols"> <t>Posted February 2023.</t> <t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-10"> <t><list style="symbols"> <t>Posted August 2022.</t> <t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-09"> <t><list style="symbols"> <t>Posted February 2022.</t> <t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-08"> <t><list style="symbols"> <t>Posted August 2021.</t> <t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-07"> <t><list style="symbols"> <t>Posted March 2021.</t> <t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-06"> <t><list style="symbols"> <t>Posted September 2020.</t> <t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-05"> <t><list style="symbols"> <t>Posted March 2020.</t> <t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-04"> <t><list style="symbols"> <t>Posted September 2019.</t> <t>Update references and document expiry timer.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-03"> <t><list style="symbols"> <t>Posted March 2019.</t> <t>Introduce the Hash Mask which is used to grab common bits from a registered prefix and a lookup prefix.</t> <t>Spec how multicast lookups are done in the pull-based mapping system.</t> <t>Indicate the hash string includes the unicast EID mask-length and multicast group and source mask-lengths.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-02"> <t><list style="symbols"> <t>Posted November 2018.</t> <t>Changed references from peer-group to seed-group to make the algorithms in this document more like how blockchain networks initialize the peer-to-peer network.</t> <t>Added pull mechanism to complement the push mechanism. The pull mechanism could be used as a seed-group to bootstrap the push mechanism.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-01"> <t><list style="symbols"> <t>Posted July 2018.</t> <t>Document timer and reference update.</t> </list></t> </section> <section title="Changes to draft-farinacci-lisp-decent-00"> <t><list style="symbols"> <t>Initial draft posted January 2018.</t> </list></t> </section></section> </back> </rfc>