RFC 9486 | IOAM IPv6 Options | September 2023 |
Bhandari & Brockners | Standards Track | [Page] |
In situ Operations, Administration, and Maintenance (IOAM) records operational and telemetry information in the packet while the packet traverses a path between two points in the network. This document outlines how IOAM Data-Fields are encapsulated in IPv6.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9486.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In situ Operations, Administration, and Maintenance (IOAM) records operational and telemetry information in the packet while the packet traverses a path between two points in the network. IOAM concepts and associated nomenclature as well as IOAM Data-Fields are defined in [RFC9197]. This document outlines how IOAM Data-Fields are encapsulated in IPv6 [RFC8200] and discusses deployment requirements for networks that use IPv6-encapsulated IOAM Data-Fields.¶
The terms "encapsulation" and "decapsulation" are used in this document in the same way as in [RFC9197]: An IOAM encapsulating node incorporates one or more IOAM Option-Types into packets that IOAM is enabled for.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Abbreviations used in this document:¶
IOAM in IPv6 is used to enhance diagnostics of IPv6 networks. It complements other mechanisms designed to enhance diagnostics of IPv6 networks, such as the "IPv6 Performance and Diagnostic Metrics (PDM) Destination Option" described in [RFC8250].¶
At the time this document was written, several implementations of IOAM for IPv6 exist, e.g., IOAM for IPv6 in the Linux Kernel (supported from Kernel version 5.15 onward, IPv6 IOAM in Linux Kernel) and IOAM for IPv6 in Vector Packet Processing (VPP).¶
IOAM Data-Fields can be encapsulated with two types of extension headers in IPv6 packets -- either the hop-by-hop options header or the destination options header. Multiple options with the same option type MAY appear in the same hop-by-hop options or destination options header with distinct content.¶
An IPv6 packet carrying IOAM data in an extension header can have other extension headers, compliant with [RFC8200].¶
Variable-length field. The data is specific to the Option-Type, as detailed below.¶
The IOAM Pre-allocated Trace Option-Type, defined in Section 4.4 of [RFC9197], is represented as an IPv6 option in the hop-by-hop extension header:¶
The IOAM POT Option-Type, defined in Section 4.5 of [RFC9197], is represented as an IPv6 option in the hop-by-hop extension header:¶
The IOAM E2E Option, defined in Section 4.6 of [RFC9197], is represented as an IPv6 option in destination extension header:¶
The IOAM Direct Export Option-Type, defined in Section 3.2 of [RFC9326], is represented as an IPv6 option in the hop-by-hop extension header:¶
All the IOAM IPv6 options defined here have alignment requirements. Specifically, they all require alignment on multiples of 4 bytes. This ensures that fields specified in [RFC9197] are aligned at a multiple-of-4 offset from the start of the hop-by-hop and destination options header.¶
IPv6 options can have a maximum length of 255 octets. Consequently, the total length of IOAM Option-Types including all data fields is also limited to 255 octets when encapsulated into IPv6.¶
IOAM deployments in IPv6 networks MUST take the following considerations and requirements into account.¶
For deployments where the IOAM-Domain is bounded by hosts, hosts will perform the operation of IOAM Data-Field encapsulation and decapsulation, i.e., hosts will place the IOAM Data-Fields directly in the IPv6 header or remove the IOAM Data-Fields directly from the IPv6 header. IOAM data is carried in IPv6 packets as hop-by-hop or destination options as specified in this document.¶
For deployments where the IOAM-Domain is bounded by network devices, network devices such as routers form the edge of an IOAM-Domain. Network devices will perform the operation of IOAM Data-Field encapsulation and decapsulation. Network devices will encapsulate IOAM Data-Fields in an additional, outer, IPv6 header that carries the IOAM Data-Fields.¶
This document describes the encapsulation of IOAM Data-Fields in IPv6. For general IOAM security considerations, see [RFC9197]. Security considerations of the specific IOAM Data-Fields for each case (i.e., Trace, POT, and E2E) are also described and defined in [RFC9197].¶
As this document describes new options for IPv6, the security considerations of [RFC8200] and [RFC8250] apply.¶
From a network-protection perspective, there is an assumed trust model such that any node that adds IOAM to a packet, removes IOAM from a packet, or modifies IOAM Data-Fields of a packet is assumed to be allowed to do so. By default, packets that include IPv6 extension headers with IOAM information MUST NOT be leaked through the boundaries of the IOAM-Domain.¶
IOAM-Domain boundary routers MUST filter any incoming traffic from outside the IOAM-Domain that contains IPv6 extension headers with IOAM information. IOAM-Domain boundary routers MUST also filter any outgoing traffic leaving the IOAM-Domain that contains IPv6 extension headers with IOAM information.¶
In the general case, an IOAM node only adds, removes, or modifies an IPv6 extension header with IOAM information, if the directive to do so comes from a trusted source and the directive is validated.¶
Problems may occur if the above behaviors are not implemented or if the assumed trust model is violated (e.g., through a security breach). In addition to the security considerations discussed in [RFC9197], the security considerations associated with IPv6 extension headers listed in [RFC9098] apply.¶
The network devices in an IOAM-Domain are trusted to add, update, and remove IOAM options according to the constraints specified in [RFC8200]. IOAM-Domain does not rely on the AH as defined in [RFC4302] to secure IOAM options. The use of IOAM options with AH and its processing are not defined in this document. Future documents may define the use of IOAM with AH and its processing.¶
IANA has assigned the IPv6 Option-Types from the "Destination Options and Hop-by-Hop Options" subregistry of "Internet Protocol Version 6 (IPv6) Parameters" <https://www.iana.org/assignments/ipv6-parameters/>.¶
Hex Value | Binary Value | Description | Reference | ||
---|---|---|---|---|---|
act | chg | rest | |||
0x11 | 00 | 0 | 10001 | IOAM Destination Option and IOAM Hop-by-Hop Option | RFC 9486 |
0x31 | 00 | 1 | 10001 | IOAM Destination Option and IOAM Hop-by-Hop Option | RFC 9486 |
The authors would like to thank Tom Herbert, Éric Vyncke, Nalini Elkins, Srihari Raghavan, Ranganathan T S, Karthik Babu Harichandra Babu, Akshaya Nadahalli, Stefano Previdi, Hemant Singh, Erik Nordmark, LJ Wobker, Mark Smith, Andrew Yourtchenko, and Justin Iurman for the comments and advice. For the IPv6 encapsulation, this document leverages concepts described in [IPV6-RECORD-ROUTE]. The authors would like to acknowledge the work done by the author Hiroshi Kitamura and people involved in writing it.¶
This document was the collective effort of several authors. The text and content were contributed by the editors and the coauthors listed below.¶