The IPv6 Tunnel Payload Forwarding (TPF) Option

Juniper Networks
2251 Corporate Park Drive
Herndon, Virginia 20171
USA
Email: rbonica@juniper.net

NTT Communications Corporation
3-4-1 Shibaura, Minato-ku
Tokyo 108-8118
Japan
Email: y.kamite@ntt.com

Verizon
Richardson, Texas
USA
Email: luay.jalil@one.verizon.com

ByteDance
Building 1, AVIC Plaza, 43 N 3rd Ring W Rd Haidian District
Beijing 100000
P.R. China
Email: yifeng.zhou@bytedance.com

Baidu
No.10 Xibeiwang East Road Haidian District
Beijing 100193
P.R. China
Email: phdgang@gmail.com

INT Area
6man
Keywords: IPv6, VPN, Destination Option

This document explains how IPv6 options can be used in IPv6 tunnels.
It also defines the IPv6 Tunnel Payload Forwarding (TPF) option.

An IPv6 tunnel connects two nodes,
called the entry-point and the exit-point. The entry-point receives a
packet and encapsulates it in a Tunnel IPv6 Header. depicts the encapsulation.

The original packet can be any layer-2 or layer-3 packet (e.g.,
Ethernet, IPv4, IPv6). The Tunnel Header is an IPv6 header followed by
zero or more extension headers. The resulting packet is a Tunnel IPv6
Packet.

The entry-point sends the Tunnel IPv6 Packet to the exit-point which
then executes the following procedure:

1. Process the Tunnel IPv6 Header.
2. Remove the Tunnel IPv6 Header, exposing the original packet.
3. Submit the original packet to the next-protocol engine.

The exit-point node processes the Tunnel IPv6 Header in strict
left-to-right order. It processes the IPv6 header first and then
processes extension headers in the order that they appear in the packet.
The IPv6 header, and each extension header, includes a Next Header
field. The last Next Header field processed identifies the next-protocol
engine.

Entry-point nodes can send optional information to the next-protocol
engine on the exit-point node. For example, the entry-point can
indicate:

- The interface through which the next-protocol engine should send
  the packet.
- The routing table that the next-protocol engine should use to
  process the packet.

To send this information, the entry-point node includes an IPv6
Destination Options header in the Tunnel IPv6 Header. The IPv6
Destination Options header includes an IPv6 TPF option and the IPv6 TPF
option includes TPF information. The next-protocol engine on the
exit-point node uses TPF information when it forwards the original
packet.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 when, and only when, they appear in all capitals, as shown here.

The TPF Option contains the following fields:

- Option Type: 8-bit selector. TPF option. Value TBD by IANA.
  (Suggested value: 33). See Note below.
- Opt Data Len: 8-bit unsigned integer. Length of the option, in
  octets, excluding the Option Type and Option Length fields. This
  field MUST be set to 4.
- Option Data: 32 bits. Tunnel Payload Forwarding (TPF)
  Information.

The TPF option MAY appear in a Destination Options header that
precedes an upper-layer header. It MUST NOT appear in a Hop-by-hop
Options header or in a Destination Options header that precedes a
Routing header.

NOTE: The highest-order two bits of the Option Type (i.e., the "act"
bits) are 01. These bits specify the action taken by a destination node
that does not recognize the option. The required action is to discard
the packet. The third highest-order bit of the Option Type (i.e., the
"chg" bit) is 0. This indicates that Option Data cannot be modified
along the path between the packet's source and its destination.

An exit-point node supports one or more next-protocol engines (e.g.,
Ethernet, IPv4, IPv6). Each next-protocol engine supports a default
forwarding procedure and zero or more special forwarding procedures.

When an exit-point node submits a packet to a next-protocol engine
without TPF information, the next-protocol engine executes its default
forwarding procedure. For example, assume that the exit-point node
receives the following Tunnel IPv6 Packet:

- The Tunnel IPv6 Packet does not contain TPF information.
- The original packet is IPv4.

In this case, the exit-point node processes and removes the
Tunnel IPv6 Header. It then submits the original packet, without any TPF
information, to the IPv4 protocol engine.

The IPv4 protocol engine executes its default forwarding procedure.
It searches its Forwarding Information Base (FIB) for an entry that
matches the original packet's destination address. If the search returns
a FIB entry, the protocol engine forwards the packet through an
interface that the FIB entry identifies.

When an exit-point node submits a packet to a next-protocol engine
with TPF information, the next-protocol engine executes a special
forwarding procedure. For example, assume that the exit-point node
receives the following Tunnel IPv6 Packet:

- The Tunnel IPv6 Packet contains TPF information that identifies
  an interface.
- The original packet is IPv4.

In this case, the exit-point node processes and removes the
Tunnel IPv6 Header. It then submits the original packet, along with TPF
information, to the IPv4 protocol engine.

The IPv4 protocol engine executes a special forwarding procedure. It
forwards the packet through the interface identified by TPF information,
without searching the FIB.

TPF information is opaque. While it must be understood by the
entry-point node and the exit-point node, it does not need to be
understood by any other node.

The IPv6 TPF option is useful in deployments where IPv6 tunnels
carry:

- Layer 3 Virtual Private Network (L3VPN) traffic.
- Ethernet Virtual Private Network (EVPN) traffic.

When an IPv6 tunnel carries L3VPN traffic, VPN context
information can be encoded in an IPv6 TPF option. Therefore, the MPLS
service label that is normally present in an L3VPN packet can be
eliminated.

When an IPv6 tunnel carries EVPN traffic, VPN context information can
be encoded in an IPv6 TPF option. Therefore, the UDP and VXLAN headers
that might otherwise be present can be eliminated.

TPF information MUST NOT be accepted from untrusted sources. The
following are acceptable methods of risk mitigation:

- Authenticate the IPv6 TPF option using the IPv6 Authentication
  Header (AH) or the IPv6 Encapsulating Security Payload (ESP) Header.
- Maintain a secure TPF domain.

All nodes at the edge of a secure TPF domain discard packets
that satisfy the following criteria:

- Contain an IPv6 TPF option.
- Contain an IPv6 Destination Address that represents an interface
  inside of the secure TPF domain.

IANA is requested to allocate a code point from the Destination
Options and Hop-by-hop Options registry
(https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#ipv6-parameters-2).
This option is called "Tunnel Payload Forwarding Option". The "act" bits
are 01 and the "chg" bit is 0. The suggested value is 33.

Thanks to Dr. Vanessa Ameen, Brian Carpenter, Adrian Farrel, Tom
Herbert, John Leddy, Srihari Sangli and Tony Li for their comments.

Chris Lenart
Verizon
22001 Loudoun County Parkway
Ashburn, Virginia 20147 USA
Email: chris.lenart@verizon.com

Greg Presbury
Hughes Network Systems
11717 Exploration Lane
Germantown, Maryland 20876 USA
Email: greg.presbury@hughes.com
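
The TPF option's field and placement rules and the edge-discard rule from the security text above can be checked with one extension-header walk. The following Python is an added example, not part of this document or of any implementation of it. It assumes option type 33 (the suggested value, still TBD by IANA), reassembled packets (the walk stops at Fragment, ESP and upper-layer headers) and a fail-closed policy for malformed header chains; the function names and sample addresses are hypothetical and constructed.

```python
import ipaddress

TPF = 33   # suggested value on the page; the final code point is TBD by IANA
HBH, ROUTING, AH, DSTOPTS = 0, 43, 51, 60   # IPv6 Next Header values

def find_tpf(pkt):
    """Return [position, data] per TPF option; position is 'hbh', 'pre-routing' or 'dst'."""
    nh, off, found = pkt[6], 40, []
    while nh in (HBH, ROUTING, AH, DSTOPTS):
        size = 4 * (pkt[off + 1] + 2) if nh == AH else 8 * (pkt[off + 1] + 1)
        if off + size > len(pkt):
            raise ValueError("truncated extension header")
        if nh == ROUTING:                 # options headers seen so far precede a Routing header
            found = [["pre-routing" if pos == "dst" else pos, data] for pos, data in found]
        i = off + 2 if nh in (HBH, DSTOPTS) else off + size
        while i < off + size:             # TLV options; Pad1 (type 0) has no length octet
            n = 1 if pkt[i] == 0 else 2 + pkt[i + 1]
            if i + n > off + size:
                raise ValueError("truncated option")
            if pkt[i] == TPF:
                found.append(["hbh" if nh == HBH else "dst", pkt[i + 2:i + n]])
            i += n
        nh, off = pkt[off], off + size
    return found

def exit_point_accepts(pkt):
    """Page rules: Opt Data Len is 4; never in Hop-by-hop or before a Routing header."""
    try:
        return all(pos == "dst" and len(data) == 4 for pos, data in find_tpf(pkt))
    except (ValueError, IndexError):
        return False

def edge_discards(pkt, domain):
    """Edge rule: discard if a TPF option is present and the destination is inside the domain."""
    try:
        has_tpf = bool(find_tpf(pkt))
    except (ValueError, IndexError):
        return True                       # assumption: an unparseable header chain fails closed
    return has_tpf and ipaddress.IPv6Address(pkt[24:40]) in ipaddress.ip_network(domain)

def build(dst, chain, upper=4):
    """Constructed sample packet; chain is a list of (header type, body) pairs."""
    kinds, ext = [k for k, _ in chain] + [upper], b""
    for (_, body), nxt in zip(chain, kinds[1:]):
        body += bytes(-(len(body) + 2) % 8)       # Pad1 fill to a multiple of 8 octets
        ext += bytes([nxt, (len(body) + 2) // 8 - 1]) + body
    head = bytes([0x60, 0, 0, 0]) + len(ext).to_bytes(2, "big") + bytes([kinds[0], 64])
    return head + bytes(16) + ipaddress.IPv6Address(dst).packed + ext   # source left as ::

TPF_OPT = bytes([TPF, 4]) + (7).to_bytes(4, "big")   # constructed: TPF information value 7
```

For instance, `edge_discards(build("2001:db8:1::5", [(DSTOPTS, TPF_OPT)]), "2001:db8:1::/48")` is true, while the same packet checked against a domain that does not contain its destination is forwarded.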