<?xml version='1.0' encoding='utf-8'?>
<!-- This template is for creating an Internet Draft using xml2rfc,
     which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent" [
<!-- One method to get references from the online citation libraries.
     There has to be one entity for each item to be referenced.
     An alternate method (rfc include) is described in the references. --><!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC6550 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6550.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
     please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
     (Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
     (using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="yes" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF"
     category="std" docName="draft-ietf-roll-efficient-npdao-15" number="0000" consensus="true" ipr="trust200902"
      xml:lang="en" version="3" obsoletes="" updates="" submissionType="IETF" xml:lang="en" version="3">
  <!-- xml2rfc v2v3 conversion 2.23.1 -->
      docName="draft-ietf-roll-efficient-npdao-15"
      sortRefs="true" symRefs="true" tocInclude="true">

<!-- category values: std, bcp, info, exp, and historic
    ipr values: full3667, noModification3667, noDerivatives3667
    you can add the attributes updates="NNNN" and obsoletes="NNNN"
    they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** -->

  <front>
    <title abbrev="Efficient Route Invalidation">Efficient Route
    Invalidation</title>

<!-- The abbreviated title is used in the page header - it is only necessary if the
    full title is longer than 39 characters -->
    <title abbrev="Efficient Route Invalidation">Efficient Route Invalidation</title>

    <seriesInfo name="Internet-Draft" value="draft-ietf-roll-efficient-npdao-15"/> name="RFC" value="0000"/>
    <author fullname="Rahul Arvind Jadhav" initials="R.A." role="editor" surname="Jadhav">
      <organization>Huawei</organization>
      <address>
        <postal>
          <street>Kundalahalli Village, Whitefield,</street>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <code>560037</code>
          <country>India</country>
        </postal>
        <phone>+91-080-49160700</phone>
        <email>rahul.ietf@gmail.com</email>
      </address>
    </author>
    <author initials="P" surname="Thubert" fullname="Pascal Thubert">
      <organization abbrev="Cisco">Cisco Systems, Inc</organization>
      <address>
        <postal>
          <street>Building D</street>
          <street>45 Allee des Ormes - BP1200 </street>
          <city>MOUGINS - Sophia Antipolis</city>
          <code>06254</code>
          <country>France</country>
        </postal>
        <phone>+33 497 23 26 34</phone>
        <email>pthubert@cisco.com</email>
      </address>
    </author>
    <author fullname="Rabi Narayan Sahoo" initials="R.N." surname="Sahoo">
      <organization>Huawei</organization>
      <address>
        <postal>
          <street>Kundalahalli Village, Whitefield, </street>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <code>560037</code>
          <country>India</country>
        </postal>
        <phone>+91-080-49160700</phone>
        <email>rabinarayans@huawei.com</email>
      </address>
    </author>
    <author initials="Z" surname="Cao" fullname="Zhen Cao">
      <organization>Huawei</organization>
      <address>
        <postal>
          <street>W Chang'an Ave</street>
          <city>Beijing</city>
          <country>P.R. China</country>
        </postal>
        <email>zhencao.ietf@gmail.com</email>
      </address>
    </author>
    <date month="August" year="2019"/>
    <!-- If the month and year are both specified and are the current ones, xml2rfc will fill
         in the current day for you. If only the current year is specified, xml2rfc will fill
     in the current day and month for you. If the year is not the current one, it is
     necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the
     purpose of calculating the expiry date). With drafts it is normally sufficient to
     specify just the year. -->
    <!-- Meta-data Declarations -->
    <area>General</area>
    <workgroup>ROLL</workgroup>
    <!-- WG name at the upperleft corner of the doc,
         IETF is fine for individual submissions.
     If this element is not present, the default is "Network Working Group",
         which is used by the RFC Editor as a nod to the history of the IETF. -->
    <keyword>template</keyword>
    <!-- Keywords will be incorporated into HTML output
         files in a meta tag but they have no effect on text or nroff
         output. If you submit your draft to the RFC Editor, the
         keywords will be used for the search engine. -->
    <abstract>
      <t>
        This document explains the problems associated with the current use of
        NPDAO messaging and also discusses the requirements for an optimized
        route invalidation messaging scheme. Further a new proactive route
        invalidation message called as "Destination Cleanup Object" (DCO) is
        specified which fulfills requirements of an optimized route
        invalidation messaging.
      </t>
    </abstract>
  </front>
  <middle>
    <section numbered="true" toc="default">
      <name>Introduction</name>
      <t>
            RPL <xref target="RFC6550" format="default"/> (Routing Protocol for Low power and
            lossy networks) specifies a proactive distance-vector based routing
            scheme. RPL has optional messaging in the form of DAO
            (Destination Advertisement Object) messages, which the 6LBR (6Lo
            Border Router) and 6LR (6Lo Router) can use to learn a route
            towards the downstream nodes. In storing mode, DAO messages would
            result in routing entries being created on all intermediate 6LRs
            from the node's parent all the way towards the 6LBR.
      </t>
      <t>
            RPL allows the use of No-Path DAO (NPDAO) messaging to invalidate a
            routing path corresponding to the given target, thus releasing
            resources utilized on that path. A NPDAO is a DAO message with
            route lifetime of zero, originates at the target node and always
            flows upstream towards the 6LBR. This document explains the
            problems associated with the current use of NPDAO messaging and
            also discusses the requirements for an optimized route invalidation
            messaging scheme. Further a new proactive route invalidation
            message called as "Destination Cleanup Object" (DCO) is specified
            which fulfills requirements of an optimized route invalidation
            messaging.
      </t>
      <t>
            The document only caters to the RPL's storing mode of operation
            (MOP). The non-storing MOP does not require use of NPDAO for route
            invalidation since routing entries are not maintained on 6LRs.
      </t>
      <section numbered="true" toc="default">
        <name>Requirements Language and Terminology</name>
        <t>
                The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
                NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
                "MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
                NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
                "<bcp14>MAY</bcp14>", and "OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
                described in BCP 14 <xref target="RFC2119" format="default"/> <xref target="RFC8174" format="default"/> when, and only when, they appear in all
                capitals, as shown here.
        </t>
        <t>
                This specification requires readers to be familiar with all the
                terms and concepts that are discussed in "RPL: IPv6 Routing
                Protocol for Low-Power and Lossy Networks" <xref target="RFC6550" format="default"/>.
        </t>
        <dl newline="true" spacing="compact"> spacing="normal">
          <dt>Low Power and Lossy Networks (LLN):</dt>
          <dd>
                        Network in which both the routers and their
                        interconnect are constrained. LLN routers typically
                        operate with constraints on processing power, memory,
                        and energy (batter power). Their interconnects are
                        characterized by high loss rates, low data rates, and
                        instability.
                    </dd>
          <dt>6LoWPAN Router (6LR):</dt>
          <dd>
                        An intermediate router that is able to send and receive Router
                        Advertisements (RAs) and Router Solicitations (RSs) as well as
                        forward and route IPv6 packets.
                    </dd>
          <dt>Directed Acyclic Graph (DAG):</dt>
          <dd>
                        A directed graph having the property that all edges are
                        oriented in such a way that no cycles exist.
                    </dd>
          <dt>Destination-Oriented DAG (DODAG):</dt>
          <dd>
                        A DAG rooted at a single destination, i.e., at a single
                        DAG root with no outgoing edges.
                    </dd>
          <dt>6LoWPAN Border Router (6LBR):</dt>
          <dd>
                        A border router which is a DODAG root and is the edge
                        node for traffic flowing in and out of the 6LoWPAN
                        network.
                    </dd>
          <dt>Destination Advertisement Object (DAO):</dt>
          <dd>
                        DAO messaging allows downstream routes to the nodes to
                        be established.
                    </dd>
          <dt>DODAG Information Object (DIO):</dt>
          <dd>
                        DIO messaging allows upstream routes to the 6LBR to be
                        established. DIO messaging is initiated at the DAO
                        root.
                    </dd>
          <dt>Common Ancestor node</dt>
          <dd>
                        6LR/6LBR node which is the first common node between
                        two paths of a target node.
                    </dd>
          <dt>No-Path DAO (NPDAO):</dt>
          <dd>
                        A DAO message which has target with lifetime 0 used for
                        the purpose of route invalidation.
                    </dd>
          <dt>Destination Cleanup Object (DCO):</dt>
          <dd>
                        A new RPL control message code defined by this
                        document. DCO messaging improves proactive route
                        invalidation in RPL.
                    </dd>
          <dt>Regular DAO:</dt>
          <dd>
                        A DAO message with non-zero lifetime. Routing
                        adjacencies are created or updated based on this
                        message.
                    </dd>
          <dt>Target node:</dt>
          <dd>
                        The node switching its parent whose routing adjacencies
                        are updated (created/removed).
                    </dd>
        </dl>
      </section>
      <section anchor="current_npdao" numbered="true" toc="default">
        <name>Current NPDAO messaging</name>
        <t>
                RPL uses NPDAO messaging in the storing mode so that the node
                changing its routing adjacencies can invalidate the previous
                route. This is needed so that nodes along the previous path can
                release any resources (such as the routing entry) they maintain
                on behalf of target node.
        </t>
        <t>
                For the rest of this document consider the following topology:
        </t>
        <figure anchor="sample_top">
          <name>Sample                     topology</name>
          <artwork align="center" name="" type="" alt=""><![CDATA[
    (6LBR)
      |
      |
      |
     (A)
     / \
    /   \
   /     \
 (G)     (H)
  |       |
  |       |
  |       |
 (B)     (C)
   \      ;
    \    ;
     \  ;
      (D)
      / \
     /   \
    /     \
  (E)     (F)
                        ]]></artwork>
        </figure>
        <t>
                Node (D) is connected via preferred parent (B). (D) has an
                alternate path via (C) towards the 6LBR. Node (A) is the common
                ancestor for (D) for paths through (B)-(G) and (C)-(H). When
                (D) switches from (B) to (C), RPL allows sending NPDAO to (B)
                and regular DAO to (C).
        </t>
      </section>
      <!--
        <section title="Cases when No-Path DAO may be used">
            <t> There are following cases in which a node switches its parent
                and may employ No-Path DAO messaging:</t>

            <t>Case I: Current parent becomes unavailable because of transient
                or permanent link or parent node failure.</t>

            <t>Case II: The node finds a better parent node i.e. the metrics of
                another parent is better than its current parent.</t>

            <t>Case III: The node switches to a new parent whom it "thinks" has
                a better metric but does not in reality.</t>

            <t>The usual steps of operation when the node switches the parent
                is that the node sends a No-Path DAO message via its current parent
                to invalidate its current route and subsequently it tries to
                establish a new routing path by sending a new DAO via its new
                parent.</t>
        </section>
        -->
      <section numbered="true" toc="default">
        <name>Why Is NPDAO Important?</name>
        <t>
                Nodes in LLNs may be resource constrained. There is limited
                memory available and routing entry records are one of the
                primary elements occupying dynamic memory in the nodes. Route
                invalidation helps 6LR nodes to decide which entries could be
                discarded to better optimize resource utilization. Thus it
                becomes necessary to have an efficient route invalidation
                mechanism. Also note that a single parent switch may result in
                a "sub-tree" switching from one parent to another. Thus the
                route invalidation needs to be done on behalf of the sub-tree
                and not the switching node alone. In the above example, when
                Node (D) switches parent, the route updates needs to be done
                for the routing tables entries of (C),(H),(A),(G), and (B) with
                destination (D),(E) and (F). Without efficient route
                invalidation, a 6LR may have to hold a lot of stale route
                entries.
        </t>
      </section>
    </section>
    <section anchor="current_npdao_problems" numbered="true" toc="default">
      <name>Problems with current NPDAO messaging</name>
      <section numbered="true" toc="default">
        <name>Lost NPDAO due to link break to the previous parent</name>
        <t>
                When a node switches its parent, the NPDAO is to be sent to
                its previous parent and a regular DAO to its new parent. In
                cases where the node switches its parent because of transient
                or permanent parent link/node failure then the NPDAO message is
                bound to fail.
        </t>
        <!--
            <t>
                RPL allows use of route lifetime to remove unwanted routes in
                case the routes could not be refreshed. But route lifetimes in
                case of LLNs could be substantially high and thus the route
                entries would be stuck for longer times.
            </t>
            -->
      </section>
      <section numbered="true" toc="default">
        <name>Invalidate Routes of Dependent Nodes</name>
        <t>
                RPL does not specify how route invalidation will work for
                dependent nodes rooted at the switching node, resulting in
                stale routing entries of the dependent nodes. The only way for
                6LR to invalidate the route entries for dependent nodes would
                be to use route lifetime expiry which could be substantially
                high for LLNs.
        </t>
        <t>
                In the example topology, when Node (D) switches its parent,
                Node (D) generates an NPDAO on its behalf. There is no NPDAO
                generated by the dependent child nodes (E) and (F), through the
                previous path via (D) to (B) and (G), resulting in stale
                entries on nodes (B) and (G) for nodes (E) and (F).
        </t>
      </section>
      <section numbered="true" toc="default">
        <name>Possible route downtime caused by asynchronous operation of NPDAO and DAO</name>
        <t>
                A switching node may generate both an NPDAO and DAO via two
                different paths at almost the same time. There is a possibility
                that an NPDAO generated may invalidate the previous route and
                the regular DAO sent via the new path gets lost on the way.
                This may result in route downtime impacting downward
                traffic for the switching node.
        </t>
        <t>
                In the example topology, consider Node (D) switches from parent
                (B) to (C). An NPDAO sent via the previous route may invalidate
                the previous route whereas there is no way to determine whether
                the new DAO has successfully updated the route entries on the
                new path.
        </t>
      </section>
    </section>
    <section anchor="requirements" numbered="true" toc="default">
      <name>Requirements for the NPDAO Optimization</name>
      <section numbered="true" toc="default">
        <name>Req#1: Remove messaging dependency on link to the previous parent</name>
        <t>
                When the switching node sends the NPDAO message to the previous
                parent, it is normal that the link to the previous parent is
                prone to failure (that's why the node decided to switch).
                Therefore, it is required that the route invalidation does not
                depend on the previous link which is prone to failure. The
                previous link referred here represents the link between the
                node and its previous parent (from whom the node is now
                disassociating).
        </t>
      </section>
      <section numbered="true" toc="default">
        <name>Req#2: Dependent nodes route invalidation on parent             switching</name>
        <t>
                It should be possible to do route invalidation for dependent
                nodes rooted at the switching node.
        </t>
      </section>
      <section numbered="true" toc="default">
        <name>Req#3: Route invalidation should not impact data traffic</name>
        <t>
                While sending the NPDAO and DAO messages, it is possible that
                the NPDAO successfully invalidates the previous path, while the
                newly sent DAO gets lost (new path not set up successfully).
                This will result in downstream unreachability to the node
                switching paths. Therefore, it is desirable that the route
                invalidation is synchronized with the DAO to avoid the risk of
                route downtime.
        </t>
      </section>
    </section>
    <!--	Too Confusing section and may not be needed now... If required this can be added in Appendix.
    <section title="Existing Solution">
        <section title="NPDAO can be generated by the parent node who detects
        link failure to the child">
            <t>RPL states mechanisms which could be utilized to clear DAO
            states in a sub-DODAG. [RFC6550] Section 11.2.2.3 states "With DAO
            inconsistency loop recovery, a packet can be used to recursively
            explore and clean up the obsolete DAO states along a
            sub-DODAG".</t>

            <t>Thus in the sample topology in Figure 1, when Node (B) detects
            link failure to (D), (B) has an option of generating an NPDAO on
            behalf of Node (D) and its sub-childs, (E) and (F).</t>

            <t>This section explains why generation of an NPDAO in such cases
            may not function as desired. Primarily the DAO state information in
            the form of Path Sequence plays a major role here. Every target is
            associated with a Path Sequence number which relates to the latest
            state of the target. <xref target="RFC6550"/> Section 7.1 explains
            the semantics of Path Sequence number. The target node increments
            the Path Sequence number every time it generates a new DAO. The
            router nodes en-route utilize this Path Sequence number to decide
            the freshness of target information. If a non-target node has to
            generate an NPDAO then it could use following two possibilities
            with Path Sequence number: </t>

            <t>Let the Path Sequence number of old regular DAO that flowed
            through (B) be x. The subsequent regular DAO generated by Node (D)
            will have sequence number x+1.</t>

            <t>i. Node (B) uses the previous Path Sequence number from the
            regular DAO i.e. NPDAO(pathseq=x)</t>

            <t>ii. Node (B) increments the Path Sequence number i.e.
            NPDAO(pathseq=x+1)</t>

            <t>In case i, the NPDAO(pathseq=x) will be dropped by all the
            intermediate nodes since the semantics of Path Sequence number
            dictates that any DAO with an older Path Sequence number be
            dropped.</t>

            <t>In case ii, there is a risk that the NPDAO(pathseq=x+1)
            traverses up the DODAG and invalidates all the routes till the root
            and then the regular DAO(pathseq=x+1) from the target traverses
            upwards. In this case the regular DAO(pathseq=x+1) will be dropped
            from common ancestor node to the root. This will result in route
            downtime.</t>

            <t>Another problem with this scheme is its dependence on the
            upstream neighbor to detect that the downstream neighbor is
            unavailable. There are two possibilities by which such a detection
            might be put to work:</t>

            <t>i. There is P2P traffic from the previous sub-DODAG to any of
            nodes in the sub-tree which has switched the path. In the above
            example, lets consider that Node (G) has P2P traffic for either of
            nodes (D), (E), or (F). In this case, Node (B) will detect
            forwarding error while forwarding the packets from Node (B) to (D).
            But dependence on P2P traffic may not be an optimal way to solve
            this problem considering the reactive approach of the scheme. The
            P2P traffic pattern might be sparse and thus such a detection might
            kick-in too late.</t>

            <t>ii. The other case is where Node (B) explicitly employs some
            mechanism to probe directly attached downstream child nodes. Such
            kind of schemes are seldom used.</t>
        </section>

        <section title="NPDAO can be generated once the link is restored to
        the previous parent">
            <t>This scheme solves a specific scenario of transient links. The
            child node can detect that the connection to previous parent is
            restored and then transmit an NPDAO to the previous parent to
            invalidate the route. This scheme is stateful, thus requires more
            memory and solves a specific scenario.</t>
        </section>
    </section>
    -->
    <section numbered="true" toc="default">
      <name>Changes to RPL signaling</name>
      <section numbered="true" toc="default">
        <name>Change in RPL route invalidation semantics</name>
        <t>
                As described in <xref target="current_npdao" format="default"/>, the NPDAO
                originates at the node changing to a new parent and traverses
                upstream towards the root. In order to solve the problems as
                mentioned in <xref target="current_npdao_problems" format="default"/>, the
                document adds a new proactive route invalidation message
                called "Destination Cleanup Object" (DCO) that originates at a
                common ancestor node and flows downstream between the new and
                old path. The common ancestor node generates a DCO in response
                to the change in the next-hop on receiving a regular DAO with
                updated Path Sequence for the target.
        </t>
        <t>
                The 6LRs in the path for DCO take action such as route
                invalidation based on the DCO information and subsequently send
                another DCO with the same information downstream to the next
                hop. This operation is similar to how the DAOs are handled on
                intermediate 6LRs in storing MOP in <xref target="RFC6550" format="default"/>.
                Just like DAO in storing MOP, the DCO is sent using link-local
                unicast source and destination IPv6 address. Unlike DAO, which
                always travels upstream, the DCO always travels downstream.
        </t>
        <t>
                In <xref target="sample_top" format="default"/>, when node D decides to
                switch the path from B to C, it sends a regular DAO to node C
                with reachability information containing the address of D as
                the target and an incremented Path Sequence. Node C will update
                the routing table based on the reachability information in the
                DAO and in turn generate another DAO with the same reachability
                information and forward it to H. Node H also follows the same
                procedure as Node C and forwards it to node A. When node A
                receives the regular DAO, it finds that it already has a
                routing table entry on behalf of the target address of node D.
                It finds however that the next hop information for reaching
                node D has changed i.e., node D has decided to change the
                paths. In this case, Node A which is the common ancestor node
                for node D along the two paths (previous and new), should
                generate a DCO which traverses downwards in the network. Node A
                handles normal DAO forwarding to 6LBR as required by <xref target="RFC6550" format="default"/>.
        </t>
      </section>
      <section anchor="transit_opt_changes" numbered="true" toc="default">
        <name>Transit Information Option changes</name>
        <t>
                Every RPL message is divided into base message fields and
                additional Options as described in Section 6 of <xref target="RFC6550" format="default"/>.
		sectionFormat="of" section="6"/>. The base fields apply to the message as a
                whole and options are appended to add message/use-case specific
                attributes. As an example, a DAO message may be attributed by
                one or more "RPL Target" options which specify the reachability
                information for the given targets. Similarly, a Transit
                Information option may be associated with a set of RPL Target
                options.
        </t>
        <t>
                This document specifies a change in the Transit Information Option to
                contain the "Invalidate previous route" (I) flag. This I-flag signals
                the common ancestor node to generate a DCO on behalf of the
                target node. The I-flag is carried in the Transit Information
                Option which augments the reachability information for a given
                set of RPL Target(s). Transit Information Option with I-flag
                set should be carried in the DAO message when route
                invalidation is sought for the corresponding target(s).
        </t>
        <figure anchor="transit_info_with_i">
          <name>Updated Transit Information Option (New I flag                     added)</name>
          <artwork align="center" name="" type="" alt=""><![CDATA[
0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type = 0x06 | Option Length |E|I|  Flags    | Path Control  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Path Sequence | Path Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        ]]></artwork>
        </figure>
        <t>
                I
        <dl newline="true">
                <dt>I (Invalidate previous route) flag: The flag:</dt><dd>The 'I' flag is set by the
                target node to indicate to the common ancestor node that it
                wishes to invalidate any previous route between the two paths.
        </t> paths.</dd>
        </dl>
        <t>
                <xref target="RFC6550" format="default"/> allows the parent address to be sent in
                the Transit Information Option depending on the mode of
                operation. In case of storing mode of operation the field is
                usually not needed. In case of DCO, the parent address field
                MUST NOT
                <bcp14>MUST NOT</bcp14> be included.
        </t>
        <t>
                The common ancestor node SHOULD <bcp14>SHOULD</bcp14> generate a DCO message in
                response to this I-flag when it sees that the routing
                adjacencies have changed for the target. The I-flag is
                intended to give the target node control over its own route
                invalidation, serving as a signal to request DCO generation.
        </t>
      </section>
      <section numbered="true" toc="default">
        <name>Destination Cleanup Object (DCO)</name>
        <t>
                A new ICMPv6 RPL control message code is defined by this
                specification and is referred to as "Destination Cleanup Object"
                (DCO), which is used for proactive cleanup of state and routing
                information held on behalf of the target node by 6LRs. The DCO
                message always traverses downstream and cleans up route
                information and other state information associated with the
                given target.
        </t>
        <figure anchor="dco_obj">
          <name>DCO base object</name>
          <artwork align="center" name="" type="" alt=""><![CDATA[
0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RPLInstanceID |K|D|   Flags   |   Reserved    | DCOSequence   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                            DODAGID(optional)                  +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Option(s)...
+-+-+-+-+-+-+-+-+
                        ]]></artwork>
        </figure>
        <t>
                RPLInstanceID: 8-bit
<dl newline="true">
<dt>RPLInstanceID:
</dt>
<dd>8-bit field indicating the topology instance associated with the DODAG, as
learned from the DIO.
        </t>
        <t>
                K: The
</dd>
<dt>K:
</dt>
<dd>The 'K' flag indicates that the recipient of DCO message is expected to
send a DCO-ACK back. If the DCO-ACK is not received even after setting the 'K'
flag, an implementation may retry the DCO at a later time. The number of
retries are implementation and deployment dependent and are expected to be
kept similar with those used in DAO retries in <xref target="RFC6550"
format="default"/>. <xref target="dco_retry" format="default"/> specifies the
considerations for DCO retry. A node receiving a DCO message without the 'K'
flag set MAY <bcp14>MAY</bcp14> respond with a DCO-ACK, especially to report an error
condition. An example error condition could be that the node sending the
DCO-ACK does not find the routing entry for the indicated target. When the
sender does not set the 'K' flag it is an indication that the sender does not
expect a response, and the sender SHOULD NOT <bcp14>SHOULD NOT</bcp14> retry the DCO.
        </t>
        <t>
                D: The
</dd>
<dt>D:
</dt>
<dd>The 'D' flag indicates that the DODAGID field is present. This flag MUST <bcp14>MUST</bcp14>
be set when a local RPLInstanceID is used.
        </t>
        <t>
                Flags: The
</dd>
<dt>Flags:
</dt>
<dd>The 6 bits remaining unused in the Flags field are reserved for future
use. These bits MUST <bcp14>MUST</bcp14> be initialized to zero by the sender and MUST <bcp14>MUST</bcp14> be ignored
by the receiver.
        </t>
        <t>
                Reserved: 8-bit
</dd>
<dt>Reserved:
</dt>
<dd>8-bit unused field. The field MUST <bcp14>MUST</bcp14> be initialized to zero by the sender
and MUST <bcp14>MUST</bcp14> be ignored by the receiver.
        </t>
        <t>
                DCOSequence:
</dd>
<dt>DCOSequence:
</dt>
<dd> 8-bit field incremented at each unique DCO message from a node and echoed
in the DCO-ACK message. The initial DCOSequence can be chosen randomly by the
node. <xref target="base_rules" format="default"/> explains the handling of
the DCOSequence.
        </t>
        <t>
                DODAGID
</dd>
<dt>DODAGID (optional): 128-bit
</dt>
<dd>128-bit unsigned integer set by a DODAG root that uniquely identifies a
DODAG. This field MUST <bcp14>MUST</bcp14> be present when the 'D' flag is set and MUST NOT <bcp14>MUST NOT</bcp14> be
present if 'D' flag is not set. DODAGID is used when a local RPLInstanceID is
in use, in order to identify the DODAGID that is associated with the RPLInstanceID.
        </t>
</dd>

</dl>

        <section numbered="true" toc="default">
          <name>Secure DCO</name>
          <t>
                    A Secure DCO message follows the format in Figure 7 of <xref target="RFC6550" format="default"/> Figure 7, format="default"/>, where the base message
                    format is the DCO message shown in <xref target="dco_obj" format="default"/>.
          </t>
        </section>
        <section numbered="true" toc="default">
          <name>DCO Options</name>
          <t>
                    The DCO message MUST <bcp14>MUST</bcp14> carry at least one RPL Target and the
                    Transit Information Option and MAY <bcp14>MAY</bcp14> carry other valid
                    options. This specification allows for the DCO message to
                    carry the following options:
          </t>
          <ul empty="true" spacing="compact">
            <li>0x00 Pad1</li>
            <li>0x01 PadN</li>
            <li>0x05 RPL Target</li>
            <li>0x06 Transit Information</li>
            <li>0x09 RPL
<table>
<tbody>
<tr><td>0x00</td><td>Pad1</td></tr>
<tr><td>0x01</td><td>PadN</td></tr>
<tr><td>0x05</td><td>RPL Target</td></tr>
<tr><td>0x06</td><td>Transit Information</td></tr>
<tr><td>0x09</td><td>RPL Target Descriptor</li>
          </ul> Descriptor</td></tr>
</tbody>
</table>

          <t>
                    Section 6.7 of
                    <xref target="RFC6550" format="default"/> sectionFormat="of" section="6.7" /> defines all the
                    above mentioned options. The DCO carries an RPL Target
                    Option and an associated Transit Information Option with a
                    lifetime of 0x00000000 to indicate a loss of reachability
                    to that Target.
          </t>
        </section>
        <section numbered="true" toc="default">
          <name>Path Sequence number in the DCO</name>
          <t>
                    A DCO message may contain a Path Sequence in the Transit
                    Information Option to identify the freshness of the DCO
                    message. The Path Sequence in the DCO MUST <bcp14>MUST</bcp14> use the same
                    Path Sequence number present in the regular DAO message
                    when the DCO is generated in response to a DAO message.
                    Thus if a DCO is received by a 6LR and subsequently a DAO
                    is received with an old sequence number, then the DAO
                    MUST
                    <bcp14>MUST</bcp14> be ignored. When the DCO is generated in response to a
                    DCO from upstream parent, the Path Sequence MUST <bcp14>MUST</bcp14> be copied
                    from the received DCO.
          </t>
        </section>
        <section numbered="true" toc="default">
          <name>Destination Cleanup Option Acknowledgment (DCO-ACK)</name>
          <t>
                    The DCO-ACK message SHOULD <bcp14>SHOULD</bcp14> be sent as a unicast packet by a
                    DCO recipient in response to a unicast DCO message with 'K'
                    flag set. If 'K' flag is not set then the receiver of the
                    DCO message MAY <bcp14>MAY</bcp14> send a DCO-ACK, especially to report an error
                    condition.
          </t>
          <figure anchor="dco_ack">
            <name>DCO-ACK base                         object</name>
            <artwork align="center" name="" type="" alt=""><![CDATA[
0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RPLInstanceID |D|   Flags     |  DCOSequence  |    Status     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                            DODAGID(optional)                  +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            ]]></artwork>
          </figure>
          <t>
                    RPLInstanceID: 8-bit

 <dl newline="true"> <dt>RPLInstanceID:</dt>

<dd>8-bit field indicating the topology instance associated with the DODAG, as
learned from the DIO.
          </t>
          <t>
                    D: The </dd>
<dt>RPLInstanceID:
</dt>
<dd>8-bit field indicating the topology instance associated with the DODAG, as
learned from the DIO.
</dd>
<dt>D:
</dt>
<dd>The 'D' flag indicates that the DODAGID field is present.  This flag MUST <bcp14>MUST</bcp14>
be set when a local RPLInstanceID is used.
          </t>
          <t>
                    Flags: 7-bit
</dd>
<dt>Flags:
</dt>
<dd>7-bit unused field. The field MUST <bcp14>MUST</bcp14> be initialized to zero by the sender
and MUST <bcp14>MUST</bcp14> be ignored by the receiver.
          </t>
          <t>
                    DCOSequence: 8-bit
</dd>
<dt>DCOSequence:
</dt>
<dd>8-bit field. The DCOSequence in DCO-ACK is copied from the DCOSequence
received in the DCO message.
          </t>
          <t>
                    Status: Indicates
</dd>
<dt>Status:
</dt>
<dd>Indicates the completion. Status 0 is defined as unqualified acceptance in
this specification. Status 1 is defined as "No routing-entry for the Target
found". The remaining status values are reserved as rejection codes.
          </t>
          <t>
                    DODAGID
</dd>

<dt>DODAGID (optional): 128-bit
</dt>
<dd>128-bit unsigned integer set by a DODAG root that uniquely identifies a
DODAG. This field MUST <bcp14>MUST</bcp14> be present when the 'D' flag is set and MUST NOT <bcp14>MUST NOT</bcp14> be
present when 'D' flag is not set. DODAGID is used when a local RPLInstanceID
is in use, in order to identify the DODAGID that is associated with the
RPLInstanceID.
          </t>  </dd> </dl>

        </section>
        <section numbered="true" toc="default">
          <name>Secure DCO-ACK</name>
          <t>
                    A Secure DCO-ACK message follows the format in Figure 7 of
		    <xref target="RFC6550" format="default"/> Figure 7, format="default"/>, where the base message
                    format is the DCO-ACK message shown in <xref target="dco_ack" format="default"/>.
          </t>
        </section>
      </section>
      <section anchor="base_rules" numbered="true" toc="default">
        <name>DCO Base Rules</name>
        <ol spacing="compact" spacing="normal" type="1">
          <li>
                        If a node sends a DCO message with newer or different
                        information than the prior DCO message transmission, it
                        MUST
                        <bcp14>MUST</bcp14> increment the DCOSequence field by at least one.
                        A DCO message transmission that is identical to the
                        prior DCO message transmission MAY <bcp14>MAY</bcp14> increment the
                        DCOSequence field. The DCOSequence counter follows the
                        sequence counter operation as defined in Section 7.2 of
                        <xref target="RFC6550" format="default"/>. sectionFormat="of" section="7.2"/>.
                    </li>
          <li>
                        The RPLInstanceID and DODAGID fields of a DCO message
                        MUST
                        <bcp14>MUST</bcp14> be the same value as that of the DAO message in
                        response to which the DCO is generated on the common
                        ancestor node.
                    </li>
          <li>
                        A node MAY <bcp14>MAY</bcp14> set the 'K' flag in a unicast DCO message to
                        solicit a unicast DCO-ACK in response in order to
                        confirm the attempt.
                    </li>
          <li>
                        A node receiving a unicast DCO message with the 'K'
                        flag set SHOULD <bcp14>SHOULD</bcp14> respond with a DCO-ACK. A node
                        receiving a DCO message without the 'K' flag set MAY <bcp14>MAY</bcp14>
                        respond with a DCO-ACK, especially to report an error
                        condition.
                    </li>
          <li>
                        A node receiving a unicast DCO message MUST <bcp14>MUST</bcp14> verify the
                        stored Path Sequence in context to the given target. If
                        the stored Path Sequence is more fresh, newer than
                        the Path Sequence received in the DCO, then the DCO
                        MUST
                        <bcp14>MUST</bcp14> be dropped.
                    </li>
          <li>
                        A node that sets the 'K' flag in a unicast DCO message
                        but does not receive DCO-ACK in response MAY <bcp14>MAY</bcp14> reschedule
                        the DCO message transmission for another attempt, up
                        until an implementation specific number of retries.
                    </li>
          <li>
                        A node receiving a unicast DCO message with its own
                        address in the RPL Target Option MUST <bcp14>MUST</bcp14> strip-off that
                        Target Option. If this Target Option is the only one in
                        the DCO message then the DCO message MUST <bcp14>MUST</bcp14> be dropped.
                    </li>
        </ol>
        <t>
                The scope of DCOSequence values is unique to the node which
                generates it.
        </t>
      </section>
      <section numbered="true" toc="default">
        <name>Unsolicited DCO</name>
        <t>
                A 6LR may generate an unsolicited DCO to unilaterally cleanup
                the path on behalf of the target entry. The 6LR has all the
                state information, namely, the Target address and the Path
                Sequence, required for generating DCO in its routing table.
                The conditions why 6LR may generate an unsolicited DCO are
                beyond the scope of this document but some possible reasons
                could be:
        </t>
        <ol spacing="compact" spacing="normal" type="1">
          <li>
                        On route expiry of an entry, a 6LR may decide to
                        graciously cleanup the entry by initiating DCO.
                    </li>
          <li>
                        6LR needs to entertain higher priority entries in case
                        the routing table is full, thus resulting in eviction
                        of an existing routing entry. In this case the eviction
                        can be handled graciously using DCO.
                    </li>
        </ol>
        <t>
                Note that if the 6LR initiates a unilateral path cleanup using
                DCO and if it has the latest state for the target then the DCO
                would finally reach the target node. Thus the target node would
                be informed of its invalidation.
        </t>
      </section>
      <section numbered="true" toc="default">
        <name>Other considerations</name>
        <section numbered="true" toc="default">
          <name>Dependent Nodes invalidation</name>
          <t>
                    Current RPL <xref target="RFC6550" format="default"/> does not provide a
                    mechanism for route invalidation for dependent nodes. This
                    document allows the dependent nodes invalidation. Dependent
                    nodes will generate their respective DAOs to update their
                    paths, and the previous route invalidation for those nodes
                    should work in the similar manner described for switching
                    node. The dependent node may set the I-flag in the Transit
                    Information Option as part of regular DAO so as to
                    request invalidation of previous route from the common
                    ancestor node.
          </t>
          <t>
                    Dependent nodes do not have any indication regarding if any
                    of their parents in turn have decided to switch their
                    parent. Thus for route invalidation the dependent nodes may
                    choose to always set the 'I' flag in all its DAO message's
                    Transit Information Option. Note that setting the I-flag is
                    not counterproductive even if there is no previous
                    route to be invalidated.
          </t>
        </section>
        <section numbered="true" toc="default">
          <name>NPDAO and DCO in the same network</name>
          <t>
                    The current NPDAO mechanism in <xref target="RFC6550" format="default"/> can
                    still be used in the same network where DCO is used. The
                    NPDAO messaging can be used, for example, on route lifetime
                    expiry of the target or when the node simply decides to
                    gracefully terminate the RPL session on graceful node
                    shutdown. Moreover, a deployment can have a mix of nodes
                    supporting the DCO and the existing NPDAO mechanism. It is
                    also possible that the same node supports both the NPDAO
                    and DCO signaling for route invalidation.
          </t>
          <t>
                    Section 9.8 of
                    <xref target="RFC6550" format="default"/> sectionFormat="of" section="9.8"/> states, "When a
                    node removes a node from its DAO parent set, it SHOULD <bcp14>SHOULD</bcp14>
                    send a No-Path DAO message to that removed DAO parent to
                    invalidate the existing router". This document introduces
                    an alternative and more optimized way of route invalidation
                    but it also allows existing NPDAO messaging to work. Thus
                    an implementation has two choices to make when a route
                    invalidation is to be initiated:
          </t>
          <ol spacing="compact" spacing="normal" type="1">
            <li>
                            Use NPDAO to invalidate the previous route and
                            send regular DAO on the new path.
                        </li>
            <li>
                            Send regular DAO on the new path with the 'I'
                            flag set in the Transit Information Option such
                            that the common ancestor node initiates the DCO
                            message downstream to invalidate the previous
                            route.
                        </li>
          </ol>
          <t>
                    This document recommends using option 2 for reasons
                    specified in <xref target="requirements" format="default"/> in this
                    document.
          </t>
          <t>
                    This document assumes that all the 6LRs in the network
                    support this specification. If there are 6LRs en-route DCO
                    message path which do not support this document, then the
                    route invalidation for corresponding targets may not work
                    or may work partially i.e., only part of the path
                    supporting DCO may be invalidated. Alternatively, a node
                    could generate an NPDAO if it does not receive a DCO with
                    itself as target within specified time limit. The specified
                    time limit is deployment specific and depends upon the
                    maximum depth of the network and per hop average latency.
                    Note that sending NPDAO and DCO for the same operation
                    would not result in unwanted side-effects because the
                    acceptability of NPDAO or DCO depends upon the Path
                    Sequence freshness.
          </t>
        </section>
        <section anchor="dco_retry" numbered="true" toc="default">
          <name>Considerations for DCO retry</name>
          <t>
                    A DCO message could be retried by a sender if it sets the
                    'K' flag and does not receive a DCO-ACK. The DCO retry time
                    could be dependent on the maximum depth of the network and
                    average per hop latency. This could range from 2 seconds to
                    120 seconds depending on the deployment. In case the
                    latency limits are not known, an implementation MUST NOT <bcp14>MUST NOT</bcp14>
                    retry more than once in 3 seconds and MUST NOT <bcp14>MUST NOT</bcp14> retry more
                    than 3 times.
          </t>
          <t>
                    The number of retries could also be set depending on how
                    critical the route invalidation could be for the deployment
                    and the link layer retry configuration. For networks
                    supporting only MP2P and P2MP flows, such as in AMI and
                    telemetry applications, the 6LRs may not be very keen to
                    invalidate routes, unless they are highly
                    memory-constrained. For home and building automation
                    networks which may have substantial P2P traffic, the 6LRs
                    might be keen to invalidate efficiently because it may
                    additionally impact the forwarding efficiency.
          </t>
        </section>
        <section numbered="true" toc="default">
          <name>DCO with multiple preferred parents</name>
          <t>
                    <xref target="RFC6550" format="default"/> allows a node to select multiple
                    preferred parents for route establishment. Section 9.2.1
                    of
                    <xref target="RFC6550" format="default"/> sectionFormat="of" section="9.2.1"/> specifies, "All DAOs generated
                    at the same time for the same Target MUST <bcp14>MUST</bcp14> be sent with the
                    same Path Sequence in the Transit Information".
                    Subsequently when route invalidation has to be initiated,
                    RPL mentions use of NPDAO which can be initiated with an
                    updated Path Sequence to all the parent nodes through which
                    the route is to be invalidated.
          </t>
          <t>
                    With DCO, the Target node itself does not initiate the
                    route invalidation and it is left to the common ancestor
                    node. A common ancestor node when it discovers an updated
                    DAO from a new next-hop, it initiates a DCO. With multiple
                    preferred parents, this handling does not change. But in
                    this case it is recommended that an implementation
                    initiates a DCO after a time period (DelayDCO) such that
                    the common ancestor node may receive updated DAOs from all
                    possible next-hops. This will help to reduce DCO control
                    overhead i.e., the common ancestor can wait for updated
                    DAOs from all possible directions before initiating a DCO
                    for route invalidation. After timeout, the DCO needs to be
                    generated for all the next-hops for whom the route
                    invalidation needs to be done.
          </t>
          <t>
                    This document recommends using a DelayDCO timer value of
                    1sec. This value is inspired by the default DelayDAO value
                    of 1sec in <xref target="RFC6550" format="default"/>. Here the hypothesis is
                    that the DAOs from all possible parent sets would be
                    received on the common ancestor within this time period.
          </t>
          <t>
                    It is still possible that a DCO is generated before all the
                    updated DAOs from all the paths are received. In this case,
                    the ancestor node would start the invalidation procedure
                    for paths from which the updated DAO is not received. The
                    DCO generated in this case would start invalidating the
                    segments along these paths on which the updated DAOs are
                    not received. But once the DAO reaches these segments, the
                    routing state would be updated along these segments and
                    should not lead to any inconsistent routing state.
          </t>
          <t>
                    Note that there is no requirement for synchronization
                    between DCO and DAOs. The DelayDCO timer simply ensures
                    that the DCO control overhead can be reduced and is only
                    needed when the network contains nodes using multiple
                    preferred parent.
          </t>
        </section>
      </section>
    </section>
    <section anchor="Acknowledgments" numbered="true" toc="default">
      <name>Acknowledgments</name>
      <t>
            Many thanks to Alvaro Retana, Cenk Gundogan, Simon Duquennoy, Georgios
            Papadopoulous, Peter Van Der Stok for their review and comments.
            Alvaro Retana helped shape this document's final version with
            critical review comments.
      </t>
    </section>
    <!-- Possibly a 'Contributors' section ... -->
    <section anchor="IANA" numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>
            IANA is requested to allocate new codes for the DCO and DCO-ACK
            messages from the RPL Control Codes registry.
      </t>
      <table align="center">
        <thead>
          <tr>
            <th align="center">Code</th>
            <th align="center">Description</th>
            <th align="center">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="center">TBD1</td>
            <td align="center">Destination Cleanup Object</td>
            <td align="center">This document</td>
          </tr>
          <tr>
            <td align="center">TBD2</td>
            <td align="center">Destination Cleanup Object Acknowledgment</td>
            <td align="center">This document</td>
          </tr>
          <tr>
            <td align="center">TBD3</td>
            <td align="center">Secure Destination Cleanup Object</td>
            <td align="center">This document</td>
          </tr>
          <tr>
            <td align="center">TBD4</td>
            <td align="center">Secure Destination Cleanup Object Acknowledgment</td>
            <td align="center">This document</td>
          </tr>
        </tbody>
      </table>
      <t>
            IANA is requested to allocate bit 1 from the Transit Information
            Option Flags registry for the I-flag (<xref target="transit_opt_changes" format="default"/>)
      </t>
      <section numbered="true" toc="default">
        <name>New Registry for the Destination Cleanup Object (DCO) Flags</name>
        <t>
                IANA is requested to create a registry for the 8-bit Destination Cleanup
                Object (DCO) Flags field. This registry should be located in
                existing category of "Routing Protocol for Low Power and Lossy
                Networks (RPL)".
        </t>
        <t>
                New bit numbers may be allocated only by an IETF Review. Each
                bit is tracked with the following qualities:
        </t>
        <ul spacing="compact">
          <li>Bit number (counting from bit 0 as the most significant bit)</li>
          <li>Capability description</li>
          <li>Defining RFC</li>
        </ul>
        <t>
                The following bits are currently defined:
        </t>
        <table align="center">
          <name>DCO Base Flags</name>
          <thead>
            <tr>
              <th align="center">Bit number</th>
              <th align="center">Description</th>
              <th align="center">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">0</td>
              <td align="center">DCO-ACK request (K)</td>
              <td align="center">This document</td>
            </tr>
            <tr>
              <td align="center">1</td>
              <td align="center">DODAGID field is present (D)</td>
              <td align="center">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section numbered="true" toc="default">
        <name>New Registry for the Destination Cleanup Object Acknowledgment (DCO-ACK) Status field</name>
        <t>
                IANA is requested to create a registry for the 8-bit Destination Cleanup
                Object Acknowledgment (DCO-ACK) Status field. This registry
                should be located in existing category of "Routing Protocol for
                Low Power and Lossy Networks (RPL)".
        </t>
        <t>
                New Status values may be allocated only by an IETF Review. Each
                value is tracked with the following qualities:
        </t>
        <ul spacing="compact">
          <li>Status Code</li>
          <li>Description</li>
          <li>Defining RFC</li>
        </ul>
        <t>
                The following values are currently defined:
        </t>
        <table align="center">
          <name>DCO-ACK Status Codes</name>
          <thead>
            <tr>
              <th align="center">Status Code</th>
              <th align="center">Description</th>
              <th align="center">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">0</td>
              <td align="center">Unqualified acceptance</td>
              <td align="center">This document</td>
            </tr>
            <tr>
              <td align="center">1</td>
              <td align="center">No routing-entry for the indicated Target found</td>
              <td align="center">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section numbered="true" toc="default">
        <name>New Registry for the Destination Cleanup Object (DCO)         Acknowledgment Flags</name>
        <t>
                IANA is requested to create a registry for the 8-bit
                Destination Cleanup Object (DCO) Acknowledgment Flags field.
                This registry should be located in existing category of
                "Routing Protocol for Low Power and Lossy Networks (RPL)".
        </t>
        <t>
                New bit numbers may be allocated only by an IETF Review. Each
                bit is tracked with the following qualities:
        </t>
        <ul spacing="compact">
          <li>Bit number (counting from bit 0 as the most significant bit)</li>
          <li>Capability description</li>
          <li>Defining RFC</li>
        </ul>
        <t>
                The following bits are currently defined:
        </t>
        <table align="center">
          <name>DCO-ACK Base Flags</name>
          <thead>
            <tr>
              <th align="center">Bit number</th>
              <th align="center">Description</th>
              <th align="center">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">0</td>
              <td align="center">DODAGID field is present (D)</td>
              <td align="center">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
    <section anchor="Security" numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>
            This document introduces the ability for a common ancestor node to
            invalidate a route on behalf of the target node. The common
            ancestor node could be directed to do so by the target node using
            the I-flag in DCO's Transit Information Option. However, the common
            ancestor node is in a position to unilaterally initiate the route
            invalidation since it possesses all the required state information,
            namely, the Target address and the corresponding Path Sequence.
            Thus a rogue common ancestor node could initiate such an
            invalidation and impact the traffic to the target node.
      </t>
      <t>
            This document also introduces an I-flag which is set by the target
            node and used by the ancestor node to initiate a DCO if the
            ancestor sees an update in the route adjacency. However,
            this flag could be spoofed by a malicious 6LR in the path and can
            cause invalidation of an existing active path. Note that invalidation
            will happen only if the other conditions such as Path Sequence
            condition is also met. Having said that, such a malicious 6LR may
            spoof a DAO on behalf of the (sub) child with the I-flag set and
            can cause route invalidation on behalf of the (sub) child node.
            Note that, using existing mechanisms offered by <xref target="RFC6550" format="default"/>, a malicious 6LR might also spoof a DAO with
            lifetime of zero or otherwise cause denial of service by dropping
            traffic entirely, so the new mechanism described in this document
            does not present a substantially increased risk of disruption.
      </t>
      <t>
            This document assumes that the security mechanisms as defined in
            <xref target="RFC6550" format="default"/> are followed, which means that the common
            ancestor node and all the 6LRs are part of the RPL network because
            they have the required credentials. A non-secure RPL network needs
            to take into consideration the risks highlighted in this section as
            well as those highlighted in <xref target="RFC6550" format="default"/>.
      </t>
      <t>
            All RPL messages support a secure version of messages which allows
            integrity protection using either a MAC or a signature. Optionally,
            secured RPL messages also have encryption protection for
            confidentiality.
      </t>
      <t>
            The document adds new messages (DCO, DCO-ACK) which are
            syntactically similar to existing RPL messages such as DAO,
            DAO-ACK. Secure versions of DCO and DCO-ACK are added similar to
            other RPL messages (such as DAO, DAO-ACK).
      </t>
      <t>
            RPL supports three security modes as mentioned in Section 10.1 of
            <xref target="RFC6550" format="default"/>: sectionFormat="of" section="10.1"/>:
      </t>
      <ol spacing="compact" spacing="normal" type="1">
        <li>
                    Unsecured: In this mode, it is expected that the RPL control messages
                    are secured by other security mechanisms, such as
                    link-layer security. In this mode, the RPL control messages,
                    including DCO, DCO-ACK, do not have Security sections.
                    Also note that unsecured mode does not imply that all
                    messages are sent without any protection.
                </li>
        <li>
                    Preinstalled: In this mode, RPL uses secure messages. Thus
                    secure versions of DCO, DCO-ACK MUST <bcp14>MUST</bcp14> be used in this mode.
                </li>
        <li>
                    Authenticated: In this mode, RPL uses secure messages. Thus
                    secure versions of DCO, DCO-ACK MUST <bcp14>MUST</bcp14> be used in this mode.
                </li>
      </ol>
    </section>
  </middle>
  <back>
    <!-- References split into informative and normative -->
    <!-- There are 2 ways to insert reference entries from the citation libraries:
     1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
     2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
        (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")

     Both are cited textually in the same manner: by using xref elements.
     If you use the PI option, xml2rfc will, by default, try to find included files in the same
     directory as the including file. You can also define the XML_LIBRARY environment variable
     with a value containing a set of directories to search. These can be either in the local
     filing system or remote ones accessed by http (http://domain/dir/... ).-->
    <references>
      <name>Normative References</name>
      <!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
      <reference anchor="RFC6550" target="https://www.rfc-editor.org/info/rfc6550"> target="https://www.rfc-editor.org/info/rfc6550" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6550.xml">
        <front>
          <title>RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks</title>
          <seriesInfo name="DOI" value="10.17487/RFC6550"/>
          <seriesInfo name="RFC" value="6550"/>
          <author initials="T." surname="Winter" fullname="T. Winter" role="editor">
            <organization/>
          </author>
          <author initials="P." surname="Thubert" fullname="P. Thubert" role="editor">
            <organization/>
          </author>
          <author initials="A." surname="Brandt" fullname="A. Brandt">
            <organization/>
          </author>
          <author initials="J." surname="Hui" fullname="J. Hui">
            <organization/>
          </author>
          <author initials="R." surname="Kelsey" fullname="R. Kelsey">
            <organization/>
          </author>
          <author initials="P." surname="Levis" fullname="P. Levis">
            <organization/>
          </author>
          <author initials="K." surname="Pister" fullname="K. Pister">
            <organization/>
          </author>
          <author initials="R." surname="Struik" fullname="R. Struik">
            <organization/>
          </author>
          <author initials="JP." surname="Vasseur" fullname="JP. Vasseur">
            <organization/>
          </author>
          <author initials="R." surname="Alexander" fullname="R. Alexander">
            <organization/>
          </author>
          <date year="2012" month="March"/>
          <abstract>
            <t>Low-Power and Lossy Networks (LLNs) are a class of network in which both the routers and their interconnect are constrained.  LLN routers typically operate with constraints on processing power, memory, and energy (battery power).  Their interconnects are characterized by high loss rates, low data rates, and instability.  LLNs are comprised of anything from a few dozen to thousands of routers.  Supported traffic flows include point-to-point (between devices inside the LLN), point-to-multipoint (from a central control point to a subset of devices inside the LLN), and multipoint-to-point (from devices inside the LLN towards a central control point).  This document specifies the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), which provides a mechanism whereby multipoint-to-point traffic from devices inside the LLN towards a central control point as well as point-to-multipoint traffic from the central control point to the devices inside the LLN are supported.  Support for point-to-point traffic is also available.  [STANDARDS-TRACK]</t>
          </abstract>
        </front>
      </reference>
      <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="BCP" value="14"/>
          <author initials="S." surname="Bradner" fullname="S. Bradner">
            <organization/>
          </author>
          <date year="1997" month="March"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
      </reference>
      <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="BCP" value="14"/>
          <author initials="B." surname="Leiba" fullname="B. Leiba">
            <organization/>
          </author>
          <date year="2017" month="May"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t>
          </abstract>
        </front>
      </reference>
    </references>
    <section anchor="app-additional" numbered="true" toc="default">
      <name>Example Messaging</name>
      <section numbered="true" toc="default">
        <name>Example DCO Messaging</name>
        <t>
            In <xref target="sample_top" format="default"/>, node (D) switches its parent from
            (B) to (C). This example assumes that Node D has already
            established its own route via Node B-G-A-6LBR using pathseq=x. The
            example uses DAO and DCO messaging convention and specifies only
            the required parameters to explain the example namely, the
            parameter 'tgt', which stands for Target Option and value of this
            parameter specifies the address of the target node. The parameter
            'pathseq', which specifies the Path Sequence value carried in the
            Transit Information Option. The parameter 'I_flag' specifies the
            'I' flag in the Transit Information Option.
            sequence of actions is as follows:
        </t>
        <ol spacing="compact" spacing="normal" type="1">
          <li>Node D switches its parent from node B to node C</li>
          <li>D sends a regular DAO(tgt=D,pathseq=x+1,I_flag=1) in the
                    updated path to C</li>
          <li>C checks for a routing entry on behalf of D, since it cannot
                    find an entry on behalf of D it creates a new routing entry
                    and forwards the reachability information of the target D
                    to H in a DAO(tgt=D,pathseq=x+1,I_flag=1).</li>
          <li>Similar to C, node H checks for a routing entry on behalf of
                    D, cannot find an entry and hence creates a new routing
                    entry and forwards the reachability information of the
                    target D to A in a DAO(tgt=D,pathseq=x+1,I_flag=1).</li>
          <li>
                    Node A receives the DAO(tgt=D,pathseq=x+1,I_flag=1), and
                    checks for a routing entry on behalf of D. It finds a
                    routing entry but checks that the next hop for target D is
                    different (i.e., Node G). Node A checks the I_flag and
                    generates DCO(tgt=D,pathseq=x+1) to previous next hop for
                    target D which is G. Subsequently, Node A updates the
                    routing entry and forwards the reachability information of
                    target D upstream DAO(tgt=D,pathseq=x+1,I_flag=1).
                </li>
          <li>
                    Node G receives the DCO(tgt=D,pathseq=x+1). It checks if
                    the received path sequence is later than the stored path
                    sequence. If it is later, Node G invalidates the routing entry
                    of target D and forwards the (un)reachability information
                    downstream to B in DCO(tgt=D,pathseq=x+1).
                </li>
          <li>
                    Similarly, B processes the DCO(tgt=D,pathseq=x+1) by
                    invalidating the routing entry of target D and forwards the
                    (un)reachability information downstream to D.
                </li>
          <li>
                    D ignores the DCO(tgt=D,pathseq=x+1) since the target is
                    itself.
                </li>
          <li>
                    The propagation of the DCO will stop at any node where the
                    node does not have an routing information associated with
                    the target. If cached routing information is present and
                    the cached Path Sequence is higher than the value in the
                    DCO, then the DCO is dropped.
                </li>
        </ol>
      </section>
      <section numbered="true" toc="default">
        <name>Example DCO Messaging with multiple preferred parents</name>
        <figure anchor="sample_top_mpp">
          <name>Sample                     topology 2</name>
          <artwork align="center" name="" type="" alt=""><![CDATA[
        (6LBR)
          |
          |
          |
        (N11)
         / \
        /   \
       /     \
    (N21)   (N22)
      /      / \
     /      /   \
    /      /     \
 (N31)  (N32)  (N33)
     :    |    /
      :   |   /
       :  |  /
        (N41)
                        ]]></artwork>
        </figure>
        <t>
                In <xref target="sample_top_mpp" format="default"/>, node (N41) selects multiple
                preferred parents (N32) and (N33).
                The sequence of actions is as follows:
        </t>
        <ol spacing="compact" spacing="normal" type="1">
          <li>
                        (N41) sends DAO(tgt=N41,PS=x,I_flag=1) to (N32) and (N33).
                        Here I_flag refers to the Invalidation flag and PS refers to
                        Path Sequence in Transit Information option.
                    </li>
          <li>
                        (N32) sends DAO(tgt=N41,PS=x,I_flag=1) to (N22). (N33) also
                        sends DAO(tgt=N41,PS=x,I_flag=1) to (N22). (N22) learns
                        multiple routes for the same destination (N41) through
                        multiple next-hops. (N22) may receive the DAOs from
                        (N32) and (N33) in any order with the I_flag set. The
                        implementation should use the DelayDCO timer to wait to
                        initiate the DCO. If (N22) receives an updated DAO from
                        all the paths then the DCO need not be initiated in
                        this case. Thus the route table at N22 should contain
                        (Dst,NextHop,PS): { (N41,N32,x), (N41,N33,x) }.
                    </li>
          <li>
                        (N22) sends DAO(tgt=N41,PS=x,I_flag=1) to (N11).
                    </li>
          <li>
                        (N11) sends DAO(tgt=N41,PS=x,I_flag=1) to (6LBR). Thus the
                        complete path is established.
                    </li>
          <li>
                        (N41) decides to change preferred parent set from {
                        N32, N33 } to { N31, N32 }.
                    </li>
          <li>
                        (N41) sends DAO(tgt=N41,PS=x+1,I_flag=1) to (N32). (N41)
                        sends DAO(tgt=N41,PS=x+1,I_flag=1) to (N31).
                    </li>
          <li>
                        (N32) sends DAO(tgt=N41,PS=x+1,I_flag=1) to (N22).
                        (N22) has multiple routes to destination (N41). It sees
                        that a new Path Sequence for Target=N41 is received and
                        thus it waits for pre-determined time period (DelayDCO
                        time period) to invalidate another route
                        {(N41),(N33),x}. After time period, (N22) sends
                        DCO(tgt=N41,PS=x+1) to (N33). Also (N22) sends the
                        regular DAO(tgt=N41,PS=x+1,I_flag=1) to (N11).
                    </li>
          <li>
                        (N33) receives DCO(tgt=N41,PS=x+1). The received Path
                        Sequence is latest and thus it invalidates the entry
                        associated with target (N41). (N33) then sends the
                        DCO(tgt=N41,PS=x+1) to (N41). (N41) sees itself as the
                        target and drops the DCO.
                    </li>
          <li>
                        From Step 6 above, (N31) receives the
                        DAO(tgt=N41,PS=x+1,I_flag=1). It creates a routing
                        entry and sends the DAO(tgt=N41,PS=x+1,I_flag=1) to
                        (N21). Similarly (N21) receives the DAO and
                        subsequently sends the DAO(tgt=N41,PS=x+1,I_flag=1) to
                        (N11).
                    </li>
          <li>
                        (N11) receives DAO(tgt=N41,PS=x+1,I_flag=1) from (N21).
                        It waits for DelayDCO timer since it has multiple
                        routes to (N41). (N41) will receive
                        DAO(tgt=N41,PS=x+1,I_flag=1) from (N22) from Step 7
                        above. Thus (N11) has received regular
                        DAO(tgt=N41,PS=x+1,I_flag=1) from all paths and thus
                        does not initiate DCO.
                    </li>
          <li>
                        (N11) forwards the DAO(tgt=N41,PS=x+1,I_flag=1) to 6LBR
                        and the full path is established.
                    </li>
        </ol>
      </section>
    </section>
  </back>
</rfc>