Insertion of IPv6 Segment Routing Headers in a Controlled Domain
draft-voyer-6man-extension-header-insertion-03
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Expired".
|
|
|---|---|---|---|
| Authors | Daniel Voyer , John Leddy , Clarence Filsfils , Darren Dukes , Stefano Previdi , Satoru Matsushima | ||
| Last updated | 2018-05-25 | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-voyer-6man-extension-header-insertion-03
Network Working Group D. Voyer, ED.
Internet-Draft D. Bernier
Intended status: Informational Bell Canada
Expires: December 26, 2018 J. Leddy
Comcast
C. Filsfils
D. Dukes, ED.
Cisco Systems, Inc.
S. Previdi
Individual Contributor
S. Matsushima
Softbank
May 25, 2018
Insertion of IPv6 Segment Routing Headers in a Controlled Domain
draft-voyer-6man-extension-header-insertion-03
Abstract
The network operator and vendor community has clearly indicated that
IPv6 header insertion is useful and required. This is notably the
case when the entire journey of the packet remains in its source
domain. In such a context, it does not matter where the extension
header is inserted. The source domain may decide to place the IPv6
extension header insertion where it suits its best: at the source of
the packet or at any midpoint within the source domain.
Voyer, et al. Expires December 26, 2018 [Page 1]
Internet-Draft IPv6 SRH Insertion November 20, 2017
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Source Domain and Packet Journey . . . . . . . . . . . . . . 3
2.1. Example: 6PE . . . . . . . . . . . . . . . . . . . . . . 4
3. Transit through a Source Domain . . . . . . . . . . . . . . . 5
3.1. Example: SDWAN . . . . . . . . . . . . . . . . . . . . . 5
4. SRH insertion in Source Domain . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
7. Manageability Considerations . . . . . . . . . . . . . . . . 7
8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 7
Voyer, et al. Expires December 26, 2018 [Page 2]
Internet-Draft IPv6 SRH Insertion November 20, 2017
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
10.1. Normative References . . . . . . . . . . . . . . . . . . 8
10.2. Informative References . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
We define the concept of "domain" as the set of nodes under the same
administration. For example, a network operator infrastructure
including routers and links grouped into BGP autonomous systems (ASs)
and routing domains (running OSFP or IS-IS).
We define "source domain" as the domain of the source of the packet.
2. Source Domain and Packet Journey
(--- Source Domain ---)
( )
( 1-----2-----3-----9 )
( | | )
( 4-----5 )
(---------------------)
Figure 1: Source Domain
In the previous diagram:
o All the nodes 1 to 9 are in the same domain D.
o Node 1 originates a packet P1 destined to 9 (SA=1, DA=9).
o Domain D runs a link-state routing protocols which implements the
Fast Reroute (FRR) service through the Topology Independent Loop
Free Alternates (TI-LFA,
[I-D.bashandy-rtgwg-segment-routing-ti-lfa]).
o All link metrics are set to 10.
o Node 2's TI-LFA pre-computed backup path for the destination 9 is
the Segment Routing Policy <5, 9> via outgoing interface (OIF) to
node 4 according to [I-D.filsfils-spring-segment-routing-policy],
[I-D.filsfils-spring-srv6-network-programming] and
[I-D.ietf-6man-segment-routing-header].
Within the 50 milliseconds of link 2-3 failure detection, node 2
reroutes the traffic destined to 9 by inserting the pre-computed
segment routing header (SRH) with SID list <5, 9> and forwards the
Voyer, et al. Expires December 26, 2018 [Page 3]
Internet-Draft IPv6 SRH Insertion November 20, 2017
packet to node 4. Node 4 forwards based on DA=5 to neighbor 5. Node
5 updates the DA to 9 and removes the SRH. Node 9 receives the
packet with (SA=1, DA=9).
This FRR service is clearly beneficial for the operator of domain D:
without this FRR operation, depending on the scale of the domain and
the quality of the routing convergence implementation, traffic could
be dropped for hundreds to thousands of milliseconds waiting for the
routing plane to converge.
This FRR service is largely deployed with MPLS.
It is important to note that the operators industry is strongly
requiring the same TI-LFA FRR service without the need to deploy or
maintain the MPLS layer.
Obviously, this FRR service increases the size of the packet during
its journey within domain D. This is well-known to operators. Well-
known mitigation techniques have been deployed for more than 15 years
for the MPLS-based FRR service and the numerous VPN services. The
same exact technique can be used which consists of deploying an
infrastructure capable of an MTU value higher in the core than at the
ingress edge.
2.1. Example: 6PE
An illustrative example of packet size increasing while in transit is
given by the 6PE use case ([RFC4798]) and consists of the following:
o An ingress router encapsulates incoming IPv6 packets into a MPLS
label stack.
o The ingress router forwards the encapsulated packet across the
MPLS core infrastructure of the operator.
o While transiting in the core, the size of the label stack (hence
the size of the packet) may increase when additional labels are
pushed on top of the packet due to services such as traffic
engineering (TE) and/or fast reroute (FRR).
o Once the packet reaches the egress router, the label stack is
removed and the packet is sent out of the operator network as an
IPv6 packet.
Using the example topology in Figure 1:
Voyer, et al. Expires December 26, 2018 [Page 4]
Internet-Draft IPv6 SRH Insertion November 20, 2017
o Router 1 receives an incoming IPv6 packet, classifies it and does
push a label corresponding to the egress router this packet must
reach (router 9). At this stage the packet size has already
increased by the size of one label (32 bits).
o In addition, router 1 is configured with a policy consisting of a
traffic engineered path (2, 4, 5, 9) represented by an additional
label. At this stage the packet size has increased by the size of
two labels).
o While in transit in the traffic engineered path, a link may fail
and fast reroute (FRR) may have been provisioned so that the
packet is immediately re-routed (e.g., by router 4) using an
additional label. At this stage the packet size has increased by
the size of three labels.
o It has also to be noted that the packet may be part of a virtual
private network (VPN) service in which case it will have an
additional label corresponding to the VPN the packet belongs to.
In this case the packet size has increased by the size of four
labels.
o Once the packet reaches its egress router (router 9) the label
stack is consumed, the packet shape and size is restored to its
original state and the packet is forwarded externally, as a plain
IPv6 packet.
3. Transit through a Source Domain
(--- Source Domain ---)
( )
A---( 1-----2-----3-----9 )---B
( | | )
( 4-----5 )
(---------------------)
Figure 2: Transit Through a Source Domain
We now consider a packet P2 sent from A to B where A and B are
external nodes to the domain D.
We assume that when node 1 receives the packet, for service
transparency reason (the packet that exits the domain MUST be the
same as when it entered the domain), node 1 encapsulates the packet
P2 in an outer IPv6 header with SA=1 and DA=9. We call the resulting
packet P3.
Voyer, et al. Expires December 26, 2018 [Page 5]
Internet-Draft IPv6 SRH Insertion November 20, 2017
Note that node 1 in Domain D is the source of a new IPv6 packet (P3)
that encapsulates P2, therefore we refer to this scenario as "Transit
Through a Source domain".
From the viewpoint of domain D, packet P3 is the same as packet P1 of
the previous use-case. Indeed, domain D only considers the outer
header and from that viewpoint, the outer header is the same: (SA=1,
DA=9). Furthermore, as for packet P1, the entire journey of packet
P3 is contained within domain D.
Node 2 may thus rightfully insert an SRH on packet P3 to implement a
sub-50 milliseconds FRR operation upon the loss of the link 2-to-3
and node 5 can remove this SRH.
The transparency of the service is guaranteed: the insertion and
removal of the SRH on packet P3 has no impact on packet P2. P2 at
the exit of the domain D is the same as at the entrance of the domain
D.
Customers of the transit service offered by domain D do demand FRR
services. The 50 millisecond FRR operation provides a much better
service availability than 100's to 1000's of milliseconds of loss for
each routing transition.
3.1. Example: SDWAN
An illustration example of transit through a source domain is given
by [I-D.dukes-sr-for-sdwan], and consist of the following:
o An ingress SDWAN Edge node encrypts and encapsulates incoming IPv4
or IPv6 packets in an IPv6 header;
o The ingress node inserts an SRH with a binding SID;
o The use of the binding SID is an explicit agreement within the
source domain to apply a given SLA to the traffic containing the
binding SID;
o As the packet traverses the source domain, the binding SID and the
SRH containing it MAY be removed (if the binding SID was a PSP
SID);
o A new SRH MAY be inserted within the source domain, corresponding
to the path represented by the binding SID, and this SRH MAY be
removed before the packet exits the source domain (again depending
on the last SID in the SID list and whether or not it was a PSP
SID).
Voyer, et al. Expires December 26, 2018 [Page 6]
Internet-Draft IPv6 SRH Insertion November 20, 2017
Using the example topology in Figure 1:
o Router 1 receives a packet destined to B, which it encrypts and
encapsulates in an IPv6 header destined to router 9;
o Router 1 inserts an SRH containing a binding SID S2.1 (a binding
SID at 2,) to receive a path with a negotiated SLA, and sends the
packet toward S1 with an outer header and SRH of:
(SA=1,DA=S2.1)(9,S2.1;SL=1)
o Router 2 receives the packet and perform PSP for S2.1
o Router 2 inserts a new SRH with segment list <S3,S4>
o Once the packet reaches its egress router (router 9) the SRH has
been removed (if S4 was a PSP SID), the outer IPv6 header is
removed, the inner packet decrypted and the original packet is
forwarded externally toward B.
4. SRH insertion in Source Domain
This document reminds that for a packet whose journey is
completely contained within its source domain, it does not matter
where the IPv6 extension header insertion is done.
It could be at the source or at the first-hop router or at any
node of the source domain.
The source domain owns the packet and decides the location, which
suits it best.
During the packet journey in the source domain, any node in the
source domain may insert an SRH and the egress node MUST remove
both the outer IPv6 header and inserted SRH.
In conclusion, in a context of a controlled/trusted domain, the
insertion of SRHs in packets that are sourced within the domain is
useful, required and also harmless. Hence, a context-less ban of
IPv6 extension header insertion does not make sense.
Voyer, et al. Expires December 26, 2018 [Page 7]
Internet-Draft IPv6 SRH Insertion November 20, 2017
5. Security Considerations
This document proposes to insert an SRH to a transit packet if
such packet is originated and destined within a controlled/trusted
domain. Typically, when an operator encapsulates an externally
received packet and sends this packet in a tunneled mode from
ingress to egress, insertion of SRH is safe and confined within
the operator's infrastructure. In such conditions, the security
of the original packet is not compromised by header insertion and
the packet leaves the operator's domain without the any header
that the operator may have added.
A controlled/trusted domain can operate SRv6-based services for
internal traffic while preventing any external traffic from
accessing these internal SRv6-based services. Several mechanisms
exists and are currently used by operators. Here follows a non-
exhaustive example list:
o Access-lists (ACL) on the each externally facing interface in
order to drop any incoming traffic with SA or DA belonging to the
internal SID space.
o ACL to prevent access to local SIDs from outside the operator's
infrastructure.
o Support Unicast-RPF on source address on external interface.
6. IANA Considerations
This document doesn't introduce any IANA request.
7. Manageability Considerations
TBD
8. Contributors
TBD
9. Acknowledgements
TBD
10. References
Voyer, et al. Expires December 26, 2018 [Page 8]
Internet-Draft IPv6 SRH Insertion November 20, 2017
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
10.2. Informative References
[I-D.bashandy-rtgwg-segment-routing-ti-lfa]
Bashandy, A., Filsfils, C., Decraene, B., Litkowski, S.,
and P. Francois, "Abstract", draft-bashandy-rtgwg-segment-
routing-ti-lfa-00 (work in progress), February 2017.
[I-D.filsfils-spring-segment-routing-policy]
Filsfils, C., Sivabalan, S., Yoyer, D., Nanduri, M., Lin,
S., bogdanov@google.com, b., Horneffer, M., Clad, F.,
Steinberg, D., Decraene, B., and S. Litkowski, "Segment
Routing Policy for Traffic Engineering", draft-filsfils-
spring-segment-routing-policy-00 (work in progress),
February 2017.
[I-D.filsfils-spring-srv6-network-programming]
Filsfils, C., Leddy, J., daniel.voyer@bell.ca, d.,
daniel.bernier@bell.ca, d., Steinberg, D., Raszuk, R.,
Matsushima, S., Lebrun, D., Decraene, B., Peirens, B.,
Salsano, S., Naik, G., Elmalky, H., Jonnalagadda, P.,
Sharif, M., Ayyangar, A., Mynam, S., Bashandy, A., Raza,
K., Dukes, D., Clad, F., and P. Camarillo, "SRv6 Network
Programming", draft-filsfils-spring-srv6-network-
programming-00 (work in progress), March 2017.
[I-D.ietf-6man-segment-routing-header]
Previdi, S., Filsfils, C., Raza, K., Leddy, J., Field, B.,
daniel.voyer@bell.ca, d., daniel.bernier@bell.ca, d.,
Matsushima, S., Leung, I., Linkova, J., Aries, E., Kosugi,
T., Vyncke, E., Lebrun, D., Steinberg, D., and R. Raszuk,
"IPv6 Segment Routing Header (SRH)", draft-ietf-6man-
segment-routing-header-06 (work in progress), March 2017.
[I-D.dukes-sr-for-sdwan]
Dukes, D., Filsfils, C., Dawra, G., Camirillo, P., Clad, F.,
Salsano, S., draft-dukes-sr-for-sdwan-00 (work in progress)
October 2017.
[RFC4798] De Clercq, J., Ooms, D., Prevost, S., and F. Le Faucheur,
"Connecting IPv6 Islands over IPv4 MPLS Using IPv6
Provider Edge Routers (6PE)", RFC 4798,
Voyer, et al. Expires December 26, 2018 [Page 9]
Internet-Draft IPv6 SRH Insertion November 20, 2017
DOI 10.17487/RFC4798, February 2007,
<http://www.rfc-editor.org/info/rfc4798>.
Voyer, et al. Expires December 26, 2018 [Page 10]
Internet-Draft IPv6 SRH Insertion November 20, 2017
Authors' Addresses
Daniel Voyer (editor)
Bell Canada
Montreal
CA
Email: daniel.voyer@bell.ca
John Leddy
Comcast
4100 East Dry Creek Road
Centennial, CO 80122
US
Email: John_Leddy@comcast.com
Clarence Filsfils
Cisco Systems, Inc.
Brussels
BE
Email: cfilsfil@cisco.com
Stefano Previdi
Individual Contributor
Italy
Email: stefano@previdi.net
Darren Dukes (editor)
Cisco Systems
Canada
Email: ddukes@cisco.com
Satoru Matsushima
Softbank
Email: satoru.matsushima@g.softbank.co.jp
Voyer, et al. Expires December 26, 2018 [Page 11]