Network Working Group                                    Ahmed Bashandy
Internet Draft                                        Clarence Filsfils
Intended status: Informational                      Cisco Systems, Inc.
Expires: November 2017                               Stephane Litkowski
                                                                 Orange
                                                        Pierre Francois
                                                 Individual Contributor
                                                           May 12, 2017

                  Loop avoidance using Segment Routing
              draft-bashandy-rtgwg-segment-routing-uloop-00


Abstract

This document presents a mechanism aimed at providing loop avoidance
in the case of IGP network convergence event.  The solution relies on
the temporary use of SR policies ensuring loop-freeness over the
post-convergence paths from the converging node to the destination.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008. The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s)
   controlling the copyright in such materials, this document may not
   be modified outside the IETF Standards Process, and derivative
   works of it may not be created outside the IETF Standards Process,
   except to format it for publication as an RFC or to translate it
   into languages other than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt



Bashandy              Expires November 12, 2017                [Page 1]


Internet-Draft            SR Loop Avoidance                    May 2017

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on November 12, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.



Table of Contents

   1. Introduction...................................................2
      1.1. Conventions used in this document.........................3
   2. Loop-free two-stage convergence process........................4
   3. Computing loop-avoiding SR policies............................5
   4. Analysis.......................................................5
      4.1. Incremental Deployment....................................5
      4.2. No impact on capacity planning............................5
   5. Security Considerations........................................6
   6. IANA Considerations............................................6
   7. Contributors...................................................6
   8. References.....................................................6
      8.1. Normative References......................................6
      8.2. Informative References....................................6
   9. Acknowledgments................................................6

1. Introduction

   Forwarding loops happen during the convergence of the IGP, as a
   result of transient inconsistency among forwarding states of the
   nodes of the network.

   This document provides a mechanism leveraging Segment Routing to
   ensure loop-freeness during the IGP reconvergence process following
   a link-state change event.



Bashandy              Expires November 12, 2017                [Page 2]


Internet-Draft            SR Loop Avoidance                    May 2017

   We use Figure 1 to illustrate the mechanism.  In this scenario, all
   the IGP link metrics are 1, excepted R3-R4 whose metric is 100.  We
   consider the traffic from S to D.

                          +-------R1------R2---+
                         /                      \
                        /                        \
                  S---R0                         R3-----D
                        \                        /
                         \                      /
                          +-------R5------R4---+
                                               100
         Figure 1 Illustrative scenario, failure of link R2-R3


   When the link between R2 and R3 fails, traffic sent from S to D,
   initially flowing along S-R0-R1-R2-R3-D is subject to transient
   forwarding loops while routers update their forwarding state for
   destination D. For example, if R0 updates its FIB before R5, packets
   for D may loop between R0 and R5.  If R5 updates its FIB before R4,
   packets for D may loop between R5 and R4.

   Using segment routing, a headend can enforce an explicit path
   without creating any state along the desired path.  As a result, a
   converging node can enforce traffic on the post-convergence path in
   a loop-free manner, using a list of segments (typically short).  We
   suggest that the converging node enforces its post-convergence path
   to the destination when applying this behavior to ease operation
   (predictability of path, less capacity planning issues ...); nodes
   converge over their new optimal path, but temporarily use an SR
   policy to ensure loop-freeness over that path.

   In our example, R0 can temporarily steer traffic destined to D over
   SR path [NodeSID(R4), AdjSID(R4->R3), D].  By doing so, packets for
   D will be forwarded by R5 as per NodeSID(R4), and by R4 as per
   AdjSID(R4->R3).  From R3 on, the packet is forwarded as per
   destination D. As a result, traffic follows the desired path,
   regardless of the forwarding state for destination D at R5 and R4.
   After some time, the normal forwarding behavior (without using an SR
   policy) can be applied; routers will converge to their final
   forwarding state, still consistently forwarding along the post-
   convergence paths across the network.

   1.1. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
   in this document are to be interpreted as described in RFC-2119



Bashandy              Expires November 12, 2017                [Page 3]


Internet-Draft            SR Loop Avoidance                    May 2017

   In this document, these words will appear with that interpretation
   only when in ALL CAPS. Lower case uses of these words are not to
   be interpreted as carrying RFC-2119 significance.

2. Loop-free two-stage convergence process

   Upon a topology change, when a node R converging for destination D
   does not trust the loop-freeness of its post-convergence path for
   destination D, it applies the following two-stage convergence
   process for destination D.

   Stage 1: After computing the new path to D, for a configured amount
   of time C, R installs a FIB entry for D that steers packets to D via
   a loop-free SR path.  C is assumed to be configured as per the
   worst-case convergence time of a node, network-wide.  The SR path is
   computed when the event occurs.

   Stage 2: After C elapses, R installs the normal post-convergence FIB
   entry for D, i.e. without any additional segments inserted that
   ensure the loop-free property.

   Loop-freeness is ensured during this process, because:

   1.  Paths made of non up-to-date routers are loop-free.

   Routers which forward as per the initial state of the network are
   consistent.

   2.  A packet reaching a node in stage 1 is ensured to reach its
   destination.

   When a packet reaches a router in stage 1, it is steered on a SR
   path ensuring a loop-free post-convergence path, whatever the state
   of other routers on the path.

   3.  Paths made of a mix of routers in stage 1 and stage 2 are
   consistent.

   After C milliseconds, all routers are forwarding as per their post-
   convergence paths, either expressed classically or as a loop-free SR
   path.

   In our example, when R2-R3 fails, R0 forwards traffic for
   destination D over SR Path [NodeSID(R4), AdjSID(R4->R3), D], for C
   milliseconds. During that period, packets sent by R0 to D are loop-
   free as per the application of the policy.  When C elapses, R0 now
   uses its normal post-convergence path to the destination, forwarding
   packets for D as is to R5.



Bashandy              Expires November 12, 2017                [Page 4]


Internet-Draft            SR Loop Avoidance                    May 2017

   R5 also implements loop avoidance, and has thus temporarily used a
   loop-avoiding SR policy for D. This policy is [AdjSID(R4->R3), D],
   oif R5->R4.  If R5 is still applying the stage 1 behavior, the
   packet will be forwarded using this policy, and will thus safely
   reach the destination.  If R5 also had moved to stage 2, it forwards
   the packet as per its normal post-convergence path, via R4.  The
   forwarding state of R4 for D at stage 1 and stage 2 are the same:
   oif R4->R3, as forwarding packets for destination D as is to R3
   ensures a loop-free post-convergence path.

3. Computing loop-avoiding SR policies

   The computation to turn a post-convergence path into a loop-free
   list of segments is outside the scope of this document.  It is a
   local behavior at a node.

   In a future revision of this document, we may provide a reference
   approach to compute loop-avoiding policies for link up, link metric
   increase, link down, link metric decrease, node up, and node down
   events. TI-LFA Repair Tunnel

4. Analysis

   In this section, we review the main characteristics of the proposed
   solution.  These characteristics are illustrated in [3].

   4.1. Incremental Deployment

   There is no requirement for a full network upgrade to get benefits
   from the solution.

   (1) Nodes that are upgraded bring benefit for the traffic passing
   through them.

   (2) Nodes that are not upgraded to support SR-based loop-avoidance
   will cause the micro-loops that they were causing before, unless
   they get avoided by the local behavior of a node supporting the
   behavior.

   4.2. No impact on capacity planning

   By ensuring loop-free post-convergence paths, the behavior remains
   in line with the natural expected convergence process of the IGP.
   Enabling SR-based loop-avoidance hence does not require
   consideration for capacity planning, compared to any loop avoidance
   mechanism that lets traffic follow a different path than the post-
   convergence one. The behavior is local.  Nothing is expected from
   remote nodes except the basic support of Prefix and Adjacency SID's.



Bashandy              Expires November 12, 2017                [Page 5]


Internet-Draft            SR Loop Avoidance                    May 2017

5. Security Considerations

   The behavior described in this document is internal functionality
   to a router that result in the ability to explicitly steer traffic
   over the post convergence path after a remote topology change in a
   manner that guarantees loop freeness. As such no additional
   security risk is introduced by using the mechanisms proposed in
   this document.

6. IANA Considerations

   No requirements for IANA

7. Contributors

      Additional contributors: Bruno Decraene and Peter Psenak.

8. References

   8.1. Normative References

   8.2. Informative References

   [1]   Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., and
         Shakir, R., "Segment Routing Architecture", draft-ietf-spring-
         segment-routing-11 (work in progress), November 2016.

   [2]   Shand, M. and Bryant, S., "IP Fast Reroute Framework", RFC
         5714,    January 2010.

   [3]   Litkowski, S., "Avoiding micro-loops using Segment Routing",
         MPLS World Congress , 2016.



9. Acknowledgments

   This document was prepared using 2-Word-v2.0.template.dot.













Bashandy              Expires November 12, 2017                [Page 6]


Internet-Draft            SR Loop Avoidance                    May 2017

Authors' Addresses

   Ahmed Bashandy
   Cisco Systems
   170 West Tasman Dr, San Jose, CA 95134, USA
   Email: bashandy@cisco.com

   Clarence Filsfils
   Cisco Systems
   Brussels, Belgium
   Email: cfilsfil@cisco.com

   Stephane Litkowski
   Orange
   Email: stephane.litkowski@orange.com

   Pierre Francois
   pfrpfr@gmail.com

































Bashandy              Expires November 12, 2017                [Page 7]