Network Working Group                                      S. De Cnodder
Internet Draft                                                C. Pelsser
Expiration Date: January 2005


                                                               July 2004


                  Protection for inter-AS MPLS tunnels
            draft-decnodder-ccamp-interas-protection-00.txt


Status of this Memo


   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   or will be disclosed, and any of which I become aware will be
   disclosed, in accordance with RFC 3668.


   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.


   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."


   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt


   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


Abstract


   This document describes a solution for link protection, node
   protection, Shared Risk Link Group (SRLG) protection and fast
   recovery of inter-AS packet based LSPs. These problems are
   highlighted in [ASREQ]. The proposed solution is based on RSVP-TE
   [RFC3209] as recommended by [ASREQ]. Only the protection of links
   between 2 ASs, the protection of their SRLGs and of the nodes at the
   border of an AS are in the scope of this document.


1. Introduction


   This document describes a solution for the following requirements
   from [ASREQ]:


   1) link protection




De Cnodder, Pelsser       Expires January 2005                  [Page 1]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   2) node protection


   3) SRLG protection


   4) fast recovery


   5) based on RSVP-TE [RFC3209]


   MPLS Fast-Reroute techniques based on [FRR] together with the RSVP
   objects eXclude Route Object (XRO) and Explicit eXclude Route
   Subobject (EXRS), as defined in [XRO], will be used to fulfill the
   above requirements. Only the protection of links between 2 ASs, the
   protection of their SRLGs and of the nodes at the border of an AS are
   in the scope of this document.


   Section 2 proposes to tunnel inter-AS LSPs through intra-AS LSPs
   inside an AS, as described in [HIER]. This tunneling favors the
   confidentiality requirement concerning intra-AS topologies [ASREQ] as
   well as the establishment of inter-AS LSPs. The establishment of
   inter-AS LSPs will not be studied further in this draft. In this
   document it is assumed that ASes define their SRLGs independently
   from the SRLGs in other ASes.


   Section 3 shows that an end-to-end recovery LSP, crossing multiple
   ASs, can only provide link and node protection. For SRLG protection
   and fast recovery, the methods in [FRR] have to be used. Section 5
   and section 6 describe how these methods can be used for the
   protection of inter-AS LSPs with detour LSPs and bypass tunnels.
   Nodes other than those mentioned in this document must use the
   methods in [FRR] to establish detour LSPs or bypass tunnels.
   Moreover, these nodes establish detour LSPs that merge with the
   working LSP in the same AS where they are originated, or these nodes
   establish/use bypass tunnels that terminate in the same AS as where
   they originate.


2. Inter-AS LSP tunneled through an intra-AS LSP


   To improve scalability and confidentiality (which is outside the
   scope of this document), an inter-AS LSP can be tunneled through an
   intra-AS LSP [HIER]. For instance, in Figure 2 of Section 4, the link
   between R21 and R22 could be an LSP passing multiple core routers.
   And, the inter-AS LSP is tunneled through this LSP. Whether an
   inter-AS LSP is tunneled or not through an intra-AS LSP is not
   relevant for this document since this intra-AS LSP behaves as any
   other link in the network.


   The procedures described in the following sections apply for inter-AS
   link, node and SRLG protection of inter-AS LSPs whether they are




De Cnodder, Pelsser       Expires January 2005                  [Page 2]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   tunneled or not.


3. Problems in SRLG protection with disjoint end-to-end LSPs


   The motivation to support fast-reroute techniques as described in
   [FRR] is twofold: first of all, it supports fast recovery, and,
   second, it provides SRLG protection, which is not the case for a
   disjoint end-to-end LSP. The problem to support SRLG protection, with
   the latter method, is described in this section.


   There are different ways to provide end-to-end protection of inter-AS
   LSPs.  A first possibility is to establish a secondary path that
   crosses different ASs than the working LSP. An alternative is to
   establish an LSP that follows the same AS path to the destination as
   the working LSP, i.e. it crosses the same ASs in the same order, but
   is link or node disjoint from the working LSP. However, these two
   solutions do not permit to establish an LSP that is disjoint from the
   SRLGs of the working LSP. That is, it is not possible to protect the
   working inter-AS LSP against SRLGs failures with a single end-to-end
   link or node disjoint LSP. This is due to the fact that ASs may
   possess links belonging to the same SRLG even if these ASs do not
   have the same convention to designate this SRLG. The allocation of
   SRLGs is not consistent among the ASs.


   To explain this, we introduce the concepts of SRLG scope and SRLG ID
   scope. The SRLG scope of a particular SRLG is the collection of nodes
   that have a consistent understanding of that particular SRLG. This
   means that all nodes in the SRLG scope see the same set of links
   belonging to that SRLG. The nodes in an SRLG scope will not be aware
   of links outside the SRLG scope that may share for instance physical
   resources with links in the SRLG scope that are in the SRLG, and
   hence could fail at the same time.


   Not all nodes in a particular SRLG scope must use the same SRLG ID to
   identify that particular SRLG. An SRLG scope can consist of different
   non-overlapping sections and each such section can use a different
   SRLG ID to refer to the SRLG. At the boundaries of these sections,
   there exists a one-to-one mapping of the corresponding SRLG IDs that
   identify the same SRLG. Such section of an SRLG scope where a
   particular SRLG ID is used to identify the SRLG, is called the SRLG
   ID scope.


   Example 1: If a particular SRLG groups all the links of AS 1 and AS 2
   that use a particular physical resource, and hence could fail at the
   same time, then the SRLG scope consists of AS 1 and AS 2. If AS 1
   uses SRLG ID x to identify that SRLG and AS 2 uses SRLG ID y, then
   there are two SRLG IDs and their corresponding SRLG ID scopes are AS
   1 and AS 2, and there is a one-to-one mapping of the SRLG IDs between




De Cnodder, Pelsser       Expires January 2005                  [Page 3]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   these SRLG ID scopes, i.e. x in AS 1 translates to y in AS 2.


   Example 2: Suppose that a particular SRLG groups links in AS 1 that
   could fail at the same time and that another SRLG groups links in AS
   2, i.e. the SRLG scope of the SRLGs are their corresponding ASs. AS 1
   and AS 2 may use the same SRLG ID. Using the same SRLG ID does not
   mean that the 2 SRLGs are linked to each other is some way.


         AS1             AS2              AS3
    /----------\  /-------------- \  /------------\


           R12 ---- R21 ---- R23 ---- R31
         /              \                 \
        /                \                 \
    R11                  R25                 R33
        \                  \               /
         \                  \             /
           R13 ---- R22 ---- R24 ---- R32


                 Figure 1: end-to-end SRLG protection



   When SRLGs whose corresponding SRLG scope does not contain all ASs
   crossed by the inter-AS LSP, an end-to-end recovery LSP may fail to
   provide SRLG protection as explained by the example that follows.
   Suppose we have a working LSP going from R11 in AS1 to R33 in AS3
   through R13, R22, R24 and R32. It is not possible to protect this LSP
   against SRLG failures with a recovery LSP crossing for instance R12,
   R21, R23 and R31 when there are SRLGs with SRLG scopes corresponding
   to a single AS (AS1, AS2, or AS3) or only 2 ASs. Suppose the SRLG
   scopes consists of only 1 AS, then AS3 could have links which can
   fail together with links in AS1 and neither AS1 nor AS3 will be aware
   of it. For example, link R11-R13 and link R31-R33 may share a
   physical resource but in case there are no SRLGs defined with SRLG
   scope containing AS1 and AS3, this will not be known by any of the
   ASs. This example relies on the fact that different ASs may use the
   same resources to join different nodes in their respective domain. A
   similar situation occurs when the working and the recovery LSP do not
   share the same AS path but instead partially cross different ASs.


   In this document we consider SRLG scopes consisting of an AS.
   Therefore, this document only focuses on local protection, as defined
   in [FRR], because it is not possible to provide full protection of
   SRLGs with such SRLG scopes, along an inter-AS LSP, with a single
   end-to-end LSP.  The solution proposed in this document enables the
   provision of link, node and SRLG protection of inter-AS LSPs.


4. Network model and terminology




De Cnodder, Pelsser       Expires January 2005                  [Page 4]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   To illustrate the procedures described in the next sections, the
   following network model is used:


               AS1                AS2
         /-------------\    /------------\


          +---+   +---+      +---+   +---+
    ------|R11|---|R12|------|R21|---|R22|------
          +---+   +---+      +---+   +---+
            |       |          |       |
            |       |          |       |
            |       |          |       |
          +---+   +---+      +---+   +---+
    ------|R13|---|R14|------|R23|---|R24|------
          +---+   +---+      +---+   +---+
            |       |          |       |
            |       |          |       |
            |       |          |       |
          +---+   +---+      +---+   +---+
    ------|R15|---|R16|------|R25|---|R26|------
          +---+   +---+      +---+   +---+


                 Figure 2: a reference network model



   The working LSP is established from a certain node (not shown on the
   figure) and goes over routers R13, R14, R23, and R24 towards the
   destination (also not shown on the figure). AS1 is referred to as the
   upstream AS of AS2, and AS2 is referred to as the downstream AS of
   AS1.


   An "egress AS-BR" or a "primary egress AS-BR" is an Autonomous System
   Border Router (AS-BR) at which the working LSP leaves an AS. In the
   network example, in figure 2, this is router R14, inside AS1.


   An "ingress AS-BR" or a "primary ingress AS-BR" is an AS-BR at which
   the working LSP enters an AS. In the network example, this is router
   R23, inside AS2.


   A "secondary egress AS-BR" is an AS-BR at which the bypass tunnel or
   the detour LSP leaves an AS. In the network example, this could be
   router R12 or R16, in AS1.


   A "secondary ingress AS-BR" is an AS-BR at which the bypass tunnel or
   the detour LSP enters an AS. In the network example, this could be
   router R21 or R25, in AS2.


   "Inter-AS link protection" is the protection of an LSP against a




De Cnodder, Pelsser       Expires January 2005                  [Page 5]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   failure of the link connecting two ASs on the path of the LSP. In the
   network example, the inter-AS link R14-R23 is to be protected.


   "Inter-AS node protection" is the protection of an LSP against an
   AS-BR failure. This can be the egress AS-BR, R14, or the ingress AS-
   BR, R23, for the considered example.


   "Inter-AS SRLG protection" is the protection of an LSP against a
   simultaneous failure of all links that belong to certain SRLGs which
   also contain the inter-AS link (R14-R23 in figure 2).


   Other terminology and abbreviations are taken from [FRR].


5. Protection with detour LSPs


 5.1 Link protection with detour LSPs


  5.1.1 Procedures for the egress AS-BR


   The primary egress AS-BR has to establish a detour LSP to protect the
   inter-AS link. The destination of the detour LSP will be the same as
   the destination of the working LSP. The detour LSP may merge with the
   working LSP at any downstream node or with other detour LSPs of the
   same working LSP, established by nodes downstream of the link to be
   protected. The egress AS-BR has to determine a secondary egress AS-BR
   and then it can perform a path calculation towards this AS-BR.


   The primary egress AS-BR can select any other AS-BR as secondary
   egress AS-BR but it is recommended to select an AS-BR that is
   connected to the downstream AS of the working LSP (i.e. the AS where
   the primary ingress AS-BR is located). In case this condition is not
   met, it could be for instance possible that the downstream AS of the
   detour LSP chooses a path that goes through the AS where the detour
   LSP was originated causing loops. This is illustrated in Figure 3.
   Suppose the working LSP crosses the domains AS1, AS2, AS3 and AS4 in
   that order. The detour LSP protecting the link between AS2 and AS3
   does not take the alternative link between AS2 and AS3 but it takes
   AS6, then AS6 could take AS5 as next AS and then at the end the
   detour LSP arrives at AS1 where it merges with the working LSP. It is
   clear that such detour does not protect the link that it is supposed
   to protect. Note that it is only recommended and not a must to take
   the same downstream AS because there are ways to solve this problem
   by excluding ASs [XRO] but this would be a rather complex solution.









De Cnodder, Pelsser       Expires January 2005                  [Page 6]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



        _______       _______       _______       _______
       (       )     (       )-----(       )-----(       )
       (  AS1  )-----(  AS2  )     (  AS3  )     (  AS4  )
       (_______)     (_______)-----(_______)-----(_______)
           |             |             |             |
           |             |             |             |
           |             |             |             |
        ___|___       ___|___       ___|___       ___|___
       (       )     (       )     (       )     (       )
       (  AS5  )-----(  AS6  )-----(  AS7  )-----(  AS8  )
       (_______)     (_______)     (_______)     (_______)


          Figure 3: a detour LSP merging at a wrong place



   In addition, it is recommended that the detour LSP merges in the AS
   where this downstream ingress AS-BR is located (the merging node
   could be the ingress AS-BR itself) if the destination of the working
   LSP is not in the downstream AS. For example, in figure 3, the detour
   LSP protecting the link of the working LSP between AS2 and AS3 should
   merge with the working LSP in AS3. If this does not happen, AS3 could
   select AS7 as next AS for the detour LSP and from then on A7 could
   select AS6, which further goes to AS5 and AS1 where the detour LSP
   merges with the working LSP upstream from the failure to protect.
   This recommendation also improves the scalability of the solution
   since merging LSPs diminishes the number of states to be maintained,
   the bandwidth to be reserved, and so on.


   Therefore, the ERO for the detour LSP starting at the egress AS-BR
   should contain several path's segments. It should first contain a
   strict or a loose path towards the secondary egress AS-BR followed by
   a segment of the RRO of the working LSP. The latter segment begins at
   the last hop in the downstream AS (the egress AS-BR in the downstream
   AS) of the working LSP and contains all hops thereafter up until the
   destination. For instance, in Figure 3, with a working LSP crossing
   AS1-AS2-AS3-AS4, the ERO of the detour LSP protecting the link of the
   working LSP between AS2 and AS3, should at least contain the routers
   of the working LSP in AS4 and the egress AS-BR of AS3 recorded in the
   RRO. That is, the ERO of the detour LSP at least contains:  (1) A
   strict or loose path toward the secondary egress ASBR (2) The path of
   the working LSP starting at the last hop inside the downstream AS and
   ending at the destination of the working LSP. In the example network
   of Figure 2, we have a working LSP crossing the routers R13, R14,
   R23, R24, etc. Suppose that the selected egress AS-BR is R16 and the
   calculated path towards R16 is R14-R13-R15-R16 (R14 is originator of
   detour LSP) assuming that R14-R16 does not match the constraints of
   the detour LSP. The ERO of the detour LSP protecting link R14-R23
   should therefore be composed of routers R13-R15-R16 (all strict)




De Cnodder, Pelsser       Expires January 2005                  [Page 7]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   followed by R24 (with loose flag set) and the following routers after
   R24 of the working LSP in the downstream AS of AS2, which is not
   shown in Figure 2. The path between R16 and R24 has to be calculated
   by R16 and R25.


   There are two possible methods to determine the secondary egress AS-
   BR at the primary egress AS-BR. (1) The egress AS-BR can be manually
   configured with other AS-BRs that peer to the same AS or (2) it can
   lookup in its BGP table to find an other entry such that the AS-path
   has the same AS next hop as the currently selected entry. Option (1)
   is feasible because the number of links between 2 ASs is usually
   limited to only a small number of links.


   It could be possible that the primary egress AS-BR is the same router
   as the secondary egress AS-BR and that the primary ingress AS-BR is
   the same router as the secondary ingress AS-BR. In this particular
   case when there are multiple links between the AS-BRs, the detour LSP
   must simply use an inter-AS link that is not the one used by the
   working LSP, and no path computation has to be done at the egress
   AS-BR.


   The use of the LSP-Merge subobject, defined in Appendix A, is
   optional to provide link protection. This is an ERO subobject that
   forces the merging at the next node in the ERO and it makes sure that
   this merging node can switch traffic coming from the merging detour
   LSP to the originating detour LSP. See Appendix A for a description
   and see Section 5.3.1 for more details on where this subobject is
   mandatory to use (in case of SRLG protection).


  5.1.2 Procedures for the ingress AS-BR


   No extra procedures are required.


   The detour LSP may merge with the working LSP at this node.


  5.1.3 Procedures for the secondary egress AS-BR


   The secondary egress AS-BR completes the path in the ERO by selecting
   a secondary ingress AS-BR in the downstream AS. If there is no ERO
   present, then the tunnel end point address in the Session object has
   to be used to route the Path message.


  5.1.4 Procedures for the secondary ingress AS-BR


   The secondary ingress AS-BR completes the ERO with a path towards the
   next subobject in the ERO. The LSP should merge with the working LSP
   at the node that processes the LSP-Merge subobject (if that subobject
   is present), if it was not yet merged at this point. If no ERO is




De Cnodder, Pelsser       Expires January 2005                  [Page 8]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   present inside the Path message of the detour LSP, the path is
   computed based on the tunnel end point address.


 5.2 Node protection with detour LSPs


   The procedures and recommendations are the same for the protection of
   an ingress AS-BR failure as for link protection, with the exception
   that the egress AS-BR has to include an XRO object or an EXRS
   subobject [XRO] with the ingress AS-BR to exclude.


   For the protection of the egress AS-BR, the same holds except that
   the procedure applies to the router on the path of the working LSP
   preceding the egress AS-BR. The method to determine a secondary
   egress AS-BR is the same as for link protection: either manual
   configuration or by using BGP routing information, if it is
   available. Note that the first solution requires more configuration
   as for link protection in case this router peers with more than one
   AS-BR.


 5.3 SRLG protection with detour LSPs


   Similar procedures as for link protection apply for SRLG protection.
   In addition, the secondary egress AS-BR must be an AS-BR that peers
   with the downstream AS of the working LSP. And, the detour LSP must
   merge in that AS. The former condition is necessary because only the
   two peering ASs know the SRLGs of the inter-AS link and the latter
   condition implies that the LSP-Merge subobject must be used. This
   subobject is inserted inside the ERO to indicate the node where
   merging needs to be done (see appendix A). The next subsections
   describe in more details the procedures to be performed at the nodes
   involved in the establishment of such detour LSP.


  5.3.1 Procedures for the egress AS-BR


   The egress AS-BR has to include an XRO object or an EXRS subobject to
   exclude the SRLGs of the inter-AS link. The XRO or the EXRS must
   include a list of SRLGs (defined for the AS containing the PLR)
   corresponding to the inter-AS link as well as a reference to this
   link. If the egress AS-BR can calculate a strict path to reach the
   secondary egress AS-BR, then the list of SRLGs may be removed. Only
   the reference to the link for which the detour LSP has to be SRLG
   disjoint is then required (see section 5.3.2). The secondary ingress
   AS-BR has to use the information in the XRO or EXRS to further
   calculate a path for the detour LSP.


   To ensure merging inside the downstream AS, the LSP-Merge subobject
   (see Appendix A) has to be included in the ERO by the egress AS-BR.
   The LSR where the detour LSP is merged with the working LSP has to




De Cnodder, Pelsser       Expires January 2005                  [Page 9]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   ensure that it can perform a switch-over from the incoming detour LSP
   containing the LSP-Merge subobject to its originating detour LSP in
   case the next link has an SRLG in common with the inter-AS link. This
   is because in this case, both links can fail at the same time such
   that both detour LSPs will be activated at the same time. In other
   words, the PLR has to send the traffic from the main LSP or the
   incoming detour LSP on the departing detour LSP protecting the
   failure of the downstream resources, when protection is in use.


  5.3.2 Procedures for the secondary egress AS-BR


   The secondary egress AS-BR selects a next hop and the XRO or EXRS
   contains a reference to the link for which the detour LSP has to be
   SRLG disjoint. No list of SRLGs should be included because the SRLG
   IDs are local to an AS, which means that if a list of SRLG IDs would
   be sent to the next hop, then this node would not understand the IDs.
   Therefore only the reference to the inter-AS link is useful. This
   link is referenced by means of its IP address, see [XRO]. The
   secondary egress AS-BR thus removes the list of SRLGs related to the
   inter-AS link, if such a list of SRLGs was present.


  5.3.3 Procedures for the ingress AS-BR


   No extra procedures required.


  5.3.4 Procedures for the secondary ingress AS-BR


   If the secondary ingress AS-BR cannot compute a full path towards the
   node immediately preceeding the LSP-merge subobject, then the
   secondary ingress AS-BR adds the list of SRLGs of the inter-AS link
   to the received XRO object or EXRS subobject, respectively, if not
   already present. These SRLGs are known by the nodes inside this AS.
   This is required because the LSP can cross nodes inside the AS which
   do not know the SRLGs of the inter-AS link, but only the SRLGs of
   intra-area links, hence just a reference to a link whose SRLGs have
   to be excluded is not sufficient. An alternative would be to
   distribute inter-AS links and their SRLGs inside the IGP.


  5.3.5 Path calculation


   To allow the egress AS-BR and the secondary ingress AS-BR to
   calculate a path, the SRLGs of the inter-AS links towards the same
   downstream AS (upstream AS, respectively) as the working LSP have to
   be known. This could be achieved through manual configuration of the
   SRLGs of other inter-AS links to the same downstream/upstream AS at
   each AS-BR. For instance, in Figure 2, at R14 and R23, the SRLGs of
   R12-R21 can be configured such that they are known for the path
   calculation, and at R12, R16, R21 and R25, the SRLGs of R14-R23 can




De Cnodder, Pelsser       Expires January 2005                 [Page 10]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   be configured. An other option is to flood this information via BGP
   extensions to be defined or to distribute these links and their SRLGs
   inside the IGP. It is not assumed that nodes other than AS-BRs having
   a link to the same downstream/upstream AS know the SRLGs of these
   inter-AS links. If this would be the case, then the procedures above
   can be simplified, e.g., the egress AS-BR in Section 5.3.1 does not
   have to include a list of SRLGs anymore when only a
    partial path can be computed.


   Also the secondary egress AS-BR has to know the SRLGs of the inter-AS
   link used by the working LSP. This is to allow the egress AS-BR to
   select a link in case there are multiple links towards the downstream
   AS, and to check if the link is indeed SRLG disjoint from the inter-
   AS link used by the working LSP.


  5.3.6 SRLG and node protection


   In this section we consider the protection of the egress AS-BR and of
   the SRLGs of the link preceding this AS-BR. The SRLG protection of
   the other intra-domain links and their downstream node is solved by
   [FRR]. Protection of the egress AS-BR and SRLG protection of the link
   preceding the egress AS-BR is best solved by using two detour LSPs at
   the node on the path of the working LSP preceding the egress AS-BR: a
   detour to protect against the SRLGs of the intra-AS link and a second
   detour LSP that is established using the procedures for node
   protection as described in the previous section. The detour
   protecting against the SRLGs has to merge in the same AS, i.e. it has
   to merge with the working LSP at the egress AS-BR. This is because
   other ASs do not know this intra-AS link, nor its SRLGs. To ensure
   that merging occurs at the egress AS-BR, the RRO of the working LSP
   should be fully included in the ERO of the detour LSP together with
   the LSP-Merge subobject. The ERO should be further prepended by a
   path, which is SRLG disjoint with the downstream link of the PLR on
   the working LSP (i.e. the intra-AS link), computed towards the egress
   AS-BR. This could only be a partial path towards the egress AS-BR in
   which case an XRO object or an EXRS subobject, containing the SRLGs
   to avoid, has to be added. It has to be ensured that these 2 detour
   LSPs do not merge, which means that at least one of the detour LSP
   should be a sender-template specific detour LSP.


   The egress AS-BR must ensure that it can do a switch-over from the
   incoming detour LSP protecting against a failure of the preceding
   link to its originating detour LSP. This is because the preceding
   link and the inter-AS link can belong to the same SRLG, hence they
   can fail at the same time. For this reason, the LSP-Merge subobject
   must be used in this case.


   If protection of the ingress AS-BR is requested, in addition to SRLG




De Cnodder, Pelsser       Expires January 2005                 [Page 11]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   protection, the egress AS-BR also has to put the ingress AS-BR in the
   XRO or EXRS like it was done for node protection.


   The use of 2 detour LSPs (one for SRLG protection and the other for
   node protection) is also recommended when the ingress AS-BR is to be
   protected. In this case, if only 1 detour LSP is used, and the LSP
   only crosses 1 hop in the downstream AS (i.e. ingress AS-BR and
   egress AS-BR in the downstream AS are the same router), the detour
   LSP setup would not be able to provide SRLG protection. This is
   because the detour LSP crosses 3 ASs in this case: the AS where it
   originates, the single-hop AS (the hop to be protected), and the AS
   where it merges again, and the latter AS is not anymore aware of the
   SRLGs of the link to be protected because that link is between the
   first two ASs. This is illustrated in Figure 4. The working LSP
   traverses R12-R22-R32-R24 and node R22 together with the SRLGs of
   R12-R22 has to be protected. A single detour LSP protecting the SRLGs
   and R22 would traverse R12-R11-R21-R31 but R31 in AS3 cannot further
   expand the ERO of the detour LSP because it does not know the SRLGs
   or the SRLG IDs of R12-R22 between AS1 and AS2 (assuming local
   SRLGs). Therefore, 2 detour LSPs must be used: a detour LSP
   traversing R12-R11-R21-R22 for SRLG protection, and a detour LSP
   traversing for instance R12-R11-R21-R31-R32 to protect R22.


           AS1       AS2          AS3
         /-----\  /-----\  /--------------\


          +---+    +---+    +---+    +---+
    ------|R11|----|R21|----|R31|----|R33|------
          +---+    +---+    +---+    +---+
            |        |        |        |
            |        |        |        |
            |        |        |        |
          +---+    +---+    +---+    +---+
    ------|R12|----|R22|----|R32|----|R24|------
          +---+    +---+    +---+    +---+


                 Figure 4: a single-hop AS



   In case of node and SRLG protection or in case of SRLG protection
   only, it is required to use sender-template specific detour LSPs to
   avoid that detour LSPs merge with each other.


6. Protection with bypass tunnels


   The problem of protection by means of bypass tunnels can be split
   into two parts:





De Cnodder, Pelsser       Expires January 2005                 [Page 12]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   a) The bypass tunnel has to be signaled over a path that is disjoint
   with the network resources that it protects.


   b) After the bypass tunnels are established, an appropriate bypass
   tunnel has to be selected for each particular working LSP such that
   the protection requirements for that LSP are met.


   The first part is very similar to the establishement of detour LSPs:
   an XRO object or an EXRS subobject can be used to signal the bypass
   tunnel such that it is disjoint from the network resources used by
   the working LSP. The same recommendations as for detour LSPs apply,
   i.e. it is recommended that the downstream AS of the bypass tunnel
   and the working LSP are the same AS.  Additionally, as two detour
   LSPs are required for SRLG protection of the upstream link of an
   egress ASBR and the egress ASBR itself, two bypass tunnels are also
   required to protect these resources. Note that the LSP-Merge
   subobject is not used for bypass tunnels as it was the case for
   detour LSPs because bypass tunnels do not merge with the working LSP
   at the far-end of the bypass tunnel, but they are terminated at that
   node.


   The difficulty in providing protection with bypass tunnels lies in
   the selection of appropriate bypasses for the protection of given
   resources.


   To select a bypass tunnel, the PLR has to take a bypass tunnel that
   it originates and that fulfills the following requirements:


   a) The bypass tunnel must fulfill the appropriate constraints
   (bandwidth, link affinities, ...).


   b) The bypass tunnel must be disjoint with the link/node/SRLGs to be
   protected.


   c) The destination of the bypass tunnel must be the next-hop node
   (resp. next-next-hop node) of the working LSP, or a node further
   downstream on the path of the working LSP, in case of link protection
   (resp. node protection).


   The first two requirements can be achieved since all required
   information is locally available in the PLR. This is because the PLR
   has established the candidate bypass tunnels, hence it knows the
   bandwidth and the resources protected by the bypass tunnel. Complying
   with the third requirement is more difficult. Generally, the PLR must
   check if the destination of the bypass tunnel belongs to one of the
   nodes listed in the RRO of the Resv message of the working LSP.
   Usually the RRO contains interface addresses and the destination of a
   bypass tunnel may be a different interface address or the node-id of




De Cnodder, Pelsser       Expires January 2005                 [Page 13]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   a router. This means that the PLR has to map the addresses listed in
   the RRO of the working LSP to the destination address of the bypass
   tunnel. In an intra-area environment this is possible since this
   information is available in the IGP topology, but in the inter-AS
   case, this information is not anymore available locally in the PLR.
   There are multiple methods to solve this problem:


   Solution A: use [NODEID] where the node-id of the routers are put in
   the RRO of the Resv message of the working LSP and the node-id is
   also put in the RRO of the Resv message of the bypass tunnel if the
   destination was not the node-id. In this way, the PLR simply has to
   compare the node-ids in the RRO of the working LSP with the
   destination of the bypass tunnel or with the node-id in the RRO of
   the bypass tunnel.


   Solution B: use the interface address that would be recorded in the
   RRO of the working LSP as destination of the bypass tunnel. For
   instance, when the link between ASBR1 and ASBR2 is to be protected,
   the destination address would be the address of the interface on
   ASBR2 towards ASBR1. If this link is unnumbered, the destination
   address used is the node-id that is mentioned in the RRO of the
   working LSP. This is sufficient to identify the common node on the
   working LSP and the bypass tunnel. When node protection is to be
   provided and the destination of the Bypass Tunnel is the next-hop of
   the protected node (next-next hop from the PLR point of view), the
   destination of the bypass tunnel should be the address of the
   interface on the next-next-hop router that goes towards the node
   being protected. Multiple bypass tunnels must be used in case of
   parallel links. Although the interface is used as destination, the
   bypass tunnel enters the node via another link and a failure of the
   interface used as destination of the bypass tunnel must not lead to
   the failure of the bypass tunnel itself (this is in particular
   important for link protection).


   Until now, we supposed that the bypass tunnels were manually
   configured, with the destination being part of the configuration.
   But, bypass tunnels can also be signaled automatically when the first
   working LSP is established. Therefore, we have to determine the
   destination of these dynamically established bypass tunnels. In case
   of solution B, the information about the interface addresses in the
   RRO of the working LSP can be used as a destination address. In case
   the node-id is put in the RRO, then this node-id can be used.


7. Security Considerations


   TBD


Acknowledgments




De Cnodder, Pelsser       Expires January 2005                 [Page 14]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   This work was partially supported by the DGTRE in the framework of
   the TOTEM project. The authors would like to thank Olivier
   Bonaventure, Adrian Farrel, Cheng-Yin Lee, Dimitri Papadimitriou, and
   Vishal Sharma for their useful comments and interesting discussions.


References


   [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
   3", BCP 9, RFC 2026, October 1996.


   [RFC3209]  Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V.,
   Swallow, G., "RSVP-TE: Extensions to RSVP for LSP Tunnels", RFC 3209,
   December 2001.


   [ASREQ]  Zhang, R., Vasseur, JP., (Editors), "MPLS Inter-AS Traffic
   Engineering requirements", draft-ietf-tewg-interas-mpls-te-req-
   07.txt, work in progress.


   [FRR]  Pan, P., Atlas, A. (Editors), "Fast Reroute Extensions to
   RSVP-TE for LSP Tunnels", draft-ietf-mpls-rsvp-lsp-fastreroute-
   03.txt, work in progress.


   [XRO]  Lee, CY., Farrel, A., De Cnodder, S., "Exclude Routes -
   Extension to RSVP-TE", draft-ietf-ccamp-rsvp-te-exclude-route-00.txt,
   work in progress.


   [HIER]  Kompella, K., Rekhter, Y., "LSP Hierarchy with Generalized
   MPLS TE", draft-ietf-mpls-lsp-hierarchy-08.txt, work in progress.


   [NODEID]  Vasseur, J.-P., Ali, Z., Sivabalan, S., "Definition of an
   RRO node-id subobject", draft-ietf-mpls-nodeid-subobject-01.txt, work
   in progress.


Authors Addresses


   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerpen
   Belgium


   Email: stefaan.de_cnodder@alcatel.be


   Cristel Pelsser
   INGI
   Place Sainte Barbe, 2
   B-1348, Louvain-La-Neuve
   Belgium




De Cnodder, Pelsser       Expires January 2005                 [Page 15]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   Email: cpe@info.ucl.ac.be



















































De Cnodder, Pelsser       Expires January 2005                 [Page 16]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



Appendix A: LSP-Merge subobject


   The LSP-Merge subobject is a new subobject in the Explicit Route
   Object (ERO). The procedures defined in [RFC3209] section 4.3.4.1 to
   select the next hop are modified as follows: if after step 3 of the
   next hop selection process the node finds an LSP-Merge subobject in
   front of the ERO, i.e. the LSP-Merge subobject is the first subobject
   in the ERO after removing the subobjects belonging to the local
   abstract node, then the LSP has to merge with an LSP with the same
   Session object and LSP ID at the current node, if such an LSP exists.
   If no such LSP exists, then the detour LSP is rejected and a ResvErr
   with errorcode TBD is sent to the originating node.


   The LSP with which the LSP containing the LSP-Merge subobject merges
   must be a working LSP, i.e. it may not contain a DETOUR object. In
   addition the abstract node where the merging occurs must ensure that
   in case of a failure, the traffic can be switched from the LSP con-
   taining the LSP-Merge subobject to a recovery LSP that was esta-
   blished by the merging node to protect the working LSP. If these
   merging conditions cannot be met, the "SRLG protection available"
   flag inside RRO subobjects, of appendix B, is set to zero. This indi-
   cates to the source that SRLG protection is not provided for the
   working LSP.



     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |L|    Type     |   Length      |            Resvd              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


      L


         Set to zero.


      Type



         TBD.


      Length


         The length field is set to 4.


      Resvd


         Set to zero on transmission and ignored on reception.





De Cnodder, Pelsser       Expires January 2005                 [Page 17]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



Appendix B: SRLG protection desired


   Currently [FRR] does not specify how SRLG protection can be requested
   by the Head-End LSR. One way to do this is to define an "SRLG protec-
   tion desired" flag in session attribute object. We will not further
   investigate this since it is outside the scope of this document.


   In case two detours or bypass tunnels are available to provide SRLG
   and node protection, then the "local protection available" flag is
   set in the corresponding RRO subobject. Similarly, the "bandwidth
   protection" flag of the RRO subobject is set when both detours or
   bypass tunnels provide the requested bandwidth. Note that in case of
   SRLG protection, it is required to use sender-template specific
   detour LSP to avoid merging with other detour LSPs of the working
   LSP.


Intellectual Property Considerations


   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.


   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this specifica-
   tion can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.


   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at ietf-
   ipr@ietf.org.


Full Copyright Statement


   Copyright (C) The Internet Society (2002). All Rights Reserved.


   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.





De Cnodder, Pelsser       Expires January 2005                 [Page 18]


Internet Draft  draft-decnodder-ccamp-interas-protection      April 2003



   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFOR-
   MATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES
   OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.













































De Cnodder, Pelsser       Expires January 2005                 [Page 19]