CCAMP Working Group
Internet Draft
                                                           Zafar Ali
                                               Jean-Philippe Vasseur
                                                         Anca Zamfir
                                                 Cisco Systems, Inc.
                                                     Jonathan Newton
                                                  Cable and Wireless

Category: Informational
Expires: April 27, 2009                             October 28, 2008



           draft-ietf-ccamp-mpls-graceful-shutdown-07.txt

           Graceful Shutdown in MPLS and Generalized MPLS
                    Traffic Engineering Networks


Status of this Memo

   By submitting this Internet-Draft, each author represents that
   any applicable patent or other IPR claims of which he or she is
   aware have been or will be disclosed, and any of which he or she
   becomes aware will be disclosed, in accordance with Section 6 of
   BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-
   Drafts as reference material or to cite them other than as "work
   in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on January 03, 2009.

Copyright Notice

   Copyright (C) The IETF Trust (2008).




                          Expires April 2009               [Page 1]


      draft-ietf-ccamp-mpls-graceful-shutdown-07.txt     October 07


   Abstract

   MPLS-TE Graceful Shutdown is a method for explicitly notifying
   the nodes in a Traffic Engineering (TE) enabled network that the
   TE capability on a link or on an entire Label Switching Router
   (LSR) is going to be disabled. MPLS-TE graceful shutdown
   mechanisms are tailored toward addressing planned outage in the
   network.

   This document provides requirements and protocol mechanisms to
   reduce/eliminate traffic disruption in the event of a planned
   shutdown of a network resource. These operations are equally
   applicable to both MPLS and its Generalized MPLS (GMPLS)
   extensions.

Table of Contents

1. Introduction....................................................2
2. Terminology.....................................................3
3. Requirements for Graceful Shutdown..............................4
4. Mechanisms for Graceful Shutdown................................5
 4.1 OSPF/ ISIS Mechanisms for graceful shutdown..................5
 4.2 RSVP-TE Signaling Mechanisms for graceful shutdown...........6
5. Security Considerations.........................................8
6. IANA Considerations.............................................8
7. Acknowledgments.................................................8
8. Reference.......................................................8
 8.1 Normative Reference..........................................8
 8.2 Informative Reference........................................9
9. Authors' Address:..............................................10
10. Intellectual Property Considerations..........................10
11. Disclaimer of Validity........................................11
12. Copyright Statement...........................................11


1. Introduction

   When outages in a network are planned (e.g. for maintenance
   purpose), some mechanisms can be used to avoid traffic
   disruption. This is in contrast with unplanned network element
   failure, where traffic disruption can be minimized thanks to
   recovery mechanisms but may not be avoided. Hence, a Service
   Provider may desire to gracefully (temporarily or indefinitely)
   remove a TE Link, a group of TE Links or an entire node for
   administrative reasons such as link maintenance,
   software/hardware upgrade at a node or significant TE
   configuration changes. In all these cases, the goal is to
   minimize the impact on the traffic carried over TE LSPs in the
   network by triggering notifications so as to gracefully reroute


                         Expires April 2008               [Page 2]


      draft-ietf-ccamp-mpls-graceful-shutdown-07.txt     October 07


   such flows before the administrative procedures are started.
   These operations are equally applicable to both MPLS and its
   Generalized MPLS (GMPLS) extensions.

   Graceful shutdown of a resource may require several steps. These
   steps can be broadly divided into two sets: disabling the
   resource in the control plane and removing the resource for
   forwarding. The node initiating the graceful shutdown condition
   is expected to introduce a delay between disabling the resource
   in the control plane and removing the resource for forwarding.
   This is to allow the control plane to gracefully divert the
   traffic away from the resource being gracefully shutdown. The
   trigger for the graceful shutdown event is a local matter at the
   node initiating the graceful shutdown. Typically, graceful
   shutdown is triggered for administrative reasons, such as link
   maintenance or software/hardware upgrade.

   This document describes the mechanisms that can be used to
   gracefully shutdown MPLS/ GMPLS Traffic Engineering on a
   resource. As mentioned earlier, the graceful shutdown of the
   Traffic Engineering capability on a resource could be
   incorporated in the shutdown operation of an interface, but it is
   a separate step that is taken before the IGP on the link is
   brought down and before the interface is brought down at
   different layers. This document only addresses TE nodes and TE
   resources.

2. Terminology

   LSR - Label Switching Router. The terms node and LSR are used
   interchangeably in this document.

   GMPLS - The term GMPLS is used in this document to refer to
   packet MPLS-TE, as well as GMPLS extensions to MPLS-TE.

   LSP - An MPLS-TE/ GMPLS-TE Label Switched Path.

   Head-end node: Ingress LSR that initiated signaling for the Path.

   Border node: Ingress LSR of an LSP segment (S-LSP).

   Path Computation Element (PCE): An entity that computes the
   routes on behalf of its clients (PCC).

   TE Link - The term TE link refers to single or a bundle of
   physical link(s) or FA-LSP(s) on which traffic engineering is
   enabled [RFC4206], [RFC4201].

   Last resort resource: If a path to a destination from a given
   head-end node cannot be found upon removal of a resource (e.g.,

                         Expires April 2008               [Page 3]


      draft-ietf-ccamp-mpls-graceful-shutdown-07.txt     October 07


   TE link, TE node), the resource is called last resort to reach
   that destination from the given head-end node.


3. Requirements for Graceful Shutdown

   This section lists the requirements for graceful shutdown in the
   context of GMPLS Traffic Engineering.

   - Graceful shutdown is required to address graceful removal of
   one TE link, one component link within a bundled TE link, a set
   of TE links, a set of component links, label resource(s) or an
   entire node.

   - Once an operator has initiated graceful shutdown of a network
   resource, no new TE LSPs may be set up that use the resource.
   Any signaling message for a new LSP that explicitly specifies the
   resource, or that would require the use of the resource due to
   local constraints, is required to be rejected as if the resource
   were unavailable.

   - It is desirable for new LSP setup attempts that would be
   rejected because of graceful shutdown of a resource (as described
   in the previous requirement) to avoid any attempt to use the
   resource by selecting an alternate route or other resources.


   - If the resource being shutdown is a last resort, it can be
   used. Time or decision for removal of the resource being shutdown
   is based on a local decision at the node initiating the graceful
   shutdown procedure.

   - It is required to give the ingress node the opportunity to take
   actions in order to reduce/eliminate traffic disruption on the
   LSP(s) that are using the network resources which are about to be
   shutdown.

   - Graceful shutdown mechanisms are equally applicable to intra-
   domain and TE LSPs spanning multiple domains. Here, a domain is
   defined as either an IGP area or an Autonomous System [RFC4726].

   - Graceful shutdown is equally applicable to GMPLS-TE, as well as
   packet-based (MPLS) TE LSPs.

   - In order to make rerouting effective, it is required that when
     a node initiates the graceful shutdown of a resource, it
     identifies to all other network nodes the TE resource under
     graceful shutdown.
   - Depending on switching technology, it may be possible to
     shutdown a label resource, e.g., shutting down a lambda in a
     Lambda Switch Capable (LSC) node.


                         Expires April 2008               [Page 4]


      draft-ietf-ccamp-mpls-graceful-shutdown-07.txt     October 07



4. Mechanisms for Graceful Shutdown

   An IGP only solution based on [RFC3630], [RFC3784], [RFC4203] and
   [RFC4205] are not applicable when dealing with Inter-area and
   Inter-AS traffic engineering, as IGP LSA/LSP flooding is
   restricted to IGP areas/levels. Consequently, RSVP based
   mechanisms are required to cope with TE LSPs spanning multiple
   domains. At the same time, RSVP mechanisms only convey the
   information for the transiting LSPs to the router along the
   upstream Path and not to all nodes in the network. Furthermore,
   graceful shutdown notification via IGP flooding is required to
   discourage a node from establishing new LSPs through the
   resources being shutdown. In the following sections the
   complementary mechanisms for RSVP-TE and IGP for Graceful
   Shutdown are described.

   A node where a link or the whole node is being shutdown may first
   trigger the IGP updates as described in Section 4.1, introduce a
   delay to allow network convergence and only then use the
   signaling mechanism described in Section 4.2.


4.1 OSPF/ ISIS Mechanisms for graceful shutdown

   The procedures provided in this section are equally applicable to
   OSPF and ISIS.

   OSPF and ISIS procedure for graceful shutdown of TE link(s) is
   similar to graceful restart of OSPF and ISIS as described in
   [RFC4203] and [RFC4205], respectively. Specifically, the node
   where graceful-shutdown of a link is desired originates the TE
   LSA/LSP containing Link TLV for the link under graceful shutdown
   with Traffic Engineering metric set to 0xffffffff, 0 as
   unreserved bandwidth, and if the link has LSC or FSC as its
   Switching Capability then also with 0 as Max LSP Bandwidth. A
   node may also specify a value for Minimum LSP bandwidth which is
   greater than the available bandwidth. This would discourage new
   LSP establishment through the link under graceful shutdown.

   If graceful shutdown procedure is performed for a component link
   within a TE Link bundle and it is not the last component link
   available within the TE link, the link attributes associated with
   the TE link are recomputed. Similarly, If graceful shutdown
   procedure is performed on a label resource within a TE Link, the
   link attributes associated with the TE link are recomputed. If
   the removal of the component link or label resource results in a
   significant bandwidth change event, a new LSA is originated with
   the new traffic parameters. If the last component link is being
   shutdown, the routing procedure related to TE link removal is
   used.


                          Expires April 2008               [Page 5]


      draft-ietf-ccamp-mpls-graceful-shutdown-07.txt     October 07


   Neighbors of the node where graceful shutdown procedure is in
   progress continues to advertise the actual unreserved bandwidth
   of the TE links from the neighbors to that node, without any
   routing adjacency change.

   When graceful shutdown at node level is desired, the node in
   question follows the procedure specified in the previous section
   for all TE Links.


4.2 RSVP-TE Signaling Mechanisms for graceful shutdown

   As discussed in Section 3, one of the requirements for the
   signaling mechanism for graceful shutdown is to carry information
   about the resource under graceful shutdown. For this purpose the
   Graceful Shutdown uses LSP rerouting mechanism as defined in
   [LSP-REROUTE]. Specifically, the node where graceful shutdown of
   an unbundled TE link or an entire bundled TE link is desired
   triggers a PathErr message with the error code "Reroute" and an
   error value of "TE link Graceful Shutdown required" for all
   affected LSPs. Similarly, the node that is being gracefully
   shutdown triggers a PathErr message with the error code "Reroute"
   and an error value of "Node Graceful Shutdown required" for all
   LSPs.

   MPLS TE Link Bundling [RFC4201] requires that an LSP is pinned
   down to a component link. Consequently, graceful shutdown of a
   component link in a bundled TE link differs from graceful
   shutdown of unbundled TE link or entire bundled TE link.
   Specifically, in the former case, when only a subset of component
   links and not the entire TE bundled link is being shutdown, the
   remaining component links of the bundled TE link may still be
   able to admit new LSPs. The node where graceful shutdown of a
   component link is desired triggers a PathErr message with the
   error code "Reroute" and the new error value of "Component link
   Graceful Shutdown required" for all affected LSPs. The PathErr
   message includes in the ERROR_SPEC the TE Link ID address. If the
   last component link is being shutdown, procedure for gracefully
   shutdown entire bundled TE link outlined above is be used,
   instead.

   If graceful shutdown of a label resource is desired, the node
   initiating this action triggers a PathErr message with the error
   code "Reroute" and the new error value of "Label resource
   Graceful Shutdown required" for the affected LSP. The PathErr
   message includes in the ERROR_SPEC the TE Link ID address.

   The "Reroute" error code for the ERROR SPEC object is defined in
   [LSP-REROUTE]. This document defines following four error value
   for the "Reroute" error code [To Be Confirmed (TBC) by IANA upon
   publication of this document]:


                         Expires April 2008               [Page 6]


      draft-ietf-ccamp-mpls-graceful-shutdown-07.txt     October 07


   Error-value  Meaning                                    Reference
   2 (TBC)      Node Graceful Shutdown required            This doc
   3 (TBC)      TE link Graceful Shutdown required         This doc
   4 (TBC)      Component link Graceful Shutdown required  This doc
   5 (TBC)      Label resource Graceful Shutdown required  This doc

   The PathErr message includes in the ERROR_SPEC the TE Link ID
   address.

   If unbundled TE link, component link of a bundled TE link, entire
   bundled TE link, or label resource of a TE link is being
   gracefully shutdown, the PathErr message includes the ERROR_SPEC
   object containing IP address of the TE Link being gracefully
   shutdown. If TE link is unnumbered, the PathErr message includes
   the ERROR_SPEC object containing unnumbered ID and TE node ID for
   the TE Link being gracefully shutdown. Similarly, if the TE node
   is being gracefully shutdown, the PathErr message includes in the
   ERROR_SPEC object the MPLS-TE node ID address.

   When a head-end node, or border node receives a PathErr message
   with "Reroute" error code and error value of "Node Graceful
   Shutdown required" or "TE link Graceful Shutdown required", or
   "Component link Graceful Shutdown required", or "Label resource
   Graceful Shutdown required" it follows the procedures defined in
   [LSP-REROUTE]. When performing path computation for the new LSP,
   the head-end node, or border node avoids using the TE resources
   identified by the IP address contained in the PathErr. If PCE is
   used for path computation, head-end node or border node acts as
   PCC to request the PCE via PCEP for path computation avoiding
   resource being gracefully shutdown. The amount of time the head-
   end node, or border node avoid using the TE resources identified
   by the IP address contained in the PathErr is based on a local
   decision at head-end node or border node.

   If node initiating the graceful shutdown procedure received path
   setup request for a new tunnel using resource being gracefully
   shutdown, it sends a Path Error message with "Reroute" error code
   in the ERROR SPEC object and an error value consistent with the
   type of resource being gracefully shutdown. However, based on a
   local decision, if node initiating the graceful shutdown
   procedure received path setup request for an existing tunnel, it
   may allow signaling for it. This is to allow resource being
   gracefully shutdown as a "last resort". The node initiating the
   graceful shutdown procedure can distinguish between new and
   existing tunnels based on the tunnel ID in the SESSION object.

   Time or decision for removal of the resource being shutdown from
   forwarding is based on a local decision at the node initiating
   the graceful shutdown procedure.




                         Expires April 2008               [Page 7]


      draft-ietf-ccamp-mpls-graceful-shutdown-07.txt     October 07


5. Security Considerations

   This document introduces two new error values for "Reroute" error
   code of the ERROR SPEC object defined in [LSP-REROUTE]. This
   document also introduces ways to make resources unavailable for
   the control plane. It is therefore recommended that procedures in
   [RFC2747], which provides mechanisms to protect against external
   agents compromising the RSVP signaling state in an RSVP agent, be
   used.  Specifically, [RFC2747] mechanisms provide some degree of
   protection to the head-end node or border node RSVP agent against
   making resources unavailable for control plan from an external
   agent sending Path Error messages with existing or new error code
   and error values. In summary, existing security considerations
   specified in [LSP-REROUTE], [RFC2747], [RFC2205], [RFC3209],
   [RFC4736], [RFC3471], [RFC3473] and [MPLS-GMPLS-SECURITY] remain
   relevant and suffice.

   This document relies on existing procedures for advertisement of
   TE LSA/LSP containing Link TLV. Tampering with TE LSAs may have
   an effect on traffic engineering computations, and it is
   suggested that any mechanisms used for securing the transmission
   of normal OSPF LSAs/ ISIS LSPs be applied equally to all Opaque
   LSAs/ LSPs this document uses.  In summary, existing security
   considerations specified in [RFC3630], [RFC3784], [RFC4203],
   [RFC4205] and [MPLS-GMPLS-SECURITY] remain relevant and suffice.

6. IANA Considerations

   The "Reroute" error code for the ERROR SPEC object is defined in
   [LSP-REROUTE]. This document defines following four error value
   for the "Reroute" error code [To Be Confirmed (TBC) by IANA upon
   publication of this document]:

   Error-value  Meaning                                   Reference
   2 (TBC)      Node Graceful Shutdown required            This doc
   3 (TBC)      TE link Graceful Shutdown required         This doc
   4 (TBC)      Component link Graceful Shutdown required  This doc
   5 (TBC)      Label resource Graceful Shutdown required  This doc

7. Acknowledgments

   The authors would like to thank Adrian Farrel for his detailed
   comments and suggestions. The authors would also like to
   acknowledge useful comments from David Ward, Sami Boutros, and
   Dimitri Papadimitriou.

8. Reference

8.1 Normative Reference


                         Expires April 2008               [Page 8]


      draft-ietf-ccamp-mpls-graceful-shutdown-07.txt     October 07


   [RFC3209] Awduche D., Berger, L., Gan, D., Li T., Srinivasan, V.,
   Swallow, G., "RSVP-TE: Extensions to RSVP for LSP Tunnels", RFC
   3209, December 2001.

   [RFC4736] Jean-Philippe Vasseur, et al "Reoptimization of MPLS
   Traffic Engineering loosely routed LSP paths", RFC 4736, November
   2006.

   [LSP-REROUTE] Berger, L., Papadimitriou, D., and J. Vasseur,
   "PathErr Message Triggered MPLS and GMPLS LSP Reroute", draft-
   ietf-mpls-gmpls-lsp-reroute-01 (work in progress) September 2008.

8.2 Informative Reference

   [RFC3630] Katz D., Kompella K., Yeung D., "Traffic Engineering
   (TE) Extensions to OSPF Version 2", RFC 3630, September 2003.

   [RFC3784] Smit, H. and T. Li, "Intermediate System to
   Intermediate System (IS-IS) Extensions for Traffic Engineering
   (TE)", RFC 3784, June 2004.

   [RFC4203] Kompella, K., Ed., and Y. Rekhter, Ed., "OSPF
   Extensions in Support of Generalized Multi-Protocol Label
   Switching (GMPLS)", RFC 4203, October 2005.

   [RFC4205]  Kompella, K., Ed., and Y. Rekhter, Ed., "Intermediate
   System to Intermediate System (IS-IS) Extensions in Support of
   Generalized Multi-Protocol Label Switching (GMPLS)", RFC 4205,
   October 2005.

   [RFC2205] Braden, R. Ed. et al, "Resource ReSerVation Protocol
   (RSVP) Version 1, Functional Specification", RFC 2205, December
   1997.

   [RFC3471]  Berger, L., "Generalized Multi-Protocol Label
   Switching (GMPLS) Signaling Functional Description", RFC 3471,
   January 2003.

   [RFC3473]  Berger, L., "Generalized Multi-Protocol Label
   Switching (GMPLS) Signaling Resource ReserVation Protocol-Traffic
   Engineering (RSVP-TE) Extensions", RFC 3473, January 2003.


   [RFC4726] Farrel A, Vasseur, J.-P., Ayyangar A., "A Framework for
   Inter-Domain MPLS Traffic Engineering", RFC 4726, November 2006.

   [RFC4201] Kompella, K., Rekhter, Y., Berger, L., "Link Bundling
   in MPLS Traffic Engineering", RFC 4201, October 2005.

   [RFC4206] Kompella K., Rekhter Y., "Label Switched Paths (LSP)
   Hierarchy with Generalized Multi-Protocol Label Switching (GMPLS)
   Traffic Engineering (TE)", RFC 4206, October 2005.

                         Expires April 2008               [Page 9]


      draft-ietf-ccamp-mpls-graceful-shutdown-07.txt     October 07



   [RFC2747]  Baker, F., Lindell, B., and M. Talwar, "RSVP
   Cryptographic Authentication", RFC 2747, January 2000.
   [MPLS-GMPLS-SECURITY] Fang, L. et al, "Security Framework for
   MPLS and GMPLS Networks", draft-fang-mpls-gmpls-security-
   framework-01.txt, work in progress.


9. Authors' Address:

   Zafar Ali
   Cisco systems, Inc.,
   2000 Innovation Drive
   Kanata, Ontario, K2K 3E8
   Canada.
   Email: zali@cisco.com

   Jean Philippe Vasseur
   Cisco Systems, Inc.
   300 Beaver Brook Road
   Boxborough , MA - 01719
   USA
   Email: jpv@cisco.com

   Anca Zamfir
   Cisco Systems, Inc.
   2000 Innovation Drive
   Kanata, Ontario, K2K 3E8
   Canada
   Email: ancaz@cisco.com

   Jonathan Newton
   Cable and Wireless
   jonathan.newton@cw.com

10. Intellectual Property Considerations

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be
   claimed to pertain to the implementation or use of the technology
   described in this document or the extent to which any license
   under such rights might or might not be available; nor does it
   represent that it has made any independent effort to identify any
   such rights.  Information on the procedures with respect to
   rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the
   use of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR
   repository at http://www.ietf.org/ipr.

                          Expires April 2008               [Page 10]


      draft-ietf-ccamp-mpls-graceful-shutdown-07.txt     October 07



   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights that may cover technology that may be required
   to implement this standard.  Please address the information to
   the IETF at ietf-ipr@ietf.org.

11. Disclaimer of Validity

   This document and the information contained herein are provided
   on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
   IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
   WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
   WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE
   ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
   FITNESS FOR A PARTICULAR PURPOSE.

12. Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.




























                         Expires April 2008               [Page 11]