PCE Working Group | C. Barth |
Internet-Draft | Juniper Networks, Inc. |
Intended status: Standards Track | M. Koldychev |
Expires: September 6, 2019 | S. Sivabalan |
Cisco Systems, Inc. | |
C. Li | |
Huawei Technologies | |
March 05, 2019 |
PCEP extension to support Segment Routing Policy Candidate Paths
draft-barth-pce-segment-routing-policy-cp-02
This document introduces a mechanism to specify an Segment Routing (SR) policy, as a collection of SR candidate paths. An SR policy is identified by <headend, color, end-point> tuple. An SR policy can contain one or more candidate paths where each candidate path is identified in PCEP via an PLSP-ID. This document proposes extension to PCEP to support association among candidate paths of a given SR policy. The mechanism proposed in this document is applicable to both MPLS and IPv6 data planes of SR.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 6, 2019.
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Path Computation Element (PCE) Communication Protocol (PCEP) [RFC5440] enables the communication between a Path Computation Client (PCC) and a Path Control Element (PCE), or between two PCEs based on the PCE architecture [RFC4655].
PCEP Extensions for the Stateful PCE Model [RFC8231] describes a set of extensions to PCEP to enable active control of Multiprotocol Label Switching Traffic Engineering (MPLS-TE) and Generalized MPLS (GMPLS) tunnels. [RFC8281] describes the setup and teardown of PCE-initiated LSPs under the active stateful PCE model, without the need for local configuration on the PCC, thus allowing for dynamic centralized control of a network.
PCEP Extensions for Segment Routing [I-D.ietf-pce-segment-routing] specifies extensions to the Path Computation Element Protocol (PCEP) that allow a stateful PCE to compute and initiate Traffic Engineering (TE) paths, as well as a PCC to request a path subject to certain constraint(s) and optimization criteria in SR networks.
PCEP Extensions for Establishing Relationships Between Sets of LSPs [I-D.ietf-pce-association-group] introduces a generic mechanism to create a grouping of LSPs which can then be used to define associations between a set of LSPs and a set of attributes (such as configuration parameters or behaviors) and is equally applicable to stateful PCE (active and passive modes) and stateless PCE.
Segment Routing Policy for Traffic Engineering [I-D.ietf-spring-segment-routing-policy] details the concepts of SR Policy and approaches to steering traffic into an SR Policy.
An SR policy contains one or more candidate paths where one or more such paths can be computed via PCE. This document specifies PCEP extensions to signal additional information to map candidate paths to their SR policies. Each candidate path maps to a unique PLSP-ID in PCEP. By associating multiple candidate paths together, a PCE becomes aware of the hierarchical structure of an SR policy. Thus the PCE can take computation and control decisions about the candidate paths, with the additional knowledge that these candidate paths belong to the same SR policy. This is accomplished via the use of the existing PCEP Association object, by defining a new association type specifically for associating SR candidate paths into a single SR policy.
[Editor's Note- Currently it is assumed that each candidate path has only one ERO (SID-List) within the scope of this document. A future update or another document will deal with a way to allow multiple ERO/SID-Lists for a candidate path within PCEP.]
The following terminologies are used in this document:
The new Association Type (SR Policy Association) and the new TLVs for the ASSOCIATION object, defined in this document, allow a PCEP peer to exchange additional parameters of SR candidate paths and of their parent SR policy. For the SR policy, the parameters are: color and endpoint. For the candidate path, the parameters are: protocol origin, originator, discriminator and preference. [I-D.ietf-spring-segment-routing-policy] describes the concept of SR Policy and these parameters.
The motivation for signaling these parameters is summarized in the following subsections.
Since each candidate path of an SR policy appears as a different LSP (identified via a PLSP-ID) in PCEP, it is useful to group together all the candidate paths that belong to the same SR policy. Furthermore, it is useful for the PCE to have knowledge of the SR candidate path parameters such as color, protocol origin, discriminator, and preference.
A PCE may want to instantiate one or more candidate paths on the PCC, as specified in [RFC8281]. In this scenario, the PCE needs to signal to a PCC <headend, color, end-point, originator, discriminator, preference> tuple using which the PCC can instantiate a candidate path for the SR policy identified. Current PCEP standards (as of the time of this writing) do not provide a way to signal color and preference. Although end-point can be signaled via the PCEP END-POINTS object, this object may not be suitable because the end-point to which the path is computed is not required to be the same IPv4/IPv6 address as the actual endpoint of the SR policy. Thus, a separate way to specify SR policy's end-point is provided in this document.
When a PCE knows that a given set of candidate paths all belong to the same SR policy, then path computation MAY be done on only the highest preference candidate-path(s). Path computation for lower preference paths is not necessary if one or two higher preference paths are already computed. Since computing their paths will not affect traffic steering, it MAY be postponed until the higher preference paths become invalid, thus saving computation resources on the PCE.
When an SR policy contains multiple candidate paths computed by a PCE, such candidate paths can be created, updated and deleted independently of each other. This is achieved by making each candidate path correspond to a unique LSP (identified via PLSP-ID). For example, if an SR policy has 4 candidate paths, then if the PCE wants to update one of those candidate paths, only one set of PCUpd and PCRpt messages needs to be exchanged.
As per [I-D.ietf-pce-association-group], LSPs are placed into an association group. In this document, each LSP corresponds to a candidate path of an SR policy, and the association group corresponds to the SR policy itself. Segment-lists within a candidate path are not represented by different LSPs (and identified via PLSP-IDs).
[Editor's Note - The subject of encoding multiple segment lists within a candidate path is left to a future document and is not specified in this document. It is not a good idea to have each segment-list correspond to a different LSP/PLSP-ID, because when the PCC wants to get a path, it must know in advance how many multipaths (i.e., segment-lists) there will be and create that many LSPs/PLSP-IDs. For example, if the PCC supports 32 multipaths, then it must delegate 32 LSPs/PLSP-IDs for every candidate path, which may not be scalable.]
A new Association Type is defined in this document, based on the generic ASSOCIATION object. Association type = TBD1 "SR Policy Association Type" for SR Policy Association Group (SRPAG).
The SRPAG Association is only meant to be used for SR LSPs and with PCEP peers which advertise SR capability.
An Association object of SRPAG group contains TLVs that carry Association Information. The association information can be subdivided into three parts: Policy identifiers, Candidate path identifiers, and Candidate path attributes.
Policy Identifiers uniquely identify the SR policy to which a given LSP belongs, within the context of the head-end. Policy Identifiers MUST be the same for all candidate paths in the same SRPAG. Policy Identifiers MUST NOT change for a given LSP during its lifetime. Policy Identifiers MUST be different for different SRPAG associations. When these rules are not satisfied, the PCE MUST send a PCErr message with Error Code = 26 "Association Error", Error Type = TBD5 "Conflicting SRPAG TLV". Policy Identifiers consist of:
Candidate Path Identifiers uniquely identify the SR candidate path within the context of an SR policy. Candidate path Identifiers MUST NOT change for a given LSP during its lifetime. Candidate path Identifiers MUST be different for different LSPs within the same SRPAG. When these rules are not satisfied, the PCE MUST send a PCErr message with Error Code = 26 "Association Error", Error Type = TBD5 "Conflicting SRPAG TLV". Candidate path Identifiers consist of:
Candidate Path Attributes MUST NOT be used to identify the candidate path. Candidate path attributes carry additional information about the candidate path and MAY change during the lifetime of the LSP. Candidate path Attributes consist of:
As described in [RFC8231], an LSP is uniquely identified in PCEP via PLSP-ID.
A mapping between the Association Parameters (see Section 2) and Policy Identifiers (the Color and End-point) needs to be maintained. The mapping is left up to the implementation. An implementation MAY choose Association Parameters in such a way that every possible Color and End-point maps to a unique value of Association Parameters, which may require the use of Extended Association ID TLV. Alternatively, an implementation MAY implement a lookup table to generate Association Parameters incrementally as new Color and End-point values are created, which may not require the use of Extended Association ID TLV.
As per the processing rules specified in section 5.4 of [I-D.ietf-pce-association-group], if a PCEP speaker does not support the SRPAG association type, it MUST return a PCErr message with Error-Type 26 (Early allocation by IANA) "Association Error" and Error-Value 1 "Association-type is not supported". Please note that the corresponding PCEP session is not reset.
Two ASSOCIATION object types for IPv4 and IPv6 are defined in [I-D.ietf-pce-association-group]. The ASSOCIATION object includes "Association type" indicating the type of the association group. This document adds a new Association type.
Association type = TBD1 "SR Policy Association Type" for SR Policy Association Group (SRPAG).
The operator configured Association Range SHOULD NOT be set for this association type and MUST be ignored.
SRPAG MUST carry additional TLVs to communicate Association Information. This document specifies three new TLVs to carry Association Information: SRPAG-POL-ID-TLV, SRPAG-CPATH-ID-TLV, SRPAG-CPATH-ATTR-TLV. These three TLVs encode the Policy Identifiers, Candidate path Identifiers and Candidate path Attributes, respectively. When any of the mandatory TLVs are missing from the SRPAG association object, the PCE MUST send a PCErr message with Error Code = 26 "Association Error", Error Type = TBD6 "Missing mandatory SRPAG TLV".
A given LSP MUST belong to at most one SRPAG, since a candidate path cannot belong to multiple SR policies. If a PCEP speaker receives a PCEP message with more than one SRPAG for an LSP, then the PCEP speaker MUST send a PCErr message with Error-Type 26 "Association Error" and Error-Value TBD7 "Multiple SRPAG for one LSP". If the message is a PCRpt message, then the PCEP speaker MUST close the PCEP connection. Closing the PCEP connection is necessary because ignoring PCRpt messages may lead to inconsistent LSP DB state between the two PCEP peers.
If the PCEP speaker receives the SRPAG association when the SR capability (as per [I-D.ietf-pce-segment-routing] or [I-D.negi-pce-segment-routing-ipv6]) was not exchanged, the PCEP speaker MUST send a PCErr message with Error-Type 26 "Association Error" and Error-Value TBD8 "Use of SRPAG without SR capability exchange". If the Path Setup Type (PST) of the LSP in SRPAG is not set to SR or SRv6, then the PCEP speaker MUST send a PCErr message with Error-Type 26 "Association Error" and Error-Value TBD9 "non-SR LSP in SRPAG".
The SRPOLICY-POL-ID TLV is a mandatory TLV for the SRPAG Association. Only one SRPOLICY-POL-ID TLV can be carried and only the first occurrence is processed and any others MUST be ignored.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Color | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ End-point ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: The SRPOLICY-POL-ID TLV format
Type: TBD2 for "SRPOLICY-POL-ID" TLV.
Length: 8 or 20, depending on length of End-point (IPv4 or IPv6)
Color: any unsigned 32-bit number.
End-point: can be either IPv4 or IPv6, depending on whether the policy endpoint has IPv4 or IPv6 address. This value may be different from the one contained in the END-POINTS object, or in the LSP IDENTIFIERS TLV of the LSP object. Endpoint is meant to strictly correspond to the endpoint of the SR policy, as it is defined in [I-D.ietf-spring-segment-routing-policy].
The SRPOLICY-CPATH-ID TLV is a mandatory TLV for the SRPAG Association. Only one SRPOLICY-CPATH-ID TLV can be carried and only the first occurrence is processed and any others MUST be ignored.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Proto. Origin | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Originator ASN | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Originator Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Discriminator | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: The SRPOLICY-CPATH-ID TLV format
Type: TBD3 for "SRPOLICY-CPATH-ID" TLV.
Length: 28.
Protocol Origin: 8-bit value that encodes the protocol origin, as specified in [I-D.ietf-spring-segment-routing-policy] Section 2.3.
Reserved: MUST be set to zero on transmission and ignored on receipt.
Originator ASN: Represented as 4 byte number, part of the originator identifier, as specified in [I-D.ietf-spring-segment-routing-policy] Section 2.4.
Originator Address: Represented as 128 bit value where IPv4 address are encoded in lowest 32 bits, part of the originator identifier, as specified in [I-D.ietf-spring-segment-routing-policy] Section 2.4.
Discriminator: 32-bit value that encodes the Discriminator of the candidate path.
The SRPOLICY-CPATH-ATTR TLV is an optional TLV for the SRPAG Association. Only one SRPOLICY-CPATH-ATTR TLV can be carried and only the first occurrence is processed and any others MUST be ignored.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Preference | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: The SRPOLICY-CPATH-ATTR TLV format
Type: TBD4 for "SRPOLICY-CPATH-ATTR" TLV.
Length: 4.
Preference: Numerical preference of the candidate path, as specified in [I-D.ietf-spring-segment-routing-policy] Section 2.7.
If the TLV is missing, a default preference of 100 as specified in [I-D.ietf-spring-segment-routing-policy] is used.
PCReq and PCRep messages are exchanged in the following sequence:
PCRpt and PCUpd messages are exchanged in the following sequence:
PCReq and PCRep messages are exchanged using the sequence specified in section 6.1 with individual query for each candidate-path.
PCRpt and PCUpd messages are exchanged in the following sequence:
A candidate-path is created using the following steps:
A candidate-path is deleted using the following steps:
A candidate-path is created using the following steps:
A candidate path is deleted using the following steps:
This document defines a new association type: SR Policy Association Group (SRPAG). IANA is requested to make the assignment of a new value for the sub-registry "ASSOCIATION Type Field" (request to be created in [I-D.ietf-pce-association-group]), as follows:
+----------------------+-------------------------+------------------+ | Association Type | Association Name | Reference | | Value | | | +----------------------+-------------------------+------------------+ | TBD1 | SR Policy Association | This document | +----------------------+-------------------------+------------------+
This document defines three new Error-Values within the "Association Error" Error-Type. IANA is requested to allocate new error values within the "PCEP-ERROR Object Error Types and Values" sub-registry of the PCEP Numbers registry, as follows:
+-------+----------+-----------------------------+------------------+ | Error | Error | Meaning | Reference | | Type | Value | | | +-------+----------+-----------------------------+------------------+ | 29 | TBD5 | Conflicting SRPAG TLV | This document | +-------+----------+-----------------------------+------------------+ | 29 | TBD6 | Missing mandatory SRPAG TLV | This document | +-------+----------+-----------------------------+------------------+ | 29 | TBD7 | Multiple SRPAG for one LSP | This document | +-------+----------+-----------------------------+------------------+ | 29 | TBD8 | Use of SRPAG without SR | This document | | | | capability exchange | | +-------+----------+-----------------------------+------------------+ | 29 | TBD9 | non-SR LSP in SRPAG | This document | +-------+----------+-----------------------------+------------------+
This document defines three new TLVs for carrying additional information about SR policy and SR candidate paths. IANA is requested to make the assignment of a new value for the existing "PCEP TLV Type Indicators" registry as follows:
+------------+-----------------------------------+------------------+ | TLV Type | TLV Name | Reference | | Value | | | +------------+-----------------------------------+------------------+ | TBD2 | SRPOLICY-POL-ID | This document | +------------+-----------------------------------+------------------+ | TBD3 | SRPOLICY-CPATH-ID | This document | +------------+-----------------------------------+------------------+ | TBD4 | SRPOLICY-CPATH-ATTR | This document | +------------+-----------------------------------+------------------+
This document defines one new type for association, which do not add any new security concerns beyond those discussed in [RFC5440], [RFC8231], [I-D.ietf-pce-segment-routing], [I-D.negi-pce-segment-routing-ipv6] and [I-D.ietf-pce-association-group] in itself.
The information carried in the SRPAG Association object, as per this document is related to SR Policy. It often reflects information that can also be derived from the SR Database, but association provides a much easier grouping of related LSPs and messages. The SRPAG association could provides an adversary with the opportunity to eavesdrop on the relationship between the LSPs. Thus securing the PCEP session using Transport Layer Security (TLS) [RFC8253], as per the recommendations and best current practices in [RFC7525], is RECOMMENDED.
[RFC4655] | Farrel, A., Vasseur, J. and J. Ash, "A Path Computation Element (PCE)-Based Architecture", RFC 4655, DOI 10.17487/RFC4655, August 2006. |
[RFC7525] | Sheffer, Y., Holz, R. and P. Saint-Andre, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 2015. |
[RFC8253] | Lopez, D., Gonzalez de Dios, O., Wu, Q. and D. Dhody, "PCEPS: Usage of TLS to Provide a Secure Transport for the Path Computation Element Communication Protocol (PCEP)", RFC 8253, DOI 10.17487/RFC8253, October 2017. |
[I-D.negi-pce-segment-routing-ipv6] | Negi, M., Li, C., Sivabalan, S. and P. Kaladharan, "PCEP Extensions for Segment Routing leveraging the IPv6 data plane", Internet-Draft draft-negi-pce-segment-routing-ipv6-04, February 2019. |
Dhruv Dhody Huawei Technologies Divyashree Techno Park, Whitefield Bangalore, Karnataka 560066 India Email: dhruv.ietf@gmail.com