The Per-Segment Service Instruction (PSSI) Option
draft-bonica-6man-seg-end-opt-06

Abstract

SRm6 encodes Per-Segment Service Instructions (PSSI) in a new IPv6 option, called the PSSI Option. This document describes the PSSI Option.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 23, 2020.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

• 1. Introduction
• 2. Requirements Language
• 3. PSSI Identifiers
• 4. Option Format
• 5. Security Considerations
• 6. ICMPv6 Considerations
• 7. IANA Considerations
• 8. Acknowledgements
• 9. Normative References
• Authors' Addresses

1. Introduction

An SRm6 path provides unidirectional connectivity from its ingress node to its egress node. While an SRm6 path can follow the least cost path from ingress to egress, it can also follow any other path.

An SRm6 path contains one or more segments. A segment provides unidirectional connectivity from its ingress node to its egress node.

SRm6 paths are programmable. They support several instruction types, including Per-Segment Service Instructions (PSSI). The following are examples of PSSIs:

• Expose a packet to a firewall policy.
• Expose a packet to a sampling policy.

PSSIs are executed at segment egress nodes and can be used to implement limited service chains. However, they do not provide an alternative to the Network Service Header (NSH).

SRm6 encodes PSSIs in a new IPv6 option, called the PSSI Option. This document describes the PSSI Option.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. PSSI Identifiers

PSSI Identifiers identify PSSIs. They have domain-wide significance. When a controller creates a limited service chain, also allocates a PSSI Identifier. It then distributes the following information to each node that contributes to the limited service chain:

• The PSSI Identifier.
• The PSSI that the node should execute when it receives a packet that has the PSSI Identifier encoded within it.

4. Option Format

The PSSI Option contains the following fields:

• Option Type: 8-bit selector. PSSI option. Value TBD by IANA. (Suggested value: 0x10). See Note below.
• Opt Data Len - 8-bit unsigned integer. Length of the option, in octets, excluding the Option Type and Option Length fields. This field MUST be set to 4.
• PSSI identifier - (32-bit selector). Identifies a PSSI.

The PSSI option MAY appear in any Destination Options header, regardless of whether that Destination Options header precedes a Routing header or an upper-layer header. The PSSI option MUST NOT appear in a Hop-by-hop Options header.

NOTE : The highest-order two bits of the Option Type (i.e., the "act" bits) are 00. These bits specify the action taken by a destination node that does not recognize the option. The required action is to skip over this option and continue processing the header.

The third highest-order bit of the Option Type (i.e., the "chg" bit) is 0. This indicates that Option Data cannot be modified along the path between the packet's source and its destination.

5. Security Considerations

The PSSI option shares many security concerns with IPv6 routing headers. In particular, any boundary filtering protecting a domain from external routing headers should also protect against external PSSI options being processed inside a domain. This occurs naturally if encapsulation is used to add routing headers to a packet. If external routing headers are allowed, then protections must also include ensuring that any provided PSSI option is properly protected, e.g. with an IPSEC AH header or other suitable means.

As with Routing headers, the security assumption within a domain is that the domain is trusted to provide, and to avoid improperly modifying, the PSSI Option.

6. ICMPv6 Considerations

SRm6 implementations MUST comply with the ICMPv6 processing rules specified in Section 2.4 of [RFC4443]. For example:

• An SRm6 implementation MUST NOT originate an ICMPv6 error message in response to another ICMPv6 error message.
• An SRm6 implementation MUST rate limit the ICMPv6 messages that it originates.

7. IANA Considerations

IANA is requested to allocate a cod epoint from the Destination Options and Hop-by-hop Options registry (https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#ipv6-parameters-2). This option is called "PSSI". The "act" bits are 00 and the "chg" bit is 0. (Suggested value: 0x10).

8. Acknowledgements

Thanks to Fred Baker, Shizhang Bi and Reji Thomas for their careful review of this document.

9. Normative References

Authors' Addresses