| Network Working Group | X. Xu |
| Internet-Draft | Alibaba, Inc |
| Intended status: Standards Track | S. Bryant |
| Expires: November 11, 2019 | Huawei |
| A. Farrel | |
| Old Dog Consulting | |
| S. Hassan | |
| Cisco | |
| W. Henderickx | |
| Nokia | |
| Z. Li | |
| Huawei | |
| May 10, 2019 |
SR-MPLS over IP
draft-ietf-mpls-sr-over-ip-05
MPLS Segment Routing (SR-MPLS) is an MPLS data plane-based source routing paradigm in which the sender of a packet is allowed to partially or completely specify the route the packet takes through the network by imposing stacked MPLS labels on the packet. SR-MPLS can be leveraged to realize a source routing mechanism across MPLS, IPv4, and IPv6 data planes by using an MPLS label stack as a source routing instruction set while making no changes to SR-MPLS specifications and interworking with SR-MPLS implementations.
This document describes how SR-MPLS capable routers and IP-only routers can seamlessly co-exist and interoperate through the use of SR-MPLS label stacks and IP encapsulation/tunneling such as MPLS-in-UDP as defined in RFC 7510.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 11, 2019.
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
MPLS Segment Routing (SR-MPLS) [I-D.ietf-spring-segment-routing-mpls] is an MPLS data plane-based source routing paradigm in which the sender of a packet is allowed to partially or completely specify the route the packet takes through the network by imposing stacked MPLS labels on the packet. SR-MPLS uses an MPLS label stack to encode a source routing instruction set. This can be used to realize a source routing mechanism that can operate across MPLS, IPv4, and IPv6 data planes. This approach makes no changes to SR-MPLS specifications and allows interworking with SR-MPLS implementations. More specifically, the source routing instruction set information contained in a source routed packet could be uniformly encoded as an MPLS label stack no matter whether the underlay is IPv4, IPv6, or MPLS.
This document describes how SR-MPLS capable routers and IP-only routers can seamlessly co-exist and interoperate through the use of SR-MPLS label stacks and IP encapsulation/tunneling such as MPLS-in-UDP [RFC7510].
Section 2 describes various use cases for the tunneling SR-MPLS over IP. Section 3 describes a typical application scenario and how the packet forwarding happens.
This memo makes use of the terms defined in [RFC3031] and [I-D.ietf-spring-segment-routing-mpls].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
Tunneling SR-MPLS using IPv4 and/or IPv6 tunnels is useful at least in the use cases listed below. In all cases, this can be enabled using an IP tunneling mechanism such as MPLS-in-UDP as described in [RFC7510]. The tunnel selected MUST have its remote end point (destination) address equal to the address of the next SR-MPLS capable node identified as being on the SR path (i.e., the egress of the active node segment). The local end point (source) address is set to an address of the encapsulating node. [RFC7510] gives further advice on how to set the source address if the UDP zero-checksum mode is used with MPLS-in-UDP.
________________________
_______ ( ) _______
( ) ( IP Network ) ( )
( SR-MPLS ) ( ) ( SR-MPLS )
( Network ) ( ) ( Network )
( -------- -------- )
( | Border | SR-in-UDP Tunnel | Border | )
( | Router |========================| Router | )
( | R1 | | R2 | )
( -------- -------- )
( ) ( ) ( )
( ) ( ) ( )
(_______) ( ) (_______)
(________________________)
Figure 1: SR-MPLS in UDP to Tunnel Between SR-MPLS Sites
__________________________________
__( IP Network )__
__( )__
( -- -- -- )
-------- -- -- |SR| -- |SR| -- |SR| -- --------
| Ingress| |IR| |IR| | | |IR| | | |IR| | | |IR| | Egress |
--->| Router |===========| |======| |======| |======| Router |--->
| SR | | | | | | | | | | | | | | | | | | SR |
-------- -- -- | | -- | | -- | | -- --------
(__ -- -- -- __)
(__ __)
(__________________________________)
Key:
IR : IP-only Router
SR : SR-MPLS-capable Router
== : SR-MPLS in UDP Tunnel
Figure 2: SR-MPLS Enabled Within an IP Network
This section describes the construction of forwarding information base (FIB) entries and the forwarding behavior that allow the deployment of SR-MPLS when some routers in the network are IP only (i.e., do not support SR-MPLS). Note that the examples in Section 3.1.1 and Section 3.2 assume that OSPF or ISIS is enabled: in fact, other mechanisms of discovery and advertisement could be used including other routing protocols (such as BGP) or a central controller.
This sub-section describes the how to construct the forwarding information base (FIB) entry on an SR-MPLS-capable router when some or all of the next-hops along the shortest path towards a prefix Segment Identifier (prefix-SID) are IP-only routers. Section 3.1.1 provides a concrete example of how the process applies when using OSPF or ISIS.
Consider router A that receives a labeled packet with top label L(E) that corresponds to the prefix-SID SID(E) of prefix P(E) advertised by router E. Suppose the i-th next-hop router (termed NHi) along the shortest path from router A toward SID(E) is not SR-MPLS capable while both routers A and E are SR-MPLS capable. The following processing steps apply:
Once constructed, the FIB can be used by a router to tell it how to process packets. It encapsulates the packets according to the appropriate encapsulation advertised for the segment and then it sends the packets towards the next hop NHi.
This section is non-normative and provides a worked example of how a FIB might be constructed using OSPF and ISIS extensions. It is based on the process described in Section 3.1.
When forwarding the packet according to the constructed FIB entry the router encapsulates the packet according to the encapsulation as advertised using the mechanisms described in [I-D.ietf-isis-encapsulation-cap] or [I-D.ietf-ospf-encapsulation-cap]). It then sends the packets towards the next hop NHi.
[RFC7510] specifies an IP-based encapsulation for MPLS, i.e., MPLS-in-UDP. This approach is applicable where IP-based encapsulation for MPLS is required and further fine-grained load balancing of MPLS packets over IP networks over Equal-Cost Multipath (ECMP) and/or Link Aggregation Groups (LAGs) is also required. This section provides details about the forwarding procedure when UDP encapsulation is adopted for SR-MPLS over IP. Other encapsulation and tunnelling mechanisms can be applied using similar techniques, but for clarity this section uses UDP encapsulation as the exemplar.
Nodes that are SR-MPLS capable can process SR-MPLS packets. Not all of the nodes in an SR-MPLS domain are SR-MPLS capable. Some nodes may be "legacy routers" that cannot handle SR-MPLS packets but can forward IP packets. An SR-MPLS-capable node MAY advertise its capabilities using the IGP as described in Section 3. There are six types of node in an SR-MPLS domain:
The description in this section assumes that the label associated with each prefix-SID is advertised by the owner of the prefix-SID as a Penultimate Hop Popping (PHP) label. That is, if one of the IGP flooding mechanisms is used, the NP flag in OSPF or the P flag in ISIS associated with the prefix-SID is not set.
+-----+ +-----+ +-----+ +-----+ +-----+
| A +-------+ B +-------+ C +-------+ D +-------+ H |
+-----+ +--+--+ +--+--+ +--+--+ +-----+
| | |
| | |
+--+--+ +--+--+ +--+--+
| E +-------+ F +-------+ G |
+-----+ +-----+ +-----+
+--------+
|IP(A->E)|
+--------+ +--------+ +--------+
| UDP | |IP(E->G)| |IP(G->H)|
+--------+ +--------+ +--------+
| L(G) | | UDP | | UDP |
+--------+ +--------+ +--------+
| L(H) | | L(H) | |Exp Null|
+--------+ +--------+ +--------+
| Packet | ---> | Packet | ---> | Packet |
+--------+ +--------+ +--------+
Figure 3: Packet Forwarding Example with PHP
In the example shown in Figure 3, assume that routers A, E, G and H are SR-MPLS-capable while the remaining routers (B, C, D and F) are only capable of forwarding IP packets. Routers A, E, G, and H advertise their Segment Routing related information, such as via IS-IS or OSPF.
Now assume that router A (the Domain ingress) wants to send a packet to router H (the Domain egress) via the explicit path {E->G->H}. Router A will impose an MPLS label stack on the packet that corresponds to that explicit path. Since the next hop toward router E is only IP-capable (B is a legacy transit node), router A replaces the top label (that indicated router E) with a UDP-based tunnel for MPLS (i.e., MPLS-over-UDP [RFC7510]) to router E and then sends the packet. In other words, router A pops the top label and then encapsulates the MPLS packet in a UDP tunnel to router E.
When the IP-encapsulated MPLS packet arrives at router E (which is an SR-MPLS-capable transit node), router E strips the IP-based tunnel header and then processes the decapsulated MPLS packet. The top label indicates that the packet must be forwarded toward router G. Since the next hop toward router G is only IP-capable, router E replaces the current top label with an MPLS-over-UDP tunnel toward router G and sends it out. That is, router E pops the top label and then encapsulates the MPLS packet in a UDP tunnel to router G.
When the packet arrives at router G, router G will strip the IP-based tunnel header and then process the decapsulated MPLS packet. The top label indicates that the packet must be forwarded toward router H. Since the next hop toward router H is only IP-capable (D is a legacy transit router), router G would replace the current top label with an MPLS-over-UDP tunnel toward router H and send it out. However, since router G reaches the bottom of the label stack (G is the penultimate SR-MPLS capable node on the path) this would leave the original packet that router A wanted to send to router H encapsulated in UDP as if it was MPLS (i.e., with a UDP header and destination port indicating MPLS) even though the original packet could have been any protocol. That is, the final SR-MPLS has been popped exposing the payload packet.
To handle this, when a router (here it is router G) pops the final SR-MPLS label, it inserts an explicit null label [RFC3032] before encapsulating the packet in an MPLS-over-UDP tunnel toward router H and sending it out. That is, router G pops the top label, discovers it has reached the bottom of stack, pushes an explicit null label, and then encapsulates the MPLS packet in a UDP tunnel to router H.
Figure 4 demonstrates the packet walk in the case where the label associated with each prefix-SID advertised by the owner of the prefix-SID is not a Penultimate Hop Popping (PHP) label (e.g., the the NP flag in OSPF or the P flag in ISIS associated with the prefix-SID is set). Apart from the PHP function the roles of the routers is unchanged from Section 3.2.1.
+-----+ +-----+ +-----+ +-----+ +-----+
| A +-------+ B +-------+ C +--------+ D +--------+ H |
+-----+ +--+--+ +--+--+ +--+--+ +-----+
| | |
| | |
+--+--+ +--+--+ +--+--+
| E +-------+ F +--------+ G |
+-----+ +-----+ +-----+
+--------+
|IP(A->E)|
+--------+ +--------+
| UDP | |IP(E->G)|
+--------+ +--------+ +--------+
| L(E) | | UDP | |IP(G->H)|
+--------+ +--------+ +--------+
| L(G) | | L(G) | | UDP |
+--------+ +--------+ +--------+
| L(H) | | L(H) | | L(H) |
+--------+ +--------+ +--------+
| Packet | ---> | Packet | ---> | Packet |
+--------+ +--------+ +--------+
Figure 4: Packet Forwarding Example without PHP
As can be seen from the figure, the SR-MPLS label for each segment is left in place until the end of the segment where it is popped and the next instruction is processed.
This document makes no requests for IANA action.
The security consideration of [RFC8354] (which redirects the reader to [RFC5095]) and [RFC7510] apply. DTLS [RFC6347] SHOULD be used where security is needed on an MPLS-SR-over-UDP segment including when the IP segment crosses the public Internet or some other untrusted environment. [RFC8402] provides security considerations for Segment Routing, and Section 8.1 of that document is particularly applicable to SR-MPLS.
It is difficult for an attacker to pass a raw MPLS encoded packet into a network and operators have considerable experience at excluding such packets at the network boundaries, for example by excluding all packets that are revealed to be carrying an MPLS packet as the payload of IP tunnels. Further discussion of MPLS security is found in [RFC5920].
It is easy for a network ingress node to detect any attempt to smuggle an IP packet into the network since it would see that the UDP destination port was set to MPLS, and such filtering SHOULD be applied. SR packets not having a destination address terminating in the network would be transparently carried and would pose no different security risk to the network under consideration than any other traffic.
Where control plane techniques are used (as described in Section 3), it is important that these protocols are adequately secured for the environment in which they are run as discussed in [RFC6862] and [RFC5920].
Ahmed Bashandy
Individual
Email: abashandy.ietf@gmail.com
Clarence Filsfils
Cisco
Email: cfilsfil@cisco.com
John Drake
Juniper
Email: jdrake@juniper.net
Shaowen Ma
Mellanox Technologies
Email: mashaowen@gmail.com
Mach Chen
Huawei
Email: mach.chen@huawei.com
Hamid Assarpour
Broadcom
Email:hamid.assarpour@broadcom.com
Robert Raszuk
Bloomberg LP
Email: robert@raszuk.net
Uma Chunduri
Huawei
Email: uma.chunduri@gmail.com
Luis M. Contreras
Telefonica I+D
Email: luismiguel.contrerasmurillo@telefonica.com
Luay Jalil
Verizon
Email: luay.jalil@verizon.com
Gunter Van De Velde
Nokia
Email: gunter.van_de_velde@nokia.com
Tal Mizrahi
Marvell
Email: talmi@marvell.com
Jeff Tantsura
Individual
Email: jefftant@gmail.com
Thanks to Joel Halpern, Bruno Decraene, Loa Andersson, Ron Bonica, Eric Rosen, Jim Guichard, Gunter Van De Velde, Andy Malis, Robert Sparks, and Al Morton for their insightful comments on this draft.
Additional thanks to Mirja Kuehlewind, Alvaro Retana, Spencer Dawkins, Benjamin Kaduk, and Martin Vigoureux for careful reviews and resulting comments.
| [I-D.ietf-6man-segment-routing-header] | Filsfils, C., Previdi, S., Leddy, J., Matsushima, S. and d. daniel.voyer@bell.ca, "IPv6 Segment Routing Header (SRH)", Internet-Draft draft-ietf-6man-segment-routing-header-18, April 2019. |
| [I-D.ietf-bess-datacenter-gateway] | Farrel, A., Drake, J., Rosen, E., Patel, K. and L. Jalil, "Gateway Auto-Discovery and Route Advertisement for Segment Routing Enabled Domain Interconnection", Internet-Draft draft-ietf-bess-datacenter-gateway-02, February 2019. |
| [I-D.ietf-isis-encapsulation-cap] | Xu, X., Decraene, B., Raszuk, R., Chunduri, U., Contreras, L. and L. Jalil, "Advertising Tunnelling Capability in IS-IS", Internet-Draft draft-ietf-isis-encapsulation-cap-01, April 2017. |
| [I-D.ietf-isis-segment-routing-extensions] | Previdi, S., Ginsberg, L., Filsfils, C., Bashandy, A., Gredler, H. and B. Decraene, "IS-IS Extensions for Segment Routing", Internet-Draft draft-ietf-isis-segment-routing-extensions-24, April 2019. |
| [I-D.ietf-mpls-spring-entropy-label] | Kini, S., Kompella, K., Sivabalan, S., Litkowski, S., Shakir, R. and J. Tantsura, "Entropy label for SPRING tunnels", Internet-Draft draft-ietf-mpls-spring-entropy-label-12, July 2018. |
| [I-D.ietf-ospf-encapsulation-cap] | Xu, X., Decraene, B., Raszuk, R., Contreras, L. and L. Jalil, "The Tunnel Encapsulations OSPF Router Information", Internet-Draft draft-ietf-ospf-encapsulation-cap-09, October 2017. |
| [I-D.ietf-ospf-segment-routing-extensions] | Psenak, P., Previdi, S., Filsfils, C., Gredler, H., Shakir, R., Henderickx, W. and J. Tantsura, "OSPF Extensions for Segment Routing", Internet-Draft draft-ietf-ospf-segment-routing-extensions-27, December 2018. |
| [RFC2983] | Black, D., "Differentiated Services and Tunnels", RFC 2983, DOI 10.17487/RFC2983, October 2000. |
| [RFC4023] | Worster, T., Rekhter, Y. and E. Rosen, "Encapsulating MPLS in IP or Generic Routing Encapsulation (GRE)", RFC 4023, DOI 10.17487/RFC4023, March 2005. |
| [RFC5920] | Fang, L., "Security Framework for MPLS and GMPLS Networks", RFC 5920, DOI 10.17487/RFC5920, July 2010. |
| [RFC6790] | Kompella, K., Drake, J., Amante, S., Henderickx, W. and L. Yong, "The Use of Entropy Labels in MPLS Forwarding", RFC 6790, DOI 10.17487/RFC6790, November 2012. |
| [RFC6862] | Lebovitz, G., Bhatia, M. and B. Weis, "Keying and Authentication for Routing Protocols (KARP) Overview, Threats, and Requirements", RFC 6862, DOI 10.17487/RFC6862, March 2013. |
| [RFC8085] | Eggert, L., Fairhurst, G. and G. Shepherd, "UDP Usage Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, March 2017. |
| [RFC8354] | Brzozowski, J., Leddy, J., Filsfils, C., Maglione, R. and M. Townsley, "Use Cases for IPv6 Source Packet Routing in Networking (SPRING)", RFC 8354, DOI 10.17487/RFC8354, March 2018. |