Segment Routing Policy Extension for Network Resource Partition

Introduction A Segment Routing Policy (SR Policy) is a set of candidate paths, each consisting of one or more segment lists and the associated information. The headend node is said to steer a flow into an SR Policy. The packets steered into an SR Policy have an ordered list of segments associated with that SR Policy written into them. describes the representation and processing of this ordered list of segments as an MPLS label stack for SR-MPLS, while and describe the same for Segment Routing over IPv6 (SRv6) with the use of the Segment Routing Header (SRH). provides the definition of IETF network slice for use within the IETF and discusses the general framework for requesting and operating IETF Network Slices, their characteristics, and the necessary system components and interfaces. It also introduces the concept Network Resource Partition (NRP), which is a subset of the resources and associated policies in the underlay network. In SR networks, an NRP can be realized using NRP-specific resource-aware segments as defined in . With this approach, for each NRP, a separate set of resource-aware SIDs need to be assigned, thus the amount of SR SIDs would be proportional to the number of NRPs. As described in , one scalable data plane approach to support network slicing is to carry a dedicated NRP Selector ID in the data packet to identify the NRP the packet belongs to, so that the packet can be processed and forwarded using the subset of network resources allocated to the NRP. In SR networks with multiple NRPs, an SR Policy can be associated with a particular NRP. In that case, SR Policy can be used for steering and forwarding traffic which is mapped to the NRP, so that the packets can be processed with the subset of network resources and policy of the NRP for guaranteed performance. Thus the association between SR Policy and NRP needs to be specified. This document defines extensions to the SR Policy Architecture for associating SR Policy with NRP.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Use Case

In each NRP for network slices, the connectivity among PEs is achieved by SR Policies. The segment lists of these SR Policies composed with segments associated with the dedicated data plane NRP Selector ID. Traffics are steered into the SR Policies, so that the resources allocated to the corresponding NRPs will be used for forwarding.

>>>>> Queue 1-1: NRP-1, 100Mbps >>>>>>| |>>>>>> Queue 1-2: NRP-2, 200Mbps >>>>>>| |>>>>>> ... >>>>>>| |=======================================| | | | Layer-3 Sub-interface 1-2: 2Gbps | |====================================== | |>>>>>> Queue 1-1: NRP-1, 100Mbps >>>>>>| |>>>>>> Queue 1-2: NRP-2, 200Mbps >>>>>>| |>>>>>> ... >>>>>>| |=======================================| | | +---------------------------------------+ Underlay Network ]]> As shown in the example in Figure 2, the bandwidth resource of a physical interface is partitioned in two NRPs. The NRPs are sliced by HQoS queues with dedicated bandwidth under the layer-3 sub-interface. NRP needs to be identified by using an extra dimension. On both MPLS-SR and SRv6 data plane, there are several options for realizing NRP Selector ID, such as , , and . As mentioned above, the traffics of network slice are forwarded according to the segment list of SR Policy. Firstly, the outgoing interface associated segment will be the layer-3 sub-interface. Then, the HQoS queue will be selected according to the NRP Selector ID carried in the packets, and the bandwidth resource of NRP will be used.

SR Policy Extension for NRP As defined in , an SR Policy is associated with one or more candidate paths. A candidate path is the unit for signaling of an SR Policy to a headend via protocol extensions like the Path Computation Element Communication Protocol (PCEP) or BGP SR Policy . A candidate path consists of one or multiple segment lists. The segment lists are used for load balancing purpose. When an SR Policy is associated with an NRP, the SR Policy is instantiated using candidate paths which are built within a particular NRP. Hence the association between SR Policy and NRP is specified at the candidate path level. All the segment lists of the candidate path are associated with the same NRP and share the set of resources of the NRP. The candidate paths of an SR Policy determine the path that packets will traverse, while NRP reserves resources along the candidate path designated by the SR Policy. Through the integration of SR Policy and NRP, it ensures both the forwarding path and resource reservation along the candidate path.

NRP Selector ID of a Candidate Path The NRP Selector ID of a candidate path is utilized to identify the resources corresponding to the forwarding paths of all segment lists within an SR Policy. It is a 32-bit value serving as an identifier for the Network Resource Partition. The NRP Selector ID associated with a candidate path of an SR Policy from a specific Protocol-Origin as specified below:

When provisioning is via configuration, it is specific to the implementation's configuration model.
When signaling is via PCEP, the method to uniquely signal an individual candidate path along with its NRP Selector ID is described in .
When signaling is via BGP SR Policy, the method to uniquely signal an individual candidate path along with its NRP Selector ID is described in . It can be collected via BGP-LS .

Under the same Candidate Path, all segment lists must share the same NRP Selector ID. When a candidate path of an SR Policy is instantiated within an NRP, a network-wide data plane NRP Selector ID is used to identify the resources of the NRP. While different candidate paths can share the same NRP Selector IDs, the proposed mechanism allows for different candidate paths within a single SR Policy to be associated with different NRPs. However, in typical network scenarios, it is generally expected that the association between an SR Policy and an NRP remains consistent. In such cases, all candidate paths of a single SR Policy SHOULD be associated with the same NRP. By associating NRP Selector IDs with Candidate Paths, the assurance of both the SR Policy's path and its resources is achieved. The process involves the following steps:

Planning the network topology resources and assigning NRP Selector IDs.
At the headend node, performing path arrangement. During the path planning process of the SR Policy, resources are considered for different candidate paths, and NRP Selector IDs are configured under each Candidate path to establish the association between the path and resources.

Candidate Path Validity Verification A candidate path is considered usable when it is valid, with the validation rules outlined in Section 5 of [RFC9256]. When a Candidate Path contains an NRP Selector ID, a segment list of a candidate path may be declared invalid if the resources corresponding to the NRP Selector ID on the segment list path do not exist. The successful reservation of NRP resources along the entire path can be verified through OAM (Operations, Administration, and Maintenance) detection mechanisms. Additionally, if the head-end is unable to perform path resolution for the first SID into one or more outgoing interfaces and next-hops, along with the corresponding NRP Selector ID resources, the status of that segment list is set to invalid. When running fast detection protocols, such as Bidirectional Forwarding Detection (BFD), the headend may compute and validate backup candidate paths and provision them into the forwarding plane as a backup for the active path. In such cases, it is necessary to include NRP encapsulation to detect the NRP resources along the path, ensuring the availability of both the path and resources.

Summary For an SR Policy associated with an NRP, each of its candidate paths must be associated with an NRP. The NRP Selector ID linked to each candidate path can be the same or different. All segment lists of the candidate path are associated with the same NRP and share the set of resources allocated to that NRP. In summary, the information model is the following: , Weight 1 Segment List 2 , Weight 1 Segment List 3 , Weight 1 Candidate Path CP2 Preference 100 NRP Selector ID 200 Segment List 4 , Weight 1 Segment List 5 , Weight 1 Segment List 6 , Weight 1 ]]> SR Policy POL1 has two Candidate Paths, CP1 and CP2. CP1 is the active candidate path (valid and with the highest Preference). NRP Selector ID 100 is configured under CP1, while NRP Selector ID 200 is configured under CP2. The three segment lists of CP1 with NRP Selector ID 100 are installed as the forwarding instantiation of SR Policy POL1. NRP Selector ID 100 needs to be configured and resources reserved on the paths traversed by segment list 1, segment list 2, and segment list 3. When traffic is steered on POL1 and flow-based hashed on segment list [SID11...SID1i], NRP-100 is added into the data packet, and forwarding is based on the resources pointed to by NRP-100.

Steering into an SR Policy with NRP The method of traffic steering aligns with the description in Section 8 of . If the SR Policy candidate path selected as the best candidate path is associated with an NRP, the headend node of the SR Policy SHOULD encapsulate both the segment list and the data plane identifier of the associated NRP Selector ID to the header of packets steered to the SR Policy. The segment list is used to instruct the path the packets need to traverse, and the NRP Selector ID is used by each node along the path to identify the set of local network resources allocated to the NRP for the processing of the packet. When an SR policy's active path contains an NRP Selector ID, specific handling is necessary, as follows:

When steering traffic to the SR policy through Per-Destination Steering or Policy-Based Routing, after adding the corresponding segment list encapsulation for the SR policy, NRP encapsulation is also required. The specific NRP encapsulation details are outside the scope of this document.
Similarly, When steering traffic to the SR policy via the BindingSID, after adding the segment list encapsulation for the SR policy, NRP encapsulation is required. The specific NRP encapsulation details are outside the scope of this document.

Operational Considerations Operators can choose to deploy network slices at varying scales. The use of either base NRP Selector ID or resource-aware SR segments for specific service is based on operators' local policy. Resource-aware segments require to introduce additional SR-MPLS SIDs or SRv6 Locators/SIDs for different subsets of network resources. This would increase the amount of SR SIDs to be managed, and would also increase the amount of state to be maintained by network nodes. Althougth with the SR paradigmn, per-path state can be avoided in the network, operators need to be aware of the additional cost of introducing resource-aware segments, and provide careful planning of the resource groups, so that the resource-aware segments can meet the service requirements without introducing unacceptable complexity to network operation and management. As the number of required network slice services increases, more NRPs may be needed, and when data plane scalability is a primary concern, a dedicated NRP Selector ID can be introduced in the data packet to decouple the resource-specific identifiers from the topology and path-specific identifiers in the data plane, thereby reducing the number of IP addresses or SR SIDs needed to support a large number of NRPs.

Security Considerations By default, SR operates within a trusted domain. The security considerations described in and apply to this document. The NRP to which an SR Policy is associated with is critical for network resource isolation. Misconfiguration or error in setting the NRP ID of an SR Policy can result in the forwarding of packets in an undesired NRP, which may lead to the compromise in network resource isolation. When the NRP related information is advertised via the control plane (e.g., in BGP, BGP-LS, or PCEP), it is important to make sure the NRP information is not exposed to unwanted entities, otherwise it could lead to attacks that compromise network resource isolation and may impact the services carried using the SR Policy associated with the NRP.

This document has no IANA actions.

The following people have contributed to this document: