Export of Segment Routing Policy Attributes in IP Flow Information Export (IPFIX)

Segment Routing (SR) and Segment Routing over IPv6 (SRv6) have become widely deployed technologies for source routing and traffic engineering in modern networks. SR Policy provides a mechanism to steer traffic through an ordered list of segments to meet Service Level Agreements (SLAs) and other operational requirements. An SR Policy is uniquely identified by the tuple Headend, Color, Endpoint]]>, where:

Headend: The node where the policy is instantiated.
Color: A 32-bit numerical value representing the policy intent or class.
Endpoint: The destination address of the policy (IPv4 or IPv6).

While network operators can monitor traffic flows using IP Flow Information Export (IPFIX) and observe which SR policies are configured in the network, there has been no standardized way to correlate individual IP flows with the specific SR policies that carry them. This correlation is essential for:

Service Assurance: Verifying that traffic is being forwarded according to the intended policy.
Troubleshooting: Identifying which flows are affected when a policy fails.
Routing Planning: Understanding traffic forwarding patterns per policy class.
Security Monitoring: Detecting policy bypass or hijacking attempts.

This document defines new IPFIX Information Elements (IEs) to export SR and SRv6 policy attributes (color, endpoint, and type) associated with observed IP flows. These IEs enable Exporting Processes to report which SR policy was applied to each flow, providing crucial visibility into the relationship between traffic and network policies.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document makes use of the terms defined in , and . The following terms are used as defined in :

IPFIX
IPFIX Information Elements

The following terms are used as defined in :

Segment Routing (SR)
SR-MPLS
SRv6

This section defines new IPFIX IEs for exporting SR Policy attributes. The color value of the SR Policy applied to the flow. The color is a 32-bit unsigned integer that identifies the intent or class of the SR Policy. The 32-bit IPv4 endpoint address of the SR Policy applied to the flow. The 128-bit IPv6 endpoint address of the SR Policy applied to the flow. The type of SR Policy applied to the flow. It is used to distinguish between SR-MPLS and SRv6 policies.

For srPolicyColor IE, a value of 0 indicates that no SR Policy was applied to the flow (i.e., the flow was forwarded using conventional routing). Color values are locally significant to the headend node but are often coordinated network-wide to represent consistent service classes. For srPolicyEndpointIPv4 and srPolicyEndpointIPv6 IE, A value of 0.0.0.0 for IPv4 address and ::0 for IPv6 address indicates that no SR Policy with an IPv4 or IPv6 endpoint was applied, or the endpoint is unknown. When these IEs is used with srPolicyColor IE, this pair uniquely identifies an SR Policy from the perspective of the headend node. When multiple SR Policies could apply to a flow (e.g., through policy nesting), these IEs defined in this document SHOULD report the value of the outermost or primary policy. These IEs are most meaningfully reported by the headend node of the SR Policy - that is, the node where the policy is instantiated and where packets enter the SR Policy path. To identify the headend node of an SR Policy, the exporterIPv4Address (130) and exporterIPv6Address (131) IEs can be used. These IEs about SR Policy attributes complement existing IPFIX IEs. When reporting SR Policy attributes, Exporting Processes SHOULD also include basic flow identification IEs such as source/destination addresses, protocol, and ports to provide context for the policy application.

The Security Considerations for IPFIX apply to this document as well. SR Policy attributes reveal network engineering decisions and traffic steering policies. Unauthorized access to this information could aid in traffic analysis or network reconnaissance. Export of these IEs SHOULD be protected using IPFIX over TLS or DTLS . Manipulation of SR Policy attributes in flow records could mislead network operators about traffic paths, potentially hiding policy violations or attacks. Collecting Processes SHOULD verify data integrity when possible. While SR Policy attributes themselves don't directly identify individuals, they could be combined with other flow data to infer sensitive information about network usage patterns. Exporting additional IEs increases the size of flow records and template definitions. Exporting Processes SHOULD implement appropriate rate limiting and resource controls. The ability to correlate flows with policies enables verification that traffic is following intended paths, which can help detect policy bypass attacks or configuration errors.

This document specifies new IPFIX IEs to enable export of SR Policy Attributes along with other flow information. This document requests IANA to add these IPFIX IEs to the "IPFIX Information Elements" registry available at . Table 1 lists the new IPFIX IEs for SR Policy Attributes:

Name:: srPolicyColor

Element ID:: TBD1

Description:: The color value of the SR Policy applied to the flow. The color is a 32-bit unsigned integer that identifies the intent or class of the SR Policy. A value of 0 indicates that no SR Policy was applied to the flow.

Abstract Data Type:: unsigned32

Data Type Semantics:: identifier

Status:: current

Reference:: [this document]

Name:: srPolicyEndpointIPv4

Element ID:: TBD2

Description:: The IPv4 endpoint address of the Segment Routing Policy applied to the flow. A value of 0.0.0.0 indicates that no SR Policy with an IPv4 endpoint was applied, or the endpoint is unknown.

Abstract Data Type:: ipv4Address

Data Type Semantics:: identifier

Status:: current

Reference:: [this document]

Name:: srPolicyEndpointIPv6

Element ID:: TBD3

Description:: The IPv6 endpoint address of the Segment Routing Policy applied to the flow. The ::0 address indicates that no SR Policy with an IPv6 endpoint was applied, or the endpoint is unknown.

Abstract Data Type:: ipv6Address

Data Type Semantics:: identifier

Status:: current

Reference:: [this document]

Name:: srPolicyType

Element ID:: TBD4

Description:: The type of Segment Routing Policy applied to the flow. A value of 0 indicates the policy type is unknown or not applicable. Values are defined in the "SR Policy Types" sub-registry

Abstract Data Type:: unsigned8

Data Type Semantics:: identifier

Status:: current

Reference:: [this document]

IANA is requested to create a new sub-registry titled "SR Policy Types" under the "IPFIX Information Elements" registry.