idnits 2.17.00 (12 Aug 2021)

/tmp/idnits65214/draft-clad-spring-srv6-srh-compression-illus-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 117: '... bits of the SID MUST be zero. A loca...'

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document date (19 April 2022) is 25 days in the past. Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '0' on line 401

     Summary: 3 errors (**), 0 flaws (~~), 0 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    SPRING                                                       F. Clad, Ed.
3    Internet-Draft                                              D. Dukes, Ed.
4    Intended status: Informational                        Cisco Systems, Inc.
5    Expires: 21 October 2022                                    19 April 2022

7         Illustrations for Compressed SRv6 Segment List Encoding in SRH
8               draft-clad-spring-srv6-srh-compression-illus-01

10   Abstract

12      This document provides illustrations for compressed SRv6 Segment List
13      Encoding in the Segment Routing Header (SRH).

15   Status of This Memo

17      This Internet-Draft is submitted in full conformance with the
18      provisions of BCP 78 and BCP 79.

20      Internet-Drafts are working documents of the Internet Engineering
21      Task Force (IETF). Note that other groups may also distribute
22      working documents as Internet-Drafts. The list of current Internet-
23      Drafts is at https://datatracker.ietf.org/drafts/current/.

25      Internet-Drafts are draft documents valid for a maximum of six months
26      and may be updated, replaced, or obsoleted by other documents at any
27      time. It is inappropriate to use Internet-Drafts as reference
28      material or to cite them other than as "work in progress."

30      This Internet-Draft will expire on 21 October 2022.

32   Copyright Notice

34      Copyright (c) 2022 IETF Trust and the persons identified as the
35      document authors. All rights reserved.

37      This document is subject to BCP 78 and the IETF Trust's Legal
38      Provisions Relating to IETF Documents (https://trustee.ietf.org/
39      license-info) in effect on the date of publication of this document.
40      Please review these documents carefully, as they describe your rights
41      and restrictions with respect to this document. Code Components
42      extracted from this document must include Revised BSD License text as
43      described in Section 4.e of the Trust Legal Provisions and are
44      provided without warranty as described in the Revised BSD License.

46   Table of Contents

48      1. Introduction
49      2. Terminology
50        2.1. From RFC 8402
51        2.2. From RFC 8754
52        2.3.
From RFC 8986
53      3. Intra-SR-Domain Deployment Model
54        3.1. Securing the SR Domain
55      4. General Addressing
56      5. NEXT-C-SID Flavor
57        5.1. Addressing and SRv6 SID allocation
58        5.2. Routing
59        5.3. Case 1: Intra-domain Traffic Engineering
60        5.4. Case 2: ICMPv6 error generation at a transit node
61        5.5. Case 3: Ping a SID
62      6. REPLACE-C-SID Flavor
63      7. Acknowledgements
64      8. References
65        8.1. Normative References
66        8.2. Informative References
67      Authors' Addresses

69   1. Introduction

71      This document provides illustrations for
72      [I-D.filsfilscheng-spring-srv6-srh-compression] compressed SRv6
73      Segment List Encoding in the Segment Routing Header (SRH).

75   2. Terminology

77      This document leverages the terminology introduced in [RFC8402],
78      [RFC8754], and [RFC8986]. The definition of the most important terms
79      is reproduced in this section for convenience.

81   2.1. From RFC 8402

83      Segment Routing domain (SR domain): the set of nodes participating in
84      the source-based routing model. These nodes may be connected to the
85      same physical infrastructure (e.g., a Service Provider's network).
86      They may as well be remotely connected to each other (e.g., an
87      enterprise VPN or an overlay). If multiple protocol instances are
88      deployed, the SR domain most commonly includes all of the protocol
89      instances in a network.
However, some deployments may wish to
90      subdivide the network into multiple SR domains, each of which
91      includes one or more protocol instances. It is expected that all
92      nodes in an SR domain are managed by the same administrative entity.

94   2.2. From RFC 8754

96      SR Source Node (section 3.1): A SR source node is any node that
97      originates an IPv6 packet with a segment (i.e., SRv6 SID) in the
98      destination address of the IPv6 header.

100     Transit Node (section 3.2): A transit node is any node forwarding an
101     IPv6 packet where the destination address of that packet is not
102     locally configured as a segment or a local interface. A transit node
103     is not required to be capable of processing a segment or SRH.

105     SR Segment Endpoint Node (section 3.3): An SR segment endpoint node
106     is any node receiving an IPv6 packet where the destination address of
107     that packet is locally configured as a segment or local interface.

109  2.3. From RFC 8986

111     SID Format: This document defines an SRv6 SID as consisting of
112     LOC:FUNCT:ARG, where a locator (LOC) is encoded in the L most
113     significant bits of the SID, followed by F bits of function (FUNCT)
114     and A bits of arguments (ARG). L, the locator length, is flexible,
115     and an operator is free to use the locator length of their choice. F
116     and A may be any value as long as L+F+A <= 128. When L+F+A is less
117     than 128, then the remaining bits of the SID MUST be zero. A locator
118     may be represented as B:N where B is the SRv6 SID block (IPv6 prefix
119     allocated for SRv6 SIDs by the operator) and N is the identifier of
120     the parent node instantiating the SID.

122  3. Intra-SR-Domain Deployment Model

124     (The content of this section is a partial reproduction of section 5
125     for [RFC8754].)

127     The use of the SIDs exclusively within the SR domain and solely for
128     packets of the SR domain is an important deployment model.

130     This enables the SR domain to act as a single routing system.

132  3.1.
Securing the SR Domain

134     (The reader can easily understand that the dual measures provided can
135     prevent SR packets from leaving the SR domain.)

137     Nodes outside the SR domain are not trusted: they cannot directly use
138     the SIDs of the domain. This is enforced by two levels of access
139     control lists:

141     * Any packet entering the SR domain and destined to a SID within the
142       SR domain is dropped. This may be realized with the following
143       logic. Other methods with equivalent outcome are considered
144       compliant:

146       - Allocate all the SIDs from a block S/s

148       - Configure each external interface of each edge node of the
149         domain with an inbound infrastructure access list (IACL) that
150         drops any incoming packet with a destination address in S/s

152       - Failure to implement this method of ingress filtering exposes
153         the SR domain to source-routing attacks, as described and
154         referenced in [RFC5095]

156     * The distributed protection in #1 is complemented with per-node
157       protection, dropping packets to SIDs from source addresses outside
158       the SR domain. This may be realized with the following logic.
159       Other methods with equivalent outcome are considered compliant:

161       - Assign all interface addresses from prefix A/a

163       - At node k, all SIDs local to k are assigned from prefix Sk/sk

165       - Configure each internal interface of each SR node k in the SR
166         domain with an inbound IACL that drops any incoming packet with
167         a destination address in Sk/sk if the source address is not in
168         A/a.

170  4. General Addressing

172     The illustrations in this document use the IPv6 documentation prefix
173     2001:db8::/32.

175     Loopback interface addresses are allocated from the prefix
176     2001:db8:a::/48.

178     SRv6 SIDs are allocated from the prefix 2001:db8:b::/48.
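
The two access-control levels of section 3.1, evaluated over this document's addressing plan (an added example, not part of the draft). It assumes A/a is the loopback prefix 2001:db8:a::/48, S/s is 2001:db8:b::/48 and Sk/sk is each node's 2001:db8:b:NN00::/64; the function names, the sample packets and the outside source 2001:db8:ffff::1 are constructed.

```python
import ipaddress

# Addressing plan from sections 4 and 5.2 of this document. Mapping A/a, S/s
# and Sk/sk onto these prefixes is an assumption made for this example.
A = ipaddress.ip_network("2001:db8:a::/48")   # A/a: interface addresses
S = ipaddress.ip_network("2001:db8:b::/48")   # S/s: SRv6 SID block
NODE_SIDS = {"N%d" % n: ipaddress.ip_network("2001:db8:b:%d00::/64" % n)
             for n in range(10, 20)}          # Sk/sk for N10 to N19


def check_plan():
    """List addressing mistakes that would open a gap in either ACL level."""
    problems = []
    if A.overlaps(S):
        problems.append("A/a overlaps S/s")
    for node, sk in NODE_SIDS.items():
        if not sk.subnet_of(S):
            problems.append("%s: %s is outside S/s, edge IACL misses it" % (node, sk))
    return problems


def edge_iacl(src, dst):
    """Level 1, external interface of an edge node: drop any destination in S/s."""
    return "drop" if ipaddress.ip_address(dst) in S else "permit"


def node_iacl(node, src, dst):
    """Level 2, internal interface of node k: drop Sk/sk unless source is in A/a."""
    to_local_sid = ipaddress.ip_address(dst) in NODE_SIDS[node]
    from_domain = ipaddress.ip_address(src) in A
    return "drop" if to_local_sid and not from_domain else "permit"


OUTSIDE = "2001:db8:ffff::1"   # constructed address outside A/a and S/s

# Constructed packets: (where the ACL is applied, source, destination)
SAMPLES = [
    ("edge", OUTSIDE, "2001:db8:b:1200:1300:1400:1500:1600"),  # compressed SID list
    ("edge", OUTSIDE, "2001:db8:a:1900::"),                    # traffic to a loopback
    ("N12", "2001:db8:a:1100::", "2001:db8:b:1200:1300:1400:1500:1600"),  # N11's P2
    ("N12", OUTSIDE, "2001:db8:b:1200::"),   # reached an internal interface anyway
    ("N12", OUTSIDE, "2001:db8:b:1300::"),   # N13's SID: N12 only guards its own
]


def evaluate(samples):
    """Return the verdict for each sample packet, in order."""
    verdicts = []
    for where, src, dst in samples:
        if where == "edge":
            verdicts.append(edge_iacl(src, dst))
        else:
            verdicts.append(node_iacl(where, src, dst))
    return verdicts


if __name__ == "__main__":
    print(check_plan())
    for sample, verdict in zip(SAMPLES, evaluate(SAMPLES)):
        print(verdict, sample)
```

The last sample is permitted at N12 because the per-node list only covers N12's own SIDs; N13 applies the same rule to its own prefix.
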
180     An operator deploying this solution could instead select any sub-
181     prefix out of the prefix allocated by their Regional Internet
182     Registry (RIR) to this operator or from the Unique Local Unicast
183     (ULA) prefix. ULA provides the uniqueness and privacy
184     characteristics defined in Section 1 of [RFC4193].

186  5. NEXT-C-SID Flavor
187     + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
188           N11            N13            N15            N17            |
189                                                                       |
190       N10                                                          N19|
191                                                                       |
192           N12            N14            N16            N18            |
193     + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
194                                 SR domain

196                        Figure 1: Reference topology

198     N10 to N19 represent the potential SR source and SR segment endpoint
199     nodes in the SR domain.

201     The SR domain may include any number of transit nodes (not shown)
202     between the nodes that are represented in this figure.

204  5.1. Addressing and SRv6 SID allocation

206     Nodes N10 to N19 have a loopback interface configured with the
207     address 2001:db8:a:NN00::, where NN is the node identifier.

209     Nodes N10 to N19 instantiate the SID 2001:db8:b:NN00::, where NN is
210     the node identifier, with Locator-Block length (LBL) = 48, Locator-
211     Node length (LNL) = 16, Function length (FL) = 0, Argument length (AL)
212     = 64, and bound to the End behavior with the NEXT-C-SID and USD
213     flavors.

215     The "Endpoint" (or "End") behavior is the most basic operation that
216     can be performed by an SR segment endpoint node (i.e., a node that
217     identifies the destination address of a received packet as matching a
218     locally instantiated SID). It updates the destination address of the
219     packet with the next SID in the segment list. The pseudocode of the
220     End behavior with the NEXT-C-SID and USD flavors is specified in
221     section 4.1.1 of [I-D.filsfilscheng-spring-srv6-srh-compression].

223  5.2. Routing

225     Nodes N10 to N19 advertise the prefixes 2001:db8:a:NN00::/64 and
226     2001:db8:b:NN00::/64, where NN is the node identifier, in the IGP.

228  5.3.
Case 1: Intra-domain Traffic Engineering

230     Let us assume that a centralized controller programs N11 to classify
231     the traffic from 2001:db8:a:1000:: to 2001:db8:a:1900:: into an SR
232     Policy encoded through an IPv6 encapsulation with:

234     * IPv6
235       - Source address 2001:db8:a:1100::

237       - Destination address 2001:db8:b:1200:1300:1400:1500:1600

239       - Next Header = 43 (Routing header)

241     * SRH

243       - Segment List < 2001:db8:b:1200:1300:1400:1500:1600,
244         2001:db8:b:1700:1800:: >

246       - Segments Left = 1

248       - Next Header = 41 (IPv6)

250     For illustration purposes, we use SID allocation that allows for a
251     straightforward human reading of a compressed segment list. Indeed,
252     < 2001:db8:b:1200:1300:1400:1500:1600, 2001:db8:b:1700:1800:: >
253     means: within the domain 2001:db8:b::, go first through node N12 then
254     N13, N14, N15, and N16, then retrieve the next segment list entry
255     from the SRH and go through node N17 before decapsulating the packet
256     at node N18.

258     This is compliant with [RFC8986] because the SID meets the
259     Locator:Function:Argument format definition (Section 3.1 of
260     [RFC8986]). For example, the packet sent by node N11 has a
261     destination address 2001:db8:b:1200:1300:1400:1500:1600 where
262     2001:db8:b:1200/64 is the Locator and 0x1300140015001600 is the
263     Argument.

265     A packet in transit towards a given SID (e.g.
266     2001:db8:b:1200:1300:1400:1500:1600) is forwarded by transit nodes
267     via a longest-match lookup on the destination address of the packet.
268     This results in a match of the SID locator (in this case,
269     2001:db8:b:1200::/64), and the transit node then forwards the packet
270     accordingly. The SID function and argument bits are opaque to
271     transit nodes. The function is only identified at the SR segment
272     endpoint node (represented by the SID locator in the destination
273     address) which further processes the argument.
275     Also note the source N11 performs IPv6 header encapsulation with SRH,
276     and the selected SID list containing function/arguments to be
277     processed at some endpoints, because we are in a source routed domain
278     within a secured SR domain.

280     The remainder of this section details the packet journey.

282     The packet Px transmitted by a node Nn is identified as "@Nn Px".

284     @N10 P1:(IPv6 2001:db8:a:1000::, 2001:db8:a:1900::)

286     N11 (as programmed by the centralized controller) encapsulates the
287     packet P1 and submits the updated packet (P2) to the IPv6 module for
288     transmission. It performs an IP lookup on the destination address,
289     matching an entry for the prefix 2001:db8:b:1200::/64 advertised by
290     N12. N11 forwards the packet on its shortest path towards node
291     N12.

293     @N11 P2:(IPv6 2001:db8:a:1100::, 2001:db8:b:1200:1300:1400:1500:1600)
294             (SRH 2001:db8:b:1700:1800::,
295                  2001:db8:b:1200:1300:1400:1500:1600;
296                  SL=1)
297             (IPv6 2001:db8:a:1000::, 2001:db8:a:1900::)

299     The transit nodes between N11 and N12 forward P1 as per their route
300     2001:db8:b:1200::/64 to N12. Similarly, the transit nodes between
301     each subsequent pair of consecutive SR segment endpoint nodes
302     forward the packet as per their IPv6 routes for the destination
303     address. Those transit nodes are plain IPv6 routers with the plain
304     IPv6 dataplane; they do not need to have any knowledge of SRv6.

306     The hop limit of packet P1 is decremented at every transit node and
307     every SR segment endpoint node.

309     When the packet reaches the first SR segment endpoint node N12 (i.e.,
310     the first TE waypoint), this performs a longest-prefix-match lookup
311     on the IPv6 destination address. This lookup returns a FIB entry
312     that represents a locally instantiated SRv6 SID bound to the End
313     behavior with the NEXT-C-SID flavor. N12 processes the packet
314     accordingly, resulting in a new destination address.
It then submits
315     the updated packet to the IPv6 module for transmission. This
316     triggers an IP lookup on the destination address, matching an entry
317     for the prefix 2001:db8:b:1300::/64 advertised by N13. The packet is
318     forwarded on the shortest path towards N13.

320     @N12 P2:(IPv6 2001:db8:a:1100::, 2001:db8:b:1300:1400:1500:1600:0000)
321             (SRH 2001:db8:b:1700:1800::,
322                  2001:db8:b:1200:1300:1400:1500:1600;
323                  SL=1)
324             (IPv6 2001:db8:a:1000::, 2001:db8:a:1900::)

326     The subsequent SR segment endpoint nodes N13 to N17 process the
327     packet similarly.

329     @N13 P2:(IPv6 2001:db8:a:1100::, 2001:db8:b:1400:1500:1600:0000:0000)
330             (SRH 2001:db8:b:1700:1800::,
331                  2001:db8:b:1200:1300:1400:1500:1600;
332                  SL=1)
333             (IPv6 2001:db8:a:1000::, 2001:db8:a:1900::)

335     @N14 P2:(IPv6 2001:db8:a:1100::, 2001:db8:b:1500:1600:0000:0000:0000)
336             (SRH 2001:db8:b:1700:1800::,
337                  2001:db8:b:1200:1300:1400:1500:1600;
338                  SL=1)
339             (IPv6 2001:db8:a:1000::, 2001:db8:a:1900::)

341     @N15 P2:(IPv6 2001:db8:a:1100::, 2001:db8:b:1600:0000:0000:0000:0000)
342             (SRH 2001:db8:b:1700:1800::,
343                  2001:db8:b:1200:1300:1400:1500:1600;
344                  SL=1)
345             (IPv6 2001:db8:a:1000::, 2001:db8:a:1900::)

347     When the packet is processed by the SR segment endpoint node N16, the
348     SID argument value is 0. As per the pseudocode of the End behavior
349     with the NEXT-C-SID and USD flavors, N16 retrieves the next SID by
350     decrementing the value of segments left in the SRH and copying the
351     next entry from the SRH segment list into the destination address.
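
The destination address updates of this walk-through, from N12 through to decapsulation at N18, reproduced in code (an added example, modelled on the packet traces in this section and not the normative pseudocode of [I-D.filsfilscheng-spring-srv6-srh-compression]). The function names are hypothetical, hop limit handling is omitted, and the input is packet P2 as sent by N11.

```python
import ipaddress

# SID structure from section 5.1 of this document.
LBL, LNL, FL, AL = 48, 16, 0, 64

# Packet P2 as sent by N11 (section 5.3). Index 0 is Segment List[0].
SEGMENT_LIST = ["2001:db8:b:1700:1800::", "2001:db8:b:1200:1300:1400:1500:1600"]
P2_DST = "2001:db8:b:1200:1300:1400:1500:1600"


def end_next_c_sid_usd(dst, segment_list, segments_left):
    """Process one packet at an SR segment endpoint node.

    Returns (action, new_dst, new_segments_left).
    """
    da = int(ipaddress.IPv6Address(dst))
    argument = (da >> (128 - LBL - LNL - FL - AL)) & ((1 << AL) - 1)
    if argument != 0:
        # Keep the Locator-Block, move the argument up so that it starts
        # right after the block, and leave the low-order bits at zero.
        block = (da >> (128 - LBL)) << (128 - LBL)
        new_da = block | (argument << (128 - LBL - AL))
        return "forward", ipaddress.IPv6Address(new_da), segments_left
    if segments_left == 0:
        # USD flavor: nothing left to visit, remove the outer header.
        return "decapsulate", None, 0
    # Argument exhausted: take the next entry from the SRH.
    segments_left -= 1
    return "forward", ipaddress.IPv6Address(segment_list[segments_left]), segments_left


def node_name(dst):
    """Name the node that owns the locator in dst (node bits NN00 -> 'NNN')."""
    da = int(ipaddress.IPv6Address(dst))
    node_id = (da >> (128 - LBL - LNL)) & ((1 << LNL) - 1)
    return "N{:x}".format(node_id >> 8)


def walk(dst, segment_list, segments_left):
    """Follow the packet from endpoint to endpoint until it is decapsulated.

    Each shift drops 16 bits of argument and each SRH read lowers Segments
    Left, so the loop always ends.
    """
    trace = []
    dst = ipaddress.IPv6Address(dst)
    while True:
        node = node_name(dst)
        action, new_dst, segments_left = end_next_c_sid_usd(
            dst, segment_list, segments_left)
        trace.append((node, action, new_dst, segments_left))
        if action == "decapsulate":
            return trace
        dst = new_dst


if __name__ == "__main__":
    for node, action, new_dst, sl in walk(P2_DST, SEGMENT_LIST, 1):
        print("@%s %-11s DA=%s SL=%d" % (node, action, new_dst, sl))
```
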
353     @N16 P2:(IPv6 2001:db8:a:1100::, 2001:db8:b:1700:1800::)
354             (SRH 2001:db8:b:1700:1800::,
355                  2001:db8:b:1200:1300:1400:1500:1600;
356                  SL=0)
357             (IPv6 2001:db8:a:1000::, 2001:db8:a:1900::)

359     @N17 P2:(IPv6 2001:db8:a:1100::, 2001:db8:b:1800:0000::)
360             (SRH 2001:db8:b:1700:1800::,
361                  2001:db8:b:1200:1300:1400:1500:1600;
362                  SL=0)
363             (IPv6 2001:db8:a:1000::, 2001:db8:a:1900::)

365     When the packet reaches the final SR segment endpoint node N18, both
366     the SID argument value and the segments left value in the SRH are 0.
367     As per the pseudocode of the End behavior with the NEXT-C-SID and USD
368     flavors, N18 decapsulates the packet and sends the inner packet P1
369     towards its destination 2001:db8:a:1900::.

371     @N18 P1:(IPv6 2001:db8:a:1000::, 2001:db8:a:1900::)

373  5.4. Case 2: ICMPv6 error generation at a transit node

375     Let us assume in the previous example that the hop limit expires on a
376     transit node N141, located on the path between the SR segment
377     endpoint nodes N14 and N15.

379     The packet sent by node N14 is as follows (reproduced from the
380     previous section).

382     @N14 P2:(IPv6 2001:db8:a:1100::, 2001:db8:b:1500:1600:0000:0000:0000)
383             (SRH 2001:db8:b:1700:1800::,
384                  2001:db8:b:1200:1300:1400:1500:1600;
385                  SL=1)
386             (IPv6 2001:db8:a:1000::, 2001:db8:a:1900::)

388     Node N141 generates an ICMPv6 time exceeded error message as follows.

390     @N141 P3: (IPv6 , 2001:db8:a:1100::)
391               (ICMPv6 time exceeded error
392                (IPv6 2001:db8:a:1100::,
393                      2001:db8:b:1500:1600:0000:0000:0000)
394                (SRH 2001:db8:b:1700:1800::,
395                     2001:db8:b:1200:1300:1400:1500:1600;
396                     SL=1)
397                (IPv6 2001:db8:a:1000::, 2001:db8:a:1900::))

399     Node N11 receives the ICMP error packet transmitted by N141.
400     Section 5.4 of [RFC8754] indicates that a destination address of the
401     invoking packet is determined by looking at Segment List[0].

403  5.5.
Case 3: Ping a SID

405     The operator wants to ping the End with NEXT-C-SID flavor SID
406     2001:db8:b:1200:: of N12 from the SR source node N10.

408     The ICMP echo request is sent by N10 as follows.

410     @N10 P1:(IPv6 2001:db8:a:1000::, 2001:db8:b:1200::)
411             (ICMPv6 echo request)

413     This results in an ICMP echo reply from N12 to N10.

415     @N12 P2:(IPv6 2001:db8:b:1200::, 2001:db8:a:1000::)
416             (ICMPv6 echo reply)

418  6. REPLACE-C-SID Flavor

420     TBD

422  7. Acknowledgements

424     TBD

426  8. References

428  8.1. Normative References

430     [I-D.filsfilscheng-spring-srv6-srh-compression]
431                Cheng, W., Filsfils, C., Li, Z., Decraene, B., Cai, D.,
432                Voyer, D., Clad, F., Zadok, S., Guichard, J. N., Aihua,
433                L., Raszuk, R., and C. Li, "Compressed SRv6 Segment List
434                Encoding in SRH", Work in Progress, Internet-Draft, draft-
435                filsfilscheng-spring-srv6-srh-compression-02, 28 July
436                2021, .

439     [RFC8402]  Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
440                Decraene, B., Litkowski, S., and R. Shakir, "Segment
441                Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
442                July 2018, .

444     [RFC8754]  Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J.,
445                Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header
446                (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020,
447                .

449     [RFC8986]  Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer,
450                D., Matsushima, S., and Z. Li, "Segment Routing over IPv6
451                (SRv6) Network Programming", RFC 8986,
452                DOI 10.17487/RFC8986, February 2021,
453                .

455  8.2. Informative References

457     [RFC4193]  Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
458                Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005,
459                .

461     [RFC5095]  Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
462                of Type 0 Routing Headers in IPv6", RFC 5095,
463                DOI 10.17487/RFC5095, December 2007,
464                .

466  Authors' Addresses

468     Francois Clad (editor)
469     Cisco Systems, Inc.
470     France
471     Email: fclad@cisco.com

473     Darren Dukes (editor)
474     Cisco Systems, Inc.
475     Canada
476     Email: ddukes@cisco.com