Network Working Group                                              X. Xu
Internet-Draft                                              Alibaba, Inc
Intended status: Standards Track                               S. Bryant
Expires: December 18, 2019                                        Huawei
                                                               A. Farrel
                                                      Old Dog Consulting
                                                               S. Hassan
                                                                   Cisco
                                                           W. Henderickx
                                                                   Nokia
                                                                   Z. Li
                                                                  Huawei
                                                           June 16, 2019


                            SR-MPLS over IP
                      draft-ietf-mpls-sr-over-ip-07

Abstract

   MPLS Segment Routing (SR-MPLS) is an MPLS data plane-based source
   routing paradigm in which the sender of a packet is allowed to
   partially or completely specify the route the packet takes through
   the network by imposing stacked MPLS labels on the packet.  SR-MPLS
   can be leveraged to realize a source routing mechanism across MPLS,
   IPv4, and IPv6 data planes by using an MPLS label stack as a source
   routing instruction set while making no changes to SR-MPLS
   specifications and interworking with SR-MPLS implementations.

   This document describes how SR-MPLS capable routers and IP-only
   routers can seamlessly co-exist and interoperate through the use of
   SR-MPLS label stacks and IP encapsulation/tunneling such as
   MPLS-in-UDP as defined in RFC 7510.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 18, 2019.
Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Use Cases
   3.  Procedures of SR-MPLS over IP
     3.1.  Forwarding Entry Construction
       3.1.1.  FIB Construction Example
     3.2.  Packet Forwarding Procedures
       3.2.1.  Packet Forwarding with Penultimate Hop Popping
       3.2.2.  Packet Forwarding without Penultimate Hop Popping
       3.2.3.  Additional Forwarding Procedures
   4.  IANA Considerations
   5.  Security Considerations
   6.  Contributors
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   MPLS Segment Routing (SR-MPLS) [I-D.ietf-spring-segment-routing-mpls]
   is an MPLS data plane-based source routing paradigm in which the
   sender of a packet is allowed to partially or completely specify the
   route the packet takes through the network by imposing stacked MPLS
   labels on the packet.  SR-MPLS uses an MPLS label stack to encode a
   source routing instruction set.  This can be used to realize a source
   routing mechanism that can operate across MPLS, IPv4, and IPv6 data
   planes.  This approach makes no changes to SR-MPLS specifications and
   allows interworking with SR-MPLS implementations.  More specifically,
   the source routing instruction set information contained in a source
   routed packet could be uniformly encoded as an MPLS label stack no
   matter whether the underlay is IPv4, IPv6 (including Segment Routing
   for IPv6 (SRv6) [RFC8354]), or MPLS.

   This document describes how SR-MPLS capable routers and IP-only
   routers can seamlessly co-exist and interoperate through the use of
   SR-MPLS label stacks and IP encapsulation/tunneling such as
   MPLS-in-UDP [RFC7510].

   Section 2 describes various use cases for tunneling SR-MPLS over IP.
   Section 3 describes a typical application scenario and how packet
   forwarding happens.

1.1.  Terminology

   This memo makes use of the terms defined in [RFC3031] and
   [I-D.ietf-spring-segment-routing-mpls].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Use Cases

   Tunneling SR-MPLS using IPv4 and/or IPv6 (including SRv6) tunnels is
   useful at least in the use cases listed below.
   In all cases, this can be enabled using an IP tunneling mechanism
   such as MPLS-in-UDP as described in [RFC7510].  The tunnel selected
   MUST have its remote end point (destination) address equal to the
   address of the next SR-MPLS capable node identified as being on the
   SR path (i.e., the egress of the active segment).  The local end
   point (source) address is set to an address of the encapsulating
   node.  [RFC7510] gives further advice on how to set the source
   address if the UDP zero-checksum mode is used with MPLS-in-UDP.
   Using UDP as the encapsulation may be particularly beneficial
   because it is agnostic of the underlying transport.

   o  Incremental deployment of the SR-MPLS technology may be
      facilitated by tunneling SR-MPLS packets across parts of a network
      that are not SR-MPLS as shown in Figure 1.  This demonstrates how
      islands of SR-MPLS may be connected across a legacy network.  It
      may be particularly useful for joining sites (such as data
      centers).

                               ________________________
                    _______   (                        )   _______
                   (       ) (       IP Network        ) (       )
                  ( SR-MPLS ) (                        ) ( SR-MPLS )
                  ( Network ) (                        ) ( Network )
                  (      --------                      --------      )
                  (     | Border |  SR-in-UDP Tunnel  | Border |     )
                  (     | Router |====================| Router |     )
                  (     |   R1   |                    |   R2   |     )
                  (      --------                      --------      )
                   (       ) (                        ) (       )
                   (       ) (                        ) (       )
                    (_______)  (                      )  (_______)
                              (________________________)

         Figure 1: SR-MPLS in UDP to Tunnel Between SR-MPLS Sites

   o  If encoding of entropy [RFC6790] is desired, IP tunneling
      mechanisms that allow encoding of entropy, such as MPLS-in-UDP
      encapsulation [RFC7510] where the source port of the UDP header is
      used as an entropy field, may be used to maximize the utilization
      of ECMP and/or LAG, especially when it is difficult to make use of
      the entropy label mechanism.  This is to be contrasted with
      [RFC4023] where MPLS-in-IP does not provide for an entropy
      mechanism.
      Refer to [I-D.ietf-mpls-spring-entropy-label] for more discussion
      about using entropy labels in SR-MPLS.

   o  Tunneling MPLS over IP provides a technology that enables SR in an
      IPv4 and/or IPv6 network where the routers do not support SRv6
      capabilities [I-D.ietf-6man-segment-routing-header] and where MPLS
      forwarding is not an option.  This is shown in Figure 2.

                       __________________________________
                    __(           IP Network             )__
                 __(                                        )__
                (           --        --        --             )
      --------   --   --  |SR|  --   |SR|  --   |SR|  --   --------
     | Ingress| |IR| |IR| |  | |IR|  |  | |IR|  |  | |IR| | Egress |
 --->| Router |===========|  |=======|  |=======|  |======| Router |--->
     |   SR   | |  | |  | |  | |  |  |  | |  |  |  | |  | |   SR   |
      --------   --   --  |  |  --   |  |  --   |  |  --   --------
                (__         --        --        --           __)
                   (__                                    __)
                      (__________________________________)

      Key:
         IR : IP-only Router
         SR : SR-MPLS-capable Router
         == : SR-MPLS in UDP Tunnel

             Figure 2: SR-MPLS Enabled Within an IP Network

3.  Procedures of SR-MPLS over IP

   This section describes the construction of forwarding information
   base (FIB) entries and the forwarding behavior that allow the
   deployment of SR-MPLS when some routers in the network are IP only
   (i.e., do not support SR-MPLS).  Note that the examples in
   Section 3.1.1 and Section 3.2 assume that OSPF or ISIS is enabled: in
   fact, other mechanisms of discovery and advertisement could be used
   including other routing protocols (such as BGP) or a central
   controller.

3.1.  Forwarding Entry Construction

   This sub-section describes how to construct the forwarding
   information base (FIB) entry on an SR-MPLS-capable router when some
   or all of the next-hops along the shortest path towards a prefix
   Segment Identifier (prefix-SID) are IP-only routers.  Section 3.1.1
   provides a concrete example of how the process applies when using
   OSPF or ISIS.
   Consider router A that receives a labeled packet with top label L(E)
   that corresponds to the prefix-SID SID(E) of prefix P(E) advertised
   by router E.  Suppose the i-th next-hop router (termed NHi) along the
   shortest path from router A toward SID(E) is not SR-MPLS capable
   while both routers A and E are SR-MPLS capable.  The following
   processing steps apply:

   o  Router E is SR-MPLS capable, so it advertises a Segment Routing
      Global Block (SRGB).  The SRGB is defined in [RFC8402].  There are
      a number of ways that the advertisement can be achieved, including
      IGPs, BGP, and configuration/management protocols.  For example,
      see [I-D.ietf-bess-datacenter-gateway].

   o  When Router E advertises the prefix-SID SID(E) of prefix P(E) it
      MUST also advertise the encapsulation endpoint and the tunnel type
      of any tunnel used to reach E.  This information is flooded domain
      wide.

   o  If A and E are in different routing domains then the information
      MUST be flooded into both domains.  How this is achieved depends
      on the advertisement mechanism being used.  The objective is that
      router A knows the characteristics of router E that originated the
      advertisement of SID(E).

   o  Router A programs the FIB entry for prefix P(E) corresponding to
      the SID(E) according to whether a pop or swap action is advertised
      for the prefix.  The resulting action may be:

      *  pop the top label

      *  swap the top label to a value equal to SID(E) plus the lower
         bound of the SRGB of E

   Once constructed, the FIB can be used by a router to tell it how to
   process packets.  It encapsulates the packets according to the
   appropriate encapsulation advertised for the segment and then it
   sends the packets towards the next hop NHi.

3.1.1.  FIB Construction Example

   This section is non-normative and provides a worked example of how a
   FIB might be constructed using OSPF and ISIS extensions.
   It is based on the process described in Section 3.1.

   o  Router E is SR-MPLS capable, so it advertises a Segment Routing
      Global Block (SRGB) using
      [I-D.ietf-ospf-segment-routing-extensions] or
      [I-D.ietf-isis-segment-routing-extensions].

   o  When Router E advertises the prefix-SID SID(E) of prefix P(E) it
      also advertises the encapsulation endpoint and the tunnel type of
      any tunnel used to reach E using [I-D.ietf-isis-encapsulation-cap]
      or [I-D.ietf-ospf-encapsulation-cap].

   o  If A and E are in different domains then the information is
      flooded into both domains and any intervening domains.

      *  The OSPF Tunnel Encapsulation TLV
         [I-D.ietf-ospf-encapsulation-cap] or the ISIS Tunnel
         Encapsulation sub-TLV [I-D.ietf-isis-encapsulation-cap] is
         flooded domain-wide.

      *  The OSPF SID/label range TLV
         [I-D.ietf-ospf-segment-routing-extensions] or the ISIS
         SR-Capabilities Sub-TLV
         [I-D.ietf-isis-segment-routing-extensions] is advertised
         domain-wide so that router A knows the characteristics of
         router E.

      *  When router E advertises the prefix P(E):

         +  If router E is running ISIS it uses the extended
            reachability TLV (TLVs 135, 235, 236, 237) and associates
            the IPv4 and/or IPv6 Source Router ID sub-TLV(s) [RFC7794].

         +  If router E is running OSPF it uses the OSPFv2 Extended
            Prefix Opaque LSA [RFC7684] and sets the flooding scope to
            AS-wide.

      *  If router E is running ISIS and advertises the ISIS capability
         TLV (TLV 242) [RFC7981], it sets the "router-ID" field to a
         valid value or includes an IPv6 TE Router ID sub-TLV (sub-TLV
         12), or does both.  The "S" bit (flooding scope) of the ISIS
         capability TLV (TLV 242) is set to "1".
   o  Router A programs the FIB entry for prefix P(E) corresponding to
      the SID(E) according to whether a pop or swap action is advertised
      for the prefix as follows:

      *  If the NP flag in OSPF or the P flag in ISIS is clear:

            pop the top label

      *  If the NP flag in OSPF or the P flag in ISIS is set:

            swap the top label to a value equal to SID(E) plus the lower
            bound of the SRGB of E

   When forwarding the packet according to the constructed FIB entry the
   router encapsulates the packet according to the encapsulation as
   advertised using the mechanisms described in
   [I-D.ietf-isis-encapsulation-cap] or
   [I-D.ietf-ospf-encapsulation-cap].  It then sends the packet towards
   the next hop NHi.

   Note that [RFC7510] specifies the use of port number 6635 to indicate
   that the payload of a UDP packet is MPLS, and port number 6636 for
   MPLS-in-UDP utilizing DTLS.  However,
   [I-D.ietf-isis-encapsulation-cap] and
   [I-D.ietf-ospf-encapsulation-cap] provide dynamic protocol mechanisms
   to configure the use of any Dynamic Port for a tunnel that uses UDP
   encapsulation.  Nothing in this document prevents the use of an IGP
   or any other mechanism to negotiate the use of a Dynamic Port when
   UDP encapsulation is used for SR-MPLS, but if no such mechanism is
   used then the port numbers specified in [RFC7510] are used.

3.2.  Packet Forwarding Procedures

   [RFC7510] specifies an IP-based encapsulation for MPLS, i.e.,
   MPLS-in-UDP.  This approach is applicable where IP-based
   encapsulation for MPLS is required and further fine-grained load
   balancing of MPLS packets over IP networks over Equal-Cost Multipath
   (ECMP) and/or Link Aggregation Groups (LAGs) is also required.  This
   section provides details about the forwarding procedure when UDP
   encapsulation is adopted for SR-MPLS over IP.
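   The FIB construction of Section 3.1 and Section 3.1.1, together with
   the port rule just described, as an added example in Python.  This is
   not code from this document nor from any SR-MPLS implementation: the
   advertisement and FIB records are this example's own data model that
   stands in for the OSPF/IS-IS TLVs the draft cites (not their wire
   encodings), the addresses, prefixes and label values are constructed,
   and the case of an SR-MPLS-capable next hop goes beyond the draft's
   text by applying the general SR-MPLS rule (swap into the next SR
   node's SRGB; pop only when this router is the penultimate SR hop).

```python
"""FIB construction for SR-MPLS over IP (Sections 3.1 / 3.1.1).

Added example, not code from the draft.  Advertisement/NextHop/FibEntry
are an illustrative data model, not the OSPF or IS-IS TLV encodings.
"""
from dataclasses import dataclass
from typing import Optional

MPLS_IN_UDP_PORT = 6635        # RFC 7510: the UDP payload is MPLS
MPLS_IN_UDP_DTLS_PORT = 6636   # RFC 7510: MPLS-in-UDP with DTLS


@dataclass(frozen=True)
class Advertisement:
    """What router A has learnt about prefix P(E) from router E."""
    router: str
    prefix: str
    sid_index: int            # prefix-SID SID(E): an index into E's SRGB
    srgb_base: int            # lower bound of E's SRGB
    srgb_size: int
    php: bool                 # True when the OSPF NP flag / IS-IS P flag is clear
    tunnel_endpoint: str      # encapsulation endpoint advertised for E
    tunnel_type: str          # e.g. "MPLS-in-UDP"
    dynamic_port: Optional[int] = None   # Dynamic Port for the tunnel, if negotiated


@dataclass(frozen=True)
class NextHop:
    router: str
    sr_capable: bool
    srgb_base: Optional[int] = None      # only meaningful when sr_capable


@dataclass(frozen=True)
class FibEntry:
    prefix: str
    incoming_label: int       # label A expects: SID(E) plus the lower bound of A's SRGB
    action: str               # "pop" or "swap"
    outgoing_label: Optional[int]
    next_hop: str
    tunnel: Optional[tuple]   # (endpoint, type, UDP destination port); None when native MPLS


def build_fib_entry(adv: Advertisement, local_srgb_base: int,
                    nh: NextHop, dtls: bool = False) -> FibEntry:
    """Derive A's FIB entry for P(E) from E's advertisement and the next hop NHi."""
    if not 0 <= adv.sid_index < adv.srgb_size:
        raise ValueError("SID index %d outside the SRGB of %s" % (adv.sid_index, adv.router))
    incoming = local_srgb_base + adv.sid_index

    if nh.sr_capable:
        # Native SR-MPLS: NHi processes the label next, so a swap is into NHi's
        # SRGB (general SR-MPLS rule; the draft's text covers the tunnelled case).
        tunnel, target_srgb = None, nh.srgb_base
    else:
        # NHi is IP-only: tunnel straight to E, so a swap is into E's SRGB and the
        # UDP destination port is the negotiated Dynamic Port or the RFC 7510 port.
        port = adv.dynamic_port
        if port is None:
            port = MPLS_IN_UDP_DTLS_PORT if dtls else MPLS_IN_UDP_PORT
        tunnel, target_srgb = (adv.tunnel_endpoint, adv.tunnel_type, port), adv.srgb_base

    # PHP applies only where this router is the penultimate SR hop toward E:
    # that is always true through a tunnel to E, and natively only if NHi is E.
    penultimate = (not nh.sr_capable) or nh.router == adv.router
    if adv.php and penultimate:
        return FibEntry(adv.prefix, incoming, "pop", None, nh.router, tunnel)
    return FibEntry(adv.prefix, incoming, "swap", target_srgb + adv.sid_index,
                    nh.router, tunnel)


def program_fib(advs, local_srgb_base: int, next_hop_of: dict) -> dict:
    """FIB keyed by incoming label; next_hop_of maps a destination router to its NHi."""
    fib = {}
    for adv in advs:
        entry = build_fib_entry(adv, local_srgb_base, next_hop_of[adv.router])
        if entry.incoming_label in fib:
            raise ValueError("label %d already programmed" % entry.incoming_label)
        fib[entry.incoming_label] = entry
    return fib
```

   With E advertising SRGB base 16000 and SID index 5, a router A whose
   own SRGB starts at 20000 matches incoming label 20005 and, for a
   non-PHP prefix behind an IP-only next hop, swaps to 16005 and tunnels
   to E's advertised endpoint on port 6635 unless a Dynamic Port was
   learnt.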
   Other encapsulation and tunnelling mechanisms can be applied using
   similar techniques, but for clarity this section uses UDP
   encapsulation as the exemplar.

   Nodes that are SR-MPLS capable can process SR-MPLS packets.  Not all
   of the nodes in an SR-MPLS domain are SR-MPLS capable.  Some nodes
   may be "legacy routers" that cannot handle SR-MPLS packets but can
   forward IP packets.  An SR-MPLS-capable node MAY advertise its
   capabilities using the IGP as described in Section 3.  There are six
   types of node in an SR-MPLS domain:

   o  Domain ingress nodes that receive packets and encapsulate them for
      transmission across the domain.  Those packets may be any payload
      protocol including native IP packets or packets that are already
      MPLS encapsulated.

   o  Legacy transit nodes that are IP routers but that are not SR-MPLS
      capable (i.e., are not able to perform segment routing).

   o  Transit nodes that are SR-MPLS capable but that are not identified
      by a SID in the SID stack.

   o  Transit nodes that are SR-MPLS capable and need to perform SR-MPLS
      routing because they are identified by a SID in the SID stack.

   o  The penultimate SR-MPLS capable node on the path that processes
      the last SID on the stack on behalf of the domain egress node.

   o  The domain egress node that forwards the payload packet for
      ultimate delivery.

3.2.1.  Packet Forwarding with Penultimate Hop Popping

   The description in this section assumes that the label associated
   with each prefix-SID is advertised by the owner of the prefix-SID as
   a Penultimate Hop Popping (PHP) label.  That is, if one of the IGP
   flooding mechanisms is used, the NP flag in OSPF or the P flag in
   ISIS associated with the prefix-SID is not set.
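   The packet walk of Figure 3 below (with PHP) and of Figure 4 in
   Section 3.2.2 (without PHP), as an added Python model that is not
   part of this document or of any router implementation.  Its
   assumptions are constructed for the example: the figures' topology
   (A-B-C-D-H over E-F-G, with A, E, G and H SR-MPLS capable and B, C,
   D and F IP-only); one SRGB with base 16000 on every SR-MPLS-capable
   router, so a swap leaves the label value unchanged; MPLS-in-UDP on
   the RFC 7510 port; the RFC 5737 addresses 192.0.2.1 to 192.0.2.8 for
   A to H; and a hash of the payload as the entropy value, which is then
   retained across tunnels as Section 3.2.3 suggests.

```python
"""Packet walk of Figures 3 and 4: SR-MPLS over MPLS-in-UDP with and without PHP.

Added example, not code from the draft.  Topology, SRGB, addresses and the
entropy hash are constructed assumptions described in the lead-in.
"""
import zlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SRGB_BASE = 16000
MPLS_IN_UDP_PORT = 6635
IPV4_EXPLICIT_NULL = 0                 # RFC 3032 reserved label value
SR_CAPABLE = set("AEGH")
SID_INDEX = {"E": 1, "G": 2, "H": 3}   # prefix-SID indexes of the segment endpoints
ADDR = {n: "192.0.2.%d" % i for i, n in enumerate("ABCDEFGH", start=1)}
NODE_OF_ADDR = {a: n for n, a in ADDR.items()}
# IP next hop on the shortest path from a router toward a segment endpoint.
NEXT_HOP = {("A", "E"): "B", ("B", "E"): "E", ("E", "G"): "F", ("F", "G"): "G",
            ("G", "H"): "D", ("D", "H"): "H"}


@dataclass
class Packet:
    outer: Optional[Tuple[str, str, int, int]] = None  # (src, dst, UDP sport, UDP dport)
    labels: List[int] = field(default_factory=list)    # label stack, top first
    payload: str = "payload"


def label_of(node: str) -> int:
    return SRGB_BASE + SID_INDEX[node]


def node_of_label(label: int) -> str:
    return next(n for n, i in SID_INDEX.items() if SRGB_BASE + i == label)


def flow_entropy(pkt: Packet) -> int:
    """Entropy for the UDP source port when none can be retained from the
    incoming packet: a payload hash folded into the dynamic port range."""
    return 49152 + zlib.crc32(pkt.payload.encode()) % 16384


def process(here: str, pkt: Packet, php: bool) -> Optional[str]:
    """Forward one hop; return the next router, or None once the payload is delivered."""
    if pkt.outer is not None and NODE_OF_ADDR[pkt.outer[1]] != here:
        # Transit router on the tunnel path: plain IP forwarding of the outer packet.
        return NEXT_HOP[(here, NODE_OF_ADDR[pkt.outer[1]])]
    if here not in SR_CAPABLE:
        raise RuntimeError("%s cannot process an SR-MPLS packet" % here)
    entropy = flow_entropy(pkt)
    if pkt.outer is not None:
        entropy = pkt.outer[2]            # Section 3.2.3: re-use the incoming entropy value
        pkt.outer = None                  # strip the IP/UDP tunnel header
    if pkt.labels and pkt.labels[0] == IPV4_EXPLICIT_NULL:
        pkt.labels.pop(0)                 # explicit null exposes the payload at the egress
    if not pkt.labels:
        return None                       # domain egress: deliver the payload
    target = node_of_label(pkt.labels[0])
    if target == here:                    # non-PHP: the segment ends here
        pkt.labels.pop(0)
        if not pkt.labels:
            return None
        target = node_of_label(pkt.labels[0])
    if php:
        pkt.labels.pop(0)                 # this router is the penultimate SR hop of the segment
        if not pkt.labels:                # bottom of stack: keep the tunnel payload an MPLS packet
            pkt.labels.insert(0, IPV4_EXPLICIT_NULL)
    else:
        pkt.labels[0] = label_of(target)  # swap into the SRGB of the segment endpoint
    nh = NEXT_HOP[(here, target)]
    if nh not in SR_CAPABLE:
        # Next hop is IP-only: MPLS-in-UDP tunnel to the segment endpoint (RFC 7510).
        pkt.outer = (ADDR[here], ADDR[target], entropy, MPLS_IN_UDP_PORT)
    return nh


def walk(php: bool, path=("E", "G", "H")):
    """Send a packet from A along the explicit path; return the egress router and
    the packet leaving each SR node as (node, outer header, label stack)."""
    pkt = Packet(labels=[label_of(n) for n in path])
    here, trace = "A", []
    while True:
        nxt = process(here, pkt, php)
        if nxt is None:
            return here, trace
        if here in SR_CAPABLE:
            trace.append((here, pkt.outer, list(pkt.labels)))
        here = nxt
```

   walk(True) reproduces the three packets of Figure 3, the last of them
   carrying only an explicit null label inside the tunnel from G to H;
   walk(False) reproduces Figure 4, where each segment's label stays on
   the stack until its endpoint pops it.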
     +-----+       +-----+       +-----+       +-----+       +-----+
     |  A  +-------+  B  +-------+  C  +-------+  D  +-------+  H  |
     +-----+       +--+--+       +--+--+       +--+--+       +-----+
                      |             |             |
                      |             |             |
                   +--+--+       +--+--+       +--+--+
                   |  E  +-------+  F  +-------+  G  |
                   +-----+       +-----+       +-----+

     +--------+
     |IP(A->E)|
     +--------+                +--------+                +--------+
     |  UDP   |                |IP(E->G)|                |IP(G->H)|
     +--------+                +--------+                +--------+
     |  L(G)  |                |  UDP   |                |  UDP   |
     +--------+                +--------+                +--------+
     |  L(H)  |                |  L(H)  |                |Exp Null|
     +--------+                +--------+                +--------+
     | Packet |      --->      | Packet |      --->      | Packet |
     +--------+                +--------+                +--------+

              Figure 3: Packet Forwarding Example with PHP

   In the example shown in Figure 3, assume that routers A, E, G and H
   are SR-MPLS-capable while the remaining routers (B, C, D and F) are
   only capable of forwarding IP packets.  Routers A, E, G, and H
   advertise their Segment Routing related information, for example via
   IS-IS or OSPF.

   Now assume that router A (the Domain ingress) wants to send a packet
   to router H (the Domain egress) via the explicit path {E->G->H}.
   Router A will impose an MPLS label stack on the packet that
   corresponds to that explicit path.  Since the next hop toward router
   E is only IP-capable (B is a legacy transit node), router A replaces
   the top label (that indicated router E) with a UDP-based tunnel for
   MPLS (i.e., MPLS-over-UDP [RFC7510]) to router E and then sends the
   packet.  In other words, router A pops the top label and then
   encapsulates the MPLS packet in a UDP tunnel to router E.

   When the IP-encapsulated MPLS packet arrives at router E (which is an
   SR-MPLS-capable transit node), router E strips the IP-based tunnel
   header and then processes the decapsulated MPLS packet.  The top
   label indicates that the packet must be forwarded toward router G.
   Since the next hop toward router G is only IP-capable, router E
   replaces the current top label with an MPLS-over-UDP tunnel toward
   router G and sends it out.  That is, router E pops the top label and
   then encapsulates the MPLS packet in a UDP tunnel to router G.

   When the packet arrives at router G, router G will strip the IP-based
   tunnel header and then process the decapsulated MPLS packet.  The top
   label indicates that the packet must be forwarded toward router H.
   Since the next hop toward router H is only IP-capable (D is a legacy
   transit router), router G would replace the current top label with an
   MPLS-over-UDP tunnel toward router H and send it out.  However, since
   router G reaches the bottom of the label stack (G is the penultimate
   SR-MPLS capable node on the path) this would leave the original
   packet that router A wanted to send to router H encapsulated in UDP
   as if it was MPLS (i.e., with a UDP header and destination port
   indicating MPLS) even though the original packet could have been any
   protocol.  That is, the final SR-MPLS label has been popped, exposing
   the payload packet.

   To handle this, when a router (here it is router G) pops the final
   SR-MPLS label, it inserts an explicit null label [RFC3032] before
   encapsulating the packet in an MPLS-over-UDP tunnel toward router H
   and sending it out.  That is, router G pops the top label, discovers
   it has reached the bottom of stack, pushes an explicit null label,
   and then encapsulates the MPLS packet in a UDP tunnel to router H.

3.2.2.  Packet Forwarding without Penultimate Hop Popping

   Figure 4 demonstrates the packet walk in the case where the label
   associated with each prefix-SID advertised by the owner of the
   prefix-SID is not a Penultimate Hop Popping (PHP) label (e.g., the
   NP flag in OSPF or the P flag in ISIS associated with the prefix-SID
   is set).
   Apart from the PHP function the roles of the routers are unchanged
   from Section 3.2.1.

     +-----+       +-----+       +-----+       +-----+       +-----+
     |  A  +-------+  B  +-------+  C  +-------+  D  +-------+  H  |
     +-----+       +--+--+       +--+--+       +--+--+       +-----+
                      |             |             |
                      |             |             |
                   +--+--+       +--+--+       +--+--+
                   |  E  +-------+  F  +-------+  G  |
                   +-----+       +-----+       +-----+

     +--------+
     |IP(A->E)|
     +--------+                +--------+
     |  UDP   |                |IP(E->G)|
     +--------+                +--------+                +--------+
     |  L(E)  |                |  UDP   |                |IP(G->H)|
     +--------+                +--------+                +--------+
     |  L(G)  |                |  L(G)  |                |  UDP   |
     +--------+                +--------+                +--------+
     |  L(H)  |                |  L(H)  |                |  L(H)  |
     +--------+                +--------+                +--------+
     | Packet |      --->      | Packet |      --->      | Packet |
     +--------+                +--------+                +--------+

            Figure 4: Packet Forwarding Example without PHP

   As can be seen from the figure, the SR-MPLS label for each segment is
   left in place until the end of the segment where it is popped and the
   next instruction is processed.

3.2.3.  Additional Forwarding Procedures

   Non-MPLS Interfaces:  Although the description in the previous two
      sections is based on the use of prefix-SIDs, tunneling SR-MPLS
      packets is useful when the top label of a received SR-MPLS packet
      indicates an adjacency-SID and the adjacent node identified by
      that adjacency-SID is not capable of MPLS forwarding on that link
      but can still process SR-MPLS packets.  In this scenario the top
      label would be replaced by an IP tunnel toward that adjacent node
      and then forwarded over the corresponding link indicated by the
      adjacency-SID.

   When to use IP-based Tunnels:  The description in the previous two
      sections is based on the assumption that an MPLS-over-UDP tunnel
      is used when the nexthop towards the next segment is not
      MPLS-enabled.
      However, even in the case where the nexthop towards the next
      segment is MPLS-capable, an MPLS-over-UDP tunnel towards the next
      segment could still be used instead due to local policies.  For
      instance, in the example as described in Figure 4, assume F is now
      an SR-MPLS-capable transit node while all the other assumptions
      remain unchanged: since F is not identified by a SID in the stack
      and an MPLS-over-UDP tunnel is preferred to an MPLS LSP according
      to local policies, router E replaces the current top label with an
      MPLS-over-UDP tunnel toward router G and sends it out.  (Note that
      if an MPLS LSP was preferred, the packet would be forwarded as
      native SR-MPLS.)

   IP Header Fields:  When encapsulating an MPLS packet in UDP, the
      resulting packet is further encapsulated in IP for transmission.
      IPv4 or IPv6 may be used according to the capabilities of the
      network.  The address fields are set as described in Section 2.
      The other IP header fields (such as the ECN field [RFC6040], the
      DSCP code point [RFC2983], or IPv6 Flow Label) on each
      UDP-encapsulated segment SHOULD be configurable according to the
      operator's policy: they may be copied from the header of the
      incoming packet; they may be promoted from the header of the
      payload packet; they may be set according to instructions
      programmed to be associated with the SID; or they may be
      configured dependent on the outgoing interface and payload.  The
      TTL field setting in the encapsulating packet header is handled as
      described in [RFC7510] which refers to [RFC4023].

   Entropy and ECMP:  When encapsulating an MPLS packet with an IP
      tunnel header that is capable of encoding entropy (such as
      [RFC7510]), the corresponding entropy field (the source port in
      the case of a UDP tunnel) MAY be filled with an entropy value that
      is generated by the encapsulator to uniquely identify a flow.
      However, what constitutes a flow is locally determined by the
      encapsulator.  For instance, if the MPLS label stack contains at
      least one entropy label and the encapsulator is capable of reading
      that entropy label, the entropy label value could be directly
      copied to the source port of the UDP header.  Otherwise, the
      encapsulator may have to perform a hash on the whole label stack
      or the five-tuple of the SR-MPLS payload if the payload is
      determined to be an IP packet.  To avoid re-performing the hash or
      hunting for the entropy label each time the packet is encapsulated
      in a UDP tunnel it MAY be desirable that the entropy value
      contained in the incoming packet (i.e., the UDP source port value)
      is retained when stripping the UDP header and is re-used as the
      entropy value of the outgoing packet.

   Congestion Considerations:  Section 5 of [RFC7510] provides a
      detailed analysis of the implications of congestion in
      MPLS-over-UDP systems and builds on Section 3.1.3 of [RFC8085]
      that describes the congestion implications of UDP tunnels.  All
      of those considerations apply to SR-MPLS-over-UDP tunnels as
      described in this document.  In particular, it should be noted
      that the traffic carried in SR-MPLS flows is likely to be IP
      traffic.

4.  IANA Considerations

   This document makes no requests for IANA action.

5.  Security Considerations

   The security considerations of [RFC8354] (which redirects the reader
   to [RFC5095]) and [RFC7510] apply.  DTLS [RFC6347] SHOULD be used
   where security is needed on an SR-MPLS-over-UDP segment, including
   when the IP segment crosses the public Internet or some other
   untrusted environment.  [RFC8402] provides security considerations
   for Segment Routing, and Section 8.1 of that document is particularly
   applicable to SR-MPLS.
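   A boundary filter of the kind these considerations call for, as an
   added example in Python that is not part of this document: a packet
   carrying MPLS as the payload of a UDP tunnel is recognised at a
   network ingress by its RFC 7510 destination port (6635, or 6636 with
   DTLS), and is dropped when it arrives from outside the trusted domain
   and terminates inside it.  Because the encapsulation-capability
   advertisements of Section 3.1.1 can put a tunnel on any Dynamic
   Port, the filter also has to match every such port the IGP has
   advertised, which is what makes port filtering harder in that case.
   The datagram builder, the addresses and the trusted prefix are
   constructed for the example.

```python
"""Ingress filtering of MPLS-in-UDP (Security Considerations).

Added example, not code from the draft.  Parses raw IPv4/UDP datagrams and
returns an ingress verdict; the packets it is exercised with are built by
build_ipv4_udp() from constructed addresses.
"""
import ipaddress
import struct

RFC7510_PORTS = {6635, 6636}          # MPLS-in-UDP, MPLS-in-UDP with DTLS


def parse_ipv4_udp(datagram: bytes):
    """Return (src, dst, sport, dport, udp_payload), or None if not IPv4/UDP."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if datagram[9] != 17 or ihl < 20 or total_len > len(datagram) or total_len < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(datagram[12:16]))
    dst = str(ipaddress.IPv4Address(datagram[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", datagram[ihl:ihl + 6])
    if ulen < 8 or ihl + ulen > total_len:
        return None
    return src, dst, sport, dport, datagram[ihl + 8:ihl + ulen]


def ingress_verdict(datagram: bytes, trusted: str, local: str,
                    advertised_ports=frozenset()) -> str:
    """'drop' an MPLS-in-UDP packet from outside the trusted prefix that
    terminates in the local prefix; everything else is 'forward'."""
    parsed = parse_ipv4_udp(datagram)
    if parsed is None:
        return "forward"
    src, dst, _sport, dport, _payload = parsed
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(local):
        return "forward"        # transit: no different risk than any other traffic
    if ipaddress.ip_address(src) in ipaddress.ip_network(trusted):
        return "forward"        # intra-domain SR-MPLS-over-UDP segment
    if dport in RFC7510_PORTS or dport in advertised_ports:
        return "drop"           # MPLS smuggled in from outside as a UDP payload
    return "forward"


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test datagram: IPv4 header with a valid checksum, UDP header
    with a zero checksum (allowed for MPLS-in-UDP over IPv4 by RFC 7510)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def mpls_label_stack(*labels: int) -> bytes:
    """Label stack entries (RFC 3032): 20-bit label, TC 0, S bit on the last, TTL 64."""
    return b"".join(struct.pack("!I", (label << 12) | ((i == len(labels) - 1) << 8) | 64)
                    for i, label in enumerate(labels))
```

   A packet from 203.0.113.10 to a local address on port 6635 is
   dropped, the same packet from an address inside the trusted prefix is
   forwarded, and a packet to a Dynamic Port such as 50000 is only
   dropped once that port is in the advertised set.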
   It is difficult for an attacker to pass a raw MPLS encoded packet
   into a network and operators have considerable experience at
   excluding such packets at the network boundaries, for example by
   excluding all packets that are revealed to be carrying an MPLS packet
   as the payload of IP tunnels.  Further discussion of MPLS security is
   found in [RFC5920].

   It is easy for a network ingress node to detect any attempt to
   smuggle an IP packet into the network since it would see that the UDP
   destination port was set to MPLS, and such filtering SHOULD be
   applied.  If, however, the Dynamic Port mechanisms of
   [I-D.ietf-isis-encapsulation-cap] or
   [I-D.ietf-ospf-encapsulation-cap] (see Section 3.1.1) are applied, a
   wider variety of UDP port numbers might be in use, making port
   filtering harder.

   SR packets not having a destination address terminating in the
   network would be transparently carried and would pose no different
   security risk to the network under consideration than any other
   traffic.

   Where control plane techniques are used (as described in Section 3),
   it is important that these protocols are adequately secured for the
   environment in which they are run as discussed in [RFC6862] and
   [RFC5920].

6.  Contributors

   Ahmed Bashandy
   Individual
   Email: abashandy.ietf@gmail.com

   Clarence Filsfils
   Cisco
   Email: cfilsfil@cisco.com

   John Drake
   Juniper
   Email: jdrake@juniper.net

   Shaowen Ma
   Mellanox Technologies
   Email: mashaowen@gmail.com

   Mach Chen
   Huawei
   Email: mach.chen@huawei.com

   Hamid Assarpour
   Broadcom
   Email: hamid.assarpour@broadcom.com

   Robert Raszuk
   Bloomberg LP
   Email: robert@raszuk.net

   Uma Chunduri
   Huawei
   Email: uma.chunduri@gmail.com

   Luis M. Contreras
   Telefonica I+D
   Email: luismiguel.contrerasmurillo@telefonica.com

   Luay Jalil
   Verizon
   Email: luay.jalil@verizon.com

   Gunter Van De Velde
   Nokia
   Email: gunter.van_de_velde@nokia.com

   Tal Mizrahi
   Marvell
   Email: talmi@marvell.com

   Jeff Tantsura
   Individual
   Email: jefftant@gmail.com

7.  Acknowledgements

   Thanks to Joel Halpern, Bruno Decraene, Loa Andersson, Ron Bonica,
   Eric Rosen, Jim Guichard, Gunter Van De Velde, Andy Malis, Robert
   Sparks, and Al Morton for their insightful comments on this draft.

   Additional thanks to Mirja Kuehlewind, Alvaro Retana, Spencer
   Dawkins, Benjamin Kaduk, Martin Vigoureux, Suresh Krishnan, and Eric
   Vyncke for careful reviews and resulting comments.

8.  References

8.1.  Normative References

   [I-D.ietf-spring-segment-routing-mpls]
              Bashandy, A., Filsfils, C., Previdi, S., Decraene, B.,
              Litkowski, S., and R. Shakir, "Segment Routing with MPLS
              data plane", draft-ietf-spring-segment-routing-mpls-22
              (work in progress), May 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3031]  Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol
              Label Switching Architecture", RFC 3031,
              DOI 10.17487/RFC3031, January 2001.

   [RFC3032]  Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y.,
              Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack
              Encoding", RFC 3032, DOI 10.17487/RFC3032, January 2001.

   [RFC4023]  Worster, T., Rekhter, Y., and E. Rosen, Ed.,
              "Encapsulating MPLS in IP or Generic Routing Encapsulation
              (GRE)", RFC 4023, DOI 10.17487/RFC4023, March 2005.

   [RFC5095]  Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
              of Type 0 Routing Headers in IPv6", RFC 5095,
              DOI 10.17487/RFC5095, December 2007.
696 [RFC6040] Briscoe, B., "Tunnelling of Explicit Congestion 697 Notification", RFC 6040, DOI 10.17487/RFC6040, November 698 2010, . 700 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 701 Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, 702 January 2012, . 704 [RFC7510] Xu, X., Sheth, N., Yong, L., Callon, R., and D. Black, 705 "Encapsulating MPLS in UDP", RFC 7510, 706 DOI 10.17487/RFC7510, April 2015, 707 . 709 [RFC7684] Psenak, P., Gredler, H., Shakir, R., Henderickx, W., 710 Tantsura, J., and A. Lindem, "OSPFv2 Prefix/Link Attribute 711 Advertisement", RFC 7684, DOI 10.17487/RFC7684, November 712 2015, . 714 [RFC7794] Ginsberg, L., Ed., Decraene, B., Previdi, S., Xu, X., and 715 U. Chunduri, "IS-IS Prefix Attributes for Extended IPv4 716 and IPv6 Reachability", RFC 7794, DOI 10.17487/RFC7794, 717 March 2016, . 719 [RFC7981] Ginsberg, L., Previdi, S., and M. Chen, "IS-IS Extensions 720 for Advertising Router Information", RFC 7981, 721 DOI 10.17487/RFC7981, October 2016, 722 . 724 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 725 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 726 May 2017, . 728 [RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L., 729 Decraene, B., Litkowski, S., and R. Shakir, "Segment 730 Routing Architecture", RFC 8402, DOI 10.17487/RFC8402, 731 July 2018, . 733 8.2. Informative References 735 [I-D.ietf-6man-segment-routing-header] 736 Filsfils, C., Dukes, D., Previdi, S., Leddy, J., 737 Matsushima, S., and d. daniel.voyer@bell.ca, "IPv6 Segment 738 Routing Header (SRH)", draft-ietf-6man-segment-routing- 739 header-21 (work in progress), June 2019. 741 [I-D.ietf-bess-datacenter-gateway] 742 Farrel, A., Drake, J., Rosen, E., Patel, K., and L. Jalil, 743 "Gateway Auto-Discovery and Route Advertisement for 744 Segment Routing Enabled Domain Interconnection", draft- 745 ietf-bess-datacenter-gateway-02 (work in progress), 746 February 2019. 
748 [I-D.ietf-isis-encapsulation-cap] 749 Xu, X., Decraene, B., Raszuk, R., Chunduri, U., Contreras, 750 L., and L. Jalil, "Advertising Tunnelling Capability in 751 IS-IS", draft-ietf-isis-encapsulation-cap-01 (work in 752 progress), April 2017. 754 [I-D.ietf-isis-segment-routing-extensions] 755 Previdi, S., Ginsberg, L., Filsfils, C., Bashandy, A., 756 Gredler, H., and B. Decraene, "IS-IS Extensions for 757 Segment Routing", draft-ietf-isis-segment-routing- 758 extensions-25 (work in progress), May 2019. 760 [I-D.ietf-mpls-spring-entropy-label] 761 Kini, S., Kompella, K., Sivabalan, S., Litkowski, S., 762 Shakir, R., and J. Tantsura, "Entropy label for SPRING 763 tunnels", draft-ietf-mpls-spring-entropy-label-12 (work in 764 progress), July 2018. 766 [I-D.ietf-ospf-encapsulation-cap] 767 Xu, X., Decraene, B., Raszuk, R., Contreras, L., and L. 768 Jalil, "The Tunnel Encapsulations OSPF Router 769 Information", draft-ietf-ospf-encapsulation-cap-09 (work 770 in progress), October 2017. 772 [I-D.ietf-ospf-segment-routing-extensions] 773 Psenak, P., Previdi, S., Filsfils, C., Gredler, H., 774 Shakir, R., Henderickx, W., and J. Tantsura, "OSPF 775 Extensions for Segment Routing", draft-ietf-ospf-segment- 776 routing-extensions-27 (work in progress), December 2018. 778 [RFC2983] Black, D., "Differentiated Services and Tunnels", 779 RFC 2983, DOI 10.17487/RFC2983, October 2000, 780 . 782 [RFC5920] Fang, L., Ed., "Security Framework for MPLS and GMPLS 783 Networks", RFC 5920, DOI 10.17487/RFC5920, July 2010, 784 . 786 [RFC6790] Kompella, K., Drake, J., Amante, S., Henderickx, W., and 787 L. Yong, "The Use of Entropy Labels in MPLS Forwarding", 788 RFC 6790, DOI 10.17487/RFC6790, November 2012, 789 . 791 [RFC6862] Lebovitz, G., Bhatia, M., and B. Weis, "Keying and 792 Authentication for Routing Protocols (KARP) Overview, 793 Threats, and Requirements", RFC 6862, 794 DOI 10.17487/RFC6862, March 2013, 795 . 797 [RFC8085] Eggert, L., Fairhurst, G., and G. 
Shepherd, "UDP Usage 798 Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, 799 March 2017, . 801 [RFC8354] Brzozowski, J., Leddy, J., Filsfils, C., Maglione, R., 802 Ed., and M. Townsley, "Use Cases for IPv6 Source Packet 803 Routing in Networking (SPRING)", RFC 8354, 804 DOI 10.17487/RFC8354, March 2018, 805 . 807 Authors' Addresses 809 Xiaohu Xu 810 Alibaba, Inc 812 Email: xiaohu.xxh@alibaba-inc.com 814 Stewart Bryant 815 Huawei 817 Email: stewart.bryant@gmail.com 819 Adrian Farrel 820 Old Dog Consulting 822 Email: adrian@olddog.co.uk 824 Syed Hassan 825 Cisco 827 Email: shassan@cisco.com 829 Wim Henderickx 830 Nokia 832 Email: wim.henderickx@nokia.com 834 Zhenbin Li 835 Huawei 837 Email: lizhenbin@huawei.com
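The boundary check recommended in the Security Considerations (drop packets arriving from outside that are revealed to carry an MPLS packet as the payload of an IP tunnel, in particular MPLS-in-UDP identified by its UDP destination port) is written out below as an added example. It is not code from the draft or from any router implementation. The constants it uses come from the cited RFCs rather than from this document: UDP ports 6635 and 6636 (MPLS-in-UDP, with and without DTLS, from RFC 7510), IP protocol 137 and GRE protocol types 0x8847/0x8848 (MPLS-in-IP and MPLS-in-GRE, from RFC 4023). The sample packets are constructed inline, and the optional extra_udp_ports set stands in for ports learned from the encapsulation capability advertisements the text mentions, which is exactly the case that makes a fixed port filter insufficient.

```python
"""Illustrative network-boundary filter for MPLS carried inside IP tunnels.

Added example, not part of draft-ietf-mpls-sr-over-ip.  Numbers used:
  UDP dst 6635 / 6636   MPLS-in-UDP, MPLS-in-UDP with DTLS   (RFC 7510)
  IP protocol 137       MPLS-in-IP                           (RFC 4023)
  GRE type 0x8847/8848  MPLS unicast / multicast in GRE      (RFC 4023)
"""
import socket
import struct
from typing import Dict, FrozenSet, Optional

IPPROTO_UDP = 17
IPPROTO_GRE = 47
IPPROTO_MPLS_IN_IP = 137
MPLS_IN_UDP_PORTS = frozenset({6635, 6636})
GRE_MPLS_TYPES = frozenset({0x8847, 0x8848})


def classify(pkt: bytes, extra_udp_ports: FrozenSet[int] = frozenset()) -> Optional[str]:
    """Return a drop reason if a raw IPv4 packet carries MPLS in an IP tunnel, else None.

    extra_udp_ports covers additional encapsulation ports an operator has
    learned (e.g. from IGP encapsulation capability advertisements); without
    them only the fixed RFC 7510 ports are recognised.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # not a complete IPv4 header
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None                      # malformed header length
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_MPLS_IN_IP:
        return "mpls-in-ip (proto 137)"
    if proto == IPPROTO_UDP and len(payload) >= 8:
        _sport, dport = struct.unpack("!HH", payload[:4])
        if dport in MPLS_IN_UDP_PORTS or dport in extra_udp_ports:
            return f"mpls-in-udp (dst port {dport})"
    if proto == IPPROTO_GRE and len(payload) >= 4:
        _flags, ptype = struct.unpack("!HH", payload[:4])
        if ptype in GRE_MPLS_TYPES:
            return f"mpls-in-gre (protocol type 0x{ptype:04x})"
    return None


# --- constructed sample packets (documentation addresses, zero checksums) ---

def ipv4(proto: int, payload: bytes, src: str = "192.0.2.1", dst: str = "198.51.100.1") -> bytes:
    """Minimal IPv4 header (IHL 5, checksum left 0: the filter never verifies it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# One MPLS label stack entry: label 16, TC 0, bottom-of-stack, TTL 64 (RFC 3032 layout).
MPLS_LSE = struct.pack("!I", (16 << 12) | (1 << 8) | 64)

SAMPLES: Dict[str, bytes] = {
    "mpls_in_udp":      ipv4(IPPROTO_UDP, udp(49152, 6635, MPLS_LSE)),
    "mpls_in_udp_dtls": ipv4(IPPROTO_UDP, udp(49152, 6636, b"\x16\xfe\xfd")),  # DTLS record start
    "plain_dns":        ipv4(IPPROTO_UDP, udp(49152, 53, b"\x00" * 12)),
    "mpls_in_ip":       ipv4(IPPROTO_MPLS_IN_IP, MPLS_LSE),
    "mpls_in_gre":      ipv4(IPPROTO_GRE, struct.pack("!HH", 0, 0x8847) + MPLS_LSE),
    "udp_alt_port":     ipv4(IPPROTO_UDP, udp(49152, 40000, MPLS_LSE)),  # non-default encap port
}


def audit(samples: Dict[str, bytes], extra_udp_ports: FrozenSet[int] = frozenset()) -> Dict[str, str]:
    """Map each sample the boundary filter would drop to its reason."""
    result = {}
    for name, pkt in samples.items():
        reason = classify(pkt, extra_udp_ports)
        if reason is not None:
            result[name] = reason
    return result


if __name__ == "__main__":
    for name, reason in audit(SAMPLES).items():
        print(f"DROP {name}: {reason}")
    print("with advertised port 40000:", audit(SAMPLES, frozenset({40000})))
```

Run as is, the audit drops the four tunnelled-MPLS samples and passes the DNS packet; udp_alt_port passes too, which is the point made in the text: once encapsulation ports are negotiated dynamically, the boundary filter has to learn those ports (the extra_udp_ports argument) or it silently misses them.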