idnits 2.17.00 (12 Aug 2021) /tmp/idnits11574/draft-ietf-teas-rsvp-ingress-protection-17.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: The backup ingress may be off-path or on-path of an LSP. If a backup ingress is not any node of the LSP, it is off-path. If a backup ingress is a next-hop of the primary ingress of the LSP, it is on-path. When a backup ingress for protecting the primary ingress is configured, the backup ingress MUST not be on the LSP except for it is the next hop of the primary ingress. If it is on-path, the primary forwarding state associated with the primary LSP SHOULD be clearly separated from the backup LSP(s) state. -- The document date (March 18, 2018) is 1518 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Missing Reference: 'Ib' is mentioned on line 189, but not defined == Missing Reference: 'L3' is mentioned on line 189, but not defined == Missing Reference: 'RFC2205' is mentioned on line 364, but not defined == Missing Reference: 'RFC3936' is mentioned on line 365, but not defined == Unused Reference: 'RFC2119' is defined on line 1109, but no explicit reference was found in the text == Unused Reference: 'RFC3031' is defined on line 1114, but no explicit reference was found in the text == Unused Reference: 'RFC3209' is defined on line 1119, but no explicit reference was found in the text == Unused Reference: 'RFC4875' is defined on line 1129, but no explicit reference was found in the text == Unused Reference: 'RFC6378' is defined on line 1138, but no explicit reference was found in the text Summary: 0 errors (**), 0 flaws (~~), 12 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force H. Chen, Ed. 3 Internet-Draft Huawei Technologies 4 Intended status: Experimental R. Torvi, Ed. 5 Expires: September 19, 2018 Juniper Networks 6 March 18, 2018 8 Extensions to RSVP-TE for LSP Ingress FRR Protection 9 draft-ietf-teas-rsvp-ingress-protection-17.txt 11 Abstract 13 This document describes extensions to Resource Reservation Protocol - 14 Traffic Engineering (RSVP-TE) for locally protecting the ingress node 15 of a Point-to-Point (P2P) or Point-to-Multipoint (P2MP) Traffic 16 Engineered (TE) Label Switched Path (LSP). It extends the fast- 17 reroute (FRR) protection for transit nodes of an LSP to the ingress 18 node of the LSP. The procedures described in this document are 19 experimental. 21 Status of this Memo 23 This Internet-Draft is submitted to IETF in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on September 19, 2018. 38 Copyright Notice 40 Copyright (c) 2018 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 1.1. Ingress Local Protection Example . . . . . . . . . . . . . 4 57 1.2. Ingress Local Protection Overview . . . . . . . . . . . . 5 58 2. Ingress Failure Detection . . . . . . . . . . . . . . . . . . 6 59 2.1. Source Detects Failure . . . . . . . . . . . . . . . . . . 6 60 2.2. Backup and Source Detect Failure . . . . . . . . . . . . . 7 61 3. Backup Forwarding State . . . . . . . . . . . . . . . . . . . 7 62 3.1. Forwarding State for Backup LSP . . . . . . . . . . . . . 8 63 4. Protocol Extensions . . . . . . . . . . . . . . . . . . . . . 8 64 4.1. INGRESS_PROTECTION Object . . . . . . . . . . . . . . . . 8 65 4.1.1. Class Number and Class Type . . . . . . . . . . . . . 9 66 4.1.2. Object Format . . . . . . . . . . . . . . . . . . . . 9 67 4.1.3. Subobject: Backup Ingress IPv4 Address . . . . . . . . 10 68 4.1.4. Subobject: Backup Ingress IPv6 Address . . . . . . . . 11 69 4.1.5. Subobject: Ingress IPv4 Address . . . . . . . . . . . 11 70 4.1.6. Subobject: Ingress IPv6 Address . . . . . . . . . . . 12 71 4.1.7. Subobject: Traffic Descriptor . . . . . . . . . . . . 12 72 4.1.8. Subobject: Label-Routes . . . . . . . . . . . . . . . 13 73 5. Behavior of Ingress Protection . . . . . . . . . . . . . . . . 13 74 5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 13 75 5.1.1. Relay-Message Method . . . . . . . . . . . . . . . . . 13 76 5.1.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 14 77 5.2. Ingress Behavior . . . . . . . . . . . . . . . . . . . . . 15 78 5.2.1. Relay-Message Method . . . . . . . . . . . . . . . . . 16 79 5.2.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 16 80 5.3. Backup Ingress Behavior . . . . . . . . . . . . . . . . . 18 81 5.3.1. Backup Ingress Behavior in Off-path Case . . . . . . . 18 82 5.3.2. Backup Ingress Behavior in On-path Case . . . . . . . 20 83 5.3.3. Failure Detection and Refresh PATH Messages . . . . . 21 84 5.4. Revertive Behavior . . . . . . . . . . . . . . . . . . . . 21 85 5.4.1. Revert to Primary Ingress . . . . . . . . . . . . . . 22 86 5.4.2. Global Repair by Backup Ingress . . . . . . . . . . . 22 87 6. Security Considerations . . . . . . . . . . . . . . . . . . . 22 88 7. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 22 89 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 90 9. Co-authors and Contributors . . . . . . . . . . . . . . . . . 23 91 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 25 92 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 93 11.1. Normative References . . . . . . . . . . . . . . . . . . . 25 94 11.2. Informative References . . . . . . . . . . . . . . . . . . 26 95 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26 97 1. Introduction 99 For a MPLS TE LSP, protecting the failures of its transit nodes using 100 fast-reroute (FRR) is covered in RFC 4090 for P2P LSP and RFC 4875 101 for P2MP LSP. However, protecting the failure of its ingress node 102 using FRR is not covered in either RFC 4090 or RFC 4875. The MPLS 103 Transport Profile (MPLS-TP) Linear Protection described in RFC 6378 104 can provide a protection against the failure of any transit node of a 105 LSP between the ingress node and the egress node of the LSP, but 106 cannot protect against the failure of the ingress node. 108 To protect against the failure of the (primary) ingress node of a 109 primary end to end P2MP (or P2P) TE LSP, a typical existing solution 110 is to set up a secondary backup end to end P2MP (or P2P) TE LSP. The 111 backup LSP is from a backup ingress node to backup egress nodes (or 112 node). The backup ingress node is different from the primary ingress 113 node. The backup egress nodes (or node) are (or is) different from 114 the primary egress nodes (or node) of the primary LSP. For a P2MP TE 115 LSP, on each of the primary (and backup) egress nodes, a P2P LSP is 116 created from the egress node to its primary (backup) ingress node and 117 configured with BFD. This is used to detect the failure of the 118 primary (backup) ingress node for the receiver to switch to the 119 backup (or primary) egress node to receive the traffic after the 120 primary (or backup) ingress node fails when both the primary LSP and 121 the secondary LSP carry the traffic. In addition, FRR may be used to 122 provide protections against the failures of the transit nodes and the 123 links of the primary and secondary end to end TE LSPs. 125 There are a number of issues in this solution: 127 o It consumes lots of network resources. Double states need to be 128 maintained in the network since two end to end TE LSPs are 129 created. Double link bandwidth is reserved and used when both the 130 primary and the secondary end to end TE LSPs carry the traffic at 131 the same time. 133 o More operations are needed, which include the configuration of two 134 end to end TE LSPs and BFDs from each of the egress nodes to its 135 corresponding ingress node. 137 o The detection of the failure of the ingress node may not be 138 reliable. Any failure on the path of the BFD from an egress node 139 to an ingress node may cause the BFD to indicate the failure of 140 the ingress node. 142 o The speed of protection against the failure of the ingress node 143 may be slow. 145 This specification defines a simple extension to RSVP-TE for local 146 protection (FRR) of the ingress node of a P2MP or P2P LSP to resolve 147 these issues. Ingress local protection and ingress FRR protection 148 will be used exchangeably. 150 Note that this document is experimental. Two different approaches 151 are proposed to transfer the information for ingress protection. 152 They both use the same new INGRESS_PROTECTION object, which is sent 153 in both PATH and RESV messages between a primary ingress and a backup 154 ingress. One approach is Relay-Message Method (refer to section 155 5.1.1 and 5.2.1), the other is Proxy-Ingress Method (refer to section 156 5.1.2 and 5.2.2). Each of them has its advantages and disadvantages. 157 It is hard to decide which one is used as a standard approach now. 158 It is expected that the experiment on the ingress local protection 159 with these two approaches provides quantities to help choose one. 160 The quantities include the numbers on control traffic, states, codes 161 and operations. After one approach is selected, the document will be 162 revised to reflect that selection and any other items learned from 163 the experiment. The revised document is expected to be submitted for 164 publication on the standards track. 166 1.1. Ingress Local Protection Example 168 Figure 1 shows an example of using a backup P2MP LSP to locally 169 protect the ingress of a primary P2MP LSP, which is from ingress Ia 170 to three egresses: L1, L2 and L3. The backup LSP is from backup 171 ingress Ib to the next hops R2 and R4 of ingress Ia. 173 ******* ******* S Source 174 [R2]-----[R3]-----[L1] Ix Ingress 175 */ & Rx Transit 176 */ & Lx Egress 177 */ & *** Primary LSP 178 */ & &&& Backup LSP across 179 */ & logical hop 180 */ & 181 */ ******** ******** ******* 182 [S]---[Ia]--------[R4]------[R5]-----[L2] 183 \ | & & *\ 184 \ | & & *\ 185 \ | & & *\ 186 \ | & & *\ 187 \ | & & *\ 188 \ |& & *\ 189 [Ib]&&& [L3] 191 Figure 1: Ingress Local Protection 193 In normal operations, source S sends the traffic to primary ingress 194 Ia. Ia imports the traffic into the primary LSP. 196 When source S detects the failure of Ia, it switches the traffic to 197 backup ingress Ib, which imports the traffic from S into the backup 198 LSP to Ia's next hops R2 and R4, where the traffic is merged into the 199 primary LSP, and then sent to egresses L1, L2 and L3. 201 Note that the backup ingress is one logical hop away from the 202 ingress. A logical hop is a direct link or a tunnel such as a GRE 203 tunnel, over which RSVP-TE messages may be exchanged. 205 1.2. Ingress Local Protection Overview 207 There are four parts in ingress local protection: 209 o Setting up the necessary backup LSP forwarding state based on the 210 information received for ingress local protection; 212 o Detecting the primary ingress failure and providing the fast 213 repair (as discussed in Sections 2 and 3); 215 o Maintaining the RSVP-TE control plane state until a global repair 216 is done; and 218 o Performing the global repair(see Section 5.4.2). 220 The primary ingress of a primary LSP sends the backup ingress the 221 information for ingress protection in a PATH message with a new 222 INGRESS_PROTECTION object. The backup ingress sets up the backup 223 LSP(s) and forwarding state after receiving the necessary information 224 for ingress protection. And then it sends the primary ingress the 225 status of ingress protection in a RESV message with a new 226 INGRESS_PROTECTION object. 228 When the primary ingress fails, the backup ingress sends or refreshes 229 the next hops of the primary ingress the PATH messages without any 230 INGRESS_PROTECTION object after verifying the failure. Thus the 231 RSVP-TE control plane state of the primary LSP is maintained. 233 2. Ingress Failure Detection 235 Exactly how to detect the failure of the ingress is out of scope. 236 However, it is necessary to discuss different modes for detecting the 237 failure because they determine what is the required behavior for the 238 source and backup ingress. 240 2.1. Source Detects Failure 242 Source Detects Failure or Source-Detect for short means that the 243 source is responsible for fast detecting the failure of the primary 244 ingress of an LSP. Fast detecting the failure means detecting the 245 failure in a few or tens of milliseconds. The backup ingress is 246 ready to import the traffic from the source into the backup LSP(s) 247 after the backup LSP(s) is up. 249 In normal operations, the source sends the traffic to the primary 250 ingress. When the source detects the failure of the primary ingress, 251 it switches the traffic to the backup ingress, which delivers the 252 traffic to the next hops of the primary ingress through the backup 253 LSP(s), where the traffic is merged into the primary LSP. 255 For an LSP, after the primary ingress fails, the backup ingress MUST 256 use a method to verify the failure of the primary ingress before the 257 PATH message for the LSP expires at the next hop of the primary 258 ingress. After verifying the failure, the backup ingress sends/ 259 refreshes the PATH message to the next hop through the backup LSP as 260 needed. The method may verify the failure of the primary ingress 261 slowly such as in seconds. 263 After the primary ingress fails, it will not be reachable after 264 routing convergence. Thus checking whether the primary ingress 265 (address) is reachable is a possible method. 267 When the previously failed primary ingress of a primary LSP becomes 268 available again and the primary LSP has recovered from its primary 269 ingress, the source may switch the traffic to the primary ingress 270 from the backup ingress. A operator may control the traffic switch 271 through using a command on the source node after seeing that the 272 primary LSP has recovered. 274 2.2. Backup and Source Detect Failure 276 Backup and Source Detect Failure or Backup-Source-Detect for short 277 means that both the backup ingress and the source are concurrently 278 responsible for fast detecting the failure of the primary ingress. 280 Note that one of the differences between Source-Detect and Backup- 281 Source-Detect is: in the former, the backup ingress verifies the 282 failure of the primary ingress slowly such as in seconds; in the 283 latter, the backup ingress detects the failure fast such as in a few 284 or tens of milliseconds. 286 In normal operations, the source sends the traffic to the primary 287 ingress. It switches the traffic to the backup ingress when it 288 detects the failure of the primary ingress. 290 The backup ingress does not import any traffic from the source into 291 the backup LSP in normal operations. When it detects the failure of 292 the primary ingress, it imports the traffic from the source into the 293 backup LSP to the next hops of the primary ingress, where the traffic 294 is merged into the primary LSP. 296 The source-detect is preferred. It is simpler than the backup- 297 source-detect, which needs both the source and the backup ingress 298 detect the ingress failure quickly. 300 3. Backup Forwarding State 302 Before the primary ingress fails, the backup ingress is responsible 303 for creating the necessary backup LSPs. These LSPs might be multiple 304 bypass P2P LSPs that avoid the ingress. Alternately, the backup 305 ingress could choose to use a single backup P2MP LSP as a bypass or 306 detour to protect the primary ingress of a primary P2MP LSP. 308 The backup ingress may be off-path or on-path of an LSP. If a backup 309 ingress is not any node of the LSP, it is off-path. If a backup 310 ingress is a next-hop of the primary ingress of the LSP, it is on- 311 path. When a backup ingress for protecting the primary ingress is 312 configured, the backup ingress MUST not be on the LSP except for it 313 is the next hop of the primary ingress. If it is on-path, the 314 primary forwarding state associated with the primary LSP SHOULD be 315 clearly separated from the backup LSP(s) state. 317 3.1. Forwarding State for Backup LSP 319 A forwarding entry for a backup LSP is created on the backup ingress 320 after the LSP is set up. Depending on the failure-detection mode 321 (e.g., source-detect), it may be used to forward received traffic or 322 simply be inactive (e.g., backup-source-detect) until required. In 323 either case, when the primary ingress fails, this entry is used to 324 import the traffic into the backup LSP to the next hops of the 325 primary ingress, where the traffic is merged into the primary LSP. 327 The forwarding entry for a backup LSP is a local implementation 328 issue. In one device, it may have an inactive flag. This inactive 329 forwarding entry is not used to forward any traffic normally. When 330 the primary ingress fails, it is changed to active, and thus the 331 traffic from the source is imported into the backup LSP. 333 4. Protocol Extensions 335 A new object INGRESS_PROTECTION is defined for signaling ingress 336 local protection. The primary ingress of a primary LSP sends the 337 backup ingress this object in a PATH message. In this case, the 338 object contains the information needed to set up ingress protection. 339 The information includes: 341 o Backup ingress IP address indicating the backup ingress, 343 o Traffic Descriptor describing the traffic that the primary LSP 344 transports, this traffic is imported into the backup LSP(s) on the 345 backup ingress when the primary ingress fails, 347 o Label and Routes indicating the first hops of the primary LSP, 348 each of which is paired with its label, and 350 o Desire options on ingress protection such as P2MP option 351 indicating a desire to use a backup P2MP LSP to protect the 352 primary ingress of a primary P2MP LSP. 354 The backup ingress sends the primary ingress this object in a RESV 355 message. In this case, the object contains the information about the 356 status on the ingress protection. 358 4.1. INGRESS_PROTECTION Object 359 4.1.1. Class Number and Class Type 361 The Class Number for the INGRESS_PROTECTION object MUST be of the 362 form 0bbbbbbb to enable implementations that do not recognize the 363 object to reject the entire message and return an "Unknown Object 364 Class" error [RFC2205]. It is suggested that a Class Number value 365 from the Private Use range (124-127) [RFC3936] specified for the 366 0bbbbbbb octet be chosen for this experiment. It is also suggested 367 that a Class Type value of 1 be used for this object in this 368 experiment. 370 The INGRESS_PROTECTION object with the FAST_REROUTE object in a PATH 371 message is used to control the backup for protecting the primary 372 ingress of a primary LSP. The primary ingress MUST insert this 373 object into the PATH message to be sent to the backup ingress for 374 protecting the primary ingress. 376 4.1.2. Object Format 378 The INGRESS_PROTECTION object has the following format: 380 0 1 2 3 381 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 382 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 383 | Length (bytes) | Class-Num | C-Type | 384 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 385 | Reserved (zero) | NUB | Flags | Options | 386 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 387 ~ (Subobjects) ~ 388 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 389 NUB Number of Unprotected Branches 390 Flags 391 0x01 Ingress local protection available 392 0x02 Ingress local protection in use 393 0x04 Bandwidth protection 395 Options 396 0x01 Revert to Ingress 397 0x02 P2MP Backup 399 For protecting the ingress of a P2MP LSP, if the backup ingress 400 doesn't have a backup LSP to each of the next hops of the primary 401 ingress, it SHOULD clear "Ingress local protection available" and set 402 NUB to the number of the next hops to which there is no backup LSP. 404 The flags are used to communicate status information from the backup 405 ingress to the primary ingress. 407 o Ingress local protection available: The backup ingress MUST set 408 this flag after backup LSPs are up and ready for locally 409 protecting the primary ingress. The backup ingress sends this to 410 the primary ingress to indicate that the primary ingress is 411 locally protected. 413 o Ingress local protection in use: The backup ingress MUST set this 414 flag when it detects a failure in the primary ingress and actively 415 redirects the traffic into the backup LSPs. The backup ingress 416 records this flag and does not send any RESV message with this 417 flag to the primary ingress since the primary ingress is down. 419 o Bandwidth protection: The backup ingress MUST set this flag if the 420 backup LSPs guarantee to provide desired bandwidth for the 421 protected LSP against the primary ingress failure. 423 The options are used by the primary ingress to specify the desired 424 behavior to the backup ingress. 426 o Revert to Ingress: The primary ingress sets this option indicating 427 that the traffic for the primary LSP successfully re-signaled will 428 be switched back to the primary ingress from the backup ingress 429 when the primary ingress is restored. 431 o P2MP Backup: This option is set to ask for the backup ingress to 432 use backup P2MP LSP to protect the primary ingress. 434 The INGRESS_PROTECTION object may contain some subobjects of 435 following format: 437 0 1 2 3 438 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 439 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 440 | Type | Length |Reserved (zero)| 441 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 442 | Contents/Body of subobject | 443 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 445 where Type is the type of a subobject, Length is the total size of 446 the subobject in bytes, including Type, Length and Contents fields. 448 4.1.3. Subobject: Backup Ingress IPv4 Address 450 When the primary ingress of a protected LSP sends a PATH message with 451 an INGRESS_PROTECTION object to the backup ingress, the object MUST 452 have a Backup Ingress IPv4 Address subobject containing an IPv4 453 address belonging to the backup ingress if IPv4 is used. The Type of 454 the subobject is 1, and the body of the subobject is given below: 456 0 1 2 3 457 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 458 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 459 | Backup ingress IPv4 address (4 bytes) | 460 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 462 Backup ingress IPv4 address: An IPv4 host address of backup ingress 464 4.1.4. Subobject: Backup Ingress IPv6 Address 466 When the primary ingress of a protected LSP sends a PATH message with 467 an INGRESS_PROTECTION object to the backup ingress, the object MUST 468 have a Backup Ingress IPv6 Address subobject containing an IPv6 469 address belonging to the backup ingress if IPv6 is used. The Type of 470 the subobject is 2, the body of the subobject is given below: 472 0 1 2 3 473 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 474 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 475 | Backup ingress IPv6 address (16 bytes) | 476 ~ ~ 477 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 479 Backup ingress IPv6 address: An IPv6 host address of backup ingress 481 4.1.5. Subobject: Ingress IPv4 Address 483 The INGRESS_PROTECTION object may have an Ingress IPv4 Address 484 subobject containing an IPv4 address belonging to the primary ingress 485 if IPv4 is used. The Type of the subobject is 3. The subobject has 486 the following body: 488 0 1 2 3 489 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 490 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 491 | Ingress IPv4 address (4 bytes) | 492 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 494 Ingress IPv4 address: An IPv4 host address of ingress 496 4.1.6. Subobject: Ingress IPv6 Address 498 The INGRESS_PROTECTION object may have an Ingress IPv6 Address 499 subobject containing an IPv6 address belonging to the primary ingress 500 if IPv6 is used. The Type of the subobject is 4. The subobject has 501 the following body: 503 0 1 2 3 504 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 505 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 506 | Ingress IPv6 address (16 bytes) | 507 ~ ~ 508 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 510 Ingress IPv6 address: An IPv6 host address of ingress 512 4.1.7. Subobject: Traffic Descriptor 514 The INGRESS_PROTECTION object may have a Traffic Descriptor subobject 515 describing the traffic to be mapped to the backup LSP on the backup 516 ingress for locally protecting the primary ingress. The subobject 517 types for Interface, IPv4 Prefix, IPv6 Prefix and Application 518 Identifier are 5, 6, 7 and 8 respectively. The subobject has the 519 following body: 521 0 1 2 3 522 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 523 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 524 | Traffic Element 1 | 525 ~ ~ 526 | Traffic Element n | 527 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 529 The Traffic Descriptor subobject may contain multiple Traffic 530 Elements of same type as follows: 532 o Interface Traffic: Each of the Traffic Elements is a 32 bit index 533 of an interface, from which the traffic is imported into the 534 backup LSP. 536 o IPv4 Prefix Traffic: Each of the Traffic Elements is an IPv4 537 prefix, containing an 8-bit prefix length followed by an IPv4 538 address prefix, whose length, in bits, is specified by the prefix 539 length, padded to a byte boundary. 541 o IPv6 Prefix Traffic: Each of the Traffic Elements is an IPv6 542 prefix, containing an 8-bit prefix length followed by an IPv6 543 address prefix, whose length, in bits, is specified by the prefix 544 length, padded to a byte boundary. 546 o Application Traffic: Each of the Traffic Elements is a 32 bit 547 identifier of an application, from which the traffic is imported 548 into the backup LSP. 550 4.1.8. Subobject: Label-Routes 552 The INGRESS_PROTECTION object in a PATH message from the primary 553 ingress to the backup ingress may have a Label-Routes subobject 554 containing the labels and routes that the next hops of the ingress 555 use. The Type of the subobject is 9. The subobject has the 556 following body: 558 0 1 2 3 559 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 560 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 561 ~ Subobjects ~ 562 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 564 The Subobjects in the Label-Routes are copied from those in the 565 RECORD_ROUTE objects in the RESV messages that the primary ingress 566 receives from its next hops for the primary LSP. They MUST contain 567 the first hops of the LSP, each of which is paired with its label. 569 5. Behavior of Ingress Protection 571 5.1. Overview 573 There are two different proposed signaling approaches to transfer the 574 information for ingress protection. They both use the same new 575 INGRESS_PROTECTION object. The object is sent in both PATH and RESV 576 messages. 578 5.1.1. Relay-Message Method 580 The primary ingress relays the information for ingress protection of 581 an LSP to the backup ingress via PATH messages. Once the LSP is 582 created, the ingress of the LSP sends the backup ingress a PATH 583 message with an INGRESS_PROTECTION object with Label-Routes 584 subobject, which is populated with the next-hops and labels. This 585 provides sufficient information for the backup ingress to create the 586 appropriate forwarding state and backup LSP(s). 588 The ingress also sends the backup ingress all the other PATH messages 589 for the LSP with an empty INGRESS_PROTECTION object. An 590 INGRESS_PROTECTION object without any Traffic-Descriptor subobject is 591 called an empty INGRESS_PROTECTION object. Thus, the backup ingress 592 has access to all the PATH messages needed for modification to 593 refresh control-plane state after a failure. 595 The empty INGRESS_PROTECTION object is for efficient processing of 596 ingress protection for a P2MP LSP. For a P2MP LSP, its primary 597 ingress may have more than one PATH messages, each of which is sent 598 to a next hop along a branch of the P2MP LSP. The PATH message along 599 a branch will be selected and sent to the backup ingress with an 600 INGRESS_PROTECTION object containing the Traffic-Descriptor 601 subobject; all the PATH messages along the other branches will be 602 sent to the backup ingress containing an INGRESS_PROTECTION object 603 without any Traffic-Descriptor subobject (empty INGRESS_PROTECTION 604 object). For a P2MP LSP, the backup ingress only needs one Traffic- 605 Descriptor. 607 5.1.2. Proxy-Ingress Method 609 Conceptually, a proxy ingress is created that starts the RSVP 610 signaling. The explicit path of the LSP goes from the proxy ingress 611 to the backup ingress and then to the real ingress. The behavior and 612 signaling for the proxy ingress is done by the real ingress; the use 613 of a proxy ingress address avoids problems with loop detection. Note 614 that the proxy ingress MUST reside within the same router as the real 615 ingress. 617 [ traffic source ] *** Primary LSP 618 $ $ --- Backup LSP 619 $ $ $$ Link 620 $ $ 621 [ proxy ingress ] [ backup ] 622 [ & ingress ] | 623 * | 624 *****[ MP ]----| 626 Figure 2: Example Protected LSP with Proxy Ingress Node 628 The backup ingress MUST know the merge points or next-hops and their 629 associated labels. This is accomplished by having the RSVP PATH and 630 RESV messages go through the backup ingress, although the forwarding 631 path need not go through the backup ingress. If the backup ingress 632 fails, the ingress simply removes the INGRESS_PROTECTION object and 633 forwards the PATH messages to the LSP's next-hop(s). If the ingress 634 has its LSP configured for ingress protection, then the ingress can 635 add the backup ingress and itself to the ERO and start forwarding the 636 PATH messages to the backup ingress. 638 Slightly different behavior can apply for the on-path and off-path 639 cases. In the on-path case, the backup ingress is a next hop node 640 after the ingress for the LSP. In the off-path, the backup ingress 641 is not any next-hop node after the ingress for all associated sub- 642 LSPs. 644 The key advantage of this approach is that it minimizes the special 645 handling code required. Because the backup ingress is on the 646 signaling path, it can receive various notifications. It easily has 647 access to all the PATH messages needed for modification to be sent to 648 refresh control-plane state after a failure. 650 5.2. Ingress Behavior 652 The primary ingress MUST be configured with a couple of pieces of 653 information for ingress protection. 655 o Backup Ingress Address: The primary ingress MUST know the IP 656 address of the backup ingress it wants to be used before it can 657 use the INGRESS_PROTECTION object. 659 o Proxy-Ingress-Id (only needed for Proxy-Ingress Method): The 660 Proxy-Ingress-Id is only used in the Record Route Object for 661 recording the proxy-ingress. If no proxy-ingress-id is specified, 662 then a local interface address that will not otherwise be included 663 in the Record Route Object can be used. A similar technique is 664 used in [RFC4090 Sec 6.1.1]. 666 o Application Traffic Identifier: The primary ingress and backup 667 ingress MUST both know what application traffic should be directed 668 into the LSP. If a list of prefixes in the Traffic Descriptor 669 subobject will not suffice, then a commonly understood Application 670 Traffic Identifier can be sent between the primary ingress and 671 backup ingress. The exact meaning of the identifier should be 672 configured similarly at both the primary ingress and backup 673 ingress. The Application Traffic Identifier is understood within 674 the unique context of the primary ingress and backup ingress. 676 o A connection between backup ingress and primary ingress: If there 677 is not any direct link between the primary ingress and the backup 678 ingress, a tunnel MUST be configured between them. 680 With this additional information, the primary ingress can create and 681 signal the necessary RSVP extensions to support ingress protection. 683 5.2.1. Relay-Message Method 685 To protect the primary ingress of an LSP, the primary ingress MUST do 686 the following after the LSP is up. 688 1. Select a PATH message P0 for the LSP. 690 2. If the backup ingress is off-path (the backup ingress is not the 691 next hop of the primary ingress for P0), then send it a PATH 692 message P0' with the content from P0 and an INGRESS_PROTECTION 693 object; else (the backup ingress is a next hop, i.e., on-path 694 case) add an INGRESS_PROTECTION object into the existing PATH 695 message to the backup ingress (i.e., the next hop). The object 696 contains the Traffic-Descriptor subobject, the Backup Ingress 697 Address subobject and the Label-Routes subobject. The options is 698 set to indicate whether a Backup P2MP LSP is desired. The Label- 699 Routes subobject contains the next-hops of the primary ingress 700 and their labels. Note that for on-path case, there is an 701 existing PATH message to the backup ingress (i.e., the next hop), 702 and we just add an INGRESS_PROTECTION object into the existing 703 PATH message to be sent to the backup ingress. We do not send a 704 separate PATH message to the backup ingress for this existing 705 PATH message. 707 3. For each Pi of the other PATH messages for the LSP, send the 708 backup ingress a PATH message Pi' with the content copied from Pi 709 and an empty INGRESS_PROTECTION object. 711 For every PATH message Pj' (i.e., P0'/Pi') to be sent to the backup 712 ingress, it has the same SESSION as Pj (i.e., P0/Pi). If the backup 713 ingress is off-path, the primary ingress updates Pj' according to the 714 backup ingress as its next hop before sending it. It adds the backup 715 ingress to the beginning of the ERO, and sets RSVP_HOP based on the 716 interface to the backup ingress. The primary ingress MUST NOT set up 717 any forwarding state to the backup ingress if the backup ingress is 718 off-path. 720 5.2.2. Proxy-Ingress Method 722 The primary ingress is responsible for starting the RSVP signaling 723 for the proxy-ingress node. To do this, the following MUST be done 724 for the RSVP PATH message. 726 1. Compute the EROs for the LSP as normal for the ingress. 728 2. If the selected backup ingress node is not the first node on the 729 path (for all sub-LSPs), then insert at the beginning of the ERO 730 first the backup ingress node and then the ingress node. 732 3. In the PATH RRO, instead of recording the ingress node's address, 733 replace it with the Proxy-Ingress-Id. 735 4. Leave the HOP object populated as usual with information for the 736 ingress-node. 738 5. Add the INGRESS_PROTECTION object to the PATH message. Include 739 the Backup Ingress Address (IPv4 or IPv6) subobject and the 740 Traffic-Descriptor subobject. Set or clear the options 741 indicating that a Backup P2MP LSP is desired. 743 6. Optionally, add the FAST-REROUTE object [RFC4090] to the Path 744 message. Indicate whether one-to-one backup is desired. 745 Indicate whether facility backup is desired. 747 7. The RSVP PATH message is sent to the backup node as normal. 749 If the ingress detects that it can't communicate with the backup 750 ingress, then the ingress SHOULD instead send the PATH message to the 751 next-hop indicated in the ERO computed in step 1. Once the ingress 752 detects that it can communicate with the backup ingress, the ingress 753 SHOULD follow the steps 1-7 to obtain ingress failure protection. 755 When the ingress node receives an RSVP PATH message with an 756 INGRESS_PROTECTION object and the object specifies that node as the 757 ingress node and the PHOP as the backup ingress node, the ingress 758 node SHOULD remove the INGRESS_PROTECTION object from the PATH 759 message before sending it out. Additionally, the ingress node MUST 760 store that it will install ingress forwarding state for the LSP 761 rather than midpoint forwarding. 763 When an RSVP RESV message is received by the ingress, it uses the 764 NHOP to determine whether the message is received from the backup 765 ingress or from a different node. The stored associated PATH message 766 contains an INGRESS_PROTECTION object that identifies the backup 767 ingress node. If the RESV message is not from the backup node, then 768 ingress forwarding state SHOULD be set up, and the INGRESS_PROTECTION 769 object MUST be added to the RESV before it is sent to the NHOP, which 770 SHOULD be the backup node. If the RESV message is from the backup 771 node, then the LSP SHOULD be considered available for use. 773 If the backup ingress node is on the forwarding path, then a RESV is 774 received with an INGRESS_PROTECTION object and an NHOP that matches 775 the backup ingress. In this case, the ingress node's address will 776 not appear after the backup ingress in the RRO. The ingress node 777 SHOULD set up ingress forwarding state, just as is done if the LSP 778 weren't ingress-node protected. 780 5.3. Backup Ingress Behavior 782 An LER determines that the ingress local protection is requested for 783 an LSP if the INGRESS_PROTECTION object is included in the PATH 784 message it receives for the LSP. The LER can further determine that 785 it is the backup ingress if one of its addresses is in the Backup 786 Ingress Address subobject of the INGRESS_PROTECTION object. The LER 787 as the backup ingress will assume full responsibility of the ingress 788 after the primary ingress fails. In addition, the LER determines 789 that it is off-path if it is not any node of the LSP. The LER 790 determines whether it uses Relay-Message Method or Proxy-Ingress 791 Method according to configurations. 793 5.3.1. Backup Ingress Behavior in Off-path Case 795 The backup ingress considers itself as a PLR and the primary ingress 796 as its next hop and provides a local protection for the primary 797 ingress. It behaves very similarly to a PLR providing fast-reroute 798 where the primary ingress is considered as the failure-point to 799 protect. Where not otherwise specified, the behavior given in 800 [RFC4090] for a PLR applies. 802 The backup ingress MUST follow the control-options specified in the 803 INGRESS_PROTECTION object and the flags and specifications in the 804 FAST-REROUTE object. This applies to providing a P2MP backup if the 805 "P2MP backup" is set, a one-to-one backup if "one-to-one desired" is 806 set, facility backup if the "facility backup desired" is set, and 807 backup paths that support the desired bandwidth, and administrative 808 groups that are requested. 810 If multiple non empty INGRESS_PROTECTION objects have been received 811 via multiple PATH messages for the same LSP, then the most recent one 812 MUST be the one used. 814 The backup ingress creates the appropriate forwarding state for the 815 backup LSP tunnel(s) to the merge point(s). 817 When the backup ingress sends a RESV message to the primary ingress, 818 it MUST add an INGRESS_PROTECTION object into the message. It MUST 819 set or clear the flags in the object to report "Ingress local 820 protection available", "Ingress local protection in use", and 821 "bandwidth protection". 823 If the backup ingress doesn't have a backup LSP tunnel to each of the 824 merge points, it SHOULD clear "Ingress local protection available" 825 and set NUB to the number of the merge points to which there is no 826 backup LSP. 828 When the primary ingress fails, the backup ingress redirects the 829 traffic from a source into the backup P2P LSPs or the backup P2MP LSP 830 transmitting the traffic to the next hops of the primary ingress, 831 where the traffic is merged into the protected LSP. 833 In this case, the backup ingress MUST keep the PATH message with the 834 INGRESS_PROTECTION object received from the primary ingress and the 835 RESV message with the INGRESS_PROTECTION object to be sent to the 836 primary ingress. The backup ingress MUST set the "local protection 837 in use" flag in the RESV message, indicating that the backup ingress 838 is actively redirecting the traffic into the backup P2P LSPs or the 839 backup P2MP LSP for locally protecting the primary ingress failure. 841 Note that the RESV message with this piece of information will not be 842 sent to the primary ingress because the primary ingress has failed. 844 If the backup ingress has not received any PATH message from the 845 primary ingress for an extended period of time (e.g., a cleanup 846 timeout interval) and a confirmed primary ingress failure did not 847 occur, then the standard RSVP soft-state removal SHOULD occur. The 848 backup ingress SHALL remove the state for the PATH message from the 849 primary ingress, and tear down the one-to-one backup LSPs for 850 protecting the primary ingress if one-to-one backup is used or unbind 851 the facility backup LSPs if facility backup is used. 853 When the backup ingress receives a PATH message from the primary 854 ingress for locally protecting the primary ingress of a protected 855 LSP, it MUST check to see if any critical information has been 856 changed. If the next hops of the primary ingress are changed, the 857 backup ingress SHALL update its backup LSP(s) accordingly. 859 5.3.1.1. Relay-Message Method 861 When the backup ingress receives a PATH message with an non empty 862 INGRESS_PROTECTION object, it examines the object to learn what 863 traffic associated with the LSP. It determines the next-hops to be 864 merged to by examining the Label-Routes subobject in the object. 866 The backup ingress MUST store the PATH message received from the 867 primary ingress, but NOT forward it. 869 The backup ingress responds with a RESV message to the PATH message 870 received from the primary ingress. If the backup ingress is off- 871 path, the LABEL object in the RESV message contains IMPLICIT-NULL. 872 If the INGRESS_PROTECTION object is not "empty", the backup ingress 873 SHALL send the RESV message with the state indicating protection is 874 available after the backup LSP(s) are successfully established. 876 5.3.1.2. Proxy-Ingress Method 878 The backup ingress determines the next-hops to be merged to by 879 collecting the set of the pair of (IPv4/IPv6 subobject, Label 880 subobject) from the Record Route Object of each RESV that are closest 881 to the top and not the Ingress router; this should be the second to 882 the top pair. If a Label-Routes subobject is included in the 883 INGRESS_PROTECTION object, the included IPv4/IPv6 subobjects are used 884 to filter the set down to the specific next-hops where protection is 885 desired. A RESV message MUST have been received before the Backup 886 Ingress can create or select the appropriate backup LSP. 888 When the backup ingress receives a PATH message with the 889 INGRESS_PROTECTION object, the backup ingress examines the object to 890 learn what traffic associated with the LSP. The backup ingress 891 forwards the PATH message to the ingress node with the normal RSVP 892 changes. 894 When the backup ingress receives a RESV message with the 895 INGRESS_PROTECTION object, the backup ingress records an IMPLICIT- 896 NULL label in the RRO. Then the backup ingress forwards the RESV 897 message to the ingress node, which is acting for the proxy ingress. 899 5.3.2. Backup Ingress Behavior in On-path Case 901 An LER as the backup ingress determines that it is on-path if one of 902 its addresses is a next hop of the primary ingress (and for Proxy- 903 Ingress Method the primary ingress is not its next hop via checking 904 the PATH message with the INGRESS_PROTECTION object received from the 905 primary ingress). The LER on-path MUST send the corresponding PATH 906 messages without any INGRESS_PROTECTION object to its next hops. It 907 creates a number of backup P2P LSPs or a backup P2MP LSP from itself 908 to the other next hops (i.e., the next hops other than the backup 909 ingress) of the primary ingress. The other next hops are from the 910 Label-Routes subobject. 912 It also creates a forwarding entry, which sends/multicasts the 913 traffic from the source to the next hops of the backup ingress along 914 the protected LSP when the primary ingress fails. The traffic is 915 described by the Traffic-Descriptor. 917 After the forwarding entry is created, all the backup P2P LSPs or the 918 backup P2MP LSP is up and associated with the protected LSP, the 919 backup ingress MUST send the primary ingress the RESV message with 920 the INGRESS_PROTECTION object containing the state of the local 921 protection such as "local protection available" flag set to one, 922 which indicates that the primary ingress is locally protected. 924 When the primary ingress fails, the backup ingress sends/multicasts 925 the traffic from the source to its next hops along the protected LSP 926 and imports the traffic into each of the backup P2P LSPs or the 927 backup P2MP LSP transmitting the traffic to the other next hops of 928 the primary ingress, where the traffic is merged into protected LSP. 930 During the local repair, the backup ingress MUST continue to send the 931 PATH messages to its next hops as before, keep the PATH message with 932 the INGRESS_PROTECTION object received from the primary ingress and 933 the RESV message with the INGRESS_PROTECTION object to be sent to the 934 primary ingress. It MUST set the "local protection in use" flag in 935 the RESV message. 937 5.3.3. Failure Detection and Refresh PATH Messages 939 As described in [RFC4090], it is necessary to refresh the PATH 940 messages via the backup LSP(s). The Backup Ingress MUST wait to 941 refresh the PATH messages until it can accurately detect that the 942 ingress node has failed. An example of such an accurate detection 943 would be that the IGP has no bi-directional links to the ingress node 944 or a BFD session to the primary ingress' loopback address has failed 945 and stayed failed after the network has reconverged. 947 As described in [RFC4090 Section 6.4.3], the backup ingress, acting 948 as PLR, MUST modify and send any saved PATH messages associated with 949 the primary LSP to the corresponding next hops through backup LSP(s). 950 Any PATH message sent will not contain any INGRESS_PROTECTION object. 951 The RSVP_HOP object in the message contains an IP source address 952 belonging to the backup ingress. The sender template object has the 953 backup ingress address as its tunnel sender address. 955 5.4. Revertive Behavior 957 Upon a failure event in the (primary) ingress of a protected LSP, the 958 protected LSP is locally repaired by the backup ingress. There are a 959 couple of basic strategies for restoring the LSP to a full working 960 path. 962 - Revert to Primary Ingress: When the primary ingress is restored, 963 it re-signals each of the LSPs that start from the primary 964 ingress. The traffic for every LSP successfully re-signaled is 965 switched back to the primary ingress from the backup ingress. 967 - Global Repair by Backup Ingress: After determining that the 968 primary ingress of an LSP has failed, the backup ingress computes 969 a new optimal path, signals a new LSP along the new path, and 970 switches the traffic to the new LSP. 972 5.4.1. Revert to Primary Ingress 974 If "Revert to Primary Ingress" is desired for a protected LSP, the 975 (primary) ingress of the LSP SHOULD re-signal the LSP that starts 976 from the primary ingress after the primary ingress restores. After 977 the LSP is re-signaled successfully, the traffic SHOULD be switched 978 back to the primary ingress from the backup ingress on the source 979 node and redirected into the LSP starting from the primary ingress. 981 The primary ingress can specify the "Revert to Ingress" control- 982 option in the INGRESS_PROTECTION object in the PATH messages to the 983 backup ingress. After receiving the "Revert to Ingress" control- 984 option, the backup ingress MUST stop sending/refreshing PATH messages 985 for the protected LSP. 987 5.4.2. Global Repair by Backup Ingress 989 When the backup ingress has determined that the primary ingress of 990 the protected LSP has failed (e.g., via the IGP), it can compute a 991 new path and signal a new LSP along the new path so that it no longer 992 relies upon local repair. To do this, the backup ingress MUST use 993 the same tunnel sender address in the Sender Template Object and 994 allocate a LSP ID different from the one of the old LSP as the LSP-ID 995 of the new LSP. This allows the new LSP to share resources with the 996 old LSP. Alternately, the Backup Ingress can create a new LSP with 997 no bandwidth reservation that duplicates the path(s) of the protected 998 LSP, move traffic to the new LSP, delete the protected LSP, and then 999 resignal the new LSP with bandwidth. 1001 6. Security Considerations 1003 In principle this document does not introduce new security issues. 1004 The security considerations pertaining to RFC 4090, RFC 4875, RFC 1005 2205 and RFC 3209 remain relevant. 1007 7. Compatibility 1009 This extension reuses and extends semantics and procedures defined in 1010 RFC 2205, RFC 3209, RFC 4090 and RFC 4875 to support ingress 1011 protection. The new object defined to indicate ingress protection 1012 has a class number of the form 0bbbbbbb. Per RFC 2205, a node not 1013 supporting this extension will not recognize the new class number and 1014 should respond with an "Unknown Object Class" error. The error 1015 message will propagate to the ingress, which can then take action to 1016 avoid the incompatible node as a backup ingress or may simply 1017 terminate the session. 1019 8. IANA Considerations 1021 This document does not request any IANA actions. 1023 9. Co-authors and Contributors 1025 1. Co-authors 1027 Autumn Liu 1028 Ciena 1029 USA 1030 Email: hliu@ciena.com 1032 Zhenbin Li 1033 Huawei Technologies 1034 Email: zhenbin.li@huawei.com 1036 Yimin Shen 1037 Juniper Networks 1038 10 Technology Park Drive 1039 Westford, MA 01886 1040 USA 1041 Email: yshen@juniper.net 1043 Tarek Saad 1044 Cisco Systems 1045 Email: tsaad@cisco.com 1046 Fengman Xu 1047 Verizon 1048 2400 N. Glenville Dr 1049 Richardson, TX 75082 1050 USA 1051 Email: fengman.xu@verizon.com 1053 2. Contributors 1055 Ning So 1056 Tata Communications 1057 2613 Fairbourne Cir. 1058 Plano, TX 75082 1059 USA 1060 Email: ningso01@gmail.com 1062 Mehmet Toy 1063 Verizon 1064 USA 1065 Email: mehmet.toy@verizon.com 1067 Lei Liu 1068 USA 1069 Email: liulei.kddi@gmail.com 1071 Renwei Li 1072 Huawei Technologies 1073 2330 Central Expressway 1074 Santa Clara, CA 95050 1075 USA 1076 Email: renwei.li@huawei.com 1078 Quintin Zhao 1079 Huawei Technologies 1080 Boston, MA 1081 USA 1082 Email: quintin.zhao@huawei.com 1083 Boris Zhang 1084 Telus Communications 1085 200 Consilium Pl Floor 15 1086 Toronto, ON M1H 3J3 1087 Canada 1088 Email: Boris.Zhang@telus.com 1090 Markus Jork 1091 Juniper Networks 1092 10 Technology Park Drive 1093 Westford, MA 01886 1094 USA 1095 Email: mjork@juniper.net 1097 10. Acknowledgement 1099 The authors would like to thank Nobo Akiya, Rahul Aggarwal, Eric 1100 Osborne, Ross Callon, Loa Andersson, Daniel King, Michael Yue, Alia 1101 Atlas, Olufemi Komolafe, Rob Rennison, Neil Harrison, Kannan Sampath, 1102 Gregory Mirsky, and Ronhazli Adam for their valuable comments and 1103 suggestions on this draft. 1105 11. References 1107 11.1. Normative References 1109 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1110 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 1111 RFC2119, March 1997, 1112 . 1114 [RFC3031] Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol 1115 Label Switching Architecture", RFC 3031, DOI 10.17487/ 1116 RFC3031, January 2001, 1117 . 1119 [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., 1120 and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP 1121 Tunnels", RFC 3209, DOI 10.17487/RFC3209, December 2001, 1122 . 1124 [RFC4090] Pan, P., Ed., Swallow, G., Ed., and A. Atlas, Ed., "Fast 1125 Reroute Extensions to RSVP-TE for LSP Tunnels", RFC 4090, 1126 DOI 10.17487/RFC4090, May 2005, 1127 . 1129 [RFC4875] Aggarwal, R., Ed., Papadimitriou, D., Ed., and S. 1130 Yasukawa, Ed., "Extensions to Resource Reservation 1131 Protocol - Traffic Engineering (RSVP-TE) for Point-to- 1132 Multipoint TE Label Switched Paths (LSPs)", RFC 4875, 1133 DOI 10.17487/RFC4875, May 2007, 1134 . 1136 11.2. Informative References 1138 [RFC6378] Weingarten, Y., Ed., Bryant, S., Osborne, E., Sprecher, 1139 N., and A. Fulignoli, Ed., "MPLS Transport Profile 1140 (MPLS-TP) Linear Protection", RFC 6378, DOI 10.17487/ 1141 RFC6378, October 2011, 1142 . 1144 Authors' Addresses 1146 Huaimo Chen (editor) 1147 Huawei Technologies 1148 Boston, MA 1149 USA 1151 Email: huaimo.chen@huawei.com 1153 Raveendra Torvi (editor) 1154 Juniper Networks 1155 10 Technology Park Drive 1156 Westford, MA 01886 1157 USA 1159 Email: rtorvi@juniper.net