MPLS Segment Routing over IPAlibaba, Incxiaohu.xxh@alibaba-inc.comFuturewei Technologiesstewart.bryant@gmail.comOld Dog Consultingadrian@olddog.co.ukCiscoshassan@cisco.comNokiawim.henderickx@nokia.comHuaweilizhenbin@huawei.comMPLS-SR-over-IP, SR-MPLS-over-IP, MPLS-SR-over-UDP, SR-MPLS-over-UDPMPLS Segment Routing (SR-MPLS) is a method of source routing a packet
through an MPLS data plane by imposing a stack of MPLS labels on the
packet to specify the path together with any packet-specific
instructions to be executed on it.
SR-MPLS can be leveraged to realize a source-routing mechanism across
MPLS, IPv4, and IPv6 data planes by using an MPLS label stack as a
source-routing instruction set while making no changes to SR-MPLS
specifications and interworking with SR-MPLS implementations.This document describes how SR-MPLS-capable routers and IP-only
routers can seamlessly coexist and interoperate through the use of
SR-MPLS label stacks and IP encapsulation/tunneling such as MPLS-over-UDP
as defined in RFC 7510.Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
. Introduction
. Terminology
. Use Cases
. Procedures of SR-MPLS-over-IP
. Forwarding Entry Construction
. FIB Construction Example
. Packet-Forwarding Procedures
. Packet Forwarding with Penultimate Hop Popping
. Packet Forwarding without Penultimate Hop Popping
. Additional Forwarding Procedures
. IANA Considerations
. Security Considerations
. References
. Normative References
. Informative References
Acknowledgements
Contributors
Authors' Addresses
IntroductionMPLS Segment Routing (SR-MPLS) is a method of source routing a packet through an
MPLS data plane. This is achieved by the sender imposing a stack of MPLS
labels that partially or completely specify the path that the packet is
to take and any instructions to be executed on the packet as it passes
through the network.
SR-MPLS uses an MPLS label stack to encode a sequence of source-routing
instructions. This can be used to realize a source-routing mechanism
that can operate across MPLS, IPv4, and IPv6 data planes. This approach
makes no changes to SR-MPLS specifications and allows interworking with
SR-MPLS implementations. More specifically, the source-routing
instructions in a source-routed packet could be
uniformly encoded as an MPLS label stack regardless of whether the
underlay is IPv4, IPv6 (including Segment Routing for IPv6 (SRv6) ), or MPLS.This document describes how SR-MPLS-capable routers and IP-only
routers can seamlessly coexist and interoperate through the use of
SR-MPLS label stacks and IP encapsulation/tunneling such as MPLS-over-UDP
. describes various use
cases for tunneling SR-MPLS over IP. describes a typical application scenario and how the
packet forwarding happens.TerminologyThis memo makes use of the terms defined in and .
The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in BCP 14 when, and only when, they appear in all capitals, as
shown here.
Use CasesTunneling SR-MPLS using IPv4 and/or IPv6 (including SRv6) tunnels is
useful at least in the use cases listed below. In all cases, this can be
enabled using an IP tunneling mechanism such as MPLS-over-UDP as described
in . The tunnel selected MUST have its remote
endpoint (destination) address equal to the address of the next
node capable of SR-MPLS identified as being on the SR path (i.e., the
egress of the active segment). The local endpoint (source) address is
set to an address of the encapsulating node.
gives further advice on how to set the source address if the UDP
zero-checksum mode is used with MPLS-over-UDP. Using UDP as the
encapsulation may be particularly beneficial because it is agnostic of
the underlying transport.
Incremental deployment of the SR-MPLS technology may be
facilitated by tunneling SR-MPLS packets across parts of a network
that are not SR-MPLS as shown in . This
demonstrates how islands of SR-MPLS may be connected across a legacy
network. It may be particularly useful for joining sites (such as
data centers).
If the encoding of entropy is desired, IP-tunneling mechanisms that allow the
encoding of entropy, such as MPLS-over-UDP encapsulation where the source port of the UDP
header is used as an entropy field, may be used to maximize the
utilization of Equal-Cost Multipath (ECMP) and/or Link Aggregation
Groups (LAGs), especially when it is difficult to make use of the
entropy-label mechanism. This is to be contrasted with where MPLS-over-IP does not provide
for an entropy mechanism. Refer to ) for more discussion about using entropy labels in
SR-MPLS.
Tunneling MPLS over IP provides a technology that enables Segment
Routing (SR) in an IPv4 and/or IPv6 network where the routers do not
support SRv6 capabilities and
where MPLS forwarding is not an option. This is shown in .
Procedures of SR-MPLS-over-IPThis section describes the construction of forwarding information
base (FIB) entries and the forwarding behavior that allow the deployment
of SR-MPLS when some routers in the network are IP only (i.e., do not
support SR-MPLS). Note that the examples in Sections and assume that
OSPF or IS-IS is enabled; in fact, other mechanisms of discovery and
advertisement could be used including other routing protocols (such as
BGP) or a central controller.Forwarding Entry ConstructionThis subsection describes how to construct the forwarding
information base (FIB) entry on an SR-MPLS-capable router when some or
all of the next hops along the shortest path towards a prefix Segment
Identifier (Prefix-SID) are IP-only routers.
provides a concrete example of how the process applies when using OSPF
or IS-IS.Consider router A that receives a labeled packet with top label
L(E) that corresponds to the Prefix-SID SID(E) of prefix P(E)
advertised by router E. Suppose the i-th next-hop router (termed NHi)
along the shortest path from router A toward SID(E) is not SR-MPLS
capable while both routers A and E are SR-MPLS capable. The following
processing steps apply:
Router E is SR-MPLS capable, so it advertises a Segment Routing
Global Block (SRGB). The SRGB is defined in .
There are a number of ways that the advertisement can be achieved
including IGPs, BGP, and configuration/management protocols. For
example, see .
When Router E advertises the Prefix-SID SID(E) of prefix P(E), it MUST
also advertise the egress endpoint address and the encapsulation type of any
tunnel used to reach E. This information is flooded domain wide.
If A and E are in different routing domains, then the information MUST
be flooded into both domains. How this is achieved depends on the
advertisement mechanism being used. The objective is that router A
knows the characteristics of router E that originated the
advertisement of SID(E).
Router A programs the FIB entry for prefix P(E) corresponding
to the SID(E) according to whether a pop or swap action is advertised
for the prefix. The resulting action may be:
pop the top label
swap the top label to a value equal to SID(E) plus the
lower bound of the SRGB of E
Once constructed, the FIB can be used by a router to tell it how to
process packets. It encapsulates the packets according to the
appropriate encapsulation advertised for the segment and then sends
the packets towards the next hop NHi.FIB Construction ExampleThis section is non-normative and provides a worked example of how
a FIB might be constructed using OSPF and IS-IS extensions. It is based
on the process described in .
Router E is SR-MPLS capable, so it advertises a Segment Routing
Global Block (SRGB) using
or
.
When Router E advertises the Prefix-SID SID(E) of prefix P(E),
it also advertises the encapsulation endpoint address and the tunnel
type of any tunnel used to reach E using
or
.
If A and E are in different domains, then the information is
flooded into both domains and any intervening domains.
The OSPF Tunnel Encapsulations TLV
or the IS-IS
Tunnel Encapsulation Type sub-TLV
is flooded
domain wide.
The OSPF SID/Label Range TLV
or
the IS-IS SR-Capabilities sub-TLV
is
advertised domain wide so that router A knows the
characteristics of router E.
When router E advertises the prefix P(E):
If router E is running IS-IS, it uses the extended
reachability TLV (TLVs 135, 235, 236, 237) and associates
the IPv4/IPv6 or IPv4/IPv6 Source Router ID sub-TLV(s)
.
If router E is running OSPF, it uses the OSPFv2 Extended
Prefix Opaque Link-State Advertisement (LSA) and sets the
flooding scope to Autonomous System (AS) wide.
If router E is running IS-IS and advertises the IS-IS
Router CAPABILITY TLV (TLV 242) , it sets the
"Router ID" field to a valid value or includes an IPv6
TE Router ID sub-TLV (TLV 12), or it does both. The "S" bit
(flooding scope) of the IS-IS Router CAPABILITY TLV (TLV 242) is set
to "1".
Router A programs the FIB entry for prefix P(E) corresponding
to the SID(E) according to whether a pop or swap action is advertised
for the prefix as follows:
If the No-PHP (NP) Flag in OSPF or the Persistent (P) Flag in IS-IS is clear:
pop the top label
If the No-PHP (NP) Flag in OSPF or the Persistent (P) Flag in IS-IS is set:
swap the top label to a value equal to SID(E) plus the
lower bound of the SRGB of E
When forwarding the packet according to the constructed FIB entry, the
router encapsulates the packet according to the encapsulation as advertised
using the mechanisms described in
or . It then sends the
packets towards the next hop NHi.Note that specifies the use of port number 6635
to indicate that the payload of a UDP packet is MPLS, and port number 6636 for
MPLS-over-UDP utilizing DTLS. However,
and provide dynamic protocol
mechanisms to configure the use of any Dynamic Port for a tunnel that uses UDP
encapsulation. Nothing in this document prevents the use of an IGP or any other
mechanism to negotiate the use of a Dynamic Port when UDP encapsulation is used
for SR-MPLS, but if no such mechanism is used, then the port numbers specified in
are used.Packet-Forwarding Procedures specifies an IP-based encapsulation for
MPLS, i.e., MPLS-over-UDP. This approach is applicable where IP-based
encapsulation for MPLS is required and further fine-grained load
balancing of MPLS packets over IP networks over
ECMP and/or LAGs is also required. This
section provides details about the forwarding procedure when
UDP encapsulation is adopted for SR-MPLS-over-IP. Other encapsulation
and tunneling mechanisms can be applied using similar techniques,
but for clarity, this section uses UDP encapsulation as the exemplar.Nodes that are SR-MPLS capable can process SR-MPLS packets. Not all
of the nodes in an SR-MPLS domain are SR-MPLS capable. Some nodes may
be "legacy routers" that cannot handle SR-MPLS packets but can forward
IP packets. A node capable of SR-MPLS MAY advertise its capabilities
using the IGP as described in . There are six
types of nodes in an SR-MPLS domain:
Domain ingress nodes that receive packets and encapsulate them
for transmission across the domain. Those packets may be any
payload protocol including native IP packets or packets that are
already MPLS encapsulated.
Legacy transit nodes that are IP routers but that are not
SR-MPLS capable (i.e., are not able to perform Segment
Routing).
Transit nodes that are SR-MPLS capable but that are not
identified by a SID in the SID stack.
Transit nodes that are SR-MPLS capable and need to perform
SR-MPLS routing because they are identified by a SID in the SID
stack.
The penultimate node capable of SR-MPLS on the path that processes
the last SID on the stack on behalf of the domain egress node.
The domain egress node that forwards the payload packet for
ultimate delivery.
Packet Forwarding with Penultimate Hop PoppingThe description in this section assumes that the label associated
with each Prefix-SID is advertised by the owner of the Prefix-SID as
a Penultimate Hop-Popping (PHP) label. That is, if one of the IGP
flooding mechanisms is used, the NP-Flag in OSPF or the P-Flag in
IS-IS associated with the Prefix-SID is not set.In the example shown in , assume that
routers A, E, G, and H are capable of SR-MPLS while the remaining
routers (B, C, D, and F) are only capable of forwarding IP packets.
Routers A, E, G, and H advertise their Segment Routing related
information, such as via IS-IS or OSPF.Now assume that router A (the Domain ingress) wants to send a
packet to router H (the Domain egress) via the explicit path
{E->G->H}. Router A will impose an MPLS label stack on the
packet that corresponds to that explicit path. Since the next hop
toward router E is only IP capable (B is a legacy transit node),
router A replaces the top label (that indicated router E) with a
UDP-based tunnel for MPLS (i.e., MPLS-over-UDP ) to router E and then sends the packet. In other
words, router A pops the top label and then encapsulates the MPLS
packet in a UDP tunnel to router E.When the IP-encapsulated MPLS packet arrives at router E (which
is a transit node capable of SR-MPLS), router E strips the IP-based
tunnel header and then processes the decapsulated MPLS packet. The top
label indicates that the packet must be forwarded toward router G.
Since the next hop toward router G is only IP capable, router E
replaces the current top label with an MPLS-over-UDP tunnel toward
router G and sends it out. That is, router E pops the top label and
then encapsulates the MPLS packet in a UDP tunnel to router G.When the packet arrives at router G, router G will strip the
IP-based tunnel header and then process the decapsulated MPLS
packet. The top label indicates that the packet must be forwarded
toward router H. Since the next hop toward router H is only
IP capable (D is a legacy transit router), router G would replace
the current top label with an MPLS-over-UDP tunnel toward router H
and send it out. However, since router G reaches the bottom of the
label stack (G is the penultimate node capable of SR-MPLS on the path),
this would leave the original packet that router A wanted to send to
router H encapsulated in UDP as if it was MPLS (i.e., with a UDP
header and destination port indicating MPLS) even though the
original packet could have been any protocol. That is, the final
SR-MPLS has been popped exposing the payload packet.To handle this, when a router (here it is router G) pops the
final SR-MPLS label, it inserts an explicit NULL label before encapsulating the packet in an
MPLS-over-UDP tunnel toward router H and sending it out. That is,
router G pops the top label, discovers it has reached the bottom of
stack, pushes an explicit NULL label, and then encapsulates the MPLS
packet in a UDP tunnel to router H.Packet Forwarding without Penultimate Hop Popping demonstrates the packet walk in the
case where the label associated with each Prefix-SID advertised by
the owner of the Prefix-SID is not a Penultimate Hop-Popping (PHP)
label (e.g., the NP-Flag in OSPF or the P-Flag in IS-IS
associated with the Prefix-SID is set). Apart from the PHP function,
the roles of the routers are unchanged from .As can be seen from the figure, the SR-MPLS label for each
segment is left in place until the end of the segment where it is
popped and the next instruction is processed.Additional Forwarding Procedures
Non-MPLS Interfaces:
Although the description in
the previous two sections is based on the use of Prefix-SIDs,
tunneling SR-MPLS packets is useful when the top label of a
received SR-MPLS packet indicates an Adjacency SID and the
corresponding adjacent node to that Adjacency SID is not capable
of MPLS forwarding but can still process SR-MPLS packets. In
this scenario, the top label would be replaced by an IP tunnel
toward that adjacent node and then forwarded over the
corresponding link indicated by the Adjacency SID.
When to Use IP-Based Tunnels:
The description in
the previous two sections is based on the assumption that
an MPLS-over-UDP tunnel is used when the next hop towards the next
segment is not MPLS enabled. However, even in the case where the
next hop towards the next segment is MPLS capable, an
MPLS-over-UDP tunnel towards the next segment could still be
used instead due to local policies. For instance, in the example
as described in , assume F is now a
transit node capable of SR-MPLS while all the other assumptions
remain unchanged; since F is not identified by a SID in the stack
and an MPLS-over-UDP tunnel is preferred to an MPLS LSP
according to local policies, router E replaces the current
top label with an MPLS-over-UDP tunnel toward router G and sends
it out. (Note that if an MPLS LSP was preferred, the packet
would be forwarded as native SR-MPLS.)
IP Header Fields:
When encapsulating an MPLS
packet in UDP, the resulting packet is further encapsulated in
IP for transmission. IPv4 or IPv6 may be used according to the
capabilities of the network. The address fields are set as
described in . The other IP header
fields (such as the ECN field , the
Differentiated Services Code Point (DSCP) , or IPv6 Flow Label) on each UDP-encapsulated
segment SHOULD be configurable according to the operator's
policy; they may be copied from the header of the incoming
packet; they may be promoted from the header of the payload
packet; they may be set according to instructions programmed to
be associated with the SID; or they may be configured dependent
on the outgoing interface and payload. The TTL field setting in
the encapsulating packet header is handled as described in
, which refers to .
Entropy and ECMP:
When encapsulating an MPLS
packet with an IP tunnel header that is capable of encoding
entropy (such as ), the corresponding
entropy field (the source port in the case of a UDP tunnel) MAY
be filled with an entropy value that is generated by the
encapsulator to uniquely identify a flow. However, what
constitutes a flow is locally determined by the encapsulator. For
instance, if the MPLS label stack contains at least one entropy
label and the encapsulator is capable of reading that entropy
label, the entropy label value could be directly copied to the
source port of the UDP header. Otherwise, the encapsulator may
have to perform a hash on the whole label stack or the five-tuple
of the SR-MPLS payload if the payload is determined as an IP packet.
To avoid recalculating the hash or hunting for the entropy label
each time the packet is encapsulated in a UDP tunnel, it MAY be
desirable that the entropy value contained in the incoming
packet (i.e., the UDP source port value) is retained when
stripping the UDP header and is reused as the entropy value of
the outgoing packet.
Congestion Considerations:
provides a detailed analysis of the
implications of congestion in MPLS-over-UDP systems and builds
on , which describes
the congestion implications of UDP tunnels. All of those
considerations apply to SR-MPLS-over-UDP tunnels as described
in this document. In particular, it should be noted that the
traffic carried in SR-MPLS flows is likely to be IP traffic.
IANA ConsiderationsThis document has no IANA actions.Security ConsiderationsThe security consideration of (which redirects
the reader to ) and
apply. DTLS SHOULD be used where security is
needed on an SR-MPLS-over-UDP segment including when the IP segment crosses
the public Internet or some other untrusted environment.
provides security considerations for Segment Routing, and is particularly applicable to SR-MPLS.It is difficult for an attacker to pass a raw MPLS-encoded packet
into a network, and operators have considerable experience in excluding
such packets at the network boundaries, for example, by excluding all
packets that are revealed to be carrying an MPLS packet as the payload
of IP tunnels. Further discussion of MPLS security is found in
.It is easy for a network ingress node to detect any attempt to smuggle an IP
packet into the network since it would see that the UDP destination port
was set to MPLS, and such filtering SHOULD be applied. If, however, the
mechanisms described in
or are applied,
a wider variety of UDP port numbers might be in use making port filtering
harder.SR packets not having a destination address terminating in the network
would be transparently carried and would pose no different security risk to
the network under consideration than any other traffic.Where control-plane techniques are used (as described in ), it is important that these protocols are adequately
secured for the environment in which they are run as discussed in
and .ReferencesNormative ReferencesKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Multiprotocol Label Switching ArchitectureThis document specifies the architecture for Multiprotocol Label Switching (MPLS). [STANDARDS-TRACK]MPLS Label Stack EncodingThis document specifies the encoding to be used by an LSR in order to transmit labeled packets on Point-to-Point Protocol (PPP) data links, on LAN data links, and possibly on other data links as well. This document also specifies rules and procedures for processing the various fields of the label stack encoding. [STANDARDS-TRACK]Encapsulating MPLS in IP or Generic Routing Encapsulation (GRE)Various applications of MPLS make use of label stacks with multiple entries. In some cases, it is possible to replace the top label of the stack with an IP-based encapsulation, thereby enabling the application to run over networks that do not have MPLS enabled in their core routers. This document specifies two IP-based encapsulations: MPLS-in-IP and MPLS-in-GRE (Generic Routing Encapsulation). Each of these is applicable in some circumstances. [STANDARDS-TRACK]Deprecation of Type 0 Routing Headers in IPv6The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic. This document updates the IPv6 specification to deprecate the use of IPv6 Type 0 Routing Headers, in light of this security concern. [STANDARDS-TRACK]Tunnelling of Explicit Congestion NotificationThis document redefines how the explicit congestion notification (ECN) field of the IP header should be constructed on entry to and exit from any IP-in-IP tunnel. On encapsulation, it updates RFC 3168 to bring all IP-in-IP tunnels (v4 or v6) into line with RFC 4301 IPsec ECN processing. On decapsulation, it updates both RFC 3168 and RFC 4301 to add new behaviours for previously unused combinations of inner and outer headers. The new rules ensure the ECN field is correctly propagated across a tunnel whether it is used to signal one or two severity levels of congestion; whereas before, only one severity level was supported. Tunnel endpoints can be updated in any order without affecting pre-existing uses of the ECN field, thus ensuring backward compatibility. Nonetheless, operators wanting to support two severity levels (e.g., for pre-congestion notification -- PCN) can require compliance with this new specification. A thorough analysis of the reasoning for these changes and the implications is included. In the unlikely event that the new rules do not meet a specific need, RFC 4774 gives guidance on designing alternate ECN semantics, and this document extends that to include tunnelling issues. [STANDARDS-TRACK]Datagram Transport Layer Security Version 1.2This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK]Encapsulating MPLS in UDPThis document specifies an IP-based encapsulation for MPLS, called MPLS-in-UDP for situations where UDP (User Datagram Protocol) encapsulation is preferred to direct use of MPLS, e.g., to enable UDP-based ECMP (Equal-Cost Multipath) or link aggregation. The MPLS- in-UDP encapsulation technology must only be deployed within a single network (with a single network operator) or networks of an adjacent set of cooperating network operators where traffic is managed to avoid congestion, rather than over the Internet where congestion control is required. Usage restrictions apply to MPLS-in-UDP usage for traffic that is not congestion controlled and to UDP zero checksum usage with IPv6.OSPFv2 Prefix/Link Attribute AdvertisementOSPFv2 requires functional extension beyond what can readily be done with the fixed-format Link State Advertisements (LSAs) as described in RFC 2328. This document defines OSPFv2 Opaque LSAs based on Type-Length-Value (TLV) tuples that can be used to associate additional attributes with prefixes or links. Depending on the application, these prefixes and links may or may not be advertised in the fixed-format LSAs. The OSPFv2 Opaque LSAs are optional and fully backward compatible.IS-IS Prefix Attributes for Extended IPv4 and IPv6 ReachabilityThis document introduces new sub-TLVs to support advertisement of IPv4 and IPv6 prefix attribute flags and the source router ID of the router that originated a prefix advertisement.IS-IS Extensions for Advertising Router InformationThis document defines a new optional Intermediate System to Intermediate System (IS-IS) TLV named CAPABILITY, formed of multiple sub-TLVs, which allows a router to announce its capabilities within an IS-IS level or the entire routing domain. This document obsoletes RFC 4971.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Segment Routing ArchitectureSegment Routing (SR) leverages the source routing paradigm. A node steers a packet through an ordered list of instructions, called "segments". A segment can represent any instruction, topological or service based. A segment can have a semantic local to an SR node or global within an SR domain. SR provides a mechanism that allows a flow to be restricted to a specific topological path, while maintaining per-flow state only at the ingress node(s) to the SR domain.SR can be directly applied to the MPLS architecture with no change to the forwarding plane. A segment is encoded as an MPLS label. An ordered list of segments is encoded as a stack of labels. The segment to process is on the top of the stack. Upon completion of a segment, the related label is popped from the stack.SR can be applied to the IPv6 architecture, with a new type of routing header. A segment is encoded as an IPv6 address. An ordered list of segments is encoded as an ordered list of IPv6 addresses in the routing header. The active segment is indicated by the Destination Address (DA) of the packet. The next active segment is indicated by a pointer in the new routing header.Segment Routing with the MPLS Data PlaneInformative ReferencesGateway Auto-Discovery and Route Advertisement for Segment Routing Enabled Domain InterconnectionData centers are critical components of the infrastructure used by network operators to provide services to their customers. Data centers are attached to the Internet or a backbone network by gateway routers. One data center typically has more than one gateway for commercial, load balancing, and resiliency reasons. Segment Routing is a popular protocol mechanism for use within a data center, but also for steering traffic that flows between two data center sites. In order that one data center site may load balance the traffic it sends to another data center site, it needs to know the complete set of gateway routers at the remote data center, the points of connection from those gateways to the backbone network, and the connectivity across the backbone network. Segment Routing may also be operated in other domains, such as access networks. Those domains also need to be connected across backbone networks through gateways. This document defines a mechanism using the BGP Tunnel Encapsulation attribute to allow each gateway router to advertise the routes to the prefixes in the Segment Routing domains to which it provides access, and also to advertise on behalf of each other gateway to the same Segment Routing domain.Work in ProgressIPv6 Segment Routing Header (SRH)Segment Routing can be applied to the IPv6 data plane using a new type of Routing Extension Header called the Segment Routing Header. This document describes the Segment Routing Header and how it is used by Segment Routing capable nodes.Work in ProgressAdvertising Tunnelling Capability in IS-ISSome networks use tunnels for a variety of reasons. A large variety of tunnel types are defined and the ingress needs to select a type of tunnel which is supported by the egress. This document defines how to advertise egress tunnel capabilities in IS-IS Router Capability TLV.Work in ProgressThe Tunnel Encapsulations OSPF Router InformationNetworks use tunnels for a variety of reasons. A large variety of tunnel types are defined and the tunnel encapsulator router needs to select a type of tunnel which is supported by the tunnel decapsulator router. This document defines how to advertise, in OSPF Router Information Link State Advertisement (LSAs), the list of tunnel encapsulations supported by the tunnel decapsulator.Work in ProgressDifferentiated Services and TunnelsThis document considers the interaction of Differentiated Services (diffserv) with IP tunnels of various forms. This memo provides information for the Internet community.Security Framework for MPLS and GMPLS NetworksThis document provides a security framework for Multiprotocol Label Switching (MPLS) and Generalized Multiprotocol Label Switching (GMPLS) Networks. This document addresses the security aspects that are relevant in the context of MPLS and GMPLS. It describes the security threats, the related defensive techniques, and the mechanisms for detection and reporting. This document emphasizes RSVP-TE and LDP security considerations, as well as inter-AS and inter-provider security considerations for building and maintaining MPLS and GMPLS networks across different domains or different Service Providers. This document is not an Internet Standards Track specification; it is published for informational purposes.The Use of Entropy Labels in MPLS ForwardingLoad balancing is a powerful tool for engineering traffic across a network. This memo suggests ways of improving load balancing across MPLS networks using the concept of "entropy labels". It defines the concept, describes why entropy labels are useful, enumerates properties of entropy labels that allow maximal benefit, and shows how they can be signaled and used for various applications. This document updates RFCs 3031, 3107, 3209, and 5036. [STANDARDS-TRACK]Keying and Authentication for Routing Protocols (KARP) Overview, Threats, and RequirementsDifferent routing protocols employ different mechanisms for securing protocol packets on the wire. While most already have some method for accomplishing cryptographic message authentication, in many cases the existing methods are dated, vulnerable to attack, and employ cryptographic algorithms that have been deprecated. The "Keying and Authentication for Routing Protocols" (KARP) effort aims to overhaul and improve these mechanisms. This document does not contain protocol specifications. Instead, it defines the areas where protocol specification work is needed. This document is a companion document to RFC 6518, "Keying and Authentication for Routing Protocols (KARP) Design Guidelines"; together they form the guidance and instruction KARP design teams will use to review and overhaul routing protocol transport security.UDP Usage GuidelinesThe User Datagram Protocol (UDP) provides a minimal message-passing transport that has no inherent congestion control mechanisms. This document provides guidelines on the use of UDP for the designers of applications, tunnels, and other protocols that use UDP. Congestion control guidelines are a primary focus, but the document also provides guidance on other topics, including message sizes, reliability, checksums, middlebox traversal, the use of Explicit Congestion Notification (ECN), Differentiated Services Code Points (DSCPs), and ports.Because congestion control is critical to the stable operation of the Internet, applications and other protocols that choose to use UDP as an Internet transport must employ mechanisms to prevent congestion collapse and to establish some degree of fairness with concurrent traffic. They may also need to implement additional mechanisms, depending on how they use UDP.Some guidance is also applicable to the design of other protocols (e.g., protocols layered directly on IP or via IP-based tunnels), especially when these protocols do not themselves provide congestion control.This document obsoletes RFC 5405 and adds guidelines for multicast UDP usage.Use Cases for IPv6 Source Packet Routing in Networking (SPRING)The Source Packet Routing in Networking (SPRING) architecture describes how Segment Routing can be used to steer packets through an IPv6 or MPLS network using the source routing paradigm. This document illustrates some use cases for Segment Routing in an IPv6-only environment.Entropy Label for Source Packet Routing in Networking (SPRING) TunnelsOSPF Extensions for Segment RoutingIS-IS Extensions for Segment RoutingAcknowledgementsThanks to Joel Halpern, Bruno Decraene, Loa Andersson,
Ron Bonica, Eric Rosen, Jim Guichard, Gunter Van De Velde,
Andy Malis, Robert Sparks, and Al Morton for their insightful
comments on this document.Additional thanks to Mirja Kuehlewind, Alvaro Retana, Spencer Dawkins,
Benjamin Kaduk, Martin Vigoureux, Suresh Krishnan, and Eric Vyncke
for careful reviews and resulting comments.Contributors
Ahmed Bashandy
Individual
Email: abashandy.ietf@gmail.com
Clarence Filsfils
Cisco
Email: cfilsfil@cisco.com
John Drake
Juniper
Email: jdrake@juniper.net
Shaowen Ma
Mellanox Technologies
Email: mashaowen@gmail.com
Mach Chen
Huawei
Email: mach.chen@huawei.com
Hamid Assarpour
Broadcom
Email:hamid.assarpour@broadcom.com
Robert Raszuk
Bloomberg LP
Email: robert@raszuk.net
Uma Chunduri
Huawei
Email: uma.chunduri@gmail.com
Luis M. Contreras
Telefonica I+D
Email: luismiguel.contrerasmurillo@telefonica.com
Luay Jalil
Verizon
Email: luay.jalil@verizon.com
Gunter Van De Velde
Nokia
Email: gunter.van_de_velde@nokia.com
Tal Mizrahi
Marvell
Email: talmi@marvell.com
Jeff Tantsura
Apstra, Inc.
Email: jefftant.ietf@gmail.com
Authors' AddressesAlibaba, Incxiaohu.xxh@alibaba-inc.comFuturewei Technologiesstewart.bryant@gmail.comOld Dog Consultingadrian@olddog.co.ukCiscoshassan@cisco.comNokiawim.henderickx@nokia.comHuaweilizhenbin@huawei.com