SR-MPLS over IPAlibabaxiaohu.xxh@alibaba-inc.comHuaweistewart.bryant@gmail.comJuniperafarrel@juniper.netCiscoshassan@cisco.comNokiawim.henderickx@nokia.comHuaweilizhenbin@huawei.comMPLS Segment Routing (SR-MPLS in short) is an MPLS data plane-based
source routing paradigm in which the sender of a packet is allowed to
partially or completely specify the route the packet takes through the
network by imposing stacked MPLS labels on the packet. SR-MPLS could be
leveraged to realize a source routing mechanism across MPLS, IPv4, and
IPv6 data planes by using an MPLS label stack as a source routing
instruction set while preserving backward compatibility with
SR-MPLS.This document describes how SR-MPLS capable routers and IP-only
routers can seamlessly co-exist and interoperate through the use of
SR-MPLS label stacks and IP encapsulation/tunneling such as MPLS-in-UDP
as defined in RFC 7510.MPLS Segment Routing (SR-MPLS in short) is an MPLS data
plane-based source routing paradigm in which the sender of a packet is
allowed to partially or completely specify the route the packet takes
through the network by imposing stacked MPLS labels on the packet.
SR-MPLS could be leveraged to realize a source routing mechanism across
MPLS, IPv4, and IPv6 data planes by using an MPLS label stack as a
source routing instruction set while preserving backward compatibility
with SR-MPLS. More specifically, the source routing instruction set
information contained in a source routed packet could be uniformly
encoded as an MPLS label stack no matter whether the underlay is IPv4,
IPv6, or MPLS.This document describes how SR-MPLS capable routers and IP-only
routers can seamlessly co-exist and interoperate through the use of
SR-MPLS label stacks and IP encapsulation/tunneling such as MPLS-in-UDP
.Although the source routing instructions are encoded as MPLS labels,
this is a hardware convenience rather than an indication that the whole
MPLS protocol stack needs to be deployed. In particular, the MPLS
control protocols are not used in this or any other form of SR-MPLS. describes various use cases for the
tunneling SR-MPLS over IP. describes a typical
application scenario and how the packet forwarding happens.This memo makes use of the terms defined in
and .The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and only when,
they appear in all capitals, as shown here.Tunneling SR-MPLS using IPv4 and/or IPv6 tunnels is useful at least
in the following use cases:Incremental deployment of the SR-MPLS technology may be
facilitated by tunneling SR-MPLS packets across parts of a network
that are not SR-MPLS enabled using an IP tunneling mechanism such as
MPLS-in-UDP . The tunnel destination address
is the address of the next SR-MPLS-capable node along the path
(i.e., the egress of the active node segment). This is shown in
. If encoding of entropy is desired, IP tunneling mechanisms that
allow encoding of entropy, such as MPLS-in-UDP encapsulation where the source port of the UDP header is used
as an entropy field, may be used to maximize the utilization of ECMP
and/or UCMP, specially when it is difficult to make use of entropy
label mechanism. Refer to ) for more discussion
about using entropy label in SR-MPLS.Tunneling MPLS into IP provides a technology that enables SR in
an IPv4 and/or IPv6 network where the routers do not support SRv6
capabilities
and where MPLS forwarding is not an option. This is shown in Figure
. This section describes the construction of forwarding information
base (FIB) entries and the forwarding behavior that allow the deployment
of SR-MPLS when some routers in the network are IP only (i.e., do not
support SR-MPLS). Note that the examples described in and assume that OSPF or ISIS is
enabled: in fact, other mechanisms of discovery and advertisement could
be used including other routing protocols (such as BGP) or a central
controller.This sub-section describes the how to construct the forwarding
information base (FIB) entry on an SR-MPLS-capable router when some or
all of the next-hops along the shortest path towards a prefix-SID are
IP-only routers.Consider router A that receives a labeled packet with top label
L(E) that corresponds to the prefix-SID SID(E) of prefix P(E)
advertised by router E. Suppose the ith next-hop router (termed NHi)
along the shortest path from router A toward SID(E) is not SR-MPLS
capable while both routers A and E are SR-MPLS capable. The following
processing steps apply:Router E is SR-MPLS capable so it advertises the
SR-Capabilities sub-TLV including the SRGB as described in and .Router E advertises the prefix-SID SID(E) of prefix P(E) so
MUST also advertise the encapsulation endpoint and the tunnel type
of any tunnel used to reach E. It does this using the mechanisms
described in or
.If A and E are in different IGP areas/levels, then: The OSPF Tunnel Encapsulation TLV or the ISIS Tunnel
Encapsulation sub-TLV is flooded
domain-wide.The OSPF SID/label range TLV or the
ISIS SR-Capabilities Sub-TLV is
advertised domain-wide. This way router A knows the
characteristics of the router that originated the
advertisement of SID(E) (i.e., router E).When router E advertises the prefix P(E): If router E is running ISIS it uses the extended
reachability TLV (TLVs 135, 235, 236, 237) and associates
the IPv4/IPv6 or IPv4/IPv6 source router ID sub-TLV(s)
.If router E is running OSPF it uses the OSPFv2 Extended
Prefix Opaque LSA and sets the
flooding scope to AS-wide.If router E is running ISIS and advertises the ISIS
capabilities TLV (TLV 242) , it MUST
set the "router-ID" field to a valid value or include an IPV6
TE router-ID sub-TLV (TLV 12), or do both. The "S" bit
(flooding scope) of the ISIS capabilities TLV (TLV 242) MUST
be set to "1" .Router A programs the FIB entry for prefix P(E) corresponding
to the SID(E) as follows: If the NP flag in OSPF or the P flag in ISIS is clear:
pop the top labelIf the NP flag in OSPF or the P flag in ISIS is set: swap the top label to a value equal to SID(E) plus the
lower bound of the SRGB of EEncapsulate the packet according to the encapsulation
advertised in
or Send the packet towards the next hop NHi. specifies an IP-based encapsulation for
MPLS, i.e., MPLS-in-UDP, which is applicable in some circumstances
where IP-based encapsulation for MPLS is required and further
fine-grained load balancing of MPLS packets over IP networks over
Equal-Cost Multipath (ECMP) and/or Link Aggregation Groups (LAGs) is
required as well. This section provides details about the forwarding
procedure when when UDP encapsulation is adopted for SR-MPLS over
IP.Nodes that are SR-MPLS capable can process SR-MPLS packets. Not all
of the nodes in an SR-MPLS domain are SR-MPLS capable. Some nodes may
be "legacy routers" that cannot handle SR-MPLS packets but can forward
IP packets. An SR-MPLS-capable node may advertise its capabilities
using the IGP as described in . There are six
types of node in an SR-MPLS domain: Domain ingress nodes that receive packets and encapsulate them
for transmission across the domain. Those packets may be any
payload protocol including native IP packets or packets that are
already MPLS encapsulated.Legacy transit nodes that are IP routers but that are not
SR-MPLS capable (i.e., are not able to perform segment
routing).Transit nodes that are SR-MPLS capable but that are not
identified by a SID in the SID stack.Transit nodes that are SR-MPLS capable and need to perform
SR-MPLS routing because they are identified by a SID in the SID
stack.The penultimate SR-MPLS capable node on the path that processes
the last SID on the stack on behalf of the domain egress node.The domain egress node that forwards the payload packet for
ultimate delivery.The description in this section assumes that the label associated
with each prefix-SID is advertised by the owner of the prefix-SID is
a Penultimate Hop Popping (PHP) label. That is, the NP flag in OSPF
or the P flag in ISIS associated with the prefix SID is not set.In the example shown in , assume that
routers A, E, G and H are SR-MPLS-capable while the remaining
routers (B, C, D and F) are only capable of forwarding IP packets.
Routers A, E, G, and H advertise their Segment Routing related
information via IS-IS or OSPF.Now assume that router A (the Domain ingress) wants to send a
packet to router H (the Domain egress) via the explicit path
{E->G->H}. Router A will impose an MPLS label stack on the
packet that corresponds to that explicit path. Since the next hop
toward router E is only IP-capable (B is a legacy transit node),
router A replaces the top label (that indicated router E) with a
UDP-based tunnel for MPLS (i.e., MPLS-over-UDP ) to router E and then sends the packet. In other
words, router A pops the top label and then encapsulates the MPLS
packet in a UDP tunnel to router E.When the IP-encapsulated MPLS packet arrives at router E (which
is an SR-MPLS-capable transit node), router E strips the IP-based
tunnel header and then process the decapsulated MPLS packet. The top
label indicates that the packet must be forwarded toward router G.
Since the next hop toward router G is only IP-capable, router E
replaces the current top label with an MPLS-over-UDP tunnel toward
router G and sends it out. That is, router E pops the top label and
then encapsulates the MPLS packet in a UDP tunnel to router G.When the packet arrives at router G, router G will strip the
IP-based tunnel header and then process the decapsulated MPLS
packet. The top label indicates that the packet must be forwarded
toward router H. Since the next hop toward router H is only
IP-capable (D is a legacy transit router), router G would replace
the current top label with an MPLS-over-UDP tunnel toward router H
and send it out. However, since router G reaches the bottom of the
label stack (G is the penultimate SR-MPLS capable node on the path)
this would leave the original packet that router A wanted to send to
router H encapsulated in UDP as if it was MPLS (i.e., with a UDP
header and destination port indicating MPLS) even though the
original packet could have been any protocol. That is, the final
SR-MPLS has been popped exposing the payload packet.To handle this, when a router (here it is router G) pops the
final SR-MPLS label, it inserts an explicit null label before encapsulating the packet in an
MPLS-over-UDP tunnel toward router H and sending it out. That is,
router G pops the top label, discovers it has reached the bottom of
stack, pushes an explicit null label, and then encapsulates the MPLS
packet in a UDP tunnel to router H. demonstrates the packet walk in the
case where the label associated with each prefix-SID advertised by
the owner of the prefix-SID is not a Penultimate Hop Popping (PHP)
label (i.e., the the NP flag in OSPF or the P flag in ISIS
associated with the prefix SID is set). Apart from the PHP function
the roles of the routers is unchanged from .As can be seen from the figure, the SR-MPLS label for each
segment is left in place until the end of the segment where it is
popped and the next instruction is processed.Although the description in
the previous two sections is based on the use of prefix-SIDs,
tunneling SR-MPLS packets is useful when the top label of a
received SR-MPLS packet indicates an adjacency-SID and the
corresponding adjacent node to that adjacency-SID is not capable
of MPLS forwarding but can still process SR-MPLS packets. In
this scenario the top label would be replaced by an IP tunnel
toward that adjacent node and then forwarded over the
corresponding link indicated by the adjacency-SID.The description in
the previous two sections is based on the assumption that
MPLS-over-UDP tunnel is used when the nexthop towards the next
segment is not MPLS-enabled. However, even in the case where the
nexthop towards the next segment is MPLS-capable, an
MPLS-over-UDP tunnel towards the next segment could still be
used instead due to local policies. For instance, in the example
as described in , assume F is now an
SR-MPLS-capable transit node while all the other assumptions
keep unchanged, since F is not identified by a SID in the stack
and an MPLS-over-UDP tunnel is preferred to an MPLS LSP
according to local policies, router E would replace the current
top label with an MPLS-over-UDP tunnel toward router G and send
it out.When encapsulating an MPLS
packet in UDP, the resulting packet is further encapsulated in
IP for transmission. IPv4 or IPv6 may be used according to the
capabilities of the network. The address fields are set as
described in . The other IP header
fields (such as DSCP code point, or IPv6 Flow Label) on each
UDP-encapsulated segment can be set according to the operator's
policy: they may be copied from the header of the incoming
packet; they may be promoted from the header of the payload
packet; they may be set according to instructions programmed to
be associated with the SID; or they may be configured dependent
on the outgoing interface and payload.When encapsulating an MPLS
packet with an IP tunnel header that is capable of encoding
entropy (such as ), the corresponding
entropy field (the source port in case UDP tunnel) MAY be filled
with an entropy value that is generated by the encapsulator to
uniquely identify a flow. However, what constitutes a flow is
locally determined by the encapsulator. For instance, if the
MPLS label stack contains at least one entropy label and the
encapsulator is capable of reading that entropy label, the
entropy label value could be directly copied to the source port
of the UDP header. Otherwise, the encapsulator may have to
perform a hash on the whole label stack or the five-tuple of the
SR-MPLS payload if the payload is determined as an IP packet. To
avoid re-performing the hash or hunting for the entropy label
each time the packet is encapsulated in a UDP tunnel it MAY be
desirable that the entropy value contained in the incoming
packet (i.e., the UDP source port value) is retained when
stripping the UDP header and is re-used as the entropy value of
the outgoing packet.This document makes no requests for IANA action.The security consideration of and apply. DTLS SHOULD be used
where security is needed on an MPLS-SR-over-UDP segment.It is difficult for an attacker to pass a raw MPLS encoded packet
into a network and operators have considerable experience at excluding
such packets at the network boundaries.It is easy for an ingress node to detect any attempt to smuggle an IP
packet into the network since it would see that the UDP destination port
was set to MPLS. SR packets not having a destination address terminating
in the network would be transparently carried and would pose no security
risk to the network under consideration.Where control plane techniques are used (as described in it is important that these protocols are adequately
secured for the environment in which they are run.Thanks to Joel Halpern, Bruno Decraene, Loa Andersson, Ron Bonica,
Eric Rosen, Jim Guichard, and Gunter Van De Velde for their insightful
comments on this draft.