idnits 2.17.1 draft-bashandy-rtgwg-segment-routing-ti-lfa-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet has text resembling RFC 2119 boilerplate text. == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 19, 2018) is 2288 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: 'Adjacency' on line 396 -- Looks like a reference, but probably isn't: 'Node' on line 396 == Unused Reference: '3' is defined on line 518, but no explicit reference was found in the text == Outdated reference: A later version (-15) exists of draft-ietf-spring-segment-routing-08 == Outdated reference: A later version (-16) exists of draft-bashandy-rtgwg-segment-routing-uloop-00 == Outdated reference: A later version (-15) exists of draft-ietf-spring-segment-routing-11 -- Duplicate reference: draft-ietf-spring-segment-routing, mentioned in '6', was also mentioned in '1'. Summary: 0 errors (**), 0 flaws (~~), 7 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group A. Bashandy 2 Internet Draft C. Filsfils 3 Intended status: Standard Track Cisco Systems 4 Expires: July 2018 Bruno Decraene 5 Stephane Litkowski 6 Orange 7 Pierre Francois 8 Individual Contributor 9 January 19, 2018 11 Topology Independent Fast Reroute using Segment Routing 12 draft-bashandy-rtgwg-segment-routing-ti-lfa-02 14 Abstract 16 This document presents Topology Independent Loop-free Alternate Fast 17 Re-route (TI-LFA), aimed at providing protection of node and 18 adjacency segments within the Segment Routing (SR) framework. This 19 Fast Re-route (FRR) behavior builds on proven IP-FRR concepts being 20 LFAs, remote LFAs (RLFA), and remote LFAs with directed forwarding 21 (DLFA). It extends these concepts to provide guaranteed coverage in 22 any IGP network. A key aspect of TI-LFA is the FRR path selection 23 approach establishing protection over post-convergence paths from 24 the point of local repair, dramatically reducing the operational 25 need to control the tie-breaks among various FRR options. 27 Status of this Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 This document may contain material from IETF Documents or IETF 33 Contributions published or made publicly available before November 34 10, 2008. The person(s) controlling the copyright in some of this 35 material may not have granted the IETF Trust the right to allow 36 modifications of such material outside the IETF Standards Process. 37 Without obtaining an adequate license from the person(s) 38 controlling the copyright in such materials, this document may not 39 be modified outside the IETF Standards Process, and derivative 40 works of it may not be created outside the IETF Standards Process, 41 except to format it for publication as an RFC or to translate it 42 into languages other than English. 44 Internet-Drafts are working documents of the Internet Engineering 45 Task Force (IETF), its areas, and its working groups. Note that 46 other groups may also distribute working documents as Internet- 47 Drafts. 49 Internet-Drafts are draft documents valid for a maximum of six 50 months and may be updated, replaced, or obsoleted by other 51 documents at any time. It is inappropriate to use Internet-Drafts 52 as reference material or to cite them other than as "work in 53 progress." 55 The list of current Internet-Drafts can be accessed at 56 http://www.ietf.org/ietf/1id-abstracts.txt 58 The list of Internet-Draft Shadow Directories can be accessed at 59 http://www.ietf.org/shadow.html 61 This Internet-Draft will expire on January 19, 2016. 63 Copyright Notice 65 Copyright (c) 2017 IETF Trust and the persons identified as the 66 document authors. All rights reserved. 68 This document is subject to BCP 78 and the IETF Trust's Legal 69 Provisions Relating to IETF Documents 70 (http://trustee.ietf.org/license-info) in effect on the date of 71 publication of this document. Please review these documents 72 carefully, as they describe your rights and restrictions with 73 respect to this document. Code Components extracted from this 74 document must include Simplified BSD License text as described in 75 Section 4.e of the Trust Legal Provisions and are provided without 76 warranty as described in the Simplified BSD License. 78 Table of Contents 80 1. Introduction...................................................3 81 1.1. Conventions used in this document.........................5 82 2. Terminology....................................................5 83 3. Intersecting P-Space and Q-Space with post-convergence paths...6 84 3.1. P-Space property computation for a resource X.............6 85 3.2. Q-Space property computation for a link S-F, over post- 86 convergence paths..............................................6 87 3.3. Q-Space property computation for a set of links adjacent to 88 S, over post-convergence paths.................................6 89 3.4. Q-Space property computation for a node F, over post- 90 convergence paths..............................................7 91 4. TI-LFA Repair Tunnel...........................................7 92 4.1. The repair node is a direct neighbor......................7 93 4.2. The repair node is a PQ node..............................7 94 4.3. The repair is a Q node, neighbor of the last P node.......7 95 4.4. Connecting distant P and Q nodes along post-convergence 96 paths..........................................................8 98 5. Protecting segments............................................8 99 5.1. The active segment is a node segment......................8 100 5.2. The active segment is an adjacency segment................8 101 5.2.1. Protecting [Adjacency, Adjacency] segment lists......8 102 5.2.2. Protecting [Adjacency, Node] segment lists...........9 103 5.3. Protecting SR policy midpoints against node failure.......9 104 5.3.1. Protecting {F, T, D} or {S->F, T, D}.................9 105 5.3.2. Protecting {F, F->T, D} or {S->F, F->T, D}..........10 106 6. Security Considerations.......................................11 107 7. IANA Considerations...........................................11 108 8. Conclusions...................................................11 109 9. References....................................................11 110 9.1. Normative References.....................................11 111 9.2. Informative References...................................11 112 10. Acknowledgments..............................................12 114 1. Introduction 116 Segment Routing aims at supporting services with tight SLA 117 guarantees [1]. By relying on segment routing this document 118 provides a local repair mechanism for standard IGP shortest path 119 capable of restoring end-to-end connectivity in the case of a 120 sudden directly connected failure of a network component. Non-SR 121 mechanisms for local repair are beyond the scope of this document. 122 Non-local failures are addressed in a separate document [5]. 124 For each destination in the network, TI-LFA prepares a data-plane 125 switch-over to be activated upon detection of the failure of a 126 link used to reach the destination. TI-LFA provides protection in 127 the event of any one of the following: single link failure, 128 single node failure, or single local SRLG failure. In link 129 failure mode, the destination is protected assuming the failure of 130 the link. In node protection mode, the destination is protected 131 assuming that the neighbor connected to the primary link has 132 failed. In local SRLG protecting mode, the destination is 133 protected assuming that a configured set of links sharing fate 134 with the primary link has failed (e.g. a linecard). 136 Protection applies to traffic which traverses the PLR. Traffic 137 which does NOT traverse the PLR remains unaffected. 139 Using segment routing, there is no need to establish TLDP sessions 140 with remote nodes in order to take advantage of the applicability 141 of remote LFAs (RLFA) or remote LFAs with directed forwarding 142 (DLFA)[2]. As a result, preferring LFAs over RLFAs or DLFAs, as 143 well as minimizing the number of RLFA or DLFA repair nodes is not 144 required. This allows for a protection path selection approach 145 meeting operational needs rather than a topologically constrained 146 one. 148 Using SR, there is no need to create state in the network in order 149 to enforce an explicit FRR path. As a result, we can use 150 optimized detour paths for each specific destination and for each 151 type of failure without creating additional forwarding state. 152 Also, the mode of protection (link, node, SRLG) is not constrained 153 to be network wide or node wide, but can be managed on a per 154 interface basis. 156 Building on such an easier forwarding environment, the FRR 157 behavior suggested in this document tailors the repair paths over 158 the post-convergence path from the PLR to the protected 159 destination, given the enabled protection mode for the interface. 161 As the capacity of the post-convergence path is typically planned 162 by the operator to support the post-convergence routing of the 163 traffic for any expected failure, there is much less need for the 164 operator to tune the decision among which protection path to 165 choose. The protection path will automatically follow the natural 166 backup path that would be used after local convergence. This also 167 helps to reduce the amount of path changes and hence service 168 transients: one transition (pre-convergence to post-convergence) 169 instead of two (pre-convergence to FRR and then post-convergence). 171 L ____ 172 S----F--{____}----D 173 /\ | / 174 | | | _______ / 175 |__}---Q{_______} 177 Figure 1 TI-LFA Protection 179 We use Figure 1 to illustrate the TI-LFA approach. 181 The Point of Local Repair (PLR), S, needs to find a node Q (a repair 182 node) that is capable of safely forwarding the traffic to a 183 destination D affected by the failure of the protected link L, a set 184 of adjacent links including L (local SRLG), or the node F itself. 185 The PLR also needs to find a way to reach Q without being affected 186 by the convergence state of the nodes over the paths it wants to use 187 to reach Q. 189 In Section 2 we define the main notations used in the document. 190 They are in line with [2]. 192 In Section 3, we suggest to compute the P-Space and Q-Space 193 properties defined in Section 2, for the specific case of nodes 194 lying over the post-convergence paths towards the protected 195 destinations. 197 Using the properties defined in Section 3, we describe how to 198 compute protection lists that encode a loopfree post-convergence 199 towards the destination, in Section 4. 201 Finally, we define the segment operations to be applied by the PLR 202 to ensure consistency with the forwarding state of the repair node, 203 in Section 5. 205 1.1. Conventions used in this document 207 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL 208 NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" 209 in this document are to be interpreted as described in RFC-2119 211 In this document, these words will appear with that interpretation 212 only when in ALL CAPS. Lower case uses of these words are not to 213 be interpreted as carrying RFC-2119 significance. 215 2. Terminology 217 We define the main notations used in this document as the following. 219 We refer to "old" and "new" topologies as the LSDB state before and 220 after the considered failure. 222 SPT_old(R) is the Shortest Path Tree rooted at node R in the initial 223 state of the network. 225 SPT_new(R, X) is the Shortest Path Tree rooted at node R in the 226 state of the network after the resource X has failed. 228 Dist_old(A,B) is the distance from node A to node B in SPT_old(A). 230 Dist_new(A,B, X) is the distance from node A to node B in 231 SPT_new(A,X). 233 Similarly to [4], we rely on the concept of P-Space and Q-Space for 234 TI-LFA. 236 The P-Space P(R,X) of a node R w.r.t. a resource X (e.g. a link S-F, 237 a node F, or a local SRLG) is the set of nodes that are reachable 238 from R without passing through X. It is the set of nodes that are 239 not downstream of X in SPT_old(R). 241 The Extended P-Space P'(R,X) of a node R w.r.t. a resource X is the 242 set of nodes that are reachable from R or a neighbor of R, without 243 passing through X. 245 The Q-Space Q(D,X) of a destination node D w.r.t. a resource X is 246 the set of nodes which do not use X to reach D in the initial state 247 of the network. In other words, it is the set of nodes which have D 248 in their P-Space w.r.t. S-F, F, or a set of links adjacent to S). 250 A symmetric network is a network such that the IGP metric of each 251 link is the same in both directions of the link. 253 3. Intersecting P-Space and Q-Space with post-convergence paths 255 In this section, we suggest to determine the P-Space and Q-Space 256 properties of the nodes along the post-convergence paths from the 257 PLR to the protected destination and compute an SR-based explicit 258 path from P to Q when they are not adjacent. Such properties will 259 be used in Section 4 to compute the TI-LFA repair list. 261 3.1. P-Space property computation for a resource X 263 A node N is in P(R, X) if it is not downstream of X in SPT_old(R). 264 X can be a link, a node, or a set of links adjacent to the PLR. A 265 node N is in P'(R,X) if it is not downstream of X in SPT_old(N), 266 for at least one neighbor N of R. 268 3.2. Q-Space property computation for a link S-F, over post- 269 convergence paths 271 We want to determine which nodes on the post-convergence path from 272 the PLR to the destination D are in the Q-Space of destination D 273 w.r.t. link S-F. 275 This can be found by intersecting the post-convergence path to D, 276 assuming the failure of S-F, with Q(D, S-F). 278 3.3. Q-Space property computation for a set of links adjacent to S, 279 over post-convergence paths 281 We want to determine which nodes on the post-convergence path from 282 the PLR to the destination D are in the Q-Space of destination D 283 w.r.t. a set of links adjacent to S (S being the PLR). That is, we 284 aim to find the set of nodes on the post-convergence path that use 285 none of the members of the protected set of links, to reach D. 287 This can be found by intersecting the post-convergence path to D, 288 assuming the failure of the set of links, with the intersection 289 among Q(D, S->X) for all S->X belonging to the set of links. 291 3.4. Q-Space property computation for a node F, over post-convergence 292 paths 294 We want to determine which nodes on the post-convergence from the 295 PLR to the destination D are in the Q-Space of destination D w.r.t. 296 node F. 298 This can be found by intersecting the post-convergence path to D, 299 assuming the failure of F, with Q(D, F). 301 4. TI-LFA Repair Tunnel 303 The TI-LFA repair tunnel consists of an outgoing interface and a 304 list of segments (repair list) to insert on the SR header. The 305 repair list encodes the explicit post-convergence path to the 306 destination, which avoids the protected resource X. 308 The TI-LFA repair tunnel is found by intersecting P(S,X) and Q(D,X) 309 with the post-convergence path to D and computing the explicit SR- 310 based path EP(P, Q) from P to Q when these nodes are not adjacent 311 along the post convergence path. The TI-LFA repair list is 312 expressed generally as (Node_SID(P), EP(P, Q)). 314 Most often, the TI-LFA repair list has a simpler form, as described 315 in the following sections. 317 4.1. The repair node is a direct neighbor 319 When the repair node is a direct neighbor, the outgoing interface is 320 set to that neighbor and the repair segment list is empty. 322 This is comparable to a post-convergence LFA FRR repair. 324 4.2. The repair node is a PQ node 326 When the repair node is in P(S,X), the repair list is made of a 327 single node segment to the repair node. 329 This is comparable to a post-convergence RLFA repair tunnel. 331 4.3. The repair is a Q node, neighbor of the last P node 333 When the repair node is adjacent to P(S,X), the repair list is made 334 of two segments: A node segment to the adjacent P node, and an 335 adjacency segment from that node to the repair node. 337 This is comparable to a post-convergence DLFA repair tunnel. 339 4.4. Connecting distant P and Q nodes along post-convergence paths 341 In some cases, there is no adjacent P and Q node along the post- 342 convergence path. However, the PLR can perform additional 343 computations to compute a list of segments that represent a loopfree 344 path from P to Q. 346 5. Protecting segments 348 In this section, we explain how a protecting router S processes the 349 active segment of a packet upon the failure of its primary outgoing 350 interface for the packet, S-F. 352 The behavior depends on the type of active segment to be protected. 354 5.1. The active segment is a node segment 356 The active segment is kept on the SR header, unchanged (1). The 357 repair list is inserted at the head of the list. The active segment 358 becomes the first segment of the inserted repair list. 360 Note (1): If the SRGB at the repair node is different from the SRGB 361 at the PLR, then the active segment must be updated to fit the SRGB 362 of the repair node. 364 In Section 5.3, we describe the node protection behavior of PLR S, 365 for the specific case where the active segment is a prefix segment 366 for the neighbor F itself. 368 5.2. The active segment is an adjacency segment 370 We define hereafter the FRR behavior applied by S for any packet 371 received with an active adjacency segment S-F for which protection 372 was enabled. We distinguish the case where this active segment is 373 followed by another adjacency segment from the case where it is 374 followed by a node segment. 376 5.2.1. Protecting [Adjacency, Adjacency] segment lists 378 If the next segment in the list is an Adjacency segment, then the 379 packet has to be conveyed to F. 381 To do so, S applies a "NEXT" operation on Adj(S-F) and then two 382 consecutive "PUSH" operations: first it pushes a node segment for F, 383 and then it pushes a protection list allowing to reach F while 384 bypassing S-F. For details on the "NEXT" and "PUSH" operations, 385 refer to [6]. 387 Upon failure of S-F, a packet reaching S with a segment list 388 matching [adj(S-F),adj(M),...] will thus leave S with a segment list 389 matching [RT(F),node(F),adj(M)], where RT(F) is the repair tunnel 390 for destination F. 392 In Section 5.3.2, we describe the TI-LFA behavior of PLR S when 393 node protection is applied and the two first segments are Adjacency 394 Segments. 396 5.2.2. Protecting [Adjacency, Node] segment lists 398 If the next segment in the stack is a node segment, say for node T, 399 the packet segment list matches [adj(S-F),node(T),...]. 401 A first solution would consist in steering the packet back to F 402 while avoiding S-F. To do so, S applies a "NEXT" operation on 403 Adj(S-F) and then two consecutive "PUSH" operations: first it pushes 404 a node segment for F, and then it pushes a repair list allowing to 405 reach F while bypassing S-F. 407 Upon failure of S-F, a packet reaching S with a segment list 408 matching [adj(S-F),node(T),...] will thus leave S with a segment 409 list matching [RT(F),node(F),node(T)]. 411 Another solution is to not steer the packet back via F but rather 412 follow the new shortest path to T. In this case, S just needs to 413 apply a "NEXT" operation on the Adjacency segment related to S-F, 414 and push a repair list redirecting the traffic to a node Q, whose 415 path to node segment T is not affected by the failure. 417 Upon failure of S-F, packets reaching S with a segment list matching 418 [adj(L), node(T), ...], would leave S with a segment list matching 419 [RT(Q),node(T), ...]. Note that this second behavior is the one 420 followed for node protection, as described in Section 5.3.1. 422 5.3. Protecting SR policy midpoints against node failure 424 As planned in the previous version of this document, we describe the 425 behavior of a node S configured to interpret the failure of link S- 426 >F as the node failure of F, in the specific case where the active 427 segment of the packet received by S is a Prefix SID of F represented 428 as "F"), or an Adjacency SID for the link S-F (represented as "S- 429 >F"). 431 5.3.1. Protecting {F, T, D} or {S->F, T, D} 433 We describe the protection behavior of S when 434 1. the active segment is a prefix SID for a neighbor F, or an 435 adjacency segment S->F 437 2. the primary interface used to forward the packet failed 439 3. the segment following the active segment is a prefix SID (for 440 node T) 442 4. node protection is active for that interface. 444 The TILFA Node FRR behavior becomes equivalent to: 446 1. Pop; the segment F or S->F is removed 448 2. Confirm that the next segment is in the SRGB of F, meaning that 449 the next segment is a prefix segment, e.g. for node T 451 3. Identify T (as per the SRGB of F) 453 4. Pop the next segment and push T's segment based on the local SRGB 455 5. forward the packet according to T. 457 5.3.2. Protecting {F, F->T, D} or {S->F, F->T, D} 459 We describe the protection behavior of S when 461 1. the active segment is a prefix SID for a neighbor F, or an 462 adjacency segment S->F 464 2. the primary interface used to forward the packet failed 466 3. the segment following the active segment is an adjacency SID (F- 467 >T) 469 4. node protection is active for that interface. 471 The TILFA Node FRR behavior becomes equivalent to: 473 1. Pop; the segment F or S->F is removed 475 2. Confirm that the next segment is an adjacency SID of F, say F->T 477 3. Identify T (as per the set of Adjacency Segments of F) 479 4. Pop the next segment and push T's segment based on the local SRGB 481 5. forward the packet according to T. 483 6. Security Considerations 485 The techniques described in this document are internal 486 functionality to a router that result in the ability to guarantee 487 an upper bound on the time taken to restore traffic flow upon the 488 failure of a directly connected link or node. As these techniques 489 steer traffic to the post-convergence path as quickly as possible, 490 this serves to minimize the disruption associated with a local 491 failure which can be seen as a modest security enhancement. 493 7. IANA Considerations 495 No requirements for IANA 497 8. Conclusions 499 This document proposes a mechanism that is able to pre-calculate a 500 backup path for every primary path so as to be able to protect 501 against the failure of a directly connected link, node, or SRLG. 502 The mechanism is able to calculate the backup path irrespective of 503 the topology as long as the topology is sufficiently redundant. 505 9. References 507 9.1. Normative References 509 9.2. Informative References 511 [1] Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., and R. 512 Shakir, "Segment Routing Architecture", draft-ietf-spring- 513 segment-routing-08 (work in progress), May 2016. 515 [2] Shand, M. and S. Bryant, "IP Fast Reroute Framework", RFC 516 5714, January 2010. 518 [3] Filsfils, C., Francois, P., Shand, M., Decraene, B., Uttaro, 519 J., Leymann, N., and M. Horneffer, "Loop-Free Alternate (LFA) 520 Applicability in Service Provider (SP) Networks", RFC 6571, 521 June 2012. 523 [4] Bryant, S., Filsfils, C., Previdi, S., Shand, M., and N. So, 524 "Remote Loop-Free Alternate (LFA) Fast Reroute (FRR)", RFC 525 7490, DOI 10.17487/RFC7490, April 2015, . 528 [5] Bashandy, A., Filsfils, C., and Litkowski, S., " Loop 529 avoidance using Segment Routing", draft-bashandy-rtgwg- 530 segment-routing-uloop-00, (work in progress), May 2017 532 [6] Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., and 533 Shakir, R, "Segment Routing Architecture", draft-ietf-spring- 534 segment-routing-11 (work in progress), February 2017 536 10. Acknowledgments 538 We would like to give Les Ginsberg special thanks for the valuable 539 comments and contribution 541 This document was prepared using 2-Word-v2.0.template.dot. 543 Authors' Addresses 545 Pierre Francois 546 pfrpfr@gmail.com 548 Ahmed Bashandy 549 Cisco Systems 550 170 West Tasman Dr, San Jose, CA 95134, USA 551 Email: bashandy@cisco.com 553 Clarence Filsfils 554 Cisco Systems 555 Brussels, Belgium 556 Email: cfilsfil@cisco.com 558 Bruno Decraene 559 Orange 560 Issy-les-Moulineaux 561 FR 562 Email: bruno.decraene@orange.com 564 Stephane Litkowski 565 Orange 566 FR 567 Email: stephane.litkowski@orange.com