idnits 2.17.1 draft-chen-mpls-p2mp-ingress-protection-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Authors' Addresses Section. ** There are 22 instances of too long lines in the document, the longest one being 1 character in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (December 26, 2013) is 3774 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'S' is mentioned on line 132, but not defined == Missing Reference: 'Ra' is mentioned on line 135, but not defined == Missing Reference: 'Rb' is mentioned on line 135, but not defined == Missing Reference: 'L3' is mentioned on line 135, but not defined == Unused Reference: 'RFC1700' is defined on line 1155, but no explicit reference was found in the text == Unused Reference: 'RFC2119' is defined on line 1158, but no explicit reference was found in the text == Unused Reference: 'RFC3692' is defined on line 1161, but no explicit reference was found in the text == Unused Reference: 'RFC2205' is defined on line 1164, but no explicit reference was found in the text == Unused Reference: 'RFC3031' is defined on line 1168, but no explicit reference was found in the text == Unused Reference: 'RFC3209' is defined on line 1171, but no explicit reference was found in the text == Unused Reference: 'RFC3473' is defined on line 1175, but no explicit reference was found in the text == Unused Reference: 'RFC4461' is defined on line 1183, but no explicit reference was found in the text == Unused Reference: 'P2MP-FRR' is defined on line 1192, but no explicit reference was found in the text == Unused Reference: 'RFC2702' is defined on line 1199, but no explicit reference was found in the text == Unused Reference: 'RFC3032' is defined on line 1203, but no explicit reference was found in the text ** Obsolete normative reference: RFC 1700 (Obsoleted by RFC 3232) ** Downref: Normative reference to an Informational RFC: RFC 4461 -- Possible downref: Normative reference to a draft: ref. 'P2MP-FRR' Summary: 4 errors (**), 0 flaws (~~), 17 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force H. Chen, Ed. 3 Internet-Draft Huawei Technologies 4 Intended status: Standards Track R. Torvi, Ed. 5 Expires: June 29, 2014 Juniper Networks 6 December 26, 2013 8 Extensions to RSVP-TE for LSP Ingress Local Protection 9 draft-chen-mpls-p2mp-ingress-protection-10.txt 11 Abstract 13 This document describes extensions to Resource Reservation Protocol - 14 Traffic Engineering (RSVP-TE) for locally protecting the ingress node 15 of a Traffic Engineered (TE) Label Switched Path (LSP) in a Multi- 16 Protocol Label Switching (MPLS) and Generalized MPLS (GMPLS) network. 18 Status of this Memo 20 This Internet-Draft is submitted to IETF in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on June 29, 2014. 35 Copyright Notice 37 Copyright (c) 2013 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Co-authors . . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 2.1. An Example of Ingress Local Protection . . . . . . . . . . 3 55 2.2. Ingress Local Protection with FRR . . . . . . . . . . . . 4 56 3. Ingress Failure Detection . . . . . . . . . . . . . . . . . . 4 57 3.1. Backup and Source Detect Failure . . . . . . . . . . . . . 4 58 3.2. Backup Detects Failure . . . . . . . . . . . . . . . . . . 5 59 3.3. Source Detects Failure . . . . . . . . . . . . . . . . . . 5 60 3.4. Next Hops Detect Failure . . . . . . . . . . . . . . . . . 5 61 3.5. Comparing Different Detection Modes . . . . . . . . . . . 6 62 4. Backup Forwarding State . . . . . . . . . . . . . . . . . . . 6 63 4.1. Forwarding State for Backup LSP . . . . . . . . . . . . . 7 64 4.2. Forwarding State on Next Hops . . . . . . . . . . . . . . 7 65 5. Protocol Extensions . . . . . . . . . . . . . . . . . . . . . 7 66 5.1. INGRESS_PROTECTION Object . . . . . . . . . . . . . . . . 7 67 5.1.1. Subobject: Backup Ingress IPv4/IPv6 Address . . . . . 10 68 5.1.2. Subobject: Ingress IPv4/IPv6 Address . . . . . . . . . 11 69 5.1.3. Subobject: Traffic Descriptor . . . . . . . . . . . . 12 70 5.1.4. Subobject: Label-Routes . . . . . . . . . . . . . . . 12 71 6. Behavior of Ingress Protection . . . . . . . . . . . . . . . . 13 72 6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 13 73 6.1.1. Relay-Message Method . . . . . . . . . . . . . . . . . 13 74 6.1.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 14 75 6.1.3. Comparing Two Methods . . . . . . . . . . . . . . . . 15 76 6.2. Ingress Behavior . . . . . . . . . . . . . . . . . . . . . 15 77 6.2.1. Relay-Message Method . . . . . . . . . . . . . . . . . 16 78 6.2.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 16 79 6.3. Backup Ingress Behavior . . . . . . . . . . . . . . . . . 18 80 6.3.1. Backup Ingress Behavior in Off-path Case . . . . . . . 18 81 6.3.2. Backup Ingress Behavior in On-path Case . . . . . . . 20 82 6.3.3. Failure Detection . . . . . . . . . . . . . . . . . . 21 83 6.4. Merge Point Behavior . . . . . . . . . . . . . . . . . . . 22 84 6.5. Revertive Behavior . . . . . . . . . . . . . . . . . . . . 22 85 6.5.1. Revert to Primary Ingress . . . . . . . . . . . . . . 23 86 6.5.2. Global Repair by Backup Ingress . . . . . . . . . . . 23 87 7. Security Considerations . . . . . . . . . . . . . . . . . . . 24 88 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 89 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 24 90 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 25 91 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 92 11.1. Normative References . . . . . . . . . . . . . . . . . . . 25 93 11.2. Informative References . . . . . . . . . . . . . . . . . . 26 94 A. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 26 96 1. Co-authors 98 Ning So, Autumn Liu, Alia Atlas, Yimin Shen, Fengman Xu, Mehmet Toy, 99 Lei Liu 101 2. Introduction 103 For MPLS LSPs it is important to have a fast-reroute method for 104 protecting its ingress node as well as transit nodes. This is not 105 covered either in the fast-reroute method defined in [RFC4090] or in 106 the P2MP fast-reroute extensions to fast-reroute in [RFC4875]. 108 An alternate approach to local protection (fast-reroute) is to use 109 global protection and set up a second backup LSP (whether P2MP or 110 P2P) from a backup ingress to the egresses. The main disadvantage of 111 this is that the backup LSP may reserve additional network bandwidth. 113 This specification defines a simple extension to RSVP-TE for local 114 protection of the ingress node of a P2MP or P2P LSP. 116 2.1. An Example of Ingress Local Protection 118 Figure 1 shows an example of using a backup P2MP LSP to locally 119 protect the ingress of a primary P2MP LSP, which is from ingress R1 120 to three egresses: L1, L2 and L3. The backup LSP is from backup 121 ingress Ra to the next hops R2 and R4 of ingress R1. The backup 122 egress must be only one logical hop away from the ingress. 124 [R2]******[R3]*****[L1] 125 * | **** Primary LSP 126 * | ---- Backup LSP 127 * / .... BFD Session 128 * / $ Link 129 [R1]*******[R4]****[R5]*****[L2] $ 130 $ . / / * $ 131 $ . / / * 132 [S] . / / * 133 $ . / / * 134 $ ./ / * 135 [Ra]----[Rb] [L3] 137 Figure 1: Backup P2MP LSP for Locally Protecting Ingress 139 Source S may send the traffic simultaneously to both primary ingress 140 R1 and backup ingress Ra. R1 imports the traffic into the primary 141 LSP. Ra normally does not put the traffic into the backup LSP. 143 Ra must be able to detect the failure of R1 and switch the traffic 144 within 10s of ms. The exact method by which Ra does so is out of 145 scope. Different options are discussed in this draft. 147 When Ra detects the failure of R1, it imports the traffic from S into 148 the backup LSP to R1's next hops R2 and R4, where the traffic is 149 merged into the primary LSP, and then sent to egresses L1, L2 and L3. 151 2.2. Ingress Local Protection with FRR 153 Through using the ingress local protection and the FRR, we can 154 locally protect the ingress node, all the links and the intermediate 155 nodes of an LSP. The traffic switchover time is within tens of 156 milliseconds whenever the ingress, any of the links and the 157 intermediate nodes of the LSP fails. 159 The ingress node of the LSP can be locally protected through using 160 the ingress local protection. All the links and all the intermediate 161 nodes of the LSP can be locally protected through using the FRR. 163 3. Ingress Failure Detection 165 Exactly how the failure of the ingress (e.g. R1 in Figure 1) is 166 detected is out of scope for this document. However, it is necessary 167 to discuss different modes for detecting the failure because they 168 determine what must be signaled and what is the required behavior for 169 the traffic source, backup ingress, and merge-points. 171 3.1. Backup and Source Detect Failure 173 Backup and Source Detect Failure or Backup-Source-Detect for short 174 means that both the backup ingress and the source are concurrently 175 responsible for detecting the failures of the primary ingress. 177 In normal operations, the source sends the traffic to the primary 178 ingress. It switches the traffic to the backup ingress when it 179 detects the failure of the primary ingress. 181 The backup ingress does not import any traffic from the source into 182 the backup LSP in normal operations. When it detects the failure of 183 the primary ingress, it imports the traffic from the source into the 184 backup LSP to the next hops of the primary ingress, where the traffic 185 is merged into the primary LSP. 187 Note that the source may locally distinguish between the failure of 188 the primary ingress and that of the link between the source and the 189 primary ingress. When the source detects the failure of the link, it 190 may continue to send the traffic to the primary ingress via another 191 link between the source and the primary ingress if there is one. 193 3.2. Backup Detects Failure 195 Backup Detects Failure or Backup-Detect means that the backup ingress 196 is responsible for detecting the failure of the primary ingress of an 197 LSP. The source SHOULD send the traffic simultaneously to both the 198 primary ingress and backup ingress. 200 The backup ingress does not import any traffic from the source into 201 the backup LSP in normal operations. When it detects the failure of 202 the primary ingress, it imports the traffic from the source into the 203 backup LSP to the next hops of the primary ingress, where the traffic 204 is merged into the primary LSP. 206 Note that the backup ingress may locally distinguish between the 207 failure of the primary ingress and that of the link between the 208 backup ingress and the primary ingress through two BFDs between the 209 backup ingress and the primary ingress. One is through the link, and 210 the other is not. If the first BFD is down and the second is up, the 211 link fails and the primary ingress does not. 213 3.3. Source Detects Failure 215 Source Detects Failure or Source-Detect means that the source is 216 responsible for detecting the failure of the primary ingress of an 217 LSP. The backup ingress is ready to import the traffic from the 218 source into the backup LSP after the backup LSP is up. 220 In normal operations, the source sends the traffic to the primary 221 ingress. When the source detects the failure of the primary ingress, 222 it switches the traffic to the backup ingress, which delivers the 223 traffic to the next hops of the primary ingress through the backup 224 LSP, where the traffic is merged into the primary LSP. 226 3.4. Next Hops Detect Failure 228 Next Hops Detect Failure or Next-Hop-Detect means that each of the 229 next hops of the primary ingress of an LSP is responsible for 230 detecting the failure of the primary ingress. 232 In normal operations, the source sends the traffic to both the 233 primary ingress and the backup ingress. Both ingresses deliver the 234 traffic to the next hops of the primary ingress. Each of the next 235 hops selects the traffic from the primary ingress and sends the 236 traffic to the destinations of the LSP. 238 When each of the next hops detects the failure of the primary 239 ingress, it switches to receive the traffic from the backup ingress 240 and then sends the traffic to the destinations. 242 3.5. Comparing Different Detection Modes 244 +----------+--------------+----------------+--------+-------------------+ 245 |Protection|Traffic Always|Backup Ingress |Next-Hop|Incorrect Failure | 246 |Mode |Sent to |Activation of |Select |Detection Cause | 247 | |Backup Ingress|Forwarding Entry|Stream |Traffic Duplication| 248 | | | | |(Ingress does FRR) | 249 +----------+--------------+----------------+--------+-------------------+ 250 |Backup- | | | | | 251 |Source- | No | Yes | No | No | 252 |Detect | | | | | 253 +----------+--------------+----------------+--------+-------------------+ 254 |Backup- | Yes | Yes | No | Yes | 255 |Detect | | | | | 256 +----------+--------------+----------------+--------+-------------------+ 257 |Source- | No | No | No | No | 258 |Detect | | (Always Active)| | | 259 +----------+--------------+----------------+--------+-------------------+ 260 |Next-Hop- | Yes | No | Yes |(If Ingress-Next- | 261 |Detect | | (Always Active)| |Hop link fails, | 262 | | | | |stream selection | 263 | | | | |at Next-Next-Hops | 264 | | | | |can mitigate) | 265 +----------+--------------+----------------+--------+-------------------+ 267 A primary goal of failure detection and FRR protection is to avoid 268 traffic duplication, particularly along the P2MP. A reasonable 269 assumption when this ingress protection is in use is that the ingress 270 is also trying to provide link and node protection. When the failure 271 cannot be accurately identified as that of the ingress, this can lead 272 to the ingress sending traffic on bypass to the next-next-hop(s) for 273 node-protection while the backup ingress is sending traffic to its 274 next-hop(s) if Next-Hop-Detect mode is used. RSVP Path messages sent 275 through the bypass tunnels may help to eventually resolve this by 276 changing the PHOP through which traffic should be received. 278 4. Backup Forwarding State 280 Before the primary ingress fails, the backup ingress is responsible 281 for creating the necessary backup LSPs to the next hops of the 282 ingress. These LSPs might be multiple bypass P2P LSPs that avoid the 283 ingress. Alternately, the backup ingress could choose to use a 284 single backup P2MP LSP as a bypass or detour to protect the primary 285 ingress of a primary P2MP LSP. 287 The backup ingress may be off-path (i.e., not a next-hop of the 288 primary ingress) or on-path (i.e., a next-hop of the primary 289 ingress). If the backup ingress is on-path, the primary forwarding 290 state associated with the primary LSP SHOULD be clearly separated 291 from the backup LSP(s) state. Specifically in Backup-Detect mode, 292 the backup ingress will receive traffic from the primary ingress and 293 from the traffic source; only the former should be forwarded until 294 failure is detected even if the backup ingress is the only next-hop. 296 4.1. Forwarding State for Backup LSP 298 A forwarding entry for a backup LSP is created on the backup ingress 299 after the LSP is set up. Depending on the failure-detection mode 300 (e.g., source-detect), it may be set up to forward received traffic 301 or simply be inactive (e.g., backup-detect) until required. In 302 either case, when the primary ingress fails, this forwarding entry is 303 used to import the traffic into the backup LSP to the primary 304 ingress' next hops, where the traffic is merged into the primary LSP. 306 The forwarding entry for a backup LSP is a local implementation 307 issue. In one device, it may have an inactive flag. This inactive 308 forwarding entry is not used to forward any traffic normally. When 309 the primary ingress fails, it is changed to active, and thus the 310 traffic from the source is imported into the backup LSP. 312 4.2. Forwarding State on Next Hops 314 When Next-Hop-Detect is used, a forwarding entry for a backup LSP is 315 created on each of the next hops of the primary ingress of the LSP. 316 This forwarding entry does not forward any traffic normally. When 317 the primary ingress fails, it is used to import/select the traffic 318 from the backup LSP into the primary LSP. 320 5. Protocol Extensions 322 A new object INGRESS_PROTECTION is defined for signaling ingress 323 local protection. It is backward compatible. 325 5.1. INGRESS_PROTECTION Object 327 The INGRESS_PROTECTION object with the FAST_REROUTE object in a PATH 328 message is used to control the backup for protecting the primary 329 ingress of a primary LSP. The primary ingress MUST insert this 330 object into the PATH message to be sent to the backup ingress for 331 protecting the primary ingress. It has the following format: 333 Class-Num = TBD C-Type = TBD 335 0 1 2 3 336 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 337 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 338 | Length (bytes) | Class-Num | C-Type | 339 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 340 | Secondary LSP ID | Flags | Options | DM | 341 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 342 | | 343 ~ (Subobjects) ~ 344 | | 345 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 347 Flags 348 0x01 Ingress local protection available 349 0x02 Ingress local protection in use 350 0x04 Bandwidth protection 352 Options 353 0x01 Revert to Ingress 354 0x02 Force to Backup 355 0x04 P2MP Backup 357 DM (Detection Mode) 358 0x00 Backup-Source-Detect 359 0x01 Backup-Detect 360 0x02 Source-Detect 361 0x03 Next-Hop-Detect 363 For backward compatible, the two high-order bits of the Class-Num in 364 the object are set as follows: 366 o Class-Num = 0bbbbbbb for the object in a message not on LSP path. 367 The entire message should be rejected and an "Unknown Object 368 Class" error returned. 370 o Class-Num = 10bbbbbb for the object in a message on LSP path. The 371 node should ignore the object, neither forwarding it nor sending 372 an error message. 374 The Secondary LSP ID in the object is an LSP ID that the primary 375 ingress has allocated for a protected LSP tunnel. The backup ingress 376 will use this LSP ID to set up a new LSP from the backup ingress to 377 the destinations of the protected LSP tunnel. This allows the new 378 LSP to share resources with the old one. 380 The flags are used to communicate status information from the backup 381 ingress to the primary ingress. 383 o Ingress local protection available: The backup ingress sets this 384 flag after backup LSPs are up and ready for locally protecting the 385 primary ingress. The backup ingress sends this to the primary 386 ingress to indicate that the primary ingress is locally protected. 388 o Ingress local protection in use: The backup ingress sets this flag 389 when it detects a failure in the primary ingress. The backup 390 ingress keeps it and does not send it to the primary ingress since 391 the primary ingress is down. 393 o Bandwidth protection: The backup ingress sets this flag if the 394 backup LSPs guarantee to provide desired bandwidth for the 395 protected LSP against the primary ingress failure. 397 The options are used by the primary ingress to specify the desired 398 behavior to the backup ingress and next-hops. 400 o Revert to Ingress: The primary ingress sets this option indicating 401 that the traffic for the primary LSP successfully re-signaled will 402 be switched back to the primary ingress from the backup ingress 403 when the primary ingress is restored. 405 o Force to Backup: If the backup ingress receives an object with 406 this option set for an LSP, it should activate its backup 407 forwarding state; otherwise, it should deactivate its backup 408 forwarding state. 410 o P2MP Backup: This option is set to ask for the backup ingress to 411 use P2MP backup LSP to protect the primary ingress. Note that one 412 spare bit of the flags in the FAST-REROUTE object can be used to 413 indicate whether P2MP or P2P backup LSP is desired for protecting 414 an ingress and intermediate node. 416 The DM (Detection Mode) is used by the primary ingress to specify a 417 desired failure detection mode. 419 o Backup-Source-Detect (0x00): The backup ingress and the source are 420 concurrently responsible for detecting the failure involving the 421 primary ingress and redirecting the traffic. 423 o Backup-Detect (0x01): The backup ingress is responsible for 424 detecting the failure and redirecting the traffic. 426 o Source-Detect (0x02): The source is responsible for detecting the 427 failure and redirecting the traffic. 429 o Next-Hop-Detect (0x03): The next hops of the primary ingress are 430 responsible for detecting the failure and selecting the traffic. 432 The INGRESS_PROTECTION object may contain some of the sub objects 433 described below. 435 5.1.1. Subobject: Backup Ingress IPv4/IPv6 Address 437 When the primary ingress of a protected LSP sends a PATH message with 438 an INGRESS_PROTECTION object to the backup ingress, the object may 439 have a Backup Ingress IPv4/IPv6 Address sub object containing an 440 IPv4/IPv6 address belonging to the backup ingress. The formats of 441 the sub object for Backup Ingress IPv4/IPv6 Address is given below: 443 0 1 2 3 444 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 445 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 446 | Type | Length | Reserved (zeros) | 447 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 448 | IPv4 address | 449 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 451 Type: 0x01 Backup Ingress IPv4 Address 452 Length: Total length of the subobject in bytes, including 453 the Type and Length fields. The Length is always 8. 454 Reserved: Reserved two bytes are set to zeros. 455 IPv4 address: A 32-bit unicast, host address. 457 0 1 2 3 458 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 459 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 460 | Type | Length | Reserved (zeros) | 461 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 462 | | 463 ~ IPv6 address (16 bytes) ~ 464 | | 465 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 467 Type: 0x02 Backup Ingress IPv6 Address 468 Length: Total length of the subobject in bytes, including 469 the Type and Length fields. The Length is always 20. 470 Reserved: Reserved two bytes are set to zeros. 472 IPv6 address: A 128-bit unicast, host address. 474 This sub object is optional. If there is not any Backup Ingress 475 Address sub object in the INGRESS_PROTECTION object of the PATH 476 message to the backup ingress, the backup ingress SHOULD use the 477 destination address of the message as the backup ingress address. 479 5.1.2. Subobject: Ingress IPv4/IPv6 Address 481 The INGRESS_PROTECTION object in a PATH message from the primary 482 ingress to the backup ingress may have an Ingress IPv4/IPv6 Address 483 sub object containing an IPv4/IPv6 address belonging to the primary 484 ingress. The sub object has the following format: 486 0 1 2 3 487 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 488 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 489 | Type | Length | Reserved (zeros) | 490 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 491 | IPv4 address | 492 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 494 Type: 0x03 Ingress IPv4 Address 495 Length: Total length of the subobject in bytes, including 496 the Type and Length fields. The Length is always 8. 497 Reserved: Reserved two bytes are set to zeros. 498 IPv4 address: A 32-bit unicast, host address. 500 0 1 2 3 501 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 502 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 503 | Type | Length | Reserved (zeros) | 504 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 505 | | 506 ~ IPv6 address (16 bytes) ~ 507 | | 508 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 510 Type: 0x04 Backup Ingress IPv6 Address 511 Length: Total length of the subobject in bytes, including 512 the Type and Length fields. The Length is always 20. 513 Reserved: Reserved two bytes are set to zeros. 514 IPv6 address: A 128-bit unicast, host address. 516 This sub object is optional. If there is not any Ingress Address sub 517 object in the INGRESS_PROTECTION object of the PATH message to the 518 backup ingress, the backup ingress SHOULD use the address in the 519 RSVP_HOP object of the message as the ingress address. 521 5.1.3. Subobject: Traffic Descriptor 523 The INGRESS_PROTECTION object in a PATH message from the primary 524 ingress to the backup ingress may have a Traffic Descriptor sub 525 object describing the traffic to be mapped to the backup LSP on the 526 backup ingress for locally protecting the primary ingress. The sub 527 object has the following format: 529 0 1 2 3 530 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 531 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 532 | Type | Length | Reserved (zeros) | 533 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 534 | Traffic Element 1 | 535 ~ ~ 536 | Traffic Element n | 537 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 539 Type: 0x05/06/07 Interface/IPv4/6 Prefix 540 Length: Total length of the subobject in bytes, including 541 the Type and Length fields. 542 Reserved: Reserved two bytes are set to zeros. 544 The Traffic Descriptor sub object may contain multiple Traffic 545 Elements of same type as follows. 547 o Interface Traffic (Type 5): Each of the Traffic Elements is a 32 548 bit index of an interface, from which the traffic is imported into 549 the backup LSP. 551 o IPv4/6 Prefix Traffic (Type 6/7): Each of the Traffic Elements is 552 an IPv4/6 prefix, containing an 8-bit prefix length followed by an 553 IPv4/6 address prefix, whose length, in bits, was specified by the 554 prefix length, padded to a byte boundary. 556 5.1.4. Subobject: Label-Routes 558 The INGRESS_PROTECTION object in a PATH message from the primary 559 ingress to the backup ingress will have a Label-Routes sub object 560 containing the labels and routes that the next hops of the ingress 561 use. The sub object has the following format: 563 0 1 2 3 564 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 565 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 566 | Type | Length | Reserved (zeros) | 567 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 568 | | 569 ~ (Subobjects) ~ 570 | | 571 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 573 Type: 0x08 Label-Routes 574 Length: Total length of the subobject in bytes, including 575 the Type and Length fields. 576 Reserved: Reserved two bytes are set to zeros. 578 The Subobjects in the Label-Routes are copied from the Subobjects in 579 the RECORD_ROUTE objects contained in the RESV messages that the 580 primary ingress receives from its next hops for the protected LSP. 581 They MUST contain the first hops of the LSP, each of which is paired 582 with its label. 584 6. Behavior of Ingress Protection 586 6.1. Overview 588 There are four parts of ingress protection: 1) setting up the 589 necessary backup LSP forwarding state; 2) identifying the failure and 590 providing the fast repair (as discussed in Sections 2 and 3); 3) 591 maintaining the RSVP-TE control plane state until a global repair can 592 be done; and 4) performing the global repair(see Section 5.5). 594 There are two different proposed signaling approaches to obtain 595 ingress protection. They both use the same new INGRESS-PROTECTION 596 object. The object is sent in both PATH and RESV messages. 598 6.1.1. Relay-Message Method 600 The primary ingress relays the information for ingress protection of 601 an LSP to the backup ingress via PATH messages. Once the LSP is 602 created, the ingress of the LSP sends the backup ingress a PATH 603 message with an INGRESS-PROTECTION object with Label-Routes 604 subobject, which is populated with the next-hops and labels. This 605 provides sufficient information for the backup ingress to create the 606 appropriate forwarding state and backup LSP(s). 608 The ingress also sends the backup ingress all the other PATH messages 609 for the LSP with an empty INGRESS-PROTECTION object. Thus, the 610 backup ingress has access to all the PATH messages needed for 611 modification to be sent to refresh control-plane state after a 612 failure. 614 The advantages of this method include: 1) the primary LSP is 615 independent of the backup ingress; 2) simple; 3) less configuration; 616 and 4) less control traffic. 618 6.1.2. Proxy-Ingress Method 620 Conceptually, a proxy ingress is created that starts the RSVP 621 signaling. The explicit path of the LSP goes from the proxy ingress 622 to the backup ingress and then to the real ingress. The behavior and 623 signaling for the proxy ingress is done by the real ingress; the use 624 of a proxy ingress address avoids problems with loop detection. 626 The backup ingress must be only one logical hop away from the 627 ingress, whether that be via a direct link or a tunnel. 629 [ traffic source ] *** Primary LSP 630 $ $ --- Backup LSP 631 $ $ $$ Link 632 $ $ 633 [ proxy ingress ] [ backup ] 634 [ & ingress ] | 635 * | 636 *****[ MP ]----| 638 Figure 2: Example Protected LSP with Proxy Ingress Node 640 The backup ingress must know the merge points or next-hops and their 641 associated labels. This is accomplished by having the RSVP PATH and 642 RESV messages go through the backup ingress, although the forwarding 643 path need not go through the backup ingress. If the backup ingress 644 fails, the ingress simply removes the INGRESS-PROTECTION object and 645 forwards the PATH messages to the LSP's next-hop(s). If the ingress 646 has its LSP configured for ingress protection, then the ingress can 647 add the backup ingress and itself to the ERO and start forwarding the 648 PATH messages to the backup ingress. 650 Slightly different behavior can apply for the on-path and off-path 651 cases. In the on-path case, the backup ingress is already the only 652 immediate node after the ingress for the LSP. In the off-path, the 653 backup ingress is not the immediate node after the ingress for all 654 associated sub-LSPs. 656 The key advantage of this approach is that it minimizes the special 657 handling code requires. Because the backup ingress is on the 658 signaling path, it can receive various notifications. It easily has 659 access to all the PATH messages needed for modification to be sent to 660 refresh control-plane state after a failure. 662 6.1.3. Comparing Two Methods 664 +-------+-----------+------+--------+-----------------+---------+ 665 | |Primary LSP|Simple|Config |PATH Msg from |Reuse | 666 |Method |Depends on | |Proxy- |Backup to primary|Some of | 667 | |Backup | |Ingress-|RESV Msg from |Existing | 668 | |Ingress | |ID |Primary to backup|Functions| 669 +-------+-----------+------+--------+-----------------+---------+ 670 |Relay- | No |Yes | No | No | Yes- | 671 |Message| | | | | | 672 +-------+-----------+------+--------+-----------------+---------+ 673 |Proxy- | Yes |Yes- | Yes | Yes | Yes | 674 |Ingress| | | | | | 675 +-------+-----------+------+--------+-----------------+---------+ 677 6.2. Ingress Behavior 679 The primary ingress must be configured with four pieces of 680 information for ingress protect. 682 o Backup Ingress Address: The primary ingress must know an IP 683 address for it to be included in the INGRESS-PROTECTION object. 685 o Failure Detection Mode: The primary ingress must know what failure 686 detection mode is to be used: Backup-Source-Detect, Backup-Detect, 687 Source-Detect, or Next-Hop-Detect. 689 o Proxy-Ingress-Id (only needed for Proxy-Ingress Method): The 690 Proxy-Ingress-Id is only used in the Record Route Object for 691 recording the proxy-ingress. If no proxy-ingress-id is specified, 692 then a local interface address that will not otherwise be included 693 in the Record Route Object can be used. A similar technique is 694 used in [RFC4090 Sec 6.1.1]. 696 o Application Traffic Identifier: The primary ingress and backup 697 ingress must both know what application traffic should be directed 698 into the LSP. If a list of prefixes in the Traffic Descriptor 699 sub-object will not suffice, then a commonly understood 700 Application Traffic Identifier can be sent between the primary 701 ingress and backup ingress. The exact meaning of the identifier 702 should be configured similarly at both the primary ingress and 703 backup ingress. The Application Traffic Identifier is understood 704 within the unique context of the primary ingress and backup 705 ingress. 707 With this additional information, the primary ingress can create and 708 signal the necessary RSVP extensions to support ingress protection. 710 6.2.1. Relay-Message Method 712 To protect the ingress of an LSP, the ingress does the following 713 after the LSP is up. 715 1. Select a PATH message. 717 2. If the backup ingress is not a next hop of the primary ingress 718 (i.e., off-path case), then send the backup ingress a PATH 719 message with the content from the selected PATH message and an 720 INGRESS-PROTECTION object; else (the backup ingress is a next 721 hop, i.e., on-path case) add an INGRESS-PROTECTION object into 722 the existing PATH message to the backup ingress (i.e., the next 723 hop). The INGRESS-PROTECTION object contains the Traffic- 724 Descriptor sub-object, the Backup Ingress Address sub-object and 725 the Label-Routes sub-object. The DM (Detection Mode) in the 726 object is set to indicate the failure detection mode desired. 727 The flags is set to indicate whether a Backup P2MP LSP is 728 desired. If not yet allocated, allocate a second LSP-ID to be 729 used in the INGRESS-PROTECTION object. The Label-Routes sub- 730 object contains the next-hops of the ingress and their labels. 732 3. For each of the other PATH messages, if the node to which the 733 message is sent is not the backup ingress, then send the backup 734 ingress a PATH message with the content copied from the message 735 to the node and an empty INGRESS-PROTECTION object; else send the 736 node the message with an empty INGRESS-PROTECTION object. 738 6.2.2. Proxy-Ingress Method 740 The primary ingress is responsible for starting the RSVP signaling 741 for the proxy-ingress node. To do this, the following is done for 742 the RSVP PATH message. 744 1. Compute the EROs for the LSP as normal for the ingress. 746 2. If the selected backup ingress node is not the first node on the 747 path (for all sub-LSPs), then insert at the beginning of the ERO 748 first the backup ingress node and then the ingress node. 750 3. In the PATH RRO, instead of recording the ingress node's address, 751 replace it with the Proxy-Ingress-Id. 753 4. Leave the HOP object populated as usual with information for the 754 ingress-node. 756 5. Add the INGRESS-PROTECTION object to the PATH message. Allocate 757 a second LSP-ID to be used in the INGRESS-PROTECTION object. 758 Include the Backup Ingress Address (IPv4 or IPv6) sub-object and 759 the Traffic-Descriptor sub-object. Set the control-options to 760 indicate the failure detection mode desired. Set or clear the 761 flag indicating that a Backup P2MP LSP is desired. 763 6. Optionally, add the FAST-REROUTE object [RFC4090] to the Path 764 message. Indicate whether one-to-one backup is desired. 765 Indicate whether facility backup is desired. 767 7. The RSVP PATH message is sent to the backup node as normal. 768 Since the backup ingress node must be only one logical hop away 769 from the ingress, normal RSVP signaling can be used. 771 If the ingress detects that it can't communicate with the backup 772 ingress, then the ingress should instead send the PATH message to the 773 next-hop indicated in the ERO computed in step 1. Once the ingress 774 detects that it can communicate with the backup ingress, the ingress 775 SHOULD follow the steps 1-7 to obtain ingress failure protection. 777 When the ingress node receives an RSVP PATH message with an INGRESS- 778 PROTECTION object and the object specifies that node as the ingress 779 node and the PHOP as the backup ingress node, the ingress node SHOULD 780 check the Failure Scenario specified in the INGRESS-PROTECTION object 781 and, if it is not the Next-Hop-Detect, then the ingress node SHOULD 782 remove the INGRESS-PROTECTION object from the PATH message before 783 sending it out. Additionally, the ingress node must store that it 784 will install ingress forwarding state for the LSP rather than 785 midpoint forwarding. 787 When an RSVP RESV message is received by the ingress, it uses the 788 NHOP to determine whether the message is received from the backup 789 ingress or from a different node. The stored associated PATH message 790 contains an INGRESS-PROTECTION object that identifies the backup 791 ingres node. If the RESV message is not from the backup node, then 792 ingress forwarding state should be set up, and the INGRESS-PROTECTION 793 object MUST be added to the RESV before it is sent to the NHOP, which 794 should be the backup node. If the RESV message is from the backup 795 node, then the LSP should be considered available for use. 797 If the backup ingress node is on the forwarding path, then a RESV is 798 received with an INGRESS-PROTECTION object and an NHOP that matches 799 the backup ingress. In this case, the ingress node's address will 800 not appear after the backup ingress in the RRO. The ingress node 801 should set up ingress forwarding state, just as is done if the LSP 802 weren't ingress-node protected. 804 6.3. Backup Ingress Behavior 806 An LER determines that the ingress local protection is requested for 807 an LSP if the INGRESS_PROTECTION object is included in the PATH 808 message it receives for the LSP. The LER can further determine that 809 it is the backup ingress if one of its addresses is in the Backup 810 Ingress Address sub-object of the INGRESS-PROTECTION object. In 811 addition, the LER determines that it is off-path if it is not a next 812 hop of the primary ingress. 814 6.3.1. Backup Ingress Behavior in Off-path Case 816 The backup ingress considers itself as a PLR and the primary ingress 817 as its next hop and provides a local protection for the primary 818 ingress. It behaves very similarly to a PLR providing fast-reroute 819 where the primary ingress is considered as the failure-point to 820 protect. Where not otherwise specified, the behavior given in 821 [RFC4090] for a PLR should apply. 823 The backup ingress SHOULD follow the control-options specified in the 824 INGRESS-PROTECTION object and the flags and specifications in the 825 FAST-REROUTE object. This applies to providing a P2MP backup if the 826 "P2MP backup" is set, a one-to-one backup if "one-to-one desired" is 827 set, facility backup if the "facility backup desired" is set, and 828 backup paths that support the desired bandwidth, and administrative- 829 colors that are requested. 831 If multiple INGRESS-PROTECTION objects have been received via 832 multiple PATH messages for the same LSP, then the most recent one 833 that specified a Traffic-Descriptor sub-object MUST be the one used. 835 The backup ingress creates the appropriate forwarding state based on 836 failure detection mode specified. For the Source-Detect and Next- 837 Hop-Detect, this means that the backup ingress forwards any received 838 identified traffic into the backup LSP tunnel(s) to the merge 839 point(s). For the Backup-Detect and Backup-Source-Detect, this means 840 that the backup ingress creates state to quickly determine the 841 primary ingress has failed and switch to sending any received 842 identified traffic into the backup LSP tunnel(s) to the merge 843 point(s). 845 When the backup ingress sends a RESV message to the primary ingress, 846 it should add an INGRESS-PROTECTION object into the message. It 847 SHOULD set or clear the flags in the object to report "Ingress local 848 protection available", "Ingress local protection in use", and 849 "bandwidth protection". 851 If the backup ingress doesn't have a backup LSP tunnel to all the 852 merge points, it SHOULD clear "Ingress local protection available". 853 [Editor Note: It is possible to indicate the number or which are 854 unprotected via a sub-object if desired.] 856 When the primary ingress fails, the backup ingress redirects the 857 traffic from a source into the backup P2P LSPs or the backup P2MP LSP 858 transmitting the traffic to the primary ingress' next hops, where the 859 traffic is merged into the protected LSP. 861 In this case, the backup ingress keeps the PATH message with the 862 INGRESS_PROTECTION object received from the primary ingress and the 863 RESV message with the INGRESS_PROTECTION object to be sent to the 864 primary ingress. The backup ingress sets the "local protection in 865 use" flag in the RESV message, indicating that the backup ingress is 866 actively redirecting the traffic into the backup P2P LSPs or the 867 backup P2MP LSP for locally protecting the primary ingress failure. 869 Note that the RESV message with this piece of information will not be 870 sent to the primary ingress because the primary ingress has failed. 872 If the backup ingress has not received any PATH message from the 873 primary ingress for an extended period of time (e.g., a cleanup 874 timeout interval) and a confirmed primary ingress failure did not 875 occur, then the standard RSVP soft-state removal SHOULD occur. The 876 backup ingress SHALL remove the state for the PATH message from the 877 primary ingress, and tear down the one-to-one backup LSPs for 878 protecting the primary ingress if one-to-one backup is used or unbind 879 the facility backup LSPs if facility backup is used. 881 When the backup ingress receives a PATH message from the primary 882 ingress for locally protecting the primary ingress of a protected 883 LSP, it checks to see if any critical information has been changed. 884 If the next hops of the primary ingress are changed, the backup 885 ingress SHALL update its backup LSP(s). 887 6.3.1.1. Relay-Message Method 889 When the backup ingress receives a PATH message with the INGRESS- 890 PROTECTION object, it examines the object to learn what traffic 891 associated with the LSP and what ingress failure detection mode is 892 being used. It determines the next-hops to be merged to by examining 893 the Label-Routes sub-object in the object. If the Traffic-Descriptor 894 sub-object isn't included, this object is considered "empty". 896 The backup ingress stores the PATH message received from the primary 897 ingress, but does NOT forward it. 899 The backup ingress MUST respond with a RESV to the PATH message 900 received from the primary ingress. If the INGRESS-PROTECTION object 901 is not "empty", the backup ingress SHALL send the RESV message with 902 the state indicating protection is available after the backup LSP(s) 903 are successfully established. 905 6.3.1.2. Proxy-Ingress Method 907 The backup ingress determines the next-hops to be merged to by 908 collecting the set of the pair of (IPv4/IPv6 sub-object, Label sub- 909 object) from the Record Route Object of each RESV that are closest to 910 the top and not the Ingress router; this should be the second to the 911 top pair. If a Label-Routes sub-object is included in the INGRESS- 912 PROTECTION object, the included IPv4/IPv6 sub-objects are used to 913 filter the set down to the specific next-hops where protection is 914 desired. A RESV message must have been received before the Backup 915 Ingress can create or select the appropriate backup LSP. 917 When the backup ingress receives a PATH message with the INGRESS- 918 PROTECTION object, the backup ingress examines the object to learn 919 what traffic associated with the LSP and what ingress failure 920 detection mode is being used. The backup ingress forwards the PATH 921 message to the ingress node with the normal RSVP changes. 923 When the backup ingress receives a RESV message with the INGRESS- 924 PROTECTION object, the backup ingress records an IMPLICIT-NULL label 925 in the RRO. Then the backup ingress forwards the RESV message to the 926 ingress node, which is acting for the proxy ingress. 928 6.3.2. Backup Ingress Behavior in On-path Case 930 An LER as the backup ingress determines that it is on-path if one of 931 its addresses is a next hop of the primary ingress and the primary 932 ingress is not its next hop via checking the PATH message with the 933 INGRESS_PROTECTION object received from the primary ingress. The LER 934 on-path sends the corresponding PATH messages without any 935 INGRESS_PROTECTION object to its next hops. It creates a number of 936 backup P2P LSPs or a backup P2MP LSP from itself to the other next 937 hops (i.e., the next hops other than the backup ingress) of the 938 primary ingress. The other next hops are from the Label-Routes sub 939 object. 941 It also creates a forwarding entry, which sends/multicasts the 942 traffic from the source to the next hops of the backup ingress along 943 the protected LSP when the primary ingress fails. The traffic is 944 described by the Traffic-Descriptor. 946 After the forwarding entry is created, all the backup P2P LSPs or the 947 backup P2MP LSP is up and associated with the protected LSP, the 948 backup ingress sends the primary ingress the RESV message with the 949 INGRESS_PROTECTION object containing the state of the local 950 protection such as "local protection available" flag set to one, 951 which indicates that the primary ingress is locally protected. 953 When the primary ingress fails, the backup ingress sends/multicasts 954 the traffic from the source to its next hops along the protected LSP 955 and imports the traffic into each of the backup P2P LSPs or the 956 backup P2MP LSP transmitting the traffic to the other next hops of 957 the primary ingress, where the traffic is merged into protected LSP. 959 During the local repair, the backup ingress continues to send the 960 PATH messages to its next hops as before, keeps the PATH message with 961 the INGRESS_PROTECTION object received from the primary ingress and 962 the RESV message with the INGRESS_PROTECTION object to be sent to the 963 primary ingress. It sets the "local protection in use" flag in the 964 RESV message. 966 6.3.3. Failure Detection 968 Failure detection happens much faster than RSVP, whether via a link- 969 level notification or BFD. As discussed, there are different modes 970 for detecting it. The backup ingress MUST have properly set up its 971 forwarding state to either always forward the specified traffic into 972 the backup LSP(s) for the Source-Detect and Next-Hop-Detect modes or 973 to swap from discarding to forwarding when a failure is detected for 974 the Backup-Source-Detect and Backup-Detect modes. 976 For facility backup LSPs, the correct inner MPLS label to use must be 977 determined. For the ingress-proxy method, that MPLS label comes 978 directly from the RRO of the RESV. For the relay-message method, 979 that MPLS label comes from the Label-Routes sub-object in the non- 980 empty INGRESS-PROTECTION object. 982 As described in [RFC4090], it is necessary to refresh the PATH 983 messages via the backup LSP(s). The Backup Ingress MUST wait to 984 refresh the backup PATH messages until it can accurately detect that 985 the ingress node has failed. An example of such an accurate 986 detection would be that the IGP has no bi-directional links to the 987 ingress node and the last change was long enough in the past that 988 changes should have been received (i.e., an IGP network convergence 989 time or approximately 2-3 seconds) or a BFD session to the primary 990 ingress' loopback address has failed and stayed failed after the 991 network has reconverged. 993 As described in [RFC4090 Section 6.4.3], the backup ingress, acting 994 as PLR, SHOULD modify - including removing any INGRESS-PROTECTION and 995 FAST-REROUTE objects - and send any saved PATH messages associated 996 with the primary LSP. 998 6.4. Merge Point Behavior 1000 An LSR that is serving as a Merge Point may need to support the 1001 INGRESS-PROTECTION object and functionality defined in this 1002 specification if the LSP is ingress-protected where the failure 1003 scenario is Next-Hop-Detect. An LSR can determine that it must be a 1004 merge point if it is not the ingress, it is not the backup ingress 1005 (determined by examining the Backup Ingress Address (IPv4 or IPv6) 1006 sub-object in the INGRESS-PROTECTION object), and the PHOP is the 1007 ingress node. 1009 In that case, when the LSR receives a PATH message with an INGRESS- 1010 PROTECTION object, the LSR MUST remove the INGRESS-PROTECTION object 1011 before forwarding on the PATH message. If the failure scenario 1012 specified is Next-Hop-Detect, the MP must connect up the fast-failure 1013 detection (as configured) to accepting backup traffic received from 1014 the backup node. There are a number of different ways that the MP 1015 can enforce not forwarding traffic normally received from the backup 1016 node. For instance, first, any LSPs set up from the backup node 1017 should not be signaled with an IMPLICIT NULL label and second, the 1018 associated label for the ingress- protected LSP could be set to 1019 normally discard inside that context. 1021 When the MP receives a RESV message whose matching PATH state had an 1022 INGRESS-PROTECTION object, the MP SHOULD add the INGRESS-PROTECTION 1023 object to the RESV message before forwarding it. The Backup PATH 1024 handling is as described in [RFC4090] and [RFC4875]. 1026 6.5. Revertive Behavior 1028 Upon a failure event in the (primary) ingress of a protected LSP, the 1029 protected LSP is locally repaired by the backup ingress. There are a 1030 couple of basic strategies for restoring the LSP to a full working 1031 path. 1033 - Revert to Primary Ingress: When the primary ingress is restored, 1034 it re-signals each of the LSPs that start from the primary 1035 ingress. The traffic for every LSP successfully re-signaled is 1036 switched back to the primary ingress from the backup ingress. 1038 - Global Repair by Backup Ingress: After determining that the 1039 primary ingress of an LSP has failed, the backup ingress computes 1040 a new optimal path, signals a new LSP along the new path, and 1041 switches the traffic to the new LSP. 1043 6.5.1. Revert to Primary Ingress 1045 If "Revert to Primary Ingress" is desired for a protected LSP, the 1046 (primary) ingress of the LSP re-signals the LSP that starts from the 1047 primary ingress after the primary ingress restores. When the LSP is 1048 re-signaled successfully, the traffic is switched back to the primary 1049 ingress from the backup ingress and redirected into the LSP starting 1050 from the primary ingress. 1052 It is possible that the Ingress failure was inaccurately detected, 1053 that the Ingress recovers before the Backup Ingress does Global 1054 Repair, or that the Ingress has the ability to take over an LSP based 1055 on receiving the associated RESVs. 1057 If the ingress can resignal the PATH messages for the LSP, then the 1058 ingress can specify the "Revert to Ingress" control-option in the 1059 INGRESS-PROTECTION object. Doing so may cause a duplication of 1060 traffic while the Ingress starts sending traffic again before the 1061 Backup Ingress stops; the alternative is to drop traffic for a short 1062 period of time. 1064 Additionally, the Backup Ingress can set the "Revert To Ingress" 1065 control-option as a request for the Ingress to take over. 1067 6.5.2. Global Repair by Backup Ingress 1069 When the backup ingress has determined that the primary ingress of 1070 the protected LSP has failed (e.g., via the IGP), it can compute a 1071 new path and signal a new LSP along the new path so that it no longer 1072 relies upon local repair. To do this, the backup ingress uses the 1073 same tunnel sender address in the Sender Template Object and uses the 1074 previously allocated second LSP-ID in the INGRESS-PROTECTION object 1075 of the PATH message as the LSP-ID of the new LSP. This allows the 1076 new LSP to share resources with the old LSP. 1078 When the backup ingress has determined that the primary ingress of 1079 the protected LSP has failed (e.g., via the IGP), it can compute a 1080 new path and signal a new LSP along the new path so that it no longer 1081 relies upon local repair. To do this, the backup ingress uses the 1082 same tunnel sender address in the Sender Template Object and uses the 1083 previously allocated second LSP-ID in the INGRESS-PROTECTION object 1084 of the PATH message as the LSP-ID of the new LSP. This allows the 1085 new LSP to share resources with the old LSP. In addition, if the 1086 Ingress recovers, the Backup Ingress SHOULD send it RESVs with the 1087 INGRESS-PROTECTION object where either the "Force to Backup" or 1088 "Revert to Ingress" is specified. The Secondary LSP ID should be the 1089 unused LSP ID - while the LSP ID signaled in the RESV will be that 1090 currently active. The Ingress can learn from the RESVs what to 1091 signal. Even if the Ingress does not take over, the RESVs notify it 1092 that the particular LSP IDs are in use. The Backup Ingress can 1093 reoptimize the new LSP as necessary until the Ingress recovers. 1094 Alternately, the Backup Ingress can create a new LSP with no 1095 bandwidth reservation that duplicates the path(s) of the protected 1096 LSP, move traffic to the new LSP, delete the protected LSP, and then 1097 resignal the new LSP with bandwidth. 1099 7. Security Considerations 1101 In principle this document does not introduce new security issues. 1102 The security considerations pertaining to RFC 4090, RFC 4875 and 1103 other RSVP protocols remain relevant. 1105 8. IANA Considerations 1107 TBD 1109 9. Contributors 1111 Renwei Li 1112 Huawei Technologies 1113 2330 Central Expressway 1114 Santa Clara, CA 95050 1115 USA 1116 Email: renwei.li@huawei.com 1118 Quintin Zhao 1119 Huawei Technologies 1120 Boston, MA 1121 USA 1122 Email: quintin.zhao@huawei.com 1123 Zhenbin Li 1124 Huawei Technologies 1125 2330 Central Expressway 1126 Santa Clara, CA 95050 1127 USA 1128 Email: zhenbin.li@huawei.com 1130 Boris Zhang 1131 Telus Communications 1132 200 Consilium Pl Floor 15 1133 Toronto, ON M1H 3J3 1134 Canada 1135 Email: Boris.Zhang@telus.com 1137 Markus Jork 1138 Juniper Networks 1139 10 Technology Park Drive 1140 Westford, MA 01886 1141 USA 1142 Email: mjork@juniper.net 1144 10. Acknowledgement 1146 The authors would like to thank Rahul Aggarwal, Eric Osborne, Ross 1147 Callon, Loa Andersson, Michael Yue, Olufemi Komolafe, Rob Rennison, 1148 Neil Harrison, Kannan Sampath, and Ronhazli Adam for their valuable 1149 comments and suggestions on this draft. 1151 11. References 1153 11.1. Normative References 1155 [RFC1700] Reynolds, J. and J. Postel, "Assigned Numbers", RFC 1700, 1156 October 1994. 1158 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1159 Requirement Levels", BCP 14, RFC 2119, March 1997. 1161 [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers 1162 Considered Useful", BCP 82, RFC 3692, January 2004. 1164 [RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S. 1165 Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 1166 Functional Specification", RFC 2205, September 1997. 1168 [RFC3031] Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol 1169 Label Switching Architecture", RFC 3031, January 2001. 1171 [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., 1172 and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP 1173 Tunnels", RFC 3209, December 2001. 1175 [RFC3473] Berger, L., "Generalized Multi-Protocol Label Switching 1176 (GMPLS) Signaling Resource ReserVation Protocol-Traffic 1177 Engineering (RSVP-TE) Extensions", RFC 3473, January 2003. 1179 [RFC4090] Pan, P., Swallow, G., and A. Atlas, "Fast Reroute 1180 Extensions to RSVP-TE for LSP Tunnels", RFC 4090, 1181 May 2005. 1183 [RFC4461] Yasukawa, S., "Signaling Requirements for Point-to- 1184 Multipoint Traffic-Engineered MPLS Label Switched Paths 1185 (LSPs)", RFC 4461, April 2006. 1187 [RFC4875] Aggarwal, R., Papadimitriou, D., and S. Yasukawa, 1188 "Extensions to Resource Reservation Protocol - Traffic 1189 Engineering (RSVP-TE) for Point-to-Multipoint TE Label 1190 Switched Paths (LSPs)", RFC 4875, May 2007. 1192 [P2MP-FRR] 1193 Le Roux, J., Aggarwal, R., Vasseur, J., and M. Vigoureux, 1194 "P2MP MPLS-TE Fast Reroute with P2MP Bypass Tunnels", 1195 draft-leroux-mpls-p2mp-te-bypass , March 1997. 1197 11.2. Informative References 1199 [RFC2702] Awduche, D., Malcolm, J., Agogbua, J., O'Dell, M., and J. 1200 McManus, "Requirements for Traffic Engineering Over MPLS", 1201 RFC 2702, September 1999. 1203 [RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y., 1204 Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack 1205 Encoding", RFC 3032, January 2001. 1207 Appendix A. Authors' Addresses 1208 Huaimo Chen 1209 Huawei Technologies 1210 Boston, MA 1211 USA 1212 Email: huaimo.chen@huawei.com 1214 Ning So 1215 Tata Communications 1216 2613 Fairbourne Cir. 1217 Plano, TX 75082 1218 USA 1219 Email: ning.so@tatacommunications.com 1221 Autumn Liu 1222 Ericsson 1223 300 Holger Way 1224 San Jose, CA 95134 1225 USA 1226 Email: autumn.liu@ericsson.com 1228 Raveendra Torvi 1229 Juniper Networks 1230 10 Technology Park Drive 1231 Westford, MA 01886 1232 USA 1233 Email: rtorvi@juniper.net 1235 Alia Atlas 1236 Juniper Networks 1237 10 Technology Park Drive 1238 Westford, MA 01886 1239 USA 1240 Email: akatlas@juniper.net 1241 Yimin Shen 1242 Juniper Networks 1243 10 Technology Park Drive 1244 Westford, MA 01886 1245 USA 1246 Email: yshen@juniper.net 1248 Fengman Xu 1249 Verizon 1250 2400 N. Glenville Dr 1251 Richardson, TX 75082 1252 USA 1253 Email: fengman.xu@verizon.com 1255 Mehmet Toy 1256 Comcast 1257 1800 Bishops Gate Blvd. 1258 Mount Laurel, NJ 08054 1259 USA 1260 Email: mehmet_toy@cable.comcast.com 1262 Lei Liu 1263 UC Davis 1264 USA 1265 Email: liulei.kddi@gmail.com