idnits 2.17.1

draft-dawra-idr-srv6-vpn-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 13, 2017) is 2573 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'I-D.ietf-6man-segment-routing-header' is defined on
     line 349, but no explicit reference was found in the text

  == Unused Reference: 'I-D.ietf-isis-segment-routing-extensions' is defined
     on line 392, but no explicit reference was found in the text

  == Unused Reference: 'I-D.ietf-spring-segment-routing' is defined on line
     399, but no explicit reference was found in the text

  == Outdated reference: A later version (-06) exists of
     draft-filsfils-spring-segment-routing-policy-00

  == Outdated reference: A later version (-07) exists of
     draft-filsfils-spring-srv6-network-programming-00

  == Outdated reference: A later version (-26) exists of
     draft-ietf-6man-segment-routing-header-06

  ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)

  ** Obsolete normative reference: RFC 3107 (Obsoleted by RFC 8277)

  == Outdated reference: A later version (-27) exists of
     draft-ietf-idr-bgp-prefix-sid-04

  == Outdated reference: A later version (-25) exists of
     draft-ietf-isis-segment-routing-extensions-11

  == Outdated reference: A later version (-15) exists of
     draft-ietf-spring-segment-routing-11

  -- Obsolete informational reference (is this intentional?): RFC 5549
     (Obsoleted by RFC 8950)

     Summary: 2 errors (**), 0 flaws (~~), 10 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

  2  Inter-Domain Routing
  3  Internet-Draft
  4  Intended status: Standards Track                           G. Dawra, Ed.
  5  Expires: September 14, 2017                                  C. Filsfils
  6                                                                  D. Dukes
  7                                                              P. Brissette
  8                                                               P. Camarilo
  9                                                             Cisco Systems
 10                                                                  J. Leddy
 11                                                                   Comcast
 12                                                                  D. Voyer
 13                                                                D. Bernier
 14                                                               Bell Canada
 15                                                              D. Steinberg
 16                                                      Steinberg Consulting
 17                                                                 R. Raszuk
 18                                                              Bloomberg LP
 19                                                               B. Decraene
 20                                                                    Orange
 21                                                             S. Matsushima
 22                                                                  SoftBank
 23                                                            March 13, 2017

 25          BGP Signaling of IPv6-Segment-Routing-based VPN Networks
 26                      draft-dawra-idr-srv6-vpn-00.txt

 28  Abstract

 30     This draft defines procedures and messages for BGP SRv6-based EVPNs
 31     and L3 VPNs. It builds on RFC7432 "BGP MPLS-Based Ethernet VPN" and
 32     RFC4364 "BGP/MPLS IP Virtual Private Networks (VPNs)" to provide a
 33     migration path from MPLS-based VPNs to SRv6-based VPNs.

 35  Status of This Memo

 37     This Internet-Draft is submitted in full conformance with the
 38     provisions of BCP 78 and BCP 79.

 40     Internet-Drafts are working documents of the Internet Engineering
 41     Task Force (IETF). Note that other groups may also distribute
 42     working documents as Internet-Drafts. The list of current Internet-
 43     Drafts is at http://datatracker.ietf.org/drafts/current/.

 45     Internet-Drafts are draft documents valid for a maximum of six months
 46     and may be updated, replaced, or obsoleted by other documents at any
 47     time. It is inappropriate to use Internet-Drafts as reference
 48     material or to cite them other than as "work in progress."

 49     This Internet-Draft will expire on September 14, 2017.

 51  Copyright Notice

 53     Copyright (c) 2017 IETF Trust and the persons identified as the
 54     document authors. All rights reserved.

 56     This document is subject to BCP 78 and the IETF Trust's Legal
 57     Provisions Relating to IETF Documents
 58     (http://trustee.ietf.org/license-info) in effect on the date of
 59     publication of this document. Please review these documents
 60     carefully, as they describe your rights and restrictions with respect
 61     to this document. Code Components extracted from this document must
 62     include Simplified BSD License text as described in Section 4.e of
 63     the Trust Legal Provisions and are provided without warranty as
 64     described in the Simplified BSD License.

 66  Table of Contents

 68     1.  Introduction
 69     2.  Requirements Language
 70     3.  BGP for SRv6-L3VPN
 71       3.1.  SRv6-VPN SID TLV
 72       3.2.  IPv4 VPN Over SRv6 Core
 73       3.3.  IPv6 VPN Over SRv6 Core
 74     4.  Migration from L3 MPLS based Segment Routing to SRv6 Segment
 75         Routing
 76     5.  EVPN and SRv6
 77     6.  Error Handling of BGP SRv6 SID Updates
 78     7.  IANA Considerations
 79     8.  Security Considerations
 80     9.  Conclusions
 81     10. References
 82       10.1.  Normative References
 83       10.2.  Informative References
 84     Appendix A.  Contributors
 85     Authors' Addresses

 87  1. Introduction

 89     SRv6 refers to Segment Routing instantiated on the IPv6 dataplane
 90     [I-D.filsfils-spring-srv6-network-programming]
 91     [I-D.ietf-6man-segment-routing-header].

 93     SRv6-based VPN (SRv6-VPN) refers to the creation of a VPN between PEs
 94     leveraging the SRv6 dataplane and more specifically the END.DT*
 95     (crossconnect to a VRF) and END.DX* (crossconnect to a nexthop)
 96     functions defined in the SRv6 network programming document
 98     [I-D.filsfils-spring-srv6-network-programming]. SRv6-L3VPN refers to
 99     the creation of Layer3 VPN service between PEs supporting an SRv6
100     data plane.

102     SRv6 SID refers to an SRv6 Segment Identifier as defined in
103     [I-D.filsfils-spring-srv6-network-programming].

105     SRv6-VPN SID refers to an SRv6 SID that MAY be associated with one of
106     the END.DT or END.DX functions as defined in
107     [I-D.filsfils-spring-srv6-network-programming].

109     To provide SRv6-VPN service with best-effort connectivity, the egress
110     PE signals an SRv6-VPN SID with the VPN route. The ingress PE
111     encapsulates the VPN packet in an outer IPv6 header where the
112     destination address is the SRv6-VPN SID provided by the egress PE.
113     The underlay between the PEs only needs to support plain IPv6
114     forwarding [RFC2460].

116     To provide SRv6-VPN service in conjunction with an underlay SLA from
117     the ingress PE to the egress PE, the egress PE colors the VPN route
118     with a color extended community. The ingress PE encapsulates the VPN
119     packet in an outer IPv6 header with an SRH that contains the SR
120     policy associated with the related SLA followed by the SRv6-VPN SID
121     associated with the route. The underlay nodes whose SRv6 SIDs are
122     part of the SRH must support the SRv6 data plane.

124     BGP is used to advertise the reachability of prefixes in a particular
125     VPN from an egress Provider Edge (egress-PE) to ingress Provider Edge
126     (ingress-PE) nodes.

128     This document describes how existing BGP messages between PEs may
129     carry SRv6 Segment IDs (SIDs) as the means to interconnect PEs and
130     form VPNs.

132  2. Requirements Language

134     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
135     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
136     document are to be interpreted as described in [RFC2119].

138  3. BGP for SRv6-L3VPN

140     BGP egress nodes (egress-PEs) advertise a set of reachable prefixes.
141     Standard BGP update propagation schemes [RFC4271], which MAY make use
142     of route reflectors [RFC4456], are used to propagate these prefixes.
143     BGP ingress nodes (ingress-PE) receive these advertisements and may
144     add the prefix to the RIB in an appropriate VRF.

146     For PEs supporting SRv6, the egress-PE advertises an SRv6-VPN SID with
147     VPN routes. This SRv6-VPN SID only has local significance at the
148     egress-PE where it is allocated or configured on a per-CE or per-VRF
149     basis. In practice the SID encodes a cross-connect to a specific
150     Address Family table (END.DT) or next-hop/interface (END.DX) as
151     defined in the SRv6 Network Programming Document
152     [I-D.filsfils-spring-srv6-network-programming].

154     The SRv6 VPN SID MAY be routable within the AS of the egress-PE and
155     serves the dual purpose of providing reachability between ingress-PE
156     and egress-PE while also encoding the VPN identifier.

158     For each NLRI, the egress-PE includes a new optional, transitive BGP
159     SRv6-VPN SID Path TLV as part of the BGP Prefix-SID
160     Attribute [I-D.ietf-idr-bgp-prefix-sid]. It contains a list of SIDs;
161     for L3VPN only a single SRv6-VPN SID is necessary. See Section 3.1
162     below for details on the SRv6-VPN SID TLV.

164     At an ingress-PE, BGP installs the advertised prefix in the correct
165     RIB table, recursive via an SR Policy leveraging the received
166     SRv6-VPN SID.

168     Assuming best-effort connectivity to the egress PE, the SR policy has
169     a single path with a single SID list made of a single SID: the
170     SRv6-VPN SID received with the related route.

172     When the VPN route is colored with an extended color community C and
173     the SID is next-hop N and the ingress PE has a valid SRv6 Policy (N,
174     C) associated with SID list
175     [I-D.filsfils-spring-segment-routing-policy] then the SR Policy is
176     .

178     Multiple VPN routes MAY recurse on the same SR Policy.

180  3.1. SRv6-VPN SID TLV

182     The SRv6-VPN SID TLV is defined as another TLV for BGP-Prefix-SID
183     Attribute [I-D.ietf-idr-bgp-prefix-sid]. The value field of the BGP
184     Prefix SID attribute is defined here to be a set of elements encoded
185     as "Type/Length/Value" (i.e., a set of TLVs). Type for SRv6-VPN SID
186     TLV is defined to be TBD.

188     The IPv6-SID TLV MUST be present in the Prefix-SID attribute attached
189     to MP-BGP VPN NLRI defined in [RFC4659][RFC5549][RFC7432] when
190     egress-PE is capable of SRv6 data-plane.

192      0                   1                   2                   3
193      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
194     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
195     |     Type      |             Length            |   RESERVED    |
196     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
197     |                SRv6 SID information(Variable)                 |
198     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

200     SRv6 SID information is encoded as follows:

202             +---------------------------------------+
203             |  SID Type (1 Octet)                   |
204             +---------------------------------------+
205             |  SRv6 SID (16 octet)                  |
206             +---------------------------------------+

208     Where:

210     o  Type is TBD

212     o  Length: 16-bit field. The total length of the value portion of the
213        TLV.

215     o  RESERVED: 8-bit field. SHOULD be 0 on transmission and MUST be
216        ignored on reception.

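Added example (not part of the draft, nor code from its authors): a Python receive-side parser for the TLV layout above that applies the attribute-discard handling of Section 6 to malformed input. The TLV Type value 0xFA is a placeholder because the draft leaves it TBD; Length is assumed to count RESERVED plus the 17-octet SID entries; all function names and sample bytes are constructed for illustration.

```python
import ipaddress
import logging
import struct

log = logging.getLogger("srv6vpn")
SRV6_VPN_SID_TLV = 0xFA  # placeholder: the draft leaves the TLV Type as TBD
ENTRY_LEN = 17           # SID Type (1 octet) + SRv6 SID (16 octets)


class Malformed(ValueError):
    """Raised for any length inconsistency inside the attribute."""


def parse_sid_tlv(value: bytes):
    """Decode RESERVED + SID entries (assumed to be what Length covers)."""
    if len(value) < 1 + ENTRY_LEN or (len(value) - 1) % ENTRY_LEN:
        raise Malformed(f"SRv6-VPN SID TLV value is {len(value)} octets")
    # value[0] is RESERVED: ignored on reception, as the draft requires.
    sids = []
    for off in range(1, len(value), ENTRY_LEN):
        sid = ipaddress.IPv6Address(value[off + 1:off + ENTRY_LEN])
        sids.append((value[off], sid))  # (SID Type, SRv6 SID)
    return sids


def handle_prefix_sid(attr: bytes):
    """Return the SID list, or None when the attribute is to be discarded."""
    off, sids = 0, []
    try:
        while off < len(attr):
            if len(attr) - off < 3:
                raise Malformed("truncated TLV header")
            tlv_type, length = struct.unpack_from("!BH", attr, off)
            off += 3
            if length > len(attr) - off:
                raise Malformed("TLV Length overruns the attribute")
            if tlv_type == SRV6_VPN_SID_TLV:
                sids += parse_sid_tlv(attr[off:off + length])
            off += length  # other TLVs are skipped unparsed
    except Malformed as exc:
        # Section 6: ignore the attribute, do not propagate it, MAY log.
        log.warning("Prefix-SID attribute discarded: %s", exc)
        return None
    return sids


def build_sid_tlv(sid: str, length=None) -> bytes:
    """Constructed sample: one Type-1 entry; `length` forces a bad Length."""
    body = b"\x00\x01" + ipaddress.IPv6Address(sid).packed
    declared = len(body) if length is None else length
    return struct.pack("!BH", SRV6_VPN_SID_TLV, declared) + body


SAMPLE_SID = "2001:db8:0:e1::100"                  # constructed value
OTHER_TLV = bytes.fromhex("01000700000000000064")  # constructed 7-octet TLV
GOOD = OTHER_TLV + build_sid_tlv(SAMPLE_SID)

if __name__ == "__main__":
    print(handle_prefix_sid(GOOD), handle_prefix_sid(GOOD[:-4]))
```

A return value of None means the caller drops the whole attribute and does not re-advertise it; an empty list means the attribute was well-formed but carried no SRv6-VPN SID TLV.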
218     Current Type of SID defined as:

220     o  Type-1 - corresponds to the equivalent functionality provided by
221        a VPN MPLS Label attribute when received with a route containing
222        an MPLS label [RFC4364].

224  3.2. IPv4 VPN Over SRv6 Core

226     IPv4 VPN Over IPv6 Core is defined in [RFC5549]. The MP_REACH_NLRI is
227     encoded as follows for an SRv6 Core:

229     o  AFI = 1

231     o  SAFI = 128

233     o  Length of Next Hop Network Address = 16 (or 32)

235     o  Network Address of Next Hop = IPv6 address of the egress PE

237     o  NLRI = IPv4-VPN routes

239     o  Label = Implicit-Null

240     SRv6-VPN SIDs are encoded as part of the SRv6-VPN SID TLV defined in
241     Section 3.1. The function of the SRv6 SID is entirely up to the
242     originator of the advertisement. In practice the function would
243     likely be End.DX4 or End.DT4.

245  3.3. IPv6 VPN Over SRv6 Core

247     IPv6 VPN over IPv6 Core is defined in [RFC4659]. The MP_REACH_NLRI is
248     encoded as follows for an SRv6 Core:

250     o  AFI = 2

252     o  SAFI = 128

254     o  Length of Next Hop Network Address = 16 (or 32)

256     o  Network Address of Next Hop = IPv6 address of the egress PE

258     o  NLRI = IPv6-VPN routes

260     o  Label = Implicit-Null

262     SRv6-VPN SIDs are encoded as part of the SRv6-VPN SID TLV defined in
263     Section 3.1. The function of the IPv6 SRv6 SID is entirely up to the
264     originator of the advertisement. In practice the function would
265     likely be End.DX6 or End.DT6.

267  4. Migration from L3 MPLS based Segment Routing to SRv6 Segment Routing

269     Migration from IPv4 MPLS based underlay to an SRv6 underlay with BGP
270     speakers is achieved with BGP sessions per BGP instance, one for IPv4
271     and one for IPv6. Migration from IPv4 to IPv6 is independent of
272     SRv6 BGP endpoints, and the selection of which route to use (received
273     via the IPv4 or IPv6 session) is a local configurable decision of the
274     ingress-PE, and is outside the scope of this document.

276     Migration from IPv6 MPLS based underlay to an SRv6 underlay with BGP
277     speakers is achieved with a few simple rules at each BGP speaker.

279     At Egress-PE
280        If BGP offers an SRv6-VPN service
281           Then BGP allocates an SRv6-VPN SID for the VPN service
282           and adds the BGP SRv6-VPN SID TLV while advertising VPN prefixes.
283        If BGP offers an MPLS VPN service
284           Then BGP allocates an MPLS Label for the VPN service and
285           uses it in NLRI as normal for MPLS L3 VPNs.

287     At Ingress-PE
288        *Selection of which encapsulation below (SRv6-VPN or MPLS-VPN) is
289         defined by local BGP policy
290        If BGP supports SRv6-VPN service, and
291           receives a BGP SRv6-VPN SID Attribute with an SRv6 SID
292           Then BGP programs the destination prefix in RIB recursive via
293           the related SR Policy.
294        If BGP supports MPLS VPN service, and
295           the MPLS Label is not Implicit-Null
296           Then the MPLS label is used as a VPN label and inserted with the
297           prefix into RIB via the BGP Nexthop.

299  5. EVPN and SRv6

301     The EVPN SRv6 solution is actively under definition and will be added
302     in a later revision.

304  6. Error Handling of BGP SRv6 SID Updates

306     When a BGP Speaker receives a BGP Update message containing a
307     malformed SRv6-VPN SID TLV, it MUST ignore the received BGP
308     attributes and not pass it to other BGP peers. This is equivalent to
309     the -attribute discard- action specified in [RFC7606]. When
310     discarding an attribute, a BGP speaker MAY log an error for further
311     analysis.

313  7. IANA Considerations

315     This memo includes no request to IANA.

317  8. Security Considerations

319     This document introduces no new security considerations beyond those
320     already specified in [RFC4271] and [RFC3107].

322  9. Conclusions

324     This document proposes extensions to the BGP to allow advertising
325     certain attributes and functionalities related to SRv6.

327  10. References

329  10.1. Normative References

331     [I-D.filsfils-spring-segment-routing-policy]
332                Filsfils, C., Sivabalan, S., Yoyer, D., Nanduri, M., Lin,
333                S., bogdanov@google.com, b., Horneffer, M., Clad, F.,
334                Steinberg, D., Decraene, B., and S. Litkowski, "Segment
335                Routing Policy for Traffic Engineering", draft-filsfils-
336                spring-segment-routing-policy-00 (work in progress),
337                February 2017.

339     [I-D.filsfils-spring-srv6-network-programming]
340                Filsfils, C., Leddy, J., daniel.voyer@bell.ca, d.,
341                daniel.bernier@bell.ca, d., Steinberg, D., Raszuk, R.,
342                Matsushima, S., Lebrun, D., Decraene, B., Peirens, B.,
343                Salsano, S., Naik, G., Elmalky, H., Jonnalagadda, P.,
344                Sharif, M., Ayyangar, A., Mynam, S., Bashandy, A., Raza,
345                K., Dukes, D., Clad, F., and P. Camarillo, "SRv6 Network
346                Programming", draft-filsfils-spring-srv6-network-
347                programming-00 (work in progress), March 2017.

349     [I-D.ietf-6man-segment-routing-header]
350                Previdi, S., Filsfils, C., Raza, K., Leddy, J., Field, B.,
351                daniel.voyer@bell.ca, d., daniel.bernier@bell.ca, d.,
352                Matsushima, S., Leung, I., Linkova, J., Aries, E., Kosugi,
353                T., Vyncke, E., Lebrun, D., Steinberg, D., and R. Raszuk,
354                "IPv6 Segment Routing Header (SRH)", draft-ietf-6man-
355                segment-routing-header-06 (work in progress), March 2017.

357     [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
358                (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
359                December 1998, .

361     [RFC3107]  Rekhter, Y. and E. Rosen, "Carrying Label Information in
362                BGP-4", RFC 3107, DOI 10.17487/RFC3107, May 2001,
363                .

365     [RFC4364]  Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
366                Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
367                2006, .

369     [RFC4456]  Bates, T., Chen, E., and R. Chandra, "BGP Route
370                Reflection: An Alternative to Full Mesh Internal BGP
371                (IBGP)", RFC 4456, DOI 10.17487/RFC4456, April 2006,
372                .

374     [RFC7432]  Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A.,
375                Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based
376                Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February
377                2015, .

379     [RFC7606]  Chen, E., Ed., Scudder, J., Ed., Mohapatra, P., and K.
380                Patel, "Revised Error Handling for BGP UPDATE Messages",
381                RFC 7606, DOI 10.17487/RFC7606, August 2015,
382                .

384  10.2. Informative References

386     [I-D.ietf-idr-bgp-prefix-sid]
387                Previdi, S., Filsfils, C., Lindem, A., Patel, K.,
388                Sreekantiah, A., Ray, S., and H. Gredler, "Segment Routing
389                Prefix SID extensions for BGP", draft-ietf-idr-bgp-prefix-
390                sid-04 (work in progress), December 2016.

392     [I-D.ietf-isis-segment-routing-extensions]
393                Previdi, S., Filsfils, C., Bashandy, A., Gredler, H.,
394                Litkowski, S., Decraene, B., and j. jefftant@gmail.com,
395                "IS-IS Extensions for Segment Routing", draft-ietf-isis-
396                segment-routing-extensions-11 (work in progress), March
397                2017.

399     [I-D.ietf-spring-segment-routing]
400                Filsfils, C., Previdi, S., Decraene, B., Litkowski, S.,
401                and R. Shakir, "Segment Routing Architecture", draft-ietf-
402                spring-segment-routing-11 (work in progress), February
403                2017.

405     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
406                Requirement Levels", BCP 14, RFC 2119,
407                DOI 10.17487/RFC2119, March 1997,
408                .

410     [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
411                Border Gateway Protocol 4 (BGP-4)", RFC 4271,
412                DOI 10.17487/RFC4271, January 2006,
413                .

415     [RFC4659]  De Clercq, J., Ooms, D., Carugi, M., and F. Le Faucheur,
416                "BGP-MPLS IP Virtual Private Network (VPN) Extension for
417                IPv6 VPN", RFC 4659, DOI 10.17487/RFC4659, September 2006,
418                .

420     [RFC5549]  Le Faucheur, F. and E. Rosen, "Advertising IPv4 Network
421                Layer Reachability Information with an IPv6 Next Hop",
422                RFC 5549, DOI 10.17487/RFC5549, May 2009,
423                .

425  Appendix A. Contributors

427     Bart Peirens
428     Proximus
429     Belgium

431     Email: bart.peirens@proximus.com

433  Authors' Addresses

435     Gaurav Dawra (editor)
436     Cisco Systems
437     USA

439     Email: gdawra@cisco.com

441     Clarence Filsfils
442     Cisco Systems
443     Belgium

445     Email: cfilsfil@cisco.com

447     Darren Dukes
448     Cisco Systems
449     Canada

451     Email: ddukes@cisco.com

453     Patrice Brissette
454     Cisco Systems
455     Canada

457     Email: pbrisset@cisco.com

458     Pablo Camarilo
459     Cisco Systems
460     Spain

462     Email: pcamaril@cisco.com

464     John Leddy
465     Comcast
466     USA

468     Email: john_leddy@cable.comcast.com

470     Daniel Voyer
471     Bell Canada
472     Canada

474     Email: daniel.voyer@bell.ca

476     Daniel Bernier
477     Bell Canada
478     Canada

480     Email: daniel.bernier@bell.ca

482     Dirk Steinberg
483     Steinberg Consulting
484     Germany

486     Email: dws@steinberg.net

488     Robert Raszuk
489     Bloomberg LP
490     USA

492     Email: robert@raszuk.net

494     Bruno Decraene
495     Orange
496     France

498     Email: bruno.decraene@orange.com

499     Satoru Matsushima
500     SoftBank
501     Japan

503     Email: satoru.matsushima@g.softbank.co.jp