idnits 2.17.1 draft-eastlake-sfc-nsh-ecn-support-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 243 has weird spacing: '... sender doma...' == Line 244 has weird spacing: '...ingress v |...' -- The document date (February 5, 2019) is 1905 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational draft: draft-ietf-tsvwg-tunnel-congestion-feedback (ref. 'TunnelCongFeedback') -- Obsolete informational reference (is this intentional?): RFC 4960 (Obsoleted by RFC 9260) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 INTERNET-DRAFT Donald Eastlake 2 Intended status: Proposed Standard Huawei 3 Bob Briscoe 4 Independent 5 Andrew Malis 6 Huawei 7 Expires: August 4, 2019 February 5, 2019 9 Explicit Congestion Notification (ECN) and Congestion Feedback 10 Using the Network Service Header (NSH) 11 13 Abstract 15 Explicit congestion notification (ECN) allows a forwarding element to 16 notify downstream devices of the onset of congestion without having 17 to drop packets. Coupled with a means to feed back information about 18 congestion to upstream nodes, this can improve network efficiency 19 through better congestion control, frequently without packet drops. 20 This document specifies ECN and congestion feedback support within a 21 Service Function Chaining (SFC) domain through use of the Network 22 Service Header (NSH, RFC 8300) and IP Flow Information Export (IPFIX, 23 draft-ietf-tsvwg-tunnel-congestion-feedback). 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Distribution of this document is unlimited. Comments should be sent 31 to the SFC Working Group mailing list or to the 32 authors. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF), its areas, and its working groups. Note that 36 other groups may also distribute working documents as Internet- 37 Drafts. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 The list of current Internet-Drafts can be accessed at 45 http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft 46 Shadow Directories can be accessed at 47 http://www.ietf.org/shadow.html. 49 Table of Contents 51 1. Introduction............................................3 52 1.1 NSH Background.........................................3 53 1.2 ECN Background.........................................5 54 1.3 Tunnel Congestion Feedback Background..................5 55 1.4 Conventions Used in This Document......................7 57 2. The NSH ECN Field.......................................8 59 3. ECN Support in the NSH.................................10 60 3.1 At The Ingress........................................11 61 3.2 At Transit Nodes......................................12 62 3.2.1 At NSH Transit Nodes................................12 63 3.2.2 At an SF/Proxy......................................13 64 3.2.3 At Other Forwarding Nodes...........................13 65 3.3 At Exit/Egress........................................13 66 3.4 Conservation of Packets...............................14 68 4. Tunnel Congestion Feedback Support.....................15 70 5. IANA Considerations....................................16 71 6. Security Considerations................................17 73 7. Acknowledgements.......................................17 75 Normative References......................................18 76 Informative References....................................19 78 Authors' Addresses........................................20 80 1. Introduction 82 Explicit congestion notification (ECN [RFC3168]) allows a forwarding 83 element to notify downstream devices of the onset of congestion 84 without having to drop packets. Coupled with a means to feed back 85 information about congestion to upstream nodes, this can improve 86 network efficiency through better congestion control, frequently 87 without packet drops. This document specifies ECN and congestion 88 feedback support within a Service Function Chaining (SFC [RFC7665]) 89 domain through use of the Network Service Header (NSH [RFC8300]) and 90 IP Flow Information Export (IPFIX [TunnelCongFeedback]). 92 It requires that all ingress and egress nodes of the SFC domain 93 implement ECN. While congestion management will be the most effective 94 if all interior nodes of the SFC domain implement ECN, some benefit 95 is obtained even if some interior nodes do not implement ECN. In 96 particular, congestion at any bottleneck where ECN marking is not 97 implemented will be unmanaged. 99 The subsections below in this is section provide background 100 information on NSH, ECN, congestion feedback, and terminology used in 101 this document. 103 1.1 NSH Background 105 The Service Function Chaining (SFC [RFC7665]) architecture calls for 106 the encapsulation of traffic within a service function chaining 107 domain with a Network Service Header (NSH [RFC8300]) added by the 108 "Classifier" (ingress node) on entry to the domain and the NSH being 109 removed on exit from the domain at the egress node. The NSH is used 110 to control the path of a packet in an SFC domain. The NSH is a 111 natural place, in a domain where traffic is NSH encapsulated, to note 112 congestion, avoiding possible confusion due, for example, to changes 113 in the outer transport header in different parts of the domain. 115 | 116 v 117 +----------+ 118 . .|Classifier|. . . . . . . . . . . . . . 119 . +----------+ . 120 . | +----+ . 121 . | --+ SF | Service . 122 . | / +----+ Function . 123 . v --- Chaining . 124 . +-----+/ +----+ domain . 125 . | SFF |--------+ SF | . 126 . +-----+\ +----+ . 127 . | --- . 128 . | \ +----+ . 129 . | --+ SF | . 130 . v +----+ . 131 . +-----+ +----+ . 132 . | SFF |-----------------+ SF | . 133 . +-----+ +----+ . 134 . | +----+ . 135 . | --+ SF | . 136 . | / +----+ . 137 . v --- . 138 . +-----+/ +----+ . 139 . | SFF |--------+ SF | . 140 . +-----+\ +----+ . 141 . | --- . 142 . | \ +----+ . 143 . | --+ SF | . 144 . v +----+ . 145 . +------+ . 146 . . .| Exit |. . . . . . . . . . . . . . . 147 +------+ 148 | 149 v 151 Figure 1. Example SFC Path Forwarding Nodes 153 Figure 1 shows an SFC domain for the purpose of illustrating the use 154 of NSH. Traffic passes through a sequence of Service Function 155 Forwarders (SFFs) each of which sends the traffic to one or more 156 Service Functions (SFs). Each SF performs some operation on the 157 traffic, for example firewall or Network Address Translation (NAT), 158 and then returns it to the SFF from which it was received. 160 Logically, during the transit of each SFF, the outer transport header 161 that got the packet to the SFF is stripped, the SFF decides on the 162 next forwarding step, either adding a transport header or, if the SFF 163 is the exit/egress, removing the NSH header. The transport headers 164 added may be different in different regions of the SFC domain. For 165 example, IP could be used for some SFF-to-SFF communication and MPLS 166 used for other such communication. 168 1.2 ECN Background 170 Explicit congestion notification (ECN [RFC3168]) allows a forwarding 171 element (such as a router or an Service Function Forwarder (SFF) or 172 Service Function (SF)) to notify downstream devices of the onset of 173 congestion without having to drop packets. This can be used as an 174 element in active queue management (AQM) [RFC7567] to improve network 175 efficiency through better traffic control without packet drops. The 176 forwarding element can explicitly mark some packets in an ECN field 177 instead of dropping the packet. For example, a two-bit field is 178 available for ECN marking in IP headers [RFC3168]. 180 1.3 Tunnel Congestion Feedback Background 182 Tunnel Congestion Feedback [TunnelCongFeedback] is a building block 183 for various congestion mitigation methods. It supports feedback of 184 congestion information from an egress node to an ingress node. 185 Examples of actions that can be taken by an ingress node when it has 186 knowledge of downstream congestion include those listed below. 187 Details of implementing these traffic control methods, beyond those 188 given here, are outside the scope of this document. 190 Any action by the ingress to reduce congestion needs to allow 191 sufficient time for the end-to-end congestion control loop to respond 192 first, for instance by the ingress taking a smoothed average of the 193 level of congestion signalled by feedback from the tunnel egress. 195 (1) Traffic throttling (policing), where the downstream traffic 196 flowing out of the ingress node is limited to reduce or eliminate 197 congestion. 199 (2) Upstream congestion feedback, where the ingress node sends 200 messages upstream to or towards the ultimate traffic source, a 201 function that can throttle traffic generation/transmission. 203 (3) Traffic re-direction, where the ingress node configures the NSH 204 of some future traffic so that it avoids congested paths. Great 205 care must be taken to avoid (a) significant re-ordering of 206 traffic in flows that it is desirable to keep in order and (b) 207 oscillation/instability in traffic paths due to alternate 208 congestion of previously idle paths and the idling of previously 209 congested paths. For example, it is preferable to classify 210 traffic into flows of a sufficiently coarse granularity that the 211 flows are long lived and use a stable path per flow sending only 212 newly appearing flows on apparently uncongested paths. 214 Figure 2 shows an example path from an origin sender to a final 215 receiver passing through an example chain of service functions 216 between the ingress and egress of an SFC domain. The path is also 217 likely to pass through other network nodes outside the SFC domain 218 (not shown). The figure shows typical congestion feedback that would 219 be expected from the final receiver to the origin sender, which 220 controls the load the origin sender applies to all elements on the 221 path. The figure also shows the congestion feedback from the egress 222 to the ingress of the SFC domain that is described in this document, 223 to control or balance load within the SFC domain. 225 .:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = :. 226 _||_ End-to-End Congestion Feedback || 227 \ / || 228 \/ || 229 Inner Transport Header and Payload __ 230 | | - - - - - - - - - - - - - - - ->- - - - - -- - - - - - - - | | 231 | | | | 232 | | .:= = = = = = = = = = = = = = = = = = = = = =:. | | 233 | | _||_ Tunnel Congestion Feedback || | | 234 | | \ / || | | 235 | | \/ || | | 236 | | __ NSH __ | | 237 | | | |-------------------------->--------------| | | | 238 | |. . . | | ___ ___ ___ | |. . .| | 239 | | | | OT1 | | OT4 | | . . . | | OTn | | | | 240 | | | |-->--|SFF|--->---|SFF| |SFF|-->--| | | | 241 |__| |__| |___| |___| |___| |__| |__| 242 origin SFC | ^ | ^ SFC final 243 sender domain OT2| |OT3 OT6| |OT7 domain rcvr 244 ingress v | v | egress 245 +---+ +---+ 246 |SF | |SF | 247 +---+ +---+ 249 Figure 2: Congestion Feedback across an SFC Domain 251 SFC Domain congestion feedback in Figure 2 is shown within the 252 context of an end-to-end congestion feedback loop. Also shown is the 253 encapsulated layering of NSH headers within a series of outer 254 transport headers (OT1, OT2, ... OTn). 256 1.4 Conventions Used in This Document 258 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 259 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 260 document are to be interpreted as described in [RFC2119] [RFC8174] 261 when, and only when, they appear in all capitals, as shown here. 263 Acronyms: 265 AQM - Active Queue Management [RFC7567] 267 CE - Congestion Experienced [RFC3168] 269 downstream - The direction from ingress to egress 271 ECN - Explicit Congestion Notification [RFC3168] 273 ECT - ECN Capable Transport [RFC3168] 275 IPFIX - IP Flow Information Export [RFC7011] 277 Not-ECT - Not ECN-Capable Transport [RFC3168] 279 NSH - Network Service Header [RFC8300] 281 SF - Service Function [RFC7665] 283 SFC - Service Function Chaining [RFC7665] 285 SFF - Service Function Forwarder [RFC7665] - A type of node that 286 forwards based on the NSH. 288 TLV - Type Length Value 290 upstream - The direction from egress to ingress 292 2. The NSH ECN Field 294 The NSH header is used to encapsulate and control the subsequent path 295 of traffic (see Section 2 of [RFC8300]). The NSH also provides for 296 metadata inclusion, as shown in Figure 3. 298 +-----------------------------------+ 299 | Transport Encapsulation | 300 +-----------------------------------+ 301 | Network Service Header (NSH) | 302 | +------------------------------+ | 303 | | Base Header | | 304 | +------------------------------+ | 305 | | Service Path Header | | 306 | +------------------------------+ | 307 | | Metadata (Context Header(s)) | | 308 | +------------------------------+ | 309 +-----------------------------------+ 310 | Original Packet / Frame | 311 +-----------------------------------+ 313 Figure 3. Data Encapsulation with the NSH 315 Two currently unused bits (indicated by "U") in the NSH Base Header 316 (Section 2.2 of [RFC8300]) are allocated for ECN as shown in Figure 317 4. 319 0 1 2 3 320 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 321 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 322 |Ver|O|U| TTL | Length |U|U|U|U|MD Type| Next Protocol | 323 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 324 ^ ^ 325 | | 326 +-------+ 327 |NSH ECN| 328 | field | 329 +-------+ 331 Figure 4: NSH Base Header 333 Note to RFC Editor: The above figure should be adjusted based on the 334 bits assigned by IANA (see Section 5) and this note deleted. 336 Table 1 shows the meaning of the code points in the NSH ECN field. 337 These have the same meaning as the ECN field code points in the IPv4 338 or IPv6 header as defined in [RFC3168]. 340 Binary Name Meaning 341 ------ ------- -------------------------------- 342 00 Not-ECT Not ECN-Capable Transport 343 01 ECT(1) ECN-Capable Transport 344 10 ECT(0) ECN-Capable Transport 345 11 CE Congestion Experienced 347 Table 1. ECN Field Code Points 349 3. ECN Support in the NSH 351 This section describes the required behavior to support ECN using the 352 NSH. There are two aspects to ECN support: 353 1. ECN propagation during encapsulation or decapsulation 354 2. ECN marking during congestion at bottlenecks. 356 While this section covers all combinations of ECN-aware and not ECN- 357 aware, it is expected that in most cases the NSH domain will be 358 uniform so that, if this document is applicable, all SFFs will 359 support ECN; however, some legacy SFs might not support ECN. 361 ECN Propagation: 363 The specification of ECN tunneling [RFC6040] explains that an 364 ingress must not propagate ECN support into an encapsulating 365 header unless the egress supports correct onward propagation of 366 the ECN field during decapsulation. We define Compliant ECN 367 Decapsulation here as decapsulation compliant with either 368 [RFC6040] or an earlier compatible equivalent ([RFC4301], or full 369 functionality mode of [RFC3168]). 371 The procedures in Section 3.2.1 ensure that each ingress of the 372 large number of possible transport links within the SFC domain 373 does not propagate ECN support into the encapsulating outer 374 transport header unless the corresponding egress of that link 375 supports Compliant ECN Decapsulation. 377 Section 3.3 requires that all the egress nodes of the SFC domain 378 support Compliant ECN Decapsulation in conjunction with tunnel 379 congestion feedback, otherwise the scheme in this document will 380 not work. 382 ECN Marking: 384 At transit nodes the marking behavior specified in 3.2.1 is 385 recommended and if not implemented at such transit nodes, there 386 may be unmanaged congestion. 388 Detection of congestion will be most effective if ECN marking is 389 supported by all potential bottlenecks inside the domain in which 390 NSH is being used to route traffic as well as at the ingress and 391 egress. Nodes that do not support ECN marking, or that support 392 AQM but not ECN, will naturally use drop to relieve congestion. 393 The gap in the end-to-end packet sequence will be detected as 394 congestion by the final receiving endpoint, but not by the NSH 395 egress (see Figure 2). 397 3.1 At The Ingress 399 When the ingress/Classifier encapsulates an incoming IP packet with 400 an NSH, it MUST set the NSH ECN field using the "Normal mode" 401 specified in [RFC6040] (i.e., copied from the incoming IP header). 403 Then, if the resulting NSH ECN field is Not-ECT, the ingress SHOULD 404 set it to ECT(0). This indicates that, even though the end-to-end 405 transport is not ECN-capable, the egress and ingress of the SFC 406 domain are acting as an ECN-capable transport. This approach will 407 inherently support all known variatns of ECN, including the 408 experimental L4S capability [RFC8311], [ecnL4S]. 410 Packets arriving at the ingress might not use IP. If the protocol of 411 arriving packets supports an ECN field similar to IP, the procedures 412 for IP packets can be used. If arriving packets do not support an ECN 413 field similar to IP, they MUST be treated as if they are Not-ECT IP 414 packets. 416 Then, as the NSH encapsulated packet is further encapsulated with a 417 transport header, if ECN marking is available for that transport (as 418 it is for IP [RFC3168] and MPLS [RFC5129]), the ECN field of the 419 transport header MUST be set using the "Normal mode" specified in 420 [RFC6040] (i.e., copied from the NSH ECN field). 422 A summary of these normative steps is given in Table 2. 424 +-----------------+---------------+ 425 | Incoming Header | Departing NSH | 426 | (also equal to | and Outer | 427 | departing Inner | Headers | 428 | Header) | | 429 +-----------------+---------------+ 430 | Not-ECT | ECT(0) | 431 | ECT(0) | ECT(0) | 432 | ECT(1) | ECT(1) | 433 | CE | CE | 434 +-----------------+---------------+ 436 Table 2. Setting of ECN fields by an ingress/Classifier 438 The requirements in this section apply to all ingress nodes for the 439 domain in which NSH is being used to route traffic. 441 3.2 At Transit Nodes 443 This section described behavior at nodes that forward based on the 444 NSH such as SFF and other forwarding nodes such as IP routers. Figure 445 5 shows a packet on the wire between forwarding nodes. 447 +-----------------+ 448 | Outer Header | 449 +-----------------+ 450 | NSH | 451 +-----------------+ 452 | Inner Header | 453 +-----------------+ 454 | Payload | 455 +-----------------+ 457 Figure 5. Packet in Transit 459 3.2.1 At NSH Transit Nodes 461 When a packet is received at an NSH based forwarding node N1, such as 462 an SFF, the outer transport encapsulation is removed and its ECN 463 marking SHOULD be combined into the NSH ECN marking as specified in 464 [RFC6040]. If this is not done, any congestion encountered at non-NSH 465 transit nodes between N1 and the next upstream NSH based forwarding 466 node will be lost and not transmitted downstream. 468 The NSH forwarding node SHOULD use a recognized AQM algorithm 469 [RFC7567] to detect congestion. If the NSH ECN field indicates ECT, 470 it will probabilistically set the NSH ECN field to the Congestion 471 Experienced (CE) value or, in cases of extreme congestion, drop the 472 packet. 474 When the NSH encapsulated packet is further encapsulated for 475 transmission to the next SFF or SF, ECN marking behavior depends on 476 whether or not the node that will decapsulate the outer header 477 supports Compliant ECN Decapsulation (see Section 3). If it does, 478 then the ingress node propagates the NSH ECN field to this outer 479 encapsulation using the "Normal Mode" of ECN encapsulation [RFC6040] 480 (it copies the ECN field). If it does not, then the ingress MUST 481 clear ECN in the outer encapsulation to non-ECT (the "Compatibility 482 Mode" of [RFC6040]). 484 3.2.2 At an SF/Proxy 486 If the SF is NSH and ECN-aware, the processing is essentially the 487 same at the SF as at an SFF as discussed in Section 3.2.1. 489 If the SF is NSH-aware but not ECN-aware, then the SFF transmitting 490 the packet to the SF will use Compatibility Mode. Congestion 491 encountered in the SFF to SF and SF to SFF paths will be unmanaged. 493 If the SF is not NSH-aware, then an NSH proxy will be between the SFF 494 and the SF to avoid exposure of the NSH at the SF that does not 495 understand NSHs. This is described in Section 4.6 of [RFC7665]. The 496 SF and proxy together look to the SFF like an NSH-aware SF. The 497 behavior at the proxy and SF in this case is as below: 499 If such a proxy is not ECN-aware then congestion in the entire 500 path from SFF to proxy to SF back to proxy to SFF will be 501 unmanaged. 503 If the proxy is ECN-aware the proxy uses an AQM to indicate 504 congestion in the proxy itself in the NSH that it returns to the 505 SFF. The outer header used for the proxy to SF path uses Normal 506 Mode. The outer head used for the proxy return to SFF path uses 507 Normal Mode based copying the NSH ECN field to the outer header. 508 Thus congestion in the proxy will be managed. Congestion in the SF 509 will be managed only if the SF is ECN-aware implementing an AQM. 511 3.2.3 At Other Forwarding Nodes 513 Other forwarding nodes, that is non-NSH forwarding nodes between NSH 514 forwarding nodes, such as IP routers, might also be potential 515 bottlenecks. If so, they SHOULD implement an AQM algorithm to update 516 the ECN marking in the outer transport header as specified in 517 [RFC3168]. 519 3.3 At Exit/Egress 521 First, any actions are taken based on Congestion Experienced such as 522 forwarding statistics back to the ingress (see Section 4). If the 523 packet being carried inside the NSH is IP, when the NSH is removed 524 the NSH ECN field MUST be combined with IP ECN field as specified in 525 Table 3 that was extracted from [RFC6040]. This requirement applies 526 to all egress nodes for the domain in which NSH is being used to 527 route traffic. 529 +---------+---------------------------------------------+ 530 |Arriving | Arriving Outer Header | 531 | Inner +---------+-----------+-----------+-----------+ 532 | Header | Not-ECT | ECT(0) | ECT(1) | CE | 533 +---------+---------+-----------+-----------+-----------+ 534 | Not-ECT | Not-ECT |Not-ECT |Not-ECT | | 535 | ECT(0) | ECT(0) | ECT(0) | ECT(0) | CE | 536 | ECT(1) | ECT(1) | ECT(1) | ECT(1) | CE | 537 | CE | CE | CE | CE | CE | 538 +---------+---------+-----------+-----------+-----------+ 540 Table 3. Exit ECN Fields Merger 542 All the egress nodes of the SFC domain MUST support Compliant ECN 543 Decapsulation as specified in this section. If this is not the case, 544 the scheme described in this document will not work, and cannot be 545 used. 547 3.4 Conservation of Packets 549 The SFC specification permits an SF to absorb packets and to generate 550 new packets as well as to process and forward the packets it 551 receives. Such actions might appear to be packet loss due to 552 congestion or might mask the loss of packets by generating additional 553 packets. 555 The tunnel congestion feedback approach [TunnelCongFeedback] detects 556 loss by counting payload bytes in at the ingress and counting them 557 out at the egress. This does not work unless nodes conserve the 558 amount of payload bytes. Therefore, it will not be possible to detect 559 loss using this technique if they are not conserved. 561 Nonetheless, if a bottleneck supports ECN marking, it will be 562 possible to detect the very high level of CE markings that are 563 associated with congestion that is so excessive that it leads to 564 loss. However, it will not be possible for the tunnel congestion 565 feedback approach to detect any congestion, whether slight or severe, 566 if it occurs at a bottleneck that does not support ECN marking. 568 4. Tunnel Congestion Feedback Support 570 The collection and storage of congestion information may be useful 571 for later analysis but, unless it can be fed back to a point which 572 can take action to reduce congestion, it will not be useful in real 573 time. Such congestion feedback to the ingress enables it to take 574 actions such as those listed in Section 1.3. 576 IP Flow Information Export (IPFIX [RFC7011]) provides a standard for 577 communicating traffic flow statistics. As extended by 578 [TunnelCongFeedback], IPFIX can be used to determine the extent of 579 congestion between an ingress and egress. 581 IPFIX recommends use of SCTP [RFC4960] in partial reliability mode. 582 This mode allows loss of some packets, which is tolerable because 583 IPFIX communicates cumulative statistics. IPFIX over SCTP SHOULD be 584 used directly where there is IP connectivity between the ingress and 585 egress; however, there might be different transport protocols or 586 address spaces used in different regions of an SFC domain that make 587 such direct IP connectivity problematic. The NSH provides the general 588 method of routing of traffic within such domain so the IPFIX over 589 SCTP over IP traffic should be encapsulated in NSH when necessary. 591 5. IANA Considerations 593 IANA is requested to assign two contiguous bits in the NSH Base 594 Header Bits registry for ECN (bits 16 and 17 suggested) and note this 595 assignment as follows: 597 Bit Description Reference 598 ---------- ----------- --------------- 599 tbd(16-17) NSH ECN [this document] 601 6. Security Considerations 603 For general NSH security considerations, see [RFC8300]. 605 For security considerations concerning tampering with ECN signaling, 606 see [RFC3168]. For security considerations concerning ECN 607 encapsulation, see [RFC6040]. 609 For general IPFIX security considerations, see [RFC7011]. If deployed 610 in an untrusted environment, the signaling traffic between ingress 611 and egress can be protected utilizing the security mechanisms 612 provided by IPFIX (see section 11 in RFC7011). 614 The solution in this document does not introduce any greater 615 potential to invade privacy than would have been possible without the 616 solution. 618 7. Acknowledgements 620 The authors wish to thank the following for their comments and 621 suggestion: 623 Joel Halpern, Tal Mizrahi, Xinpeng Wei 625 Normative References 627 [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate 628 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, 629 March 1997, . 631 [RFC3168] - Ramakrishnan, K., Floyd, S., and D. Black, "The Addition 632 of Explicit Congestion Notification (ECN) to IP", RFC 3168, DOI 633 10.17487/RFC3168, September 2001, . 636 [RFC5129] - Davie, B., Briscoe, B., and J. Tay, "Explicit Congestion 637 Marking in MPLS", RFC 5129, DOI 10.17487/RFC5129, January 2008, 638 . 640 [RFC6040] - Briscoe, B., "Tunnelling of Explicit Congestion 641 Notification", RFC 6040, DOI 10.17487/RFC6040, November 2010, 642 . 644 [RFC7011] - Claise, B., Ed., Trammell, B., Ed., and P. Aitken, 645 "Specification of the IP Flow Information Export (IPFIX) 646 Protocol for the Exchange of Flow Information", STD 77, RFC 647 7011, DOI 10.17487/RFC7011, September 2013, . 650 [RFC7567] - Baker, F., Ed., and G. Fairhurst, Ed., "IETF 651 Recommendations Regarding Active Queue Management", BCP 197, 652 RFC 7567, DOI 10.17487/RFC7567, July 2015, . 655 [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 656 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 657 2017, 659 [RFC8300] - Quinn, P., Ed., Elzur, U., Ed., and C. Pignataro, Ed., 660 "Network Service Header (NSH)", RFC 8300, DOI 10.17487/RFC8300, 661 January 2018, . 663 [TunnelCongFeedback] - Wei, X., Zhu, L., and L. Deng, "Tunnel 664 Congestion Feedback", draft-ietf-tsvwg-tunnel-congestion- 665 feedback, work in progress. 667 Informative References 669 [RFC4301] - Kent, S. and K. Seo, "Security Architecture for the 670 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 671 2005, . 673 [RFC4960] - Stewart, R., Ed., "Stream Control Transmission Protocol", 674 RFC 4960, DOI 10.17487/RFC4960, September 2007, 675 . 677 [RFC7665] - Halpern, J., Ed., and C. Pignataro, Ed., "Service 678 Function Chaining (SFC) Architecture", RFC 7665, DOI 679 10.17487/RFC7665, October 2015, . 682 [RFC8311] - Black, D., "Relaxing Restrictions on Explicit Congestion 683 Notification (ECN) Experimentation", RFC 8311, DOI 684 10.17487/RFC8311, January 2018, . 687 [ecnL4S] - De Schepper, K., and B. Briscoe, "Identifying Modified 688 Explicit Congestion Notification (ECN) Semantics for Ultra-Low 689 Queuing Delay (L4S)", draft-ietf-tsvwg-ecn-l4s-id, work in 690 progress. 692 Authors' Addresses 694 Donald E. Eastlake, 3rd 695 Huawei Technologies 696 1424 Pro Shop Court 697 Davenport, FL 33896 USA 699 Tel: +1-508-333-2270 700 Email: d3e3e3@gmail.com 702 Bob Briscoe 703 Independent 704 UK 706 Email: ietf@bobbriscoe.net 707 URI: http://bobbriscoe.net/ 709 Andrew G. Malis 710 Huawei Technologies 712 Email: agmalis@gmail.com 714 Copyright and IPR Provisions 716 Copyright (c) 2019 IETF Trust and the persons identified as the 717 document authors. All rights reserved. 719 This document is subject to BCP 78 and the IETF Trust's Legal 720 Provisions Relating to IETF Documents 721 (http://trustee.ietf.org/license-info) in effect on the date of 722 publication of this document. Please review these documents 723 carefully, as they describe your rights and restrictions with respect 724 to this document. Code Components extracted from this document must 725 include Simplified BSD License text as described in Section 4.e of 726 the Trust Legal Provisions and are provided without warranty as 727 described in the Simplified BSD License. The definitive version of 728 an IETF Document is that published by, or under the auspices of, the 729 IETF. Versions of IETF Documents that are published by third parties, 730 including those that are translated into other languages, should not 731 be considered to be definitive versions of IETF Documents. The 732 definitive version of these Legal Provisions is that published by, or 733 under the auspices of, the IETF. Versions of these Legal Provisions 734 that are published by third parties, including those that are 735 translated into other languages, should not be considered to be 736 definitive versions of these Legal Provisions. For the avoidance of 737 doubt, each Contributor to the IETF Standards Process licenses each 738 Contribution that he or she makes as part of the IETF Standards 739 Process to the IETF Trust pursuant to the provisions of RFC 5378. No 740 language to the contrary, or terms, conditions or rights that differ 741 from or are inconsistent with the rights and licenses granted under 742 RFC 5378, shall have any effect and shall be null and void, whether 743 published or posted by such Contributor, or included with or in such 744 Contribution.