Network Working Group                                              X. Xu
Internet-Draft                                              Alibaba, Inc
Intended status: Standards Track                               S. Bryant
Expires: November 24, 2019                                        Huawei
                                                               A. Farrel
                                                      Old Dog Consulting
                                                               S. Hassan
                                                                   Cisco
                                                           W. Henderickx
                                                                   Nokia
                                                                   Z. Li
                                                                  Huawei
                                                            May 23, 2019

                            SR-MPLS over IP
                     draft-ietf-mpls-sr-over-ip-06

Abstract

   MPLS Segment Routing (SR-MPLS) is an MPLS data plane-based source
   routing paradigm in which the sender of a packet is allowed to
   partially or completely specify the route the packet takes through
   the network by imposing stacked MPLS labels on the packet.  SR-MPLS
   can be leveraged to realize a source routing mechanism across MPLS,
   IPv4, and IPv6 data planes by using an MPLS label stack as a source
   routing instruction set while making no changes to SR-MPLS
   specifications and interworking with SR-MPLS implementations.

   This document describes how SR-MPLS capable routers and IP-only
   routers can seamlessly co-exist and interoperate through the use of
   SR-MPLS label stacks and IP encapsulation/tunneling such as MPLS-in-
   UDP as defined in RFC 7510.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 24, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Use Cases
   3.  Procedures of SR-MPLS over IP
     3.1.  Forwarding Entry Construction
       3.1.1.  FIB Construction Example
     3.2.  Packet Forwarding Procedures
       3.2.1.  Packet Forwarding with Penultimate Hop Popping
       3.2.2.  Packet Forwarding without Penultimate Hop Popping
       3.2.3.  Additional Forwarding Procedures
   4.  IANA Considerations
   5.  Security Considerations
   6.  Contributors
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   MPLS Segment Routing (SR-MPLS) [I-D.ietf-spring-segment-routing-mpls]
   is an MPLS data plane-based source routing paradigm in which the
   sender of a packet is allowed to partially or completely specify the
   route the packet takes through the network by imposing stacked MPLS
   labels on the packet.
   SR-MPLS uses an MPLS label stack to encode a source routing
   instruction set.  This can be used to realize a source routing
   mechanism that can operate across MPLS, IPv4, and IPv6 data planes.
   This approach makes no changes to SR-MPLS specifications and allows
   interworking with SR-MPLS implementations.  More specifically, the
   source routing instruction set information contained in a source
   routed packet could be uniformly encoded as an MPLS label stack no
   matter whether the underlay is IPv4, IPv6, or MPLS.

   This document describes how SR-MPLS capable routers and IP-only
   routers can seamlessly co-exist and interoperate through the use of
   SR-MPLS label stacks and IP encapsulation/tunneling such as MPLS-in-
   UDP [RFC7510].

   Section 2 describes various use cases for tunneling SR-MPLS over IP.
   Section 3 describes a typical application scenario and how the packet
   forwarding happens.

1.1.  Terminology

   This memo makes use of the terms defined in [RFC3031] and
   [I-D.ietf-spring-segment-routing-mpls].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Use Cases

   Tunneling SR-MPLS using IPv4 and/or IPv6 tunnels is useful at least
   in the use cases listed below.  In all cases, this can be enabled
   using an IP tunneling mechanism such as MPLS-in-UDP as described in
   [RFC7510].  The tunnel selected MUST have its remote end point
   (destination) address equal to the address of the next SR-MPLS
   capable node identified as being on the SR path (i.e., the egress of
   the active segment).  The local end point (source) address is set to
   an address of the encapsulating node.
   [RFC7510] gives further advice on how to set the source address if
   the UDP zero-checksum mode is used with MPLS-in-UDP.

   o  Incremental deployment of the SR-MPLS technology may be
      facilitated by tunneling SR-MPLS packets across parts of a network
      that are not SR-MPLS as shown in Figure 1.  This demonstrates how
      islands of SR-MPLS may be connected across a legacy network.  It
      may be particularly useful for joining sites (such as data
      centers).

                              ____________________________
                    _______  (                            )  _______
                   (       )(         IP Network          )(       )
                  ( SR-MPLS )(                            )( SR-MPLS )
                  ( Network )(                            )( Network )
                  (        --------                    --------        )
                  (       | Border | SR-in-UDP Tunnel | Border |       )
                  (       | Router |==================| Router |       )
                  (       |   R1   |                  |   R2   |       )
                  (        --------                    --------        )
                   (       )(                            )(       )
                   (       )(                            )(       )
                    (_______) (                          ) (_______)
                              (____________________________)

        Figure 1: SR-MPLS in UDP to Tunnel Between SR-MPLS Sites

   o  If encoding of entropy [RFC6790] is desired, IP tunneling
      mechanisms that allow encoding of entropy, such as MPLS-in-UDP
      encapsulation [RFC7510] where the source port of the UDP header is
      used as an entropy field, may be used to maximize the utilization
      of ECMP and/or LAG, especially when it is difficult to make use of
      the entropy label mechanism.  This is to be contrasted with
      [RFC4023] where MPLS-in-IP does not provide for an entropy
      mechanism.  Refer to [I-D.ietf-mpls-spring-entropy-label] for
      more discussion about using entropy labels in SR-MPLS.

   o  Tunneling MPLS over IP provides a technology that enables SR in an
      IPv4 and/or IPv6 network where the routers do not support SRv6
      capabilities [I-D.ietf-6man-segment-routing-header] and where MPLS
      forwarding is not an option.  This is shown in Figure 2.
                    __________________________________
                 __(            IP Network            )__
              __(                                        )__
             (             --         --         --         )
     --------   --   --   |SR|  --   |SR|  --   |SR|  --   --------
    | Ingress| |IR| |IR|  |  | |IR|  |  | |IR|  |  | |IR| | Egress |
--->| Router |============|  |=======|  |=======|  |======| Router |--->
    |   SR   | |  | |  |  |  | |  |  |  | |  |  |  | |  | |   SR   |
     --------   --   --   |  |  --   |  |  --   |  |  --   --------
             (__           --         --         --       __)
                (__                                    __)
                   (__________________________________)

   Key:
     IR : IP-only Router
     SR : SR-MPLS-capable Router
     == : SR-MPLS in UDP Tunnel

             Figure 2: SR-MPLS Enabled Within an IP Network

3.  Procedures of SR-MPLS over IP

   This section describes the construction of forwarding information
   base (FIB) entries and the forwarding behavior that allow the
   deployment of SR-MPLS when some routers in the network are IP only
   (i.e., do not support SR-MPLS).  Note that the examples in
   Section 3.1.1 and Section 3.2 assume that OSPF or ISIS is enabled: in
   fact, other mechanisms of discovery and advertisement could be used
   including other routing protocols (such as BGP) or a central
   controller.

3.1.  Forwarding Entry Construction

   This sub-section describes how to construct the forwarding
   information base (FIB) entry on an SR-MPLS-capable router when some
   or all of the next-hops along the shortest path towards a prefix
   Segment Identifier (prefix-SID) are IP-only routers.  Section 3.1.1
   provides a concrete example of how the process applies when using
   OSPF or ISIS.

   Consider router A that receives a labeled packet with top label L(E)
   that corresponds to the prefix-SID SID(E) of prefix P(E) advertised
   by router E.  Suppose the i-th next-hop router (termed NHi) along the
   shortest path from router A toward SID(E) is not SR-MPLS capable
   while both routers A and E are SR-MPLS capable.
   The following processing steps apply:

   o  Router E is SR-MPLS capable, so it advertises a Segment Routing
      Global Block (SRGB).  The SRGB is defined in [RFC8402].  There are
      a number of ways that the advertisement can be achieved including
      IGPs, BGP, configuration/management protocols.  For example, see
      [I-D.ietf-bess-datacenter-gateway].

   o  When Router E advertises the prefix-SID SID(E) of prefix P(E) it
      MUST also advertise the encapsulation endpoint and the tunnel type
      of any tunnel used to reach E.  This information is flooded domain
      wide.

   o  If A and E are in different routing domains then the information
      MUST be flooded into both domains.  How this is achieved depends
      on the advertisement mechanism being used.  The objective is that
      router A knows the characteristics of router E that originated the
      advertisement of SID(E).

   o  Router A programs the FIB entry for prefix P(E) corresponding to
      the SID(E) according to whether a pop or swap action is advertised
      for the prefix.  The resulting action may be:

      *  pop the top label

      *  swap the top label to a value equal to SID(E) plus the lower
         bound of the SRGB of E

   Once constructed, the FIB can be used by a router to tell it how to
   process packets.  It encapsulates the packets according to the
   appropriate encapsulation advertised for the segment and then it
   sends the packets towards the next hop NHi.

3.1.1.  FIB Construction Example

   This section is non-normative and provides a worked example of how a
   FIB might be constructed using OSPF and ISIS extensions.  It is based
   on the process described in Section 3.1.

   o  Router E is SR-MPLS capable, so it advertises a Segment Routing
      Global Block (SRGB) using
      [I-D.ietf-ospf-segment-routing-extensions] or
      [I-D.ietf-isis-segment-routing-extensions].
   o  When Router E advertises the prefix-SID SID(E) of prefix P(E) it
      also advertises the encapsulation endpoint and the tunnel type of
      any tunnel used to reach E using [I-D.ietf-isis-encapsulation-cap]
      or [I-D.ietf-ospf-encapsulation-cap].

   o  If A and E are in different domains then the information is
      flooded into both domains and any intervening domains.

      *  The OSPF Tunnel Encapsulation TLV
         [I-D.ietf-ospf-encapsulation-cap] or the ISIS Tunnel
         Encapsulation sub-TLV [I-D.ietf-isis-encapsulation-cap] is
         flooded domain-wide.

      *  The OSPF SID/label range TLV
         [I-D.ietf-ospf-segment-routing-extensions] or the ISIS SR-
         Capabilities Sub-TLV [I-D.ietf-isis-segment-routing-extensions]
         is advertised domain-wide so that router A knows the
         characteristics of router E.

      *  When router E advertises the prefix P(E):

         +  If router E is running ISIS it uses the extended
            reachability TLV (TLVs 135, 235, 236, 237) and associates
            the IPv4 and/or IPv6 source router ID sub-TLV(s) [RFC7794].

         +  If router E is running OSPF it uses the OSPFv2 Extended
            Prefix Opaque LSA [RFC7684] and sets the flooding scope to
            AS-wide.

      *  If router E is running ISIS and advertises the ISIS capability
         TLV (TLV 242) [RFC7981], it sets the "router-ID" field to a
         valid value or includes an IPv6 TE router-ID sub-TLV (TLV 12),
         or does both.  The "S" bit (flooding scope) of the ISIS
         capability TLV (TLV 242) is set to "1".
   o  Router A programs the FIB entry for prefix P(E) corresponding to
      the SID(E) according to whether a pop or swap action is advertised
      for the prefix as follows:

      *  If the NP flag in OSPF or the P flag in ISIS is clear:

            pop the top label

      *  If the NP flag in OSPF or the P flag in ISIS is set:

            swap the top label to a value equal to SID(E) plus the lower
            bound of the SRGB of E

   When forwarding the packet according to the constructed FIB entry the
   router encapsulates the packet according to the encapsulation as
   advertised using the mechanisms described in
   [I-D.ietf-isis-encapsulation-cap] or
   [I-D.ietf-ospf-encapsulation-cap].  It then sends the packets
   towards the next hop NHi.

3.2.  Packet Forwarding Procedures

   [RFC7510] specifies an IP-based encapsulation for MPLS, i.e., MPLS-
   in-UDP.  This approach is applicable where IP-based encapsulation for
   MPLS is required and further fine-grained load balancing of MPLS
   packets over IP networks over Equal-Cost Multipath (ECMP) and/or Link
   Aggregation Groups (LAGs) is also required.  This section provides
   details about the forwarding procedure when UDP encapsulation is
   adopted for SR-MPLS over IP.  Other encapsulation and tunnelling
   mechanisms can be applied using similar techniques, but for clarity
   this section uses UDP encapsulation as the exemplar.

   Nodes that are SR-MPLS capable can process SR-MPLS packets.  Not all
   of the nodes in an SR-MPLS domain are SR-MPLS capable.  Some nodes
   may be "legacy routers" that cannot handle SR-MPLS packets but can
   forward IP packets.  An SR-MPLS-capable node MAY advertise its
   capabilities using the IGP as described in Section 3.  There are six
   types of node in an SR-MPLS domain:

   o  Domain ingress nodes that receive packets and encapsulate them for
      transmission across the domain.
      Those packets may be any payload protocol including native IP
      packets or packets that are already MPLS encapsulated.

   o  Legacy transit nodes that are IP routers but that are not SR-MPLS
      capable (i.e., are not able to perform segment routing).

   o  Transit nodes that are SR-MPLS capable but that are not identified
      by a SID in the SID stack.

   o  Transit nodes that are SR-MPLS capable and need to perform SR-MPLS
      routing because they are identified by a SID in the SID stack.

   o  The penultimate SR-MPLS capable node on the path that processes
      the last SID on the stack on behalf of the domain egress node.

   o  The domain egress node that forwards the payload packet for
      ultimate delivery.

3.2.1.  Packet Forwarding with Penultimate Hop Popping

   The description in this section assumes that the label associated
   with each prefix-SID is advertised by the owner of the prefix-SID as
   a Penultimate Hop Popping (PHP) label.  That is, if one of the IGP
   flooding mechanisms is used, the NP flag in OSPF or the P flag in
   ISIS associated with the prefix-SID is not set.

         +-----+       +-----+       +-----+       +-----+       +-----+
         |  A  +-------+  B  +-------+  C  +-------+  D  +-------+  H  |
         +-----+       +--+--+       +--+--+       +--+--+       +-----+
                          |             |             |
                          |             |             |
                       +--+--+       +--+--+       +--+--+
                       |  E  +-------+  F  +-------+  G  |
                       +-----+       +-----+       +-----+

         +--------+
         |IP(A->E)|
         +--------+       +--------+       +--------+
         |  UDP   |       |IP(E->G)|       |IP(G->H)|
         +--------+       +--------+       +--------+
         |  L(G)  |       |  UDP   |       |  UDP   |
         +--------+       +--------+       +--------+
         |  L(H)  |       |  L(H)  |       |Exp Null|
         +--------+       +--------+       +--------+
         | Packet | --->  | Packet | --->  | Packet |
         +--------+       +--------+       +--------+

             Figure 3: Packet Forwarding Example with PHP

   In the example shown in Figure 3, assume that routers A, E, G and H
   are SR-MPLS-capable while the remaining routers (B, C, D and F) are
   only capable of forwarding IP packets.
   Routers A, E, G, and H advertise their Segment Routing related
   information, such as via IS-IS or OSPF.

   Now assume that router A (the Domain ingress) wants to send a packet
   to router H (the Domain egress) via the explicit path {E->G->H}.
   Router A will impose an MPLS label stack on the packet that
   corresponds to that explicit path.  Since the next hop toward router
   E is only IP-capable (B is a legacy transit node), router A replaces
   the top label (that indicated router E) with a UDP-based tunnel for
   MPLS (i.e., MPLS-over-UDP [RFC7510]) to router E and then sends the
   packet.  In other words, router A pops the top label and then
   encapsulates the MPLS packet in a UDP tunnel to router E.

   When the IP-encapsulated MPLS packet arrives at router E (which is an
   SR-MPLS-capable transit node), router E strips the IP-based tunnel
   header and then processes the decapsulated MPLS packet.  The top
   label indicates that the packet must be forwarded toward router G.
   Since the next hop toward router G is only IP-capable, router E
   replaces the current top label with an MPLS-over-UDP tunnel toward
   router G and sends it out.  That is, router E pops the top label and
   then encapsulates the MPLS packet in a UDP tunnel to router G.

   When the packet arrives at router G, router G will strip the IP-based
   tunnel header and then process the decapsulated MPLS packet.  The top
   label indicates that the packet must be forwarded toward router H.
   Since the next hop toward router H is only IP-capable (D is a legacy
   transit router), router G would replace the current top label with an
   MPLS-over-UDP tunnel toward router H and send it out.
   However, since router G reaches the bottom of the label stack (G is
   the penultimate SR-MPLS capable node on the path) this would leave
   the original packet that router A wanted to send to router H
   encapsulated in UDP as if it was MPLS (i.e., with a UDP header and
   destination port indicating MPLS) even though the original packet
   could have been any protocol.  That is, the final SR-MPLS label has
   been popped, exposing the payload packet.

   To handle this, when a router (here it is router G) pops the final
   SR-MPLS label, it inserts an explicit null label [RFC3032] before
   encapsulating the packet in an MPLS-over-UDP tunnel toward router H
   and sending it out.  That is, router G pops the top label, discovers
   it has reached the bottom of stack, pushes an explicit null label,
   and then encapsulates the MPLS packet in a UDP tunnel to router H.

3.2.2.  Packet Forwarding without Penultimate Hop Popping

   Figure 4 demonstrates the packet walk in the case where the label
   associated with each prefix-SID advertised by the owner of the
   prefix-SID is not a Penultimate Hop Popping (PHP) label (e.g., the
   NP flag in OSPF or the P flag in ISIS associated with the prefix-SID
   is set).  Apart from the PHP function, the roles of the routers are
   unchanged from Section 3.2.1.
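   The two packet walks, with PHP (Section 3.2.1, Figure 3) and without
   PHP (Figure 4 below), as an added Python model that is not part of
   this draft: it encodes the RFC 3032 label stack, applies the pop-or-
   swap FIB action of Section 3.1 at each SR-MPLS-capable node, pushes
   the explicit null when the last label is popped, and carries the
   packet in an MPLS-in-UDP tunnel whose source port holds an entropy
   value that is reused from segment to segment.  The topology, the SID
   values, a shared SRGB lower bound of 16000 and the next-hop table are
   constructed assumptions.

```python
"""Packet walk for SR-MPLS over MPLS-in-UDP (RFC 7510), after Figures 3 and 4."""
import hashlib
import struct
from dataclasses import dataclass

MPLS_IN_UDP_PORT = 6635   # RFC 7510 UDP destination port for MPLS-in-UDP
IPV4_EXPLICIT_NULL = 0    # RFC 3032 reserved label (2 would be the IPv6 explicit null)
SRGB_BASE = 16000         # assumption: every SR-MPLS node advertises this SRGB lower bound

# Constructed topology of Figure 3: A-B-C-D-H on top, E-F-G below, links B-E, C-F, D-G.
SR_CAPABLE = {"A", "E", "G", "H"}                    # B, C, D and F are IP-only
SID = {"A": 1, "E": 5, "G": 7, "H": 8}               # constructed prefix-SID indices
# Shortest-path next hop from each SR node toward each segment egress (constructed).
NEXT_HOP = {"A": {"E": "B", "G": "B", "H": "B"},
            "E": {"G": "F", "H": "F"},
            "G": {"H": "D"}}


def label_of(node):
    """L(X) = SID(X) plus the lower bound of X's SRGB (Section 3.1)."""
    return SRGB_BASE + SID[node]


LABEL_OWNER = {label_of(n): n for n in SR_CAPABLE}


def encode_label_stack(labels, ttl=64):
    """RFC 3032 label stack entries, top first: 20-bit label, 3-bit TC, S bit, 8-bit TTL."""
    last = len(labels) - 1
    return b"".join(struct.pack("!I", (lab << 12) | (int(i == last) << 8) | ttl)
                    for i, lab in enumerate(labels))


def decode_label_stack(data):
    """Walk entries until the S (bottom-of-stack) bit is set; return (labels, payload)."""
    labels, off = [], 0
    while True:
        (entry,) = struct.unpack_from("!I", data, off)
        labels.append(entry >> 12)
        off += 4
        if entry & 0x100:
            return labels, data[off:]


@dataclass
class Tunnel:
    """IP/UDP tunnel header, reduced to the fields the walk needs."""
    src: str
    dst: str
    sport: int                   # entropy field of RFC 7510
    dport: int = MPLS_IN_UDP_PORT


def entropy_port(labels, payload):
    """Encapsulator-chosen flow identifier: a hash over the whole label stack and the
    start of the payload, mapped into the ephemeral port range."""
    digest = hashlib.sha256(encode_label_stack(labels) + payload[:40]).digest()
    return 49152 + int.from_bytes(digest[:2], "big") % 16384


def forward(node, tunnel, mpls, php):
    """Process one packet at SR-MPLS-capable `node`.  Returns (Tunnel, mpls bytes) for
    the next segment, or ("deliver", payload) at the domain egress."""
    if tunnel is not None and tunnel.dst != node:
        raise ValueError(f"{node} is not the tunnel endpoint {tunnel.dst}")
    labels, payload = decode_label_stack(mpls)   # the tunnel header is stripped here
    # A label naming this node (non-PHP) or the explicit null pushed by the penultimate
    # node (PHP) marks the end of the segment that terminates here: pop it.
    if labels and labels[0] in (label_of(node), IPV4_EXPLICIT_NULL):
        labels.pop(0)
    if not labels:
        return "deliver", payload
    egress = LABEL_OWNER[labels[0]]              # next SR-MPLS node on the path
    if php:                                      # NP/P flag clear: pop the top label
        labels.pop(0)
        if not labels:                           # bottom of stack: keep the UDP payload
            labels.insert(0, IPV4_EXPLICIT_NULL) # a well-formed MPLS packet (Sec. 3.2.1)
    else:                                        # flag set: swap to SID(egress) + SRGB base
        labels[0] = label_of(egress)
    if NEXT_HOP[node][egress] in SR_CAPABLE:
        raise NotImplementedError("native MPLS next hop is outside this example")
    sport = tunnel.sport if tunnel else entropy_port(labels, payload)   # reuse entropy
    return Tunnel(node, egress, sport), encode_label_stack(labels) + payload


def walk(path, payload, php):
    """Impose the stack for `path` at the ingress, then follow the packet segment by
    segment.  Returns ([(src, dst, sport, labels on the wire), ...], delivered payload)."""
    node, tunnel = path[0], None
    mpls = encode_label_stack([label_of(n) for n in path[1:]]) + payload
    trace = []
    while True:
        tunnel, mpls = forward(node, tunnel, mpls, php)
        if tunnel == "deliver":
            return trace, mpls
        trace.append((tunnel.src, tunnel.dst, tunnel.sport, decode_label_stack(mpls)[0]))
        node = tunnel.dst


if __name__ == "__main__":
    for php in (True, False):
        hops, _ = walk(["A", "E", "G", "H"], b"constructed payload", php)
        print("PHP" if php else "no PHP", [(s, d, l) for s, d, _, l in hops])
```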
         +-----+       +-----+       +-----+       +-----+       +-----+
         |  A  +-------+  B  +-------+  C  +-------+  D  +-------+  H  |
         +-----+       +--+--+       +--+--+       +--+--+       +-----+
                          |             |             |
                          |             |             |
                       +--+--+       +--+--+       +--+--+
                       |  E  +-------+  F  +-------+  G  |
                       +-----+       +-----+       +-----+

         +--------+
         |IP(A->E)|
         +--------+       +--------+
         |  UDP   |       |IP(E->G)|
         +--------+       +--------+       +--------+
         |  L(E)  |       |  UDP   |       |IP(G->H)|
         +--------+       +--------+       +--------+
         |  L(G)  |       |  L(G)  |       |  UDP   |
         +--------+       +--------+       +--------+
         |  L(H)  |       |  L(H)  |       |  L(H)  |
         +--------+       +--------+       +--------+
         | Packet | --->  | Packet | --->  | Packet |
         +--------+       +--------+       +--------+

            Figure 4: Packet Forwarding Example without PHP

   As can be seen from the figure, the SR-MPLS label for each segment is
   left in place until the end of the segment where it is popped and the
   next instruction is processed.

3.2.3.  Additional Forwarding Procedures

   Non-MPLS Interfaces:  Although the description in the previous two
      sections is based on the use of prefix-SIDs, tunneling SR-MPLS
      packets is useful when the top label of a received SR-MPLS packet
      indicates an adjacency-SID and the corresponding adjacent node to
      that adjacency-SID is not capable of MPLS forwarding but can still
      process SR-MPLS packets.  In this scenario the top label would be
      replaced by an IP tunnel toward that adjacent node and then
      forwarded over the corresponding link indicated by the adjacency-
      SID.

   When to use IP-based Tunnel:  The description in the previous two
      sections is based on the assumption that MPLS-over-UDP tunnel is
      used when the nexthop towards the next segment is not MPLS-
      enabled.  However, even in the case where the nexthop towards the
      next segment is MPLS-capable, an MPLS-over-UDP tunnel towards the
      next segment could still be used instead due to local policies.
      For instance, in the example as described in Figure 4, assume F is
      now an SR-MPLS-capable transit node while all the other
      assumptions remain unchanged: since F is not identified by a SID
      in the stack and an MPLS-over-UDP tunnel is preferred to an MPLS
      LSP according to local policies, router E replaces the current top
      label with an MPLS-over-UDP tunnel toward router G and sends it
      out.  (Note that if an MPLS LSP was preferred, the packet would be
      forwarded as native SR-MPLS.)

   IP Header Fields:  When encapsulating an MPLS packet in UDP, the
      resulting packet is further encapsulated in IP for transmission.
      IPv4 or IPv6 may be used according to the capabilities of the
      network.  The address fields are set as described in Section 2.
      The other IP header fields (such as the ECN field [RFC6040], the
      DSCP code point [RFC2983], or IPv6 Flow Label) on each UDP-
      encapsulated segment SHOULD be configurable according to the
      operator's policy: they may be copied from the header of the
      incoming packet; they may be promoted from the header of the
      payload packet; they may be set according to instructions
      programmed to be associated with the SID; or they may be
      configured dependent on the outgoing interface and payload.

   Entropy and ECMP:  When encapsulating an MPLS packet with an IP
      tunnel header that is capable of encoding entropy (such as
      [RFC7510]), the corresponding entropy field (the source port in
      the case of a UDP tunnel) MAY be filled with an entropy value that
      is generated by the encapsulator to uniquely identify a flow.
      However, what constitutes a flow is locally determined by the
      encapsulator.  For instance, if the MPLS label stack contains at
      least one entropy label and the encapsulator is capable of reading
      that entropy label, the entropy label value could be directly
      copied to the source port of the UDP header.
      Otherwise, the encapsulator may have to perform a hash on the
      whole label stack or the five-tuple of the SR-MPLS payload if the
      payload is determined to be an IP packet.  To avoid re-performing
      the hash or hunting for the entropy label each time the packet is
      encapsulated in a UDP tunnel it MAY be desirable that the entropy
      value contained in the incoming packet (i.e., the UDP source port
      value) is retained when stripping the UDP header and is re-used as
      the entropy value of the outgoing packet.

   Congestion Considerations:  Section 5 of [RFC7510] provides a
      detailed analysis of the implications of congestion in MPLS-over-
      UDP systems and builds on section 3.1.3 of [RFC8085] that
      describes the congestion implications of UDP tunnels.  All of
      those considerations apply to SR-MPLS-over-UDP tunnels as
      described in this document.  In particular, it should be noted
      that the traffic carried in SR-MPLS flows is likely to be IP
      traffic.

4.  IANA Considerations

   This document makes no requests for IANA action.

5.  Security Considerations

   The security considerations of [RFC8354] (which redirects the reader
   to [RFC5095]) and [RFC7510] apply.  DTLS [RFC6347] SHOULD be used
   where security is needed on an MPLS-SR-over-UDP segment, including
   when the IP segment crosses the public Internet or some other
   untrusted environment.  [RFC8402] provides security considerations
   for Segment Routing, and Section 8.1 of that document is particularly
   applicable to SR-MPLS.

   It is difficult for an attacker to pass a raw MPLS encoded packet
   into a network, and operators have considerable experience at
   excluding such packets at the network boundaries, for example by
   excluding all packets that are revealed to be carrying an MPLS packet
   as the payload of IP tunnels.  Further discussion of MPLS security is
   found in [RFC5920].
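   One way to apply the boundary exclusion described above, as an added
   Python example that is not part of this draft: it recognises MPLS
   arriving as the payload of an IP tunnel (MPLS-in-UDP on port 6635
   from RFC 7510, or MPLS-in-IP, protocol 137, from RFC 4023) and drops
   it only when it enters on an untrusted interface and is addressed to
   this network, so transit traffic passes untouched.  Passing the DTLS
   port 6636 on the grounds that the tunnel endpoint authenticates it
   is an assumed local policy, and the prefixes and packets are
   constructed.

```python
"""Boundary filter for MPLS carried as the payload of IP tunnels (Section 5 of the draft)."""
import ipaddress
import struct

MPLS_IN_UDP_PORT = 6635        # RFC 7510: plain MPLS-in-UDP
MPLS_IN_UDP_DTLS_PORT = 6636   # RFC 7510: MPLS-in-UDP protected by DTLS
IPPROTO_UDP = 17
IPPROTO_MPLS_IN_IP = 137       # RFC 4023: MPLS directly in IP

# Constructed: the address space that terminates inside this SR-MPLS domain.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def classify(pkt):
    """Return (kind, destination) for an IPv4 packet; `kind` says whether the packet is
    revealed to be carrying MPLS as the payload of an IP tunnel."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4", None
    ihl = (pkt[0] & 0x0F) * 4
    proto, dst = pkt[9], ipaddress.IPv4Address(pkt[16:20])
    if proto == IPPROTO_MPLS_IN_IP:
        return "mpls-in-ip", dst
    if proto == IPPROTO_UDP and len(pkt) >= ihl + 8:
        dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
        if dport == MPLS_IN_UDP_PORT:
            return "mpls-in-udp", dst
        if dport == MPLS_IN_UDP_DTLS_PORT:
            return "mpls-in-udp-dtls", dst
    return "other", dst


def boundary_decision(pkt, from_untrusted, local_prefixes=LOCAL_PREFIXES):
    """'drop' a packet that arrives on an untrusted interface, carries plain MPLS inside
    an IP tunnel and terminates in this network; everything else is forwarded.  Packets
    merely transiting the network pose no different risk than other traffic, and a
    DTLS-protected tunnel is left to the endpoint's DTLS authentication (assumed policy)."""
    kind, dst = classify(pkt)
    if kind == "not-ipv4":
        return "forward"           # outside the scope of this IPv4 filter
    terminates_here = any(dst in prefix for prefix in local_prefixes)
    if from_untrusted and terminates_here and kind in ("mpls-in-udp", "mpls-in-ip"):
        return "drop"
    return "forward"


def ipv4(src, dst, proto, payload):
    """Constructed minimal IPv4 header (header checksum left zero; enough for the filter)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def udp(sport, dport, payload):
    """Constructed UDP header; a zero checksum is permitted for UDP over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed single-entry label stack (label 16008, S bit set, TTL 64) used as payload.
MPLS_PAYLOAD = struct.pack("!I", (16008 << 12) | 0x100 | 64)
```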
   It is easy for a network ingress node to detect any attempt to
   smuggle an IP packet into the network since it would see that the UDP
   destination port was set to MPLS, and such filtering SHOULD be
   applied.  SR packets not having a destination address terminating in
   the network would be transparently carried and would pose no
   different security risk to the network under consideration than any
   other traffic.

   Where control plane techniques are used (as described in Section 3),
   it is important that these protocols are adequately secured for the
   environment in which they are run as discussed in [RFC6862] and
   [RFC5920].

6.  Contributors

   Ahmed Bashandy
   Individual
   Email: abashandy.ietf@gmail.com

   Clarence Filsfils
   Cisco
   Email: cfilsfil@cisco.com

   John Drake
   Juniper
   Email: jdrake@juniper.net

   Shaowen Ma
   Mellanox Technologies
   Email: mashaowen@gmail.com

   Mach Chen
   Huawei
   Email: mach.chen@huawei.com

   Hamid Assarpour
   Broadcom
   Email: hamid.assarpour@broadcom.com

   Robert Raszuk
   Bloomberg LP
   Email: robert@raszuk.net

   Uma Chunduri
   Huawei
   Email: uma.chunduri@gmail.com

   Luis M. Contreras
   Telefonica I+D
   Email: luismiguel.contrerasmurillo@telefonica.com

   Luay Jalil
   Verizon
   Email: luay.jalil@verizon.com

   Gunter Van De Velde
   Nokia
   Email: gunter.van_de_velde@nokia.com

   Tal Mizrahi
   Marvell
   Email: talmi@marvell.com

   Jeff Tantsura
   Individual
   Email: jefftant@gmail.com

7.  Acknowledgements

   Thanks to Joel Halpern, Bruno Decraene, Loa Andersson, Ron Bonica,
   Eric Rosen, Jim Guichard, Gunter Van De Velde, Andy Malis, Robert
   Sparks, and Al Morton for their insightful comments on this draft.

   Additional thanks to Mirja Kuehlewind, Alvaro Retana, Spencer
   Dawkins, Benjamin Kaduk, and Martin Vigoureux for careful reviews and
   resulting comments.

8.  References

8.1.  Normative References

   [I-D.ietf-spring-segment-routing-mpls]
              Bashandy, A., Filsfils, C., Previdi, S., Decraene, B.,
              Litkowski, S., and R. Shakir, "Segment Routing with MPLS
              data plane", draft-ietf-spring-segment-routing-mpls-22
              (work in progress), May 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3031]  Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol
              Label Switching Architecture", RFC 3031,
              DOI 10.17487/RFC3031, January 2001.

   [RFC3032]  Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y.,
              Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack
              Encoding", RFC 3032, DOI 10.17487/RFC3032, January 2001.

   [RFC5095]  Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
              of Type 0 Routing Headers in IPv6", RFC 5095,
              DOI 10.17487/RFC5095, December 2007.

   [RFC6040]  Briscoe, B., "Tunnelling of Explicit Congestion
              Notification", RFC 6040, DOI 10.17487/RFC6040, November
              2010.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012.

   [RFC7510]  Xu, X., Sheth, N., Yong, L., Callon, R., and D. Black,
              "Encapsulating MPLS in UDP", RFC 7510,
              DOI 10.17487/RFC7510, April 2015.

   [RFC7684]  Psenak, P., Gredler, H., Shakir, R., Henderickx, W.,
              Tantsura, J., and A. Lindem, "OSPFv2 Prefix/Link Attribute
              Advertisement", RFC 7684, DOI 10.17487/RFC7684, November
              2015.

   [RFC7794]  Ginsberg, L., Ed., Decraene, B., Previdi, S., Xu, X., and
              U. Chunduri, "IS-IS Prefix Attributes for Extended IPv4
              and IPv6 Reachability", RFC 7794, DOI 10.17487/RFC7794,
              March 2016.

   [RFC7981]  Ginsberg, L., Previdi, S., and M. Chen, "IS-IS Extensions
              for Advertising Router Information", RFC 7981,
              DOI 10.17487/RFC7981, October 2016.
   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8402]  Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
              Decraene, B., Litkowski, S., and R. Shakir, "Segment
              Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
              July 2018.

8.2.  Informative References

   [I-D.ietf-6man-segment-routing-header]
              Filsfils, C., Dukes, D., Previdi, S., Leddy, J.,
              Matsushima, S., and d. daniel.voyer@bell.ca, "IPv6 Segment
              Routing Header (SRH)", draft-ietf-6man-segment-routing-
              header-19 (work in progress), May 2019.

   [I-D.ietf-bess-datacenter-gateway]
              Farrel, A., Drake, J., Rosen, E., Patel, K., and L. Jalil,
              "Gateway Auto-Discovery and Route Advertisement for
              Segment Routing Enabled Domain Interconnection", draft-
              ietf-bess-datacenter-gateway-02 (work in progress),
              February 2019.

   [I-D.ietf-isis-encapsulation-cap]
              Xu, X., Decraene, B., Raszuk, R., Chunduri, U., Contreras,
              L., and L. Jalil, "Advertising Tunnelling Capability in
              IS-IS", draft-ietf-isis-encapsulation-cap-01 (work in
              progress), April 2017.

   [I-D.ietf-isis-segment-routing-extensions]
              Previdi, S., Ginsberg, L., Filsfils, C., Bashandy, A.,
              Gredler, H., and B. Decraene, "IS-IS Extensions for
              Segment Routing", draft-ietf-isis-segment-routing-
              extensions-25 (work in progress), May 2019.

   [I-D.ietf-mpls-spring-entropy-label]
              Kini, S., Kompella, K., Sivabalan, S., Litkowski, S.,
              Shakir, R., and J. Tantsura, "Entropy label for SPRING
              tunnels", draft-ietf-mpls-spring-entropy-label-12 (work in
              progress), July 2018.

   [I-D.ietf-ospf-encapsulation-cap]
              Xu, X., Decraene, B., Raszuk, R., Contreras, L., and L.
              Jalil, "The Tunnel Encapsulations OSPF Router
              Information", draft-ietf-ospf-encapsulation-cap-09 (work
              in progress), October 2017.
   [I-D.ietf-ospf-segment-routing-extensions]
              Psenak, P., Previdi, S., Filsfils, C., Gredler, H.,
              Shakir, R., Henderickx, W., and J. Tantsura, "OSPF
              Extensions for Segment Routing", draft-ietf-ospf-segment-
              routing-extensions-27 (work in progress), December 2018.

   [RFC2983]  Black, D., "Differentiated Services and Tunnels",
              RFC 2983, DOI 10.17487/RFC2983, October 2000.

   [RFC4023]  Worster, T., Rekhter, Y., and E. Rosen, Ed.,
              "Encapsulating MPLS in IP or Generic Routing Encapsulation
              (GRE)", RFC 4023, DOI 10.17487/RFC4023, March 2005.

   [RFC5920]  Fang, L., Ed., "Security Framework for MPLS and GMPLS
              Networks", RFC 5920, DOI 10.17487/RFC5920, July 2010.

   [RFC6790]  Kompella, K., Drake, J., Amante, S., Henderickx, W., and
              L. Yong, "The Use of Entropy Labels in MPLS Forwarding",
              RFC 6790, DOI 10.17487/RFC6790, November 2012.

   [RFC6862]  Lebovitz, G., Bhatia, M., and B. Weis, "Keying and
              Authentication for Routing Protocols (KARP) Overview,
              Threats, and Requirements", RFC 6862,
              DOI 10.17487/RFC6862, March 2013.

   [RFC8085]  Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage
              Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085,
              March 2017.

   [RFC8354]  Brzozowski, J., Leddy, J., Filsfils, C., Maglione, R.,
              Ed., and M. Townsley, "Use Cases for IPv6 Source Packet
              Routing in Networking (SPRING)", RFC 8354,
              DOI 10.17487/RFC8354, March 2018.

Authors' Addresses

   Xiaohu Xu
   Alibaba, Inc

   Email: xiaohu.xxh@alibaba-inc.com


   Stewart Bryant
   Huawei

   Email: stewart.bryant@gmail.com


   Adrian Farrel
   Old Dog Consulting

   Email: adrian@olddog.co.uk


   Syed Hassan
   Cisco

   Email: shassan@cisco.com


   Wim Henderickx
   Nokia

   Email: wim.henderickx@nokia.com


   Zhenbin Li
   Huawei

   Email: lizhenbin@huawei.com