idnits 2.17.1 draft-ietf-rtgwg-segment-routing-ti-lfa-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (January 18, 2020) is 1559 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'Adjacency' is mentioned on line 545, but not defined == Missing Reference: 'Node' is mentioned on line 545, but not defined == Outdated reference: A later version (-16) exists of draft-bashandy-rtgwg-segment-routing-uloop-07 == Outdated reference: A later version (-26) exists of draft-ietf-lsr-flex-algo-05 == Outdated reference: A later version (-22) exists of draft-ietf-spring-segment-routing-policy-06 Summary: 0 errors (**), 0 flaws (~~), 7 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group S. Litkowski 2 Internet-Draft Cisco 3 Intended status: Standards Track A. Bashandy 4 Expires: July 2020 Individual 5 C. Filsfils 6 Cisco Systems 7 B. Decraene 8 Orange 9 P. Francois 10 INSA Lyon 11 D. Voyer 12 Bell Canada 13 F. Clad 14 P. Camarillo 15 Cisco Systems 16 January 18, 2020 18 Topology Independent Fast Reroute using Segment Routing 19 draft-ietf-rtgwg-segment-routing-ti-lfa-02 21 Abstract 23 This document presents Topology Independent Loop-free Alternate Fast 24 Re-route (TI-LFA), aimed at providing protection of node and 25 adjacency segments within the Segment Routing (SR) framework. This 26 Fast Re-route (FRR) behavior builds on proven IP-FRR concepts being 27 LFAs, remote LFAs (RLFA), and remote LFAs with directed forwarding 28 (DLFA). It extends these concepts to provide guaranteed coverage in 29 any IGP network. A key aspect of TI-LFA is the FRR path selection 30 approach establishing protection over the expected post-convergence 31 paths from the point of local repair, dramatically reducing the 32 operational need to control the tie-breaks among various FRR options. 34 Status of This Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at https://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on July 18, 2020. 50 Copyright Notice 52 Copyright (c) 2020 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (https://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction...................................................3 68 1.1. Conventions used in this document.........................7 69 2. Terminology....................................................7 70 3. Intersecting P-Space and Q-Space with post-convergence paths...8 71 3.1. P-Space property computation for a resource X.............8 72 3.2. Q-Space property computation for a link S-F, over post- 73 convergence paths..............................................8 74 3.3. Q-Space property computation for a set of links adjacent to 75 S, over post-convergence paths.................................9 76 3.4. Q-Space property computation for a node F, over post- 77 convergence paths..............................................9 78 3.5. Scaling considerations when computing Q-Space.............9 79 4. TI-LFA Repair Tunnel...........................................9 80 4.1. FRR path using a direct neighbor.........................10 81 4.2. FRR path using a PQ node.................................10 82 4.3. FRR path using a P node and Q node that are adjacent.....10 83 4.4. Connecting distant P and Q nodes along post-convergence paths 84 ..............................................................10 85 5. Protecting segments...........................................10 86 5.1. The active segment is a node segment.....................11 87 5.2. The active segment is an adjacency segment...............11 88 5.2.1. Protecting [Adjacency, Adjacency] segment lists.....11 89 5.2.2. Protecting [Adjacency, Node] segment lists..........12 90 5.3. Protecting SR policy midpoints against node failure......13 91 5.3.1. Protecting {F, T, D} or {S->F, T, D}................13 92 5.3.2. Protecting {F, F->T, D} or {S->F, F->T, D}..........14 93 6. TI-LFA and SR Algorithms......................................15 94 7. Usage of Adjacency segments in the repair list................15 95 8. Measurements on Real Networks.................................16 96 9. Security Considerations.......................................21 97 10. IANA Considerations..........................................21 98 11. Conclusions..................................................21 99 12. Acknowledgments..............................................22 100 13. References...................................................22 101 13.1. Normative References....................................22 102 13.2. Informative References..................................22 104 1. Introduction 106 Segment Routing aims at supporting services with tight SLA guarantees 107 [RFC8402]. By relying on SR this document provides a local repair 108 mechanism for standard IGP shortest path capable of restoring end-to- 109 end connectivity in the case of a sudden directly connected failure 110 of a network component. Non-SR mechanisms for local repair are beyond 111 the scope of this document. Non-local failures are addressed in a 112 separate document [I-D.bashandy-rtgwg-segment-routing-uloop]. 114 The term topology independent (TI) refers to the ability to provide a 115 loop free backup path irrespective of the topologies used in the 116 network. This provides a major improvement compared to LFA 117 ([RFC5286]) and remote LFA ([RFC7490]) which cannot be applicable in 118 some topologies ([RFC6571]). 120 For each destination in the network, TI-LFA pre-installs a backup 121 forwarding entry for each protected destination ready to be activated 122 upon detection of the failure of a link used to reach the 123 destination. TI-LFA provides protection in the event of any one of 124 the following: single link failure, single node failure, or single 125 SRLG failure. In link failure mode, the destination is protected 126 assuming the failure of the link. In node protection mode, the 127 destination is protected assuming that the neighbor connected to the 128 primary link has failed. In SRLG protecting mode, the destination is 129 protected assuming that a configured set of links sharing fate with 130 the primary link has failed (e.g. a linecard or a set of links 131 sharing a common transmission pipe). 133 Protection techniques outlined in this document are limited to 134 protecting links, nodes, and SRLGs that are within a routing domain. 135 Protecting domain exit routers and/or links attached to another 136 routing domains are beyond the scope of this document 138 Thanks to SR, TI-LFA does not require the establishment of TLDP 139 sessions with remote nodes in order to take advantage of the 140 applicability of remote LFAs (RLFA) [RFC7490][RFC7916] or remote LFAs 141 with directed forwarding (DLFA)[RFC5714]. All the Segment Identifiers 142 (SIDs) are available in the link state database (LSDB) of the IGP. As 143 a result, preferring LFAs over RLFAs or DLFAs, as well as minimizing 144 the number of RLFA or DLFA repair nodes is not required anymore. 146 Thanks to SR, there is no need to create state in the network in 147 order to enforce an explicit FRR path. This relieves the nodes 148 themselves from having to maintain extra state, and it relieves the 149 operator from having to deploy an extra protocol or extra protocol 150 sessions just to enhance the protection coverage. 152 [RFC7916] raised several operational considerations when using LFA or 153 remote LFA. [RFC7916] Section 3 presents a case where a high 154 bandwidth link between two core routers is protected through a PE 155 router connected with low bandwidth links. In such a case, 156 congestion may happen when the FRR backup path is activated. 157 [RFC7916] introduces a local policy framework to let the operator 158 tuning manually the best alternate election based on its own 159 requirements. 161 From a network capacity planning point of view, it is often assumed 162 that if a link L fails on a particular node X, the bandwidth consumed 163 on L will be spread over some of the remaining links of X. The 164 remaining links to be used are determined by the IGP routing 165 considering that the link L has failed (we assume that the traffic 166 uses the post-convergence path starting from the node X). In Figure 167 1, we consider a network with all metrics equal to 1 except the 168 metrics on links used by PE1, PE2 and PE3 which are 1000. An easy 169 network capacity planning method is to consider that if the link L 170 (X-B) fails, the traffic actually flowing through L will be spread 171 over the remaining links of X (X-H, X-D, X-A). Considering the IGP 172 metrics, only X-H and X-D can only be used in reality to carry the 173 traffic flowing through the link L. As a consequence, the bandwidth 174 of links X-H and X-D is sized according to this rule. We should 175 observe that this capacity planning policy works, however it is not 176 fully accurate. 178 In Figure 1, considering that the source of traffic is only from PE1 179 and PE4, when the link L fails, depending on the convergence speed of 180 the nodes, X may reroute its forwarding entries to the remote PEs 181 onto X-H or X-D; however in a similar timeframe, PE1 will also 182 reroute a subset of its traffic (the subset destined to PE2) out of 183 its nominal path reducing the quantity of traffic received by X. The 184 capacity planning rule presented previously has the drawback of 185 oversizing the network, however it allows to prevent any transient 186 congestion (when for example X reroutes traffic before PE1 does). 188 H --- I --- J 189 | | \ 190 PE4 | | PE3 191 \ | (L) | / 192 A --- X --- B --- G 193 / | | \ 194 PE1 | | PE2 195 \ | | / 196 C --- D --- E --- F 198 Figure 1 200 Based on this assumption, in order to facilitate the operation of 201 FRR, and limit the implementation of local FRR policies, it looks 202 interesting to steer the traffic onto the post-convergence path from 203 the PLR point of view during the FRR phase. In our example, when 204 link L fails, X switches the traffic destined to PE3 and PE2 on the 205 post-convergence paths. This is perfectly inline with the capacity 206 planning rule that was presented before and also inline with the fact 207 X may converge before PE1 (or any other upstream router) and may 208 spread the X-B traffic onto the post-convergence paths rooted at X. 210 It should be noted, that some networks may have a different capacity 211 planning rule, leading to an allocation of less bandwidth on X-H and 212 X-D links. In such a case, using the post-convergence paths rooted 213 at X during FRR may introduce some congestion on X-H and X-D links. 214 However it is important to note, that a transient congestion may 215 possibly happen, even without FRR activated, for instance when X 216 converges before the upstream routers. Operators are still free to 217 use the policy framework defined in [RFC7916] if the usage of the 218 post-convergence paths rooted at the PLR is not suitable. 220 Readers should be aware that FRR protection is pre-computing a backup 221 path to protect against a particular type of failure (link, node, 222 SRLG). When using the post-convergence path as FRR backup path, the 223 computed post-convergence path is the one considering the failure we 224 are protecting against. This means that FRR is using an expected 225 post-convergence path, and this expected post-convergence path may be 226 actually different from the post-convergence path used if the failure 227 that happened is different from the failure FRR was protecting 228 against. As an example, if the operator has implemented a protection 229 against a node failure, the expected post-convergence path used 230 during FRR will be the one considering that the node has failed. 231 However, even if a single link is failing or a set of links is 232 failing (instead of the full node), the node-protecting post- 233 convergence path will be used. The consequence is that the path used 234 during FRR is not optimal with respect to the failure that has 235 actually occurred. 237 Another consideration to take into account is: while using the 238 expected post-convergence path for SR traffic using node segments 239 only (for instance, PE to PE traffic using shortest path) has some 240 advantages, these advantages reduce when SR policies 241 ([I-D.ietf-spring-segment-routing-policy]) are involved. A segment- 242 list used in an SR policy is computed to obey a set of path 243 constraints defined locally at the head-end or centrally in a 244 controller. TI-LFA cannot be aware of such path constraints and 245 there is no reason to expect the TI-LFA backup path protecting one 246 the segments in that segment list to obey those constraints. When SR 247 policies are used and the operator wants to have a backup path which 248 still follows the policy requirements, this backup path should be 249 computed as part of the SR policy in the ingress node (or central 250 controller) and the SR policy should not rely on local protection. 251 Another option could be to use FlexAlgo ([I-D.ietf-lsr-flex-algo]) to 252 express the set of constraints and use a single node segment 253 associated with a FlexAlgo to reach the destination. When using a 254 node segment associated with a FlexAlgo, TI-LFA keeps providing an 255 optimal backup by applying the appropriate set of constraints. The 256 relationship between TI-LFA and the SR-algorithm is detailed in 257 Section 6. 259 Thanks to SR and the combination of Adjacency segments and Node 260 segments, the expression of the expected post-convergence path rooted 261 at the PLR is facilitated and does not create any additional state on 262 intermediate nodes. The easiest way to express the expected post- 263 convergence path in a loop-free manner is to encode it as a list of 264 adjacency segments. However, in an MPLS world, this may create a 265 long stack of labels to be pushed that some hardware may not be able 266 to push. One of the challenges of TI-LFA is to encode the expected 267 post-convergence path by combining adjacency segments and node 268 segments. Each implementation will be free to have its own path 269 compression optimization algorithm. This document details the basic 270 concepts that could be used to build the SR backup path as well as 271 the associated dataplane procedures. 273 L 274 S----F--{____}----D 275 /\ | / 276 | | | _______ / 277 |__}---Q{_______} 279 Figure 2 TI-LFA Protection 281 We use Figure 2 to illustrate the TI-LFA approach. 283 The Point of Local Repair (PLR), S, needs to find a node Q (a repair 284 node) that is capable of safely forwarding the traffic to a 285 destination D affected by the failure of the protected link L, a set 286 of links including L (SRLG), or the node F itself. The PLR also needs 287 to find a way to reach Q without being affected by the convergence 288 state of the nodes over the paths it wants to use to reach Q: the PLR 289 needs a loop-free path to reach Q. 291 Section 2 defines the main notations used in the document. They are 292 in line with [RFC5714]. 294 Section 3 suggests to compute the P-Space and Q-Space properties 295 defined in Section 2, for the specific case of nodes lying over the 296 post-convergence paths towards the protected destinations. 298 Using the properties defined in Section 3, Section 4 describes how 299 to compute protection lists that encode a loop-free post-convergence 300 path towards the destination. 302 Section 5 defines the segment operations to be applied by the PLR 303 to ensure consistency with the forwarding state of the repair node. 305 By applying the algorithms specified in this document to actual 306 service providers and large enterprise networks, we provide real life 307 measurements for the number of SIDs used by repair paths. Section 8 308 summarizes these measurements. 310 1.1. Conventions used in this document 312 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 313 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 314 "OPTIONAL" in this document are to be interpreted as described in BCP 315 14 [RFC2119] [RFC8174] when and only when, they appear in all 316 capitals, as shown here. 318 2. Terminology 320 We define the main notations used in this document as the following. 322 We refer to "old" and "new" topologies as the LSDB state before and 323 after the considered failure. 325 SPT_old(R) is the Shortest Path Tree rooted at node R in the initial 326 state of the network. 328 SPT_new(R, X) is the Shortest Path Tree rooted at node R in the state 329 of the network after the resource X has failed. 331 PLR stands for "Point of Local Repair". It is the router that 332 applies fast traffic restoration after detecting failure in a 333 directly attached link, set of links, and/or node. 335 Similar to [RFC7490], we use the concept of P-Space and Q-Space for 336 TI-LFA. 338 The P-Space P(R,X) of a node R w.r.t. a resource X (e.g. a link S-F, 339 a node F, or a SRLG) is the set of nodes that are reachable from R 340 without passing through X. It is the set of nodes that are not 341 downstream of X in SPT_old(R). 343 The Extended P-Space P'(R,X) of a node R w.r.t. a resource X is the 344 set of nodes that are reachable from R or a neighbor of R, without 345 passing through X. 347 The Q-Space Q(D,X) of a destination node D w.r.t. a resource X is the 348 set of nodes which do not use X to reach D in the initial state of 349 the network. In other words, it is the set of nodes which have D in 350 their P-Space w.r.t. S-F, F, or a set of links adjacent to S). 352 A symmetric network is a network such that the IGP metric of each 353 link is the same in both directions of the link. 355 3. Intersecting P-Space and Q-Space with post-convergence paths 357 One of the challenges of defining an SR path following the expected 358 post-convergence path is to reduce the size of the segment list. In 359 order to reduce this segment list, an implementation MAY determine 360 the P-Space/Extended P-Space and Q-Space properties (defined in 361 [RFC7490]) of the nodes along the expected post-convergence path from 362 the PLR to the protected destination and compute an SR-based explicit 363 path from P to Q when they are not adjacent. Such properties will be 364 used in Section 4 to compute the TI-LFA repair list. 366 3.1. P-Space property computation for a resource X 368 A node N is in P(R, X) if it is not downstream of X in SPT_old(R). X 369 can be a link, a node, or a set of links adjacent to the PLR. A node 370 N is in P'(R,X) if it is not downstream of X in SPT_old(N), for at 371 least one neighbor N of R. 373 3.2. Q-Space property computation for a link S-F, over post-convergence 374 paths 376 We want to determine which nodes on the post-convergence path from 377 the PLR to the destination D are in the Q-Space of destination D 378 w.r.t. link S-F. 380 This can be found by intersecting the post-convergence path to D, 381 assuming the failure of S-F, with Q(D, S-F). 383 3.3. Q-Space property computation for a set of links adjacent to S, 384 over post-convergence paths 386 We want to determine which nodes on the post-convergence path from 387 the PLR to the destination D are in the Q-Space of destination D 388 w.r.t. a set of links adjacent to S (S being the PLR). That is, we 389 aim to find the set of nodes on the post-convergence path that use 390 none of the members of the protected set of links, to reach D. 392 This can be found by intersecting the post-convergence path to D, 393 assuming the failure of the set of links, with the intersection among 394 Q(D, S->X) for all S->X belonging to the set of links. 396 3.4. Q-Space property computation for a node F, over post-convergence 397 paths 399 We want to determine which nodes on the post-convergence from the PLR 400 to the destination D are in the Q-Space of destination D w.r.t. node 401 F. 403 This can be found by intersecting the post-convergence path to D, 404 assuming the failure of F, with Q(D, F). 406 3.5. Scaling considerations when computing Q-Space 408 [RFC7490] raises scaling concerns about computing a Q-Space per 409 destination. Similar concerns may affect TI-LFA computation if an 410 implementation tries to compute a reverse SPT for every destination 411 in the network to determine the Q-Space. It will be up to each 412 implementation to determine the good tradeoff between scaling and 413 accuracy of the optimization. 415 4. TI-LFA Repair Tunnel 417 The TI-LFA repair tunnel consists of an outgoing interface and a list 418 of segments (repair list) to insert on the SR header. The repair 419 list encodes the explicit post-convergence path to the destination, 420 which avoids the protected resource X and, at the same time, is 421 guaranteed to be loop-free irrespective of the state of FIBs along 422 the nodes belonging to the explicit path. Thus there is no need for 423 any co-ordination or message exchange between the PLR and any other 424 router in the network. 426 The TI-LFA repair tunnel is found by intersecting P(S,X) and Q(D,X) 427 with the post-convergence path to D and computing the explicit SR- 428 based path EP(P, Q) from P to Q when these nodes are not adjacent 429 along the post convergence path. The TI-LFA repair list is expressed 430 generally as (Node_SID(P), EP(P, Q)). 432 Most often, the TI-LFA repair list has a simpler form, as described 433 in the following sections. Section 8 provides statistics for the 434 number of SIDs in the explicit path to protect against various 435 failures. 437 4.1. FRR path using a direct neighbor 439 When a direct neighbor is in P(S,X) and Q(D,x) and on the post- 440 convergence path, the outgoing interface is set to that neighbor and 441 the repair segment list MUST be empty. 443 This is comparable to a post-convergence LFA FRR repair. 445 4.2. FRR path using a PQ node 447 When a remote node R is in P(S,X) and Q(D,x) and on the post- 448 convergence path, the repair list MUST be made of a single node 449 segment to R and the outgoing interface MUST be set to the outgoing 450 interface used to reach R. 452 This is comparable to a post-convergence RLFA repair tunnel. 454 4.3. FRR path using a P node and Q node that are adjacent 456 When a node P is in P(S,X) and a node Q is in Q(D,x) and both are on 457 the post-convergence path and both are adjacent to each other, the 458 repair list MUST be made of two segments: A node segment to P (to be 459 processed first), followed by an adjacency segment from P to Q. 461 This is comparable to a post-convergence DLFA repair tunnel. 463 4.4. Connecting distant P and Q nodes along post-convergence paths 465 In some cases, there is no adjacent P and Q node along the post- 466 convergence path. However, the PLR can perform additional 467 computations to compute a list of segments that represent a loop-free 468 path from P to Q. How these computations are done is out of scope of 469 this document. 471 5. Protecting segments 473 In this section, we explain how a protecting router S processes the 474 active segment of a packet upon the failure of its primary outgoing 475 interface for the packet, S-F. 477 The behavior depends on the type of active segment to be protected. 479 5.1. The active segment is a node segment 481 The active segment MUST be kept on the SR header unchanged and the 482 repair list MUST be inserted at the head of the list. The active 483 segment becomes the first segment of the inserted repair list. 485 This behavior is slightly modified when SR-MPLS is used: 487 o If the repair list ends with an adjacency segment terminating on 488 the tail-end of the active segment, and if the active segment has 489 been signalled with penultimate hop popping, the active segment 490 MUST be popped before pushing the repair list. 492 o If the SRGB at the Q node is different from the SRGB at the PLR, 493 then the active segment (before the insertion of the repair list) 494 MUST be updated to fit the SRGB of the Q node. 496 In Section 5.3, we describe the node protection behavior of PLR S, 497 for the specific case where the active segment is a prefix segment 498 for the neighbor F itself. 500 5.2. The active segment is an adjacency segment 502 We define hereafter the FRR behavior applied by S for any packet 503 received with an active adjacency segment S-F for which protection 504 was enabled. As protection has been enabled for the segment S-F and 505 signalled in the IGP, any SR policy using this segment knows that it 506 may be transiently rerouted out of S-F in case of S-F failure. 508 We distinguish the case where this active segment is followed by 509 another adjacency segment from the case where it is followed by a 510 node segment. 512 5.2.1. Protecting [Adjacency, Adjacency] segment lists 514 If the next segment in the list is an Adjacency segment, then the 515 packet has to be conveyed to F. 517 To do so, S MUST apply a "NEXT" operation on Adj(S-F) and then two 518 consecutive "PUSH" operations: first it pushes a node segment for F, 519 and then it pushes a repair list allowing to reach F while bypassing 520 S-F. For details on the "NEXT" and "PUSH" operations, refer to 521 [RFC8402]. 523 Upon failure of S-F, a packet reaching S with a segment list matching 524 [adj(S-F),adj(F-M),...] will thus leave S with a segment list 525 matching [RT(F),node(F),adj(F-M)], where RT(F) is the repair tunnel 526 for destination F. 528 This behavior is slightly modified when SR-MPLS is used: 530 o If the repair list ends with an adjacency segment terminating on 531 F, and if the node segment of F has been signalled with 532 penultimate hop popping, the implementation MUST pop Adj(S-F) and 533 then push the repair list (the node segment of F is not pushed). 534 The packet will leave S with a segment list matching 535 [RT(F),adj(F-M)]. 537 o If the SRGB at the Q node is different from the SRGB at the PLR, 538 then MPLS label representing node(F) MUST be calculated as per the 539 SRGB of the Q node. 541 In Section 5.3.2, we describe the TI-LFA behavior of PLR S when 542 node protection is applied and the two first segments are Adjacency 543 Segments. 545 5.2.2. Protecting [Adjacency, Node] segment lists 547 If the next segment in the stack is a node segment, say for node T, 548 the segment list on the packet matches [adj(S-F),node(T),...]. 550 A first solution would consist in steering the packet back to F while 551 avoiding S-F. To do so, S MUST apply a "NEXT" operation on Adj(S-F) 552 and then two consecutive "PUSH" operations: first it pushes a node 553 segment for F, and then it pushes a repair list allowing to reach F 554 while bypassing S-F. 556 Upon failure of S-F, a packet reaching S with a segment list matching 557 [adj(S-F),node(T),...] will thus leave S with a segment list matching 558 [RT(F),node(F),node(T)]. 560 This behavior is slightly modified when SR-MPLS is used: 562 o If the repair list ends with an adjacency segment terminating on 563 F, and if the node segment of F has been signalled with 564 penultimate hop popping, the implementation MUST pop Adj(S-F) and 565 then push the repair list (the node segment of F is not pushed). 566 The packet will leave S with a segment list matching 567 [RT(F),node(T)]. 569 o If the SRGB at the Q node is different from the SRGB at the PLR, 570 then MPLS label representing node(F) MUST be calculated as per the 571 SRGB of the Q node. 573 Another solution is to not steer the packet back via F but rather 574 follow the new shortest path to T. In this case, S MUST apply a 575 "NEXT" operation on the Adjacency segment related to S-F, followed by 576 a "PUSH" of a repair list redirecting the traffic to a node Q, whose 577 path to node segment T is not affected by the failure. 579 Upon failure of S-F, packets reaching S with a segment list matching 580 [adj(S-F), node(T), ...], would leave S with a segment list matching 581 [RT(Q),node(T), ...]. Note that this second behavior is the one 582 followed for node protection, as described in Section 5.3.1. 584 This behavior is slightly modified when SR-MPLS is used: 586 o If the repair list ends with an adjacency segment terminating on T 587 (T being the Q node), and if the node segment of T has been 588 signalled with penultimate hop popping, the implementation MUST 589 pop Adj(S-F) and then push the repair list (the node segment of T 590 is not pushed). The packet will leave S with a segment list 591 matching [RT(Q=T), ...]. 593 o If the SRGB at the Q node is different from the SRGB at the PLR, 594 then the MPLS label representing node(T) MUST be calculated as per 595 the SRGB of the Q node. 597 The first proposal which merges back the traffic at the remote end of 598 the adjacency segment has the advantage of keeping as much as 599 possible the traffic on the existing path. As stated in Section 1, 600 when SR policies are involved and a strict compliance of the policy 601 is required, an end-to-end protection should be preferred over a 602 local repair mechanism. 604 5.3. Protecting SR policy midpoints against node failure 606 In this section, we describe the behavior of a node S configured to 607 interpret the failure of link S->F as the node failure of F, in the 608 specific case where the active segment of the packet received by S is 609 a Prefix SID of F represented as "F"), or an Adjacency SID for the 610 link S-F (represented as "S->F"). 612 5.3.1. Protecting {F, T, D} or {S->F, T, D} 614 This section describes the protection behavior of S when all of the 615 following conditions are true: 617 1. the active segment is a prefix SID for a neighbor F, or an 618 adjacency segment S->F 620 2. the primary interface used to forward the packet failed 622 3. the segment following the active segment is a prefix SID (for 623 node T) 625 4. node protection is active for that interface. 627 In such a case, the PLR MUST: 629 1. apply a NEXT operation; the segment F or S->F is removed 631 2. Confirm that the next segment is in the SRGB of F, meaning that 632 the next segment is a prefix segment, e.g. for node T 634 3. Retrieve the segment ID of T (as per the SRGB of F) 636 4. Apply a NEXT operation followed by a PUSH operation of T's segment 637 based on the SRGB of node S. 639 5. Look up T's segment (based on the updated label value) and 640 forward accordingly. 642 5.3.2. Protecting {F, F->T, D} or {S->F, F->T, D} 644 This section describes the protection behavior of S when all of the 645 following conditions are true: 647 1. the active segment is a prefix SID for a neighbor F, or an 648 adjacency segment S->F 650 2. the primary interface used to forward the packet failed 652 3. the segment following the active segment is an adjacency SID (F- 653 >T) 655 4. node protection is active for that interface. 657 In such a case, the PLR MUST: 659 1. Apply a NEXT operation; the segment F or S->F is removed 661 2. Confirm that the next segment is an adjacency SID of F, say F->T 663 3. Retrieve the node segment ID associated to T (as per the set of 664 Adjacency Segments of F) 666 4. Apply a NEXT operation on the next segment followed by a PUSH of 667 T's segment based on the SRGB of the node S. 669 5. Look up T's segment (based on the updated label value) and forward 670 accordingly. 672 It is noteworthy to mention that node "S" in the procedures described 673 in Sections 5.3.1 and 5.3.2 can always determine whether the 674 segment after popping the top segment is an adjacency SID or a 675 prefix-SID of the next-hop "F" as follows: 677 1. In a link state environment, the node "S" knows the SRGB and the 678 adj-SIDs of the neighboring node "F" 680 2. If the new segment after popping the top segment is within the 681 SRGB or the adj-SIDs of "F", then node "S" is certain that the 682 failure of node "F" is a midpoint failure and hence node "S" 683 applies the procedures specified in Sections 5.3.1 or 5.3.2, 684 respectively. 686 3. Otherwise the failure is not a midpoint failure and hence the node 687 "S" may apply other protection techniques that are beyond the 688 scope of this document or simply drop the packet and wait for 689 normal protocol convergence. 691 6. TI-LFA and SR Algorithms 693 SR allows an operator to bind an algorithm to a prefix SID (as 694 defined in [RFC8402]. The algorithm value dictates how the path to 695 the prefix is computed. The SR default algorithm is known has the 696 "Shortest Path" algorithm. The SR default algorithm allows an 697 operator to override the IGP shortest path by using local policies. 698 When TI-LFA uses Node-SIDs associated with the default algorithm, 699 there is no guarantee that the path will be loop-free as a local 700 policy may have overriden the expected IGP path. As the local 701 policies are defined by the operator, it becomes the responsibility 702 of this operator to ensure that the deployed policies do not affect 703 the TI-LFA deployment. It should be noted that such situation can 704 already happen today with existing mechanisms as remote LFA. 706 When a Node-SID is associated with the SR default algorithm, 707 enforcing TI-LFA to use Node-SIDs associated with a strict SPF 708 algorithm is a definitive solution to this problem. 710 [I-D.ietf-lsr-flex-algo] defines a flexible algorithm (FlexAlgo) 711 framework to be associated with Prefix SIDs. FlexAlgo allows a user 712 to associate a constrained path to a Prefix SID rather than using the 713 regular IGP shortest path. An implementation MAY support TI-LFA to 714 protect Node-SIDs associated to a FlexAlgo. In such a case, rather 715 than computing the expected post-convergence path based on the 716 regular SPF, an implementation SHOULD use the constrained SPF 717 algorithm bound to the FlexAlgo instead of the regular Dijkstra in 718 all the SPF/rSPF computations that are occurring during the TI-LFA 719 computation. This includes the computation of the P-Space and 720 Q-Space as well as the post-convergence path. 722 7. Usage of Adjacency segments in the repair list 724 The repair list of segments computed by TI-LFA may contain one or 725 more adjacency segments. An adjacency segment may be protected or 726 not protected. 728 S --- R2 --- R3 --- R4 --- R5 --- D 729 \ | \ / 730 R7 -- R8 731 | | 732 R9 -- R10 734 Figure 3 736 In Figure 3, all the metrics are equal to 1 except 737 R2-R7,R7-R8,R8-R4,R7-R9 which have a metric of 1000. Considering R2 738 as a PLR to protect against the failure of node R3 for the traffic 739 S->D, the repair list computed by R2 will be [adj(R7-R8),adj(R8-R4)] 740 and the outgoing interface will be to R7. If R3 fails, R2 pushes the 741 repair list onto the incoming packet to D. During the FRR, if R7-R8 742 fails and if TI-LFA has picked a protected adjacency segment for 743 adj(R7-R8), R7 will push an additional repair list onto the packet 744 following the procedures defined in Section 5. 746 To avoid the possibility of this double FRR, an implementation of TI- 747 LFA MAY pick only non protected adjacency segments when building the 748 repair list. 750 8. Measurements on Real Networks 752 This section presents measurements performed on real service provider 753 and large enterprise networks. The objective of the measurements is 754 to assess the number of SIDs required in an explicit path when the 755 mechanisms described in this document are used to protect against the 756 failure scenarios within the scope of this document. The number of 757 segments described in this section are applicable to instantiating 758 segment routing over the MPLS forwarding plane. 760 The measurements below indicate that for link and local SRLG 761 protection, a 1 SID repair path delivers more than 99% coverage. For 762 node protection a 2 SIDs repair path yields 99% coverage. 764 Table 1 below lists the characteristics of the networks used in our 765 measurements. The measurements are carried out as follows 767 o For each network, the algorithms described in this document are 768 applied to protect all prefixes against link, node, and local SRLG 769 failure 771 o For each prefix, the number of SIDs used by the repair path is 772 recored 774 o The percentage of number of SIDs are listed in Tables 2A/B, 3A/B, 775 and 4A/B 777 The measurements listed in the tables indicate that for link and 778 local SRLG protection, 1 SID repair paths are sufficient to protect 779 more than 99% of the prefix in almost all cases. For node protection 780 2 SIDs repair paths yield 99% coverage. 782 +-------------+------------+------------+------------+------------+ 783 | Network | Nodes | Circuits |Node-to-Link| SRLG info? | 784 | | | | Ratio | | 785 +-------------+------------+------------+------------+------------+ 786 | T1 | 408 | 665 | 1 : 63 | Yes | 787 +-------------+------------+------------+------------+------------+ 788 | T2 | 587 | 1083 | 1 : 84 | No | 789 +-------------+------------+------------+------------+------------+ 790 | T3 | 93 | 401 | 4 : 31 | Yes | 791 +-------------+------------+------------+------------+------------+ 792 | T4 | 247 | 393 | 1 : 59 | Yes | 793 +-------------+------------+------------+------------+------------+ 794 | T5 | 34 | 96 | 2 : 82 | Yes | 795 +-------------+------------+------------+------------+------------+ 796 | T6 | 50 | 78 | 1 : 56 | No | 797 +-------------+------------+------------+------------+------------+ 798 | T7 | 82 | 293 | 3 : 57 | No | 799 +-------------+------------+------------+------------+------------+ 800 | T8 | 35 | 41 | 1 : 17 | Yes | 801 +-------------+------------+------------+------------+------------+ 802 | T9 | 177 | 1371 | 7 : 74 | Yes | 803 +-------------+------------+------------+------------+------------+ 804 Table 1: Data Set Definition 806 The rest of this section presents the measurements done on the actual 807 topologies. The convention that we use is as follows 809 o 0 SIDs: the calculated repair path starts with a directly 810 connected neighbor that is also a loop free alternate, in which 811 case there is no need to explicitly route the traffic using 812 additional SIDs. This scenario is described in Section 4.1. 814 o 1 SIDs: the repair node is a PQ node, in which case only 1 SID is 815 needed to guarantee loop-freeness. This scenario is covered in 816 Section 4.2. 818 o 2 or more SIDs: The repair path consists of 2 or more SIDs as 819 described in Sections 4.3 and 4.4. We do not cover the case for 2 820 SIDs (Section 4.3) separately because there was no granularity in 821 the result. Also we treat the node-SID+adj-SID and node-SID + 822 node-SID the same because they do not differ from the data plane 823 point of view. 825 Table 2A and 2B below summarize the measurements on the number of 826 SIDs needed for link protection 828 +-------------+------------+------------+------------+------------+ 829 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 830 +-------------+------------+------------+------------+------------+ 831 | T1 | 74.227% | 25.256% | 0.517% | 0.001% | 832 +-------------+------------+------------+------------+------------+ 833 | T2 | 81.097% | 18.738% | 0.165% | 0.0% | 834 +-------------+------------+------------+------------+------------+ 835 | T3 | 95.878% | 4.067% | 0.056% | 0.0% | 836 +-------------+------------+------------+------------+------------+ 837 | T4 | 62.547% | 35.666% | 1.788% | 0.0% | 838 +-------------+------------+------------+------------+------------+ 839 | T5 | 85.733% | 14.267% | 0.0% | 0.0% | 840 +-------------+------------+------------+------------+------------+ 841 | T6 | 81.252% | 18.714% | 0.033% | 0.0% | 842 +-------------+------------+------------+------------+------------+ 843 | T7 | 98,857% | 1.143% | 0.0% | 0.0% | 844 +-------------+------------+------------+------------+------------+ 845 | T8 | 94,118% | 5.882% | 0.0% | 0.0% | 846 +-------------+------------+------------+------------+------------+ 847 | T9 | 98.950% | 1.050% | 0.0% | 0.0% | 848 +-------------+------------+------------+------------+------------+ 849 Table 2A: Link protection (repair size distribution) 851 +-------------+------------+------------+------------+------------+ 852 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 853 +-------------+------------+------------+------------+------------+ 854 | T1 | 74.227% | 99.482% | 99.999% | 100.0% | 855 +-------------+------------+------------+------------+------------+ 856 | T2 | 81.097% | 99.835% | 100.0% | 100.0% | 857 +-------------+------------+------------+------------+------------+ 858 | T3 | 95.878% | 99.944% | 100.0% | 100.0% | 859 +-------------+------------+------------+------------+------------+ 860 | T4 | 62.547% | 98.212% | 100.0% | 100.0% | 861 +-------------+------------+------------+------------+------------+ 862 | T5 | 85.733% | 100.000% | 100.0% | 100.0% | 863 +-------------+------------+------------+------------+------------+ 864 | T6 | 81.252% | 99.967% | 100.0% | 100.0% | 865 +-------------+------------+------------+------------+------------+ 866 | T7 | 98,857% | 100.000% | 100.0% | 100.0% | 867 +-------------+------------+------------+------------+------------+ 868 | T8 | 94,118% | 100.000% | 100.0% | 100.0% | 869 +-------------+------------+------------+------------+------------+ 870 | T9 | 98,950% | 100.000% | 100.0% | 100.0% | 871 +-------------+------------+------------+------------+------------+ 872 Table 2B: Link protection repair size cumulative distribution 874 Table 3A and 3B summarize the measurements on the number of SIDs 875 needed for local SRLG protection. 877 +-------------+------------+------------+------------+------------+ 878 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 879 +-------------+------------+------------+------------+------------+ 880 | T1 | 74.177% | 25.306% | 0.517% | 0.001% | 881 +-------------+------------+------------+------------+------------+ 882 | T2 | No SRLG Information | 883 +-------------+------------+------------+------------+------------+ 884 | T3 | 93.650% | 6.301% | 0.049% | 0.0% | 885 +-------------+------------+------------+------------+------------+ 886 | T4 | 62,547% | 35.666% | 1.788% | 0.0% | 887 +-------------+------------+------------+------------+------------+ 888 | T5 | 83.139% | 16.861% | 0.0% | 0.0% | 889 +-------------+------------+------------+------------+------------+ 890 | T6 | No SRLG Information | 891 +-------------+---------------------------------------------------+ 892 | T7 | No SRLG Information | 893 +-------------+------------+------------+------------+------------+ 894 | T8 | 85.185% | 14.815% | 0.0% | 0.0% | 895 +-------------+------------+------------+------------+------------+ 896 | T9 | 98,940% | 1.060% | 0.0% | 0.0% | 897 +-------------+------------+------------+------------+------------+ 898 Table 3A: Local SRLG protection repair size distribution 900 +-------------+------------+------------+------------+------------+ 901 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 902 +-------------+------------+------------+------------+------------+ 903 | T1 | 74.177% | 99.482% | 99.999% | 100.001% | 904 +-------------+------------+------------+------------+------------+ 905 | T2 | No SRLG Information | 906 +-------------+------------+------------+------------+------------+ 907 | T3 | 93.650% | 99.951% | 100.000% | 0.0% | 908 +-------------+------------+------------+------------+------------+ 909 | T4 | 62,547% | 98.212% | 100.000% | 100.0% | 910 +-------------+------------+------------+------------+------------+ 911 | T5 | 83.139% | 100.000% | 100.0% | 100.0% | 912 +-------------+------------+------------+------------+------------+ 913 | T6 | No SRLG Information | 914 +-------------+---------------------------------------------------+ 915 | T7 | No SRLG Information | 916 +-------------+------------+------------+------------+------------+ 917 | T8 | 85.185% | 100,000% | 100.000% | 100.0% | 918 +-------------+------------+------------+------------+------------+ 919 | T9 | 98,940% | 100,000% | 100.000% | 100.0% | 920 +-------------+------------+------------+------------+------------+ 921 Table 3B: Local SRLG protection repair size Cumulative distribution 923 The remaining two tables summarize the measurements on the number of 924 SIDs needed for node protection. 926 +---------+----------+----------+----------+----------+----------+ 927 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 4 SIDs | 928 +---------+----------+----------+----------+----------+----------+ 929 | T1 | 49.771% | 47.902% | 2.156% | 0.148% | 0.023% | 930 +---------+----------+----------+----------+----------+----------+ 931 | T2 | 36,528% | 59.625% | 3.628% | 0.194% | 0.025% | 932 +---------+----------+----------+----------+----------+----------+ 933 | T3 | 73,287% | 25,574% | 1,128% | 0.010% | 0% | 934 +---------+----------+----------+----------+----------+----------+ 935 | T4 | 36.112% | 57.350% | 6.329% | 0.199% | 0.010% | 936 +---------+----------+----------+----------+----------+----------+ 937 | T5 | 73.185% | 26.815% | 0% | 0% | 0% | 938 +---------+----------+----------+----------+----------+----------+ 939 | T6 | 78.362% | 21.320% | 0.318% | 0% | 0% | 940 +---------+----------+----------+----------+----------+----------+ 941 | T7 | 66.106% | 32.813% | 1.082% | 0% | 0% | 942 +---------+----------+----------+----------+----------+----------+ 943 | T8 | 59.712% | 40.288% | 0% | 0% | 0% | 944 +---------+----------+----------+----------+----------+----------+ 945 | T9 | 98.950% | 1.050% | 0% | 0% | 0% | 946 +---------+----------+----------+----------+----------+----------+ 947 Table 4A: Node protection (repair size distribution) 949 +---------+----------+----------+----------+----------+----------+ 950 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 4 SIDs | 951 +---------+----------+----------+----------+----------+----------+ 952 | T1 | 49.771% | 97.673% | 99.829% | 99.977% | 100% | 953 +---------+----------+----------+----------+----------+----------+ 954 | T2 | 36,528% | 96.153% | 99.781% | 99.975% | 100% | 955 +---------+----------+----------+----------+----------+----------+ 956 | T3 | 73,287% | 98.862% | 99.990% |100.0% | 100% | 957 +---------+----------+----------+----------+----------+----------+ 958 | T4 | 36.112% | 93.461% | 99.791% | 99.990% | 100% | 959 +---------+----------+----------+----------+----------+----------+ 960 | T5 | 73.185% | 100.0% | 100.0% |100.0% | 100% | 961 +---------+----------+----------+----------+----------+----------+ 962 | T6 | 78.362% | 99.682% | 100.0% |100.0% | 100% | 963 +---------+----------+----------+----------+----------+----------+ 964 | T7 | 66.106% | 98,918% | 100.0% |100.0% | 100% | 965 +---------+----------+----------+----------+----------+----------+ 966 | T8 | 59.712% | 100.0% | 100.0% |100.0% | 100% | 967 +---------+----------+----------+----------+----------+----------+ 968 | T9 | 98.950% | 100.0% | 100.0% |100.0% | 100% | 969 +---------+----------+----------+----------+----------+----------+ 970 Table 4B: Node protection (repair size cumulative distribution) 972 9. Security Considerations 974 The techniques described in this document are internal 975 functionalities to a router that result in the ability to guarantee 976 an upper bound on the time taken to restore traffic flow upon the 977 failure of a directly connected link or node. As these techniques 978 steer traffic to the post-convergence path as quickly as possible, 979 this serves to minimize the disruption associated with a local 980 failure which can be seen as a modest security enhancement. The 981 protection mechanisms does not protect external destinations, but 982 rather provides quick restoration for destination that are internal 983 to a routing domain. 985 10. IANA Considerations 987 No requirements for IANA 989 11. Conclusions 991 This document proposes a mechanism that is able to pre-calculate a 992 backup path for every primary path so as to be able to protect 993 against the failure of a directly connected link, node, or SRLG. 994 The mechanism is able to calculate the backup path irrespective of 995 the topology as long as the topology is sufficiently redundant. 997 12. Acknowledgments 999 We would like to thank Les Ginsberg, Stewart Bryant, Alexander 1000 Vainsthein, Chris Bowers for their valuable comments. 1002 This document was prepared using 2-Word-v2.0.template.dot. 1004 13. References 1006 13.1. Normative References 1008 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1009 Requirement Levels", BCP 14, RFC 2119, DOI 1010 10.17487/RFC2119, March 1997, . 1013 [RFC7916] Litkowski, S., Ed., Decraene, B., Filsfils, C., Raza, K., 1014 Horneffer, M., and P. Sarkar, "Operational Management of 1015 Loop-Free Alternates", RFC 7916, DOI 10.17487/RFC7916, July 1016 2016, . 1018 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 1019 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 1020 2017, . 1022 [RFC8402] Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., and 1023 R. Shakir, "Segment Routing Architecture", RFC 8402, DOI 1024 10.17487/RFC8402 July 2018, . 1027 13.2. Informative References 1029 [I-D.bashandy-rtgwg-segment-routing-uloop] Bashandy, A., Filsfils, 1030 C., Litkowski, S., Decraene, B., Francois, P., and Psenak, 1031 P. " Loop avoidance using Segment Routing", draft-bashandy- 1032 rtgwg-segment-routing-uloop-07, (work in progress), January 1033 2020 1035 [I-D.ietf-lsr-flex-algo] Psenak, P., Hegde, S., Filsfils, C., 1036 Talaulikar, K., and A. Gulko, "IGP Flexible Algorithm", 1037 draft-ietf-lsr-flex-algo-05 (work in progress), November 1038 2019. 1040 [I-D.ietf-spring-segment-routing-policy] Filsfils, C., Sivabalan, S., 1041 daniel.voyer@bell.ca, d., bogdanov@google.com, b., and P. 1042 Mattes, "Segment Routing Policy Architecture", draft-ietf- 1043 spring-segment-routing-policy-06 (work in progress), 1044 December 2019. 1046 [RFC5286] Atlas, A., Ed. and A. Zinin, Ed., "Basic Specification for 1047 IP Fast Reroute: Loop-Free Alternates", RFC 5286, DOI 1048 10.17487/RFC5286, September 2008, . 1051 [RFC5714] Shand, M. and S. Bryant, "IP Fast Reroute Framework", RFC 1052 5714, DOI 10.17487/RFC5714 January 2010, . 1055 [RFC6571] Filsfils, C., Francois, P., Shand, M., Decraene, B., 1056 Uttaro, J., Leymann, N., and M. Horneffer, "Loop-Free 1057 Alternate (LFA) Applicability in Service Provider (SP) 1058 Networks", RFC 6571, DOI 10.17487/RFC6571 June 2012, 1059 . 1061 [RFC7490] Bryant, S., Filsfils, C., Previdi, S., Shand, M., and N. 1062 So, "Remote Loop-Free Alternate (LFA) Fast Reroute (FRR)", 1063 RFC 7490, DOI 10.17487/RFC7490, April 2015, 1064 . 1066 Authors' Addresses 1068 Stephane Litkowski 1069 Cisco 1070 Email: slitkows.ietf@gmail.com 1072 Ahmed Bashandy 1073 Individual 1074 Email: abashandy.ietf@gmail.com 1076 Clarence Filsfils 1077 Cisco Systems 1078 Brussels 1079 Belgium 1080 Email: cfilsfil@cisco.com 1082 Bruno Decraene 1083 Orange 1084 Issy-les-Moulineaux 1085 France 1086 Email: bruno.decraene@orange.com 1088 Pierre Francois 1089 INSA Lyon 1090 Email: pierre.francois@insa-lyon.fr 1092 Daniel Voyer 1093 Bell Canada 1094 Canada 1095 Email: daniel.voyer@bell.ca 1097 Francois Clad 1098 Cisco Systems 1099 Email: fclad@cisco.com 1101 Pablo Camarillo 1102 Cisco Systems 1103 Email: pcamaril@cisco.com