idnits 2.17.1 draft-ietf-rtgwg-segment-routing-ti-lfa-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 4, 2020) is 1507 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'Adjacency' is mentioned on line 580, but not defined == Missing Reference: 'Node' is mentioned on line 580, but not defined == Unused Reference: 'I-D.ietf-spring-srv6-network-programming' is defined on line 1035, but no explicit reference was found in the text == Outdated reference: A later version (-28) exists of draft-ietf-spring-srv6-network-programming-11 == Outdated reference: A later version (-16) exists of draft-bashandy-rtgwg-segment-routing-uloop-08 == Outdated reference: A later version (-26) exists of draft-ietf-lsr-flex-algo-06 == Outdated reference: A later version (-22) exists of draft-ietf-spring-segment-routing-policy-06 Summary: 0 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Litkowski 3 Internet-Draft Cisco Systems 4 Intended status: Standards Track A. Bashandy 5 Expires: September 5, 2020 Individual 6 C. Filsfils 7 Cisco Systems 8 B. Decraene 9 Orange 10 P. Francois 11 INSA Lyon 12 D. Voyer 13 Bell Canada 14 F. Clad 15 P. Camarillo 16 Cisco Systems 17 March 4, 2020 19 Topology Independent Fast Reroute using Segment Routing 20 draft-ietf-rtgwg-segment-routing-ti-lfa-03 22 Abstract 24 This document presents Topology Independent Loop-free Alternate Fast 25 Re-route (TI-LFA), aimed at providing protection of node and 26 adjacency segments within the Segment Routing (SR) framework. This 27 Fast Re-route (FRR) behavior builds on proven IP-FRR concepts being 28 LFAs, remote LFAs (RLFA), and remote LFAs with directed forwarding 29 (DLFA). It extends these concepts to provide guaranteed coverage in 30 any IGP network. A key aspect of TI-LFA is the FRR path selection 31 approach establishing protection over the expected post-convergence 32 paths from the point of local repair, dramatically reducing the 33 operational need to control the tie-breaks among various FRR options. 35 Status of This Memo 37 This Internet-Draft is submitted in full conformance with the 38 provisions of BCP 78 and BCP 79. 40 Internet-Drafts are working documents of the Internet Engineering 41 Task Force (IETF). Note that other groups may also distribute 42 working documents as Internet-Drafts. The list of current Internet- 43 Drafts is at https://datatracker.ietf.org/drafts/current/. 45 Internet-Drafts are draft documents valid for a maximum of six months 46 and may be updated, replaced, or obsoleted by other documents at any 47 time. It is inappropriate to use Internet-Drafts as reference 48 material or to cite them other than as "work in progress." 49 This Internet-Draft will expire on September 5, 2020. 51 Copyright Notice 53 Copyright (c) 2020 IETF Trust and the persons identified as the 54 document authors. All rights reserved. 56 This document is subject to BCP 78 and the IETF Trust's Legal 57 Provisions Relating to IETF Documents 58 (https://trustee.ietf.org/license-info) in effect on the date of 59 publication of this document. Please review these documents 60 carefully, as they describe your rights and restrictions with respect 61 to this document. Code Components extracted from this document must 62 include Simplified BSD License text as described in Section 4.e of 63 the Trust Legal Provisions and are provided without warranty as 64 described in the Simplified BSD License. 66 Table of Contents 68 1. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . 3 69 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 70 2.1. Conventions used in this document . . . . . . . . . . . . 8 71 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 72 4. Intersecting P-Space and Q-Space with post-convergence paths 9 73 4.1. P-Space property computation for a resource X . . . . . . 9 74 4.2. Q-Space property computation for a link S-F, over post- 75 convergence paths . . . . . . . . . . . . . . . . . . . . 9 76 4.3. Q-Space property computation for a set of links adjacent 77 to S, over post-convergence paths . . . . . . . . . . . 10 78 4.4. Q-Space property computation for a node F, over post- 79 convergence paths . . . . . . . . . . . . . . . . . . . . 10 80 4.5. Scaling considerations when computing Q-Space . . . . . . 10 81 5. TI-LFA Repair path . . . . . . . . . . . . . . . . . . . . . 10 82 5.1. FRR path using a direct neighbor . . . . . . . . . . . . 11 83 5.2. FRR path using a PQ node . . . . . . . . . . . . . . . . 11 84 5.3. FRR path using a P node and Q node that are adjacent . . 11 85 5.4. Connecting distant P and Q nodes along post-convergence 86 paths . . . . . . . . . . . . . . . . . . . . . . . . . . 11 87 6. Building TI-LFA repair lists . . . . . . . . . . . . . . . . 11 88 6.1. Link protection . . . . . . . . . . . . . . . . . . . . . 12 89 6.1.1. The active segment is a node segment . . . . . . . . 12 90 6.1.2. The active segment is an adjacency segment . . . . . 12 91 6.2. Protecting SR policy midpoints against node failure . . . 13 92 6.2.1. Protecting {F, T, D} or {S->F, T, D} . . . . . . . . 14 93 6.2.2. Protecting {F, F->T, D} or {S->F, F->T, D} . . . . . 14 94 6.3. Dataplane specific considerations . . . . . . . . . . . . 15 95 6.3.1. MPLS dataplane considerations . . . . . . . . . . . . 15 96 6.3.2. SRv6 dataplane considerations . . . . . . . . . . . . 16 98 7. TI-LFA and SR algorithms . . . . . . . . . . . . . . . . . . 16 99 8. Usage of Adjacency segments in the repair list . . . . . . . 17 100 9. Measurements on Real Networks . . . . . . . . . . . . . . . . 17 101 10. Security Considerations . . . . . . . . . . . . . . . . . . . 22 102 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 103 12. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 22 104 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22 105 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 106 14.1. Normative References . . . . . . . . . . . . . . . . . . 23 107 14.2. Informative References . . . . . . . . . . . . . . . . . 23 108 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 110 1. Acronyms 112 o DLFA: Remote LFA with Directed forwarding. 114 o FRR: Fast Re-route. 116 o IGP: Interior Gateway Protocol. 118 o LFA: Loop-Free Alternate. 120 o LSDB: Link State DataBase. 122 o PLR: Point of Local Repair. 124 o RL: Repair list. 126 o RLFA: Remote LFA. 128 o SID: Segment Identifier. 130 o SLA: Service Level Agreement. 132 o SPF: Shortest Path First. 134 o SPT: Shortest Path Tree. 136 o SR: Segment Routing. 138 o SRLG: Shared Risk Link Group. 140 o TI-LFA: Topology Independant LFA. 142 2. Introduction 144 Segment Routing aims at supporting services with tight SLA guarantees 145 [RFC8402]. By relying on SR this document provides a local repair 146 mechanism for standard IGP shortest path capable of restoring end-to- 147 end connectivity in the case of a sudden directly connected failure 148 of a network component. Non-SR mechanisms for local repair are 149 beyond the scope of this document. Non-local failures are addressed 150 in a separate document [I-D.bashandy-rtgwg-segment-routing-uloop]. 152 The term topology independent (TI) refers to the ability to provide a 153 loop free backup path irrespective of the topologies used in the 154 network. This provides a major improvement compared to LFA [RFC5286] 155 and remote LFA [RFC7490] which cannot provide a complete protection 156 coverage in some topologies as described in [RFC6571]. 158 For each destination in the network, TI-LFA pre-installs a backup 159 forwarding entry for each protected destination ready to be activated 160 upon detection of the failure of a link used to reach the 161 destination. TI-LFA provides protection in the event of any one of 162 the following: single link failure, single node failure, or single 163 SRLG failure. In link failure mode, the destination is protected 164 assuming the failure of the link. In node protection mode, the 165 destination is protected assuming that the neighbor connected to the 166 primary link has failed. In SRLG protecting mode, the destination is 167 protected assuming that a configured set of links sharing fate with 168 the primary link has failed (e.g. a linecard or a set of links 169 sharing a common transmission pipe). 171 Protection techniques outlined in this document are limited to 172 protecting links, nodes, and SRLGs that are within a routing domain. 173 Protecting domain exit routers and/or links attached to another 174 routing domains are beyond the scope of this document 176 Thanks to SR, TI-LFA does not require the establishment of TLDP 177 sessions with remote nodes in order to take advantage of the 178 applicability of remote LFAs (RLFA) [RFC7490][RFC7916] or remote LFAs 179 with directed forwarding (DLFA)[RFC5714]. All the Segment 180 Identifiers (SIDs) are available in the link state database (LSDB) of 181 the IGP. As a result, preferring LFAs over RLFAs or DLFAs, as well 182 as minimizing the number of RLFA or DLFA repair nodes is not required 183 anymore. 185 Thanks to SR, there is no need to create state in the network in 186 order to enforce an explicit FRR path. This relieves the nodes 187 themselves from having to maintain extra state, and it relieves the 188 operator from having to deploy an extra protocol or extra protocol 189 sessions just to enhance the protection coverage. 191 [RFC7916] raised several operational considerations when using LFA or 192 remote LFA. [RFC7916] Section 3 presents a case where a high 193 bandwidth link between two core routers is protected through a PE 194 router connected with low bandwidth links. In such a case, 195 congestion may happen when the FRR backup path is activated. 196 [RFC7916] introduces a local policy framework to let the operator 197 tuning manually the best alternate election based on its own 198 requirements. 200 From a network capacity planning point of view, it is often assumed 201 that if a link L fails on a particular node X, the bandwidth consumed 202 on L will be spread over some of the remaining links of X. The 203 remaining links to be used are determined by the IGP routing 204 considering that the link L has failed (we assume that the traffic 205 uses the post-convergence path starting from the node X). In 206 Figure 1, we consider a network with all metrics equal to 1 except 207 the metrics on links used by PE1, PE2 and PE3 which are 1000. An 208 easy network capacity planning method is to consider that if the link 209 L (X-B) fails, the traffic actually flowing through L will be spread 210 over the remaining links of X (X-H, X-D, X-A). Considering the IGP 211 metrics, only X-H and X-D can only be used in reality to carry the 212 traffic flowing through the link L. As a consequence, the bandwidth 213 of links X-H and X-D is sized according to this rule. We should 214 observe that this capacity planning policy works, however it is not 215 fully accurate. 217 In Figure 1, considering that the source of traffic is only from PE1 218 and PE4, when the link L fails, depending on the convergence speed of 219 the nodes, X may reroute its forwarding entries to the remote PEs 220 onto X-H or X-D; however in a similar timeframe, PE1 will also 221 reroute a subset of its traffic (the subset destined to PE2) out of 222 its nominal path reducing the quantity of traffic received by X. The 223 capacity planning rule presented previously has the drawback of 224 oversizing the network, however it allows to prevent any transient 225 congestion (when for example X reroutes traffic before PE1 does). 227 H --- I --- J 228 | | \ 229 PE4 | | PE3 230 \ | (L) | / 231 A --- X --- B --- G 232 / | | \ 233 PE1 | | PE2 234 \ | | / 235 C --- D --- E --- F 237 Figure 1 239 Based on this assumption, in order to facilitate the operation of 240 FRR, and limit the implementation of local FRR policies, it looks 241 interesting to steer the traffic onto the post-convergence path from 242 the PLR point of view during the FRR phase. In our example, when 243 link L fails, X switches the traffic destined to PE3 and PE2 on the 244 post-convergence paths. This is perfectly inline with the capacity 245 planning rule that was presented before and also inline with the fact 246 X may converge before PE1 (or any other upstream router) and may 247 spread the X-B traffic onto the post-convergence paths rooted at X. 249 It should be noted, that some networks may have a different capacity 250 planning rule, leading to an allocation of less bandwidth on X-H and 251 X-D links. In such a case, using the post-convergence paths rooted 252 at X during FRR may introduce some congestion on X-H and X-D links. 253 However it is important to note, that a transient congestion may 254 possibly happen, even without FRR activated, for instance when X 255 converges before the upstream routers. Operators are still free to 256 use the policy framework defined in [RFC7916] if the usage of the 257 post-convergence paths rooted at the PLR is not suitable. 259 Readers should be aware that FRR protection is pre-computing a backup 260 path to protect against a particular type of failure (link, node, 261 SRLG). When using the post-convergence path as FRR backup path, the 262 computed post-convergence path is the one considering the failure we 263 are protecting against. This means that FRR is using an expected 264 post-convergence path, and this expected post-convergence path may be 265 actually different from the post-convergence path used if the failure 266 that happened is different from the failure FRR was protecting 267 against. As an example, if the operator has implemented a protection 268 against a node failure, the expected post-convergence path used 269 during FRR will be the one considering that the node has failed. 270 However, even if a single link is failing or a set of links is 271 failing (instead of the full node), the node-protecting post- 272 convergence path will be used. The consequence is that the path used 273 during FRR is not optimal with respect to the failure that has 274 actually occurred. 276 Another consideration to take into account is: while using the 277 expected post-convergence path for SR traffic using node segments 278 only (for instance, PE to PE traffic using shortest path) has some 279 advantages, these advantages reduce when SR policies 280 ([I-D.ietf-spring-segment-routing-policy]) are involved. A segment- 281 list used in an SR policy is computed to obey a set of path 282 constraints defined locally at the head-end or centrally in a 283 controller. TI-LFA cannot be aware of such path constraints and 284 there is no reason to expect the TI-LFA backup path protecting one 285 the segments in that segment list to obey those constraints. When SR 286 policies are used and the operator wants to have a backup path which 287 still follows the policy requirements, this backup path should be 288 computed as part of the SR policy in the ingress node (or central 289 controller) and the SR policy should not rely on local protection. 290 Another option could be to use FlexAlgo ([I-D.ietf-lsr-flex-algo]) to 291 express the set of constraints and use a single node segment 292 associated with a FlexAlgo to reach the destination. When using a 293 node segment associated with a FlexAlgo, TI-LFA keeps providing an 294 optimal backup by applying the appropriate set of constraints. The 295 relationship between TI-LFA and the SR-algorithm is detailed in 296 Section 7. 298 Thanks to SR and the combination of Adjacency segments and Node 299 segments, the expression of the expected post-convergence path rooted 300 at the PLR is facilitated and does not create any additional state on 301 intermediate nodes. The easiest way to express the expected post- 302 convergence path in a loop-free manner is to encode it as a list of 303 adjacency segments. However, in an MPLS world, this may create a 304 long stack of labels to be pushed that some hardware may not be able 305 to push. One of the challenges of TI-LFA is to encode the expected 306 post-convergence path by combining adjacency segments and node 307 segments. Each implementation will be free to have its own path 308 compression optimization algorithm. This document details the basic 309 concepts that could be used to build the SR backup path as well as 310 the associated dataplane procedures. 312 L ____ 313 S----F--{____}----D 314 /\ | / 315 | | | _______ / 316 |__}---Q{_______} 318 Figure 2: TI-LFA Protection 320 We use Figure 2 to illustrate the TI-LFA approach. 322 The Point of Local Repair (PLR), S, needs to find a node Q (a repair 323 node) that is capable of safely forwarding the traffic to a 324 destination D affected by the failure of the protected link L, a set 325 of links including L (SRLG), or the node F itself. The PLR also 326 needs to find a way to reach Q without being affected by the 327 convergence state of the nodes over the paths it wants to use to 328 reach Q: the PLR needs a loop-free path to reach Q. 330 Section 3 defines the main notations used in the document. They are 331 in line with [RFC5714]. 333 Section 4 suggests to compute the P-Space and Q-Space properties 334 defined in Section 3, for the specific case of nodes lying over the 335 post-convergence paths towards the protected destinations. 337 Using the properties defined in Section 4, Section 5 describes how to 338 compute protection lists that encode a loop-free post-convergence 339 path towards the destination. 341 Section 6 defines the segment operations to be applied by the PLR to 342 ensure consistency with the forwarding state of the repair node. 344 By applying the algorithms specified in this document to actual 345 service providers and large enterprise networks, we provide real life 346 measurements for the number of SIDs used by repair paths. Section 9 347 summarizes these measurements. 349 2.1. Conventions used in this document 351 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 352 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 353 "OPTIONAL" in this document are to be interpreted as described in BCP 354 14 [RFC2119] [RFC8174] when, and only when, they appear in all 355 capitals, as shown here. 357 3. Terminology 359 We define the main notations used in this document as the following. 361 We refer to "old" and "new" topologies as the LSDB state before and 362 after the considered failure. 364 SPT_old(R) is the Shortest Path Tree rooted at node R in the initial 365 state of the network. 367 SPT_new(R, X) is the Shortest Path Tree rooted at node R in the state 368 of the network after the resource X has failed. 370 PLR stands for "Point of Local Repair". It is the router that 371 applies fast traffic restoration after detecting failure in a 372 directly attached link, set of links, and/or node. 374 Similar to [RFC7490], we use the concept of P-Space and Q-Space for 375 TI-LFA. 377 The P-Space P(R,X) of a node R w.r.t. a resource X (e.g. a link S-F, 378 a node F, or a SRLG) is the set of nodes that are reachable from R 379 without passing through X. It is the set of nodes that are not 380 downstream of X in SPT_old(R). 382 The Extended P-Space P'(R,X) of a node R w.r.t. a resource X is the 383 set of nodes that are reachable from R or a neighbor of R, without 384 passing through X. 386 The Q-Space Q(D,X) of a destination node D w.r.t. a resource X is the 387 set of nodes which do not use X to reach D in the initial state of 388 the network. In other words, it is the set of nodes which have D in 389 their P-Space w.r.t. S-F, F, or a set of links adjacent to S). 391 A symmetric network is a network such that the IGP metric of each 392 link is the same in both directions of the link. 394 4. Intersecting P-Space and Q-Space with post-convergence paths 396 One of the challenges of defining an SR path following the expected 397 post-convergence path is to reduce the size of the segment list. In 398 order to reduce this segment list, an implementation MAY determine 399 the P-Space/Extended P-Space and Q-Space properties (defined in 400 [RFC7490]) of the nodes along the expected post-convergence path from 401 the PLR to the protected destination and compute an SR-based explicit 402 path from P to Q when they are not adjacent. Such properties will be 403 used in Section 5 to compute the TI-LFA repair list. 405 4.1. P-Space property computation for a resource X 407 A node N is in P(R, X) if it is not downstream of X in SPT_old(R). X 408 can be a link, a node, or a set of links adjacent to the PLR. A node 409 N is in P'(R,X) if it is not downstream of X in SPT_old(N), for at 410 least one neighbor N of R. 412 4.2. Q-Space property computation for a link S-F, over post-convergence 413 paths 415 We want to determine which nodes on the post-convergence path from 416 the PLR to the destination D are in the Q-Space of destination D 417 w.r.t. link S-F. 419 This can be found by intersecting the post-convergence path to D, 420 assuming the failure of S-F, with Q(D, S-F). 422 4.3. Q-Space property computation for a set of links adjacent to S, 423 over post-convergence paths 425 We want to determine which nodes on the post-convergence path from 426 the PLR to the destination D are in the Q-Space of destination D 427 w.r.t. a set of links adjacent to S (S being the PLR). That is, we 428 aim to find the set of nodes on the post-convergence path that use 429 none of the members of the protected set of links, to reach D. 431 This can be found by intersecting the post-convergence path to D, 432 assuming the failure of the set of links, with the intersection among 433 Q(D, S->X) for all S->X belonging to the set of links. 435 4.4. Q-Space property computation for a node F, over post-convergence 436 paths 438 We want to determine which nodes on the post-convergence from the PLR 439 to the destination D are in the Q-Space of destination D w.r.t. node 440 F. 442 This can be found by intersecting the post-convergence path to D, 443 assuming the failure of F, with Q(D, F). 445 4.5. Scaling considerations when computing Q-Space 447 [RFC7490] raises scaling concerns about computing a Q-Space per 448 destination. Similar concerns may affect TI-LFA computation if an 449 implementation tries to compute a reverse SPT for every destination 450 in the network to determine the Q-Space. It will be up to each 451 implementation to determine the good tradeoff between scaling and 452 accuracy of the optimization. 454 5. TI-LFA Repair path 456 The TI-LFA repair path (RP) consists of an outgoing interface and a 457 list of segments (repair list (RL)) to insert on the SR header. The 458 repair list encodes the explicit post-convergence path to the 459 destination, which avoids the protected resource X and, at the same 460 time, is guaranteed to be loop-free irrespective of the state of FIBs 461 along the nodes belonging to the explicit path. Thus there is no 462 need for any co-ordination or message exchange between the PLR and 463 any other router in the network. 465 The TI-LFA repair path is found by intersecting P(S,X) and Q(D,X) 466 with the post-convergence path to D and computing the explicit SR- 467 based path EP(P, Q) from P to Q when these nodes are not adjacent 468 along the post convergence path. The TI-LFA repair list is expressed 469 generally as (Node_SID(P), EP(P, Q)). 471 Most often, the TI-LFA repair list has a simpler form, as described 472 in the following sections. Section 9 provides statistics for the 473 number of SIDs in the explicit path to protect against various 474 failures. 476 5.1. FRR path using a direct neighbor 478 When a direct neighbor is in P(S,X) and Q(D,x) and on the post- 479 convergence path, the outgoing interface is set to that neighbor and 480 the repair segment list MUST be empty. 482 This is comparable to a post-convergence LFA FRR repair. 484 5.2. FRR path using a PQ node 486 When a remote node R is in P(S,X) and Q(D,x) and on the post- 487 convergence path, the repair list MUST be made of a single node 488 segment to R and the outgoing interface MUST be set to the outgoing 489 interface used to reach R. 491 This is comparable to a post-convergence RLFA repair tunnel. 493 5.3. FRR path using a P node and Q node that are adjacent 495 When a node P is in P(S,X) and a node Q is in Q(D,x) and both are on 496 the post-convergence path and both are adjacent to each other, the 497 repair list MUST be made of two segments: A node segment to P (to be 498 processed first), followed by an adjacency segment from P to Q. 500 This is comparable to a post-convergence DLFA repair tunnel. 502 5.4. Connecting distant P and Q nodes along post-convergence paths 504 In some cases, there is no adjacent P and Q node along the post- 505 convergence path. However, the PLR can perform additional 506 computations to compute a list of segments that represent a loop-free 507 path from P to Q. How these computations are done is out of scope of 508 this document. 510 6. Building TI-LFA repair lists 512 The following sections describe how to build the repair lists using 513 the terminology defined in [RFC8402]. The procedures described in 514 Section 6.1 and Section 6.2 are equally applicable to both SR-MPLS 515 and SRv6 dataplane, while the dataplane-specific considerations are 516 described in Section 6.3. 518 6.1. Link protection 520 In this section, we explain how a protecting router S processes the 521 active segment of a packet upon the failure of its primary outgoing 522 interface for the packet, S-F. 524 6.1.1. The active segment is a node segment 526 The active segment MUST be kept on the SR header unchanged and the 527 repair list MUST be inserted at the head of the list. The active 528 segment becomes the first segment of the inserted repair list. 530 6.1.2. The active segment is an adjacency segment 532 We define hereafter the FRR behavior applied by S for any packet 533 received with an active adjacency segment S-F for which protection 534 was enabled. As protection has been enabled for the segment S-F and 535 signalled in the IGP, any SR policy using this segment knows that it 536 may be transiently rerouted out of S-F in case of S-F failure. 538 The simplest approach for link protection of an adjacency segment S-F 539 is to create a repair list that will carry the traffic to F. To do 540 so, one or two "PUSH" operations are performed. If the repair list, 541 while avoiding S-F, terminates on F, S only pushes the repair list. 542 Otherwise, S pushes a node segment of F, followed by by push of the 543 repair list. For details on the "NEXT" and "PUSH" operations, refer 544 to [RFC8402]. 546 This method which merges back the traffic at the remote end of the 547 adjacency segment has the advantage of keeping as much as possible 548 the traffic on the pre-failure path. As stated in Section 2, when SR 549 policies are involved and a strict compliance of the policy is 550 required, an end-to-end protection should be preferred over a local 551 repair mechanism. However this method may not provide the expected 552 post-convergence path to the final destination as the expected post- 553 convergence path may not go through F. Another method requires to 554 look to the next segment in the segment list. 556 We distinguish the case where this active segment is followed by 557 another adjacency segment from the case where it is followed by a 558 node segment. 560 6.1.2.1. Protecting [Adjacency, Adjacency] segment lists 562 If the next segment in the list is an Adjacency segment, then the 563 packet has to be conveyed to F. 565 To do so, S MUST apply a "NEXT" operation on Adj(S-F) and then one or 566 two "PUSH" operations. If the repair list, while avoiding S-F, 567 terminates on F, S only pushes the repair list. Otherwise, S pushes 568 a node segment of F, followed by push of the repair list.. For 569 details on the "NEXT" and "PUSH" operations, refer to [RFC8402]. 571 Upon failure of S-F, a packet reaching S with a segment list matching 572 [adj(S-F),adj(F-M),...] will thus leave S with a segment list 573 matching [RL(F),node(F),adj(F-M)], where RL(F) is the repair path for 574 destination F. 576 In Section 6.2.2, we describe the TI-LFA behavior of PLR S when node 577 protection is applied and the two first segments are Adjacency 578 Segments. 580 6.1.2.2. Protecting [Adjacency, Node] segment lists 582 If the next segment in the stack is a node segment, say for node T, 583 the segment list on the packet matches [adj(S-F),node(T),...]. 585 In this case, S MUST apply a "NEXT" operation on the Adjacency 586 segment related to S-F, followed by a "PUSH" of a repair list 587 redirecting the traffic to a node Q, whose path to node segment T is 588 not affected by the failure. 590 Upon failure of S-F, packets reaching S with a segment list matching 591 [adj(S-F), node(T), ...], would leave S with a segment list matching 592 [RL(Q),node(T), ...]. Note that this second behavior is the one 593 followed for node protection, as described in Section 6.2.1. 595 6.2. Protecting SR policy midpoints against node failure 597 In this section, we describe the behavior of a node S configured to 598 interpret the failure of link S->F as the node failure of F, in the 599 specific case where the active segment of the packet received by S is 600 a Prefix SID of F represented as "F"), or an Adjacency SID for the 601 link S-F (represented as "S->F"). 603 The description below is intended to specify the forwarding behavior 604 required for node protection. The description should not be 605 interpreted as limiting the possible implementations of this 606 forwarding behavior. An implementation complies with the description 607 below as long as the externally visible forwarding behavior produced 608 by the implementation is the same as that described below. 610 6.2.1. Protecting {F, T, D} or {S->F, T, D} 612 This section describes the protection behavior of S when all of the 613 following conditions are true: 615 1. the active segment is a prefix SID for a neighbor F, or an 616 adjacency segment S->F 618 2. the primary interface used to forward the packet failed 620 3. the segment following the active segment is a prefix SID (for 621 node T) 623 4. node protection is active for that interface. 625 In such a case, the PLR should: 627 1. apply a NEXT operation; the segment F or S->F is removed 629 2. Confirm that the next segment is in the SRGB of F, meaning that 630 the next segment is a prefix segment, e.g. for node T 632 3. Retrieve the segment ID of T (as per the SRGB of F) 634 4. Apply a NEXT operation followed by a PUSH operation of T's 635 segment based on the SRGB of node S. 637 5. Look up T's segment (based on the updated label value) and 638 forward accordingly. 640 6.2.2. Protecting {F, F->T, D} or {S->F, F->T, D} 642 This section describes the protection behavior of S when all of the 643 following conditions are true: 645 1. the active segment is a prefix SID for a neighbor F, or an 646 adjacency segment S->F 648 2. the primary interface used to forward the packet failed 650 3. the segment following the active segment is an adjacency SID (F- 651 >T) 653 4. node protection is active for that interface. 655 In such a case, the PLR should: 657 1. Apply a NEXT operation; the segment F or S->F is removed 659 2. Confirm that the next segment is an adjacency SID of F, say F->T 661 3. Retrieve the node segment ID associated to T (as per the set of 662 Adjacency Segments of F) 664 4. Apply a NEXT operation on the next segment followed by a PUSH of 665 T's segment based on the SRGB of the node S. 667 5. Look up T's segment (based on the updated label value) and 668 forward accordingly. 670 It is noteworthy to mention that node "S" in the procedures described 671 in Sections 5.3.1 and 5.3.2 can always determine whether the segment 672 after popping the top segment is an adjacency SID or a prefix-SID of 673 the next-hop "F" as follows: 675 1. In a link state environment, the node "S" knows the SRGB and the 676 adj-SIDs of the neighboring node "F" 678 2. If the new segment after popping the top segment is within the 679 SRGB or the adj-SIDs of "F", then node "S" is certain that the 680 failure of node "F" is a midpoint failure and hence node "S" 681 applies the procedures specified in Sections 5.3.1 or 5.3.2, 682 respectively. 684 3. Otherwise the failure is not a midpoint failure and hence the 685 node "S" may apply other protection techniques that are beyond 686 the scope of this document or simply drop the packet and wait for 687 normal protocol convergence. 689 6.3. Dataplane specific considerations 691 6.3.1. MPLS dataplane considerations 693 The following dataplane behaviors apply when creating a repair list 694 using an MPLS dataplane: 696 1. If the active segment is a node segment that has been signaled 697 with penultimate hop popping and the repair list ends with an 698 adjacency segment terminating on the tail-end of the active 699 segment, then the active segment MUST be popped before pushing 700 the repair list. 702 2. If the active segment is a node segment but the other conditions 703 in 1. are not met, the active segment MUST be popped then pushed 704 again with a label value computed according to the SRGB of Q, 705 where Q is the endpoint of the repair list. Finally, the repair 706 list MUST be pushed. 708 6.3.2. SRv6 dataplane considerations 710 The TI-LFA path computation algorithm is the same as in the SR-MPLS 711 dataplane. Note however that the Adjacency SIDs are typically 712 globally routed. In such case, there is no need for a preceding 713 Prefix SID and the resulting repair list is likely shorter. 715 If the traffic is protected at a Transit Node, then an SRv6 SID list 716 is added on the packet to apply the repair list. 718 If the traffic is protected at an SR Segment Endpoint Node, first the 719 Segment Endpoint packet processing is executed. Then the packet is 720 protected as if its were a transit packet. 722 7. TI-LFA and SR algorithms 724 SR allows an operator to bind an algorithm to a prefix SID (as 725 defined in [RFC8402]. The algorithm value dictates how the path to 726 the prefix is computed. The SR default algorithm is known has the 727 "Shortest Path" algorithm. The SR default algorithm allows an 728 operator to override the IGP shortest path by using local policies. 729 When TI-LFA uses Node-SIDs associated with the default algorithm, 730 there is no guarantee that the path will be loop-free as a local 731 policy may have overriden the expected IGP path. As the local 732 policies are defined by the operator, it becomes the responsibility 733 of this operator to ensure that the deployed policies do not affect 734 the TI-LFA deployment. It should be noted that such situation can 735 already happen today with existing mechanisms as remote LFA. 737 [I-D.ietf-lsr-flex-algo] defines a flexible algorithm (FlexAlgo) 738 framework to be associated with Prefix SIDs. FlexAlgo allows a user 739 to associate a constrained path to a Prefix SID rather than using the 740 regular IGP shortest path. An implementation MAY support TI-LFA to 741 protect Node-SIDs associated to a FlexAlgo. In such a case, rather 742 than computing the expected post-convergence path based on the 743 regular SPF, an implementation SHOULD use the constrained SPF 744 algorithm bound to the FlexAlgo (using the Flex Algo Definition) 745 instead of the regular Dijkstra in all the SPF/rSPF computations that 746 are occurring during the TI-LFA computation. This includes the 747 computation of the P-Space and Q-Space as well as the post- 748 convergence path. An implementation MUST only use Node-SIDs bound to 749 the FlexAlgo and/or Adj-SIDs that are unprotected to build the repair 750 list. 752 8. Usage of Adjacency segments in the repair list 754 The repair list of segments computed by TI-LFA may contain one or 755 more adjacency segments. An adjacency segment may be protected or 756 not protected. 758 S --- R2 --- R3 --- R4 --- R5 --- D 759 \ | \ / 760 R7 -- R8 761 | | 762 R9 -- R10 764 Figure 3 766 In Figure 3, all the metrics are equal to 1 except 767 R2-R7,R7-R8,R8-R4,R7-R9 which have a metric of 1000. Considering R2 768 as a PLR to protect against the failure of node R3 for the traffic 769 S->D, the repair list computed by R2 will be [adj(R7-R8),adj(R8-R4)] 770 and the outgoing interface will be to R7. If R3 fails, R2 pushes the 771 repair list onto the incoming packet to D. During the FRR, if R7-R8 772 fails and if TI-LFA has picked a protected adjacency segment for 773 adj(R7-R8), R7 will push an additional repair list onto the packet 774 following the procedures defined in Section 6. 776 To avoid the possibility of this double FRR, an implementation of TI- 777 LFA MAY pick only non protected adjacency segments when building the 778 repair list. 780 9. Measurements on Real Networks 782 This section presents measurements performed on real service provider 783 and large enterprise networks. The objective of the measurements is 784 to assess the number of SIDs required in an explicit path when the 785 mechanisms described in this document are used to protect against the 786 failure scenarios within the scope of this document. The number of 787 segments described in this section are applicable to instantiating 788 segment routing over the MPLS forwarding plane. 790 The measurements below indicate that for link and local SRLG 791 protection, a 1 SID repair path delivers more than 99% coverage. For 792 node protection a 2 SIDs repair path yields 99% coverage. 794 Table 1 below lists the characteristics of the networks used in our 795 measurements. The number of links refers to the number of 796 "bidirectional" links (not directed edges of the graph). The 797 measurements are carried out as follows: 799 o For each network, the algorithms described in this document are 800 applied to protect all prefixes against link, node, and local SRLG 801 failure 803 o For each prefix, the number of SIDs used by the repair path is 804 recored 806 o The percentage of number of SIDs are listed in Tables 2A/B, 3A/B, 807 and 4A/B 809 The measurements listed in the tables indicate that for link and 810 local SRLG protection, 1 SID repair paths are sufficient to protect 811 more than 99% of the prefix in almost all cases. For node protection 812 2 SIDs repair paths yield 99% coverage. 814 +-------------+------------+------------+------------+------------+ 815 | Network | Nodes | Links |Node-to-Link| SRLG info? | 816 | | | | Ratio | | 817 +-------------+------------+------------+------------+------------+ 818 | T1 | 408 | 665 | 1.63 | Yes | 819 +-------------+------------+------------+------------+------------+ 820 | T2 | 587 | 1083 | 1.84 | No | 821 +-------------+------------+------------+------------+------------+ 822 | T3 | 93 | 401 | 4.31 | Yes | 823 +-------------+------------+------------+------------+------------+ 824 | T4 | 247 | 393 | 1.59 | Yes | 825 +-------------+------------+------------+------------+------------+ 826 | T5 | 34 | 96 | 2.82 | Yes | 827 +-------------+------------+------------+------------+------------+ 828 | T6 | 50 | 78 | 1.56 | No | 829 +-------------+------------+------------+------------+------------+ 830 | T7 | 82 | 293 | 3.57 | No | 831 +-------------+------------+------------+------------+------------+ 832 | T8 | 35 | 41 | 1.17 | Yes | 833 +-------------+------------+------------+------------+------------+ 834 | T9 | 177 | 1371 | 7.74 | Yes | 835 +-------------+------------+------------+------------+------------+ 836 Table 1: Data Set Definition 838 The rest of this section presents the measurements done on the actual 839 topologies. The convention that we use is as follows 840 o 0 SIDs: the calculated repair path starts with a directly 841 connected neighbor that is also a loop free alternate, in which 842 case there is no need to explicitly route the traffic using 843 additional SIDs. This scenario is described in Section 5.1. 845 o 1 SIDs: the repair node is a PQ node, in which case only 1 SID is 846 needed to guarantee loop-freeness. This scenario is covered in 847 Section 5.2. 849 o 2 or more SIDs: The repair path consists of 2 or more SIDs as 850 described in Sections 4.3 and 4.4. We do not cover the case for 2 851 SIDs (Section 5.3) separately because there was no granularity in 852 the result. Also we treat the node-SID+adj-SID and node-SID + 853 node-SID the same because they do not differ from the data plane 854 point of view. 856 Table 2A and 2B below summarize the measurements on the number of 857 SIDs needed for link protection 859 +-------------+------------+------------+------------+------------+ 860 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 861 +-------------+------------+------------+------------+------------+ 862 | T1 | 74.227% | 25.256% | 0.517% | 0.001% | 863 +-------------+------------+------------+------------+------------+ 864 | T2 | 81.097% | 18.738% | 0.165% | 0.0% | 865 +-------------+------------+------------+------------+------------+ 866 | T3 | 95.878% | 4.067% | 0.056% | 0.0% | 867 +-------------+------------+------------+------------+------------+ 868 | T4 | 62.547% | 35.666% | 1.788% | 0.0% | 869 +-------------+------------+------------+------------+------------+ 870 | T5 | 85.733% | 14.267% | 0.0% | 0.0% | 871 +-------------+------------+------------+------------+------------+ 872 | T6 | 81.252% | 18.714% | 0.033% | 0.0% | 873 +-------------+------------+------------+------------+------------+ 874 | T7 | 98,857% | 1.143% | 0.0% | 0.0% | 875 +-------------+------------+------------+------------+------------+ 876 | T8 | 94,118% | 5.882% | 0.0% | 0.0% | 877 +-------------+------------+------------+------------+------------+ 878 | T9 | 98.950% | 1.050% | 0.0% | 0.0% | 879 +-------------+------------+------------+------------+------------+ 880 Table 2A: Link protection (repair size distribution) 882 +-------------+------------+------------+------------+------------+ 883 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 884 +-------------+------------+------------+------------+------------+ 885 | T1 | 74.227% | 99.482% | 99.999% | 100.0% | 886 +-------------+------------+------------+------------+------------+ 887 | T2 | 81.097% | 99.835% | 100.0% | 100.0% | 888 +-------------+------------+------------+------------+------------+ 889 | T3 | 95.878% | 99.944% | 100.0% | 100.0% | 890 +-------------+------------+------------+------------+------------+ 891 | T4 | 62.547% | 98.212% | 100.0% | 100.0% | 892 +-------------+------------+------------+------------+------------+ 893 | T5 | 85.733% | 100.000% | 100.0% | 100.0% | 894 +-------------+------------+------------+------------+------------+ 895 | T6 | 81.252% | 99.967% | 100.0% | 100.0% | 896 +-------------+------------+------------+------------+------------+ 897 | T7 | 98,857% | 100.000% | 100.0% | 100.0% | 898 +-------------+------------+------------+------------+------------+ 899 | T8 | 94,118% | 100.000% | 100.0% | 100.0% | 900 +-------------+------------+------------+------------+------------+ 901 | T9 | 98,950% | 100.000% | 100.0% | 100.0% | 902 +-------------+------------+------------+------------+------------+ 903 Table 2B: Link protection repair size cumulative distribution 904 Table 3A and 3B summarize the measurements on the number of SIDs 905 needed for local SRLG protection. 907 +-------------+------------+------------+------------+------------+ 908 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 909 +-------------+------------+------------+------------+------------+ 910 | T1 | 74.177% | 25.306% | 0.517% | 0.001% | 911 +-------------+------------+------------+------------+------------+ 912 | T2 | No SRLG Information | 913 +-------------+------------+------------+------------+------------+ 914 | T3 | 93.650% | 6.301% | 0.049% | 0.0% | 915 +-------------+------------+------------+------------+------------+ 916 | T4 | 62,547% | 35.666% | 1.788% | 0.0% | 917 +-------------+------------+------------+------------+------------+ 918 | T5 | 83.139% | 16.861% | 0.0% | 0.0% | 919 +-------------+------------+------------+------------+------------+ 920 | T6 | No SRLG Information | 921 +-------------+---------------------------------------------------+ 922 | T7 | No SRLG Information | 923 +-------------+------------+------------+------------+------------+ 924 | T8 | 85.185% | 14.815% | 0.0% | 0.0% | 925 +-------------+------------+------------+------------+------------+ 926 | T9 | 98,940% | 1.060% | 0.0% | 0.0% | 927 +-------------+------------+------------+------------+------------+ 928 Table 3A: Local SRLG protection repair size distribution 930 +-------------+------------+------------+------------+------------+ 931 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 932 +-------------+------------+------------+------------+------------+ 933 | T1 | 74.177% | 99.482% | 99.999% | 100.001% | 934 +-------------+------------+------------+------------+------------+ 935 | T2 | No SRLG Information | 936 +-------------+------------+------------+------------+------------+ 937 | T3 | 93.650% | 99.951% | 100.000% | 0.0% | 938 +-------------+------------+------------+------------+------------+ 939 | T4 | 62,547% | 98.212% | 100.000% | 100.0% | 940 +-------------+------------+------------+------------+------------+ 941 | T5 | 83.139% | 100.000% | 100.0% | 100.0% | 942 +-------------+------------+------------+------------+------------+ 943 | T6 | No SRLG Information | 944 +-------------+---------------------------------------------------+ 945 | T7 | No SRLG Information | 946 +-------------+------------+------------+------------+------------+ 947 | T8 | 85.185% | 100,000% | 100.000% | 100.0% | 948 +-------------+------------+------------+------------+------------+ 949 | T9 | 98,940% | 100,000% | 100.000% | 100.0% | 950 +-------------+------------+------------+------------+------------+ 951 Table 3B: Local SRLG protection repair size Cumulative distribution 952 The remaining two tables summarize the measurements on the number of 953 SIDs needed for node protection. 955 +---------+----------+----------+----------+----------+----------+ 956 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 4 SIDs | 957 +---------+----------+----------+----------+----------+----------+ 958 | T1 | 49.771% | 47.902% | 2.156% | 0.148% | 0.023% | 959 +---------+----------+----------+----------+----------+----------+ 960 | T2 | 36,528% | 59.625% | 3.628% | 0.194% | 0.025% | 961 +---------+----------+----------+----------+----------+----------+ 962 | T3 | 73,287% | 25,574% | 1,128% | 0.010% | 0% | 963 +---------+----------+----------+----------+----------+----------+ 964 | T4 | 36.112% | 57.350% | 6.329% | 0.199% | 0.010% | 965 +---------+----------+----------+----------+----------+----------+ 966 | T5 | 73.185% | 26.815% | 0% | 0% | 0% | 967 +---------+----------+----------+----------+----------+----------+ 968 | T6 | 78.362% | 21.320% | 0.318% | 0% | 0% | 969 +---------+----------+----------+----------+----------+----------+ 970 | T7 | 66.106% | 32.813% | 1.082% | 0% | 0% | 971 +---------+----------+----------+----------+----------+----------+ 972 | T8 | 59.712% | 40.288% | 0% | 0% | 0% | 973 +---------+----------+----------+----------+----------+----------+ 974 | T9 | 98.950% | 1.050% | 0% | 0% | 0% | 975 +---------+----------+----------+----------+----------+----------+ 976 Table 4A: Node protection (repair size distribution) 978 +---------+----------+----------+----------+----------+----------+ 979 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 4 SIDs | 980 +---------+----------+----------+----------+----------+----------+ 981 | T1 | 49.771% | 97.673% | 99.829% | 99.977% | 100% | 982 +---------+----------+----------+----------+----------+----------+ 983 | T2 | 36,528% | 96.153% | 99.781% | 99.975% | 100% | 984 +---------+----------+----------+----------+----------+----------+ 985 | T3 | 73,287% | 98.862% | 99.990% |100.0% | 100% | 986 +---------+----------+----------+----------+----------+----------+ 987 | T4 | 36.112% | 93.461% | 99.791% | 99.990% | 100% | 988 +---------+----------+----------+----------+----------+----------+ 989 | T5 | 73.185% | 100.0% | 100.0% |100.0% | 100% | 990 +---------+----------+----------+----------+----------+----------+ 991 | T6 | 78.362% | 99.682% | 100.0% |100.0% | 100% | 992 +---------+----------+----------+----------+----------+----------+ 993 | T7 | 66.106% | 98,918% | 100.0% |100.0% | 100% | 994 +---------+----------+----------+----------+----------+----------+ 995 | T8 | 59.712% | 100.0% | 100.0% |100.0% | 100% | 996 +---------+----------+----------+----------+----------+----------+ 997 | T9 | 98.950% | 100.0% | 100.0% |100.0% | 100% | 998 +---------+----------+----------+----------+----------+----------+ 999 Table 4B: Node protection (repair size cumulative distribution) 1001 10. Security Considerations 1003 The techniques described in this document are internal 1004 functionalities to a router that result in the ability to guarantee 1005 an upper bound on the time taken to restore traffic flow upon the 1006 failure of a directly connected link or node. As these techniques 1007 steer traffic to the post-convergence path as quickly as possible, 1008 this serves to minimize the disruption associated with a local 1009 failure which can be seen as a modest security enhancement. The 1010 protection mechanisms does not protect external destinations, but 1011 rather provides quick restoration for destination that are internal 1012 to a routing domain. 1014 11. IANA Considerations 1016 No requirements for IANA 1018 12. Conclusions 1020 This document proposes a mechanism that is able to pre-calculate a 1021 backup path for every primary path so as to be able to protect 1022 against the failure of a directly connected link, node, or SRLG. The 1023 mechanism is able to calculate the backup path irrespective of the 1024 topology as long as the topology is sufficiently redundant. 1026 13. Acknowledgments 1028 We would like to thank Les Ginsberg, Stewart Bryant, Alexander 1029 Vainsthein, Chris Bowers, Shraddha Hedge for their valuable comments. 1031 14. References 1033 14.1. Normative References 1035 [I-D.ietf-spring-srv6-network-programming] 1036 Filsfils, C., Camarillo, P., Leddy, J., Voyer, D., 1037 Matsushima, S., and Z. Li, "SRv6 Network Programming", 1038 draft-ietf-spring-srv6-network-programming-11 (work in 1039 progress), March 2020. 1041 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1042 Requirement Levels", BCP 14, RFC 2119, 1043 DOI 10.17487/RFC2119, March 1997, 1044 . 1046 [RFC7916] Litkowski, S., Ed., Decraene, B., Filsfils, C., Raza, K., 1047 Horneffer, M., and P. Sarkar, "Operational Management of 1048 Loop-Free Alternates", RFC 7916, DOI 10.17487/RFC7916, 1049 July 2016, . 1051 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1052 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1053 May 2017, . 1055 [RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L., 1056 Decraene, B., Litkowski, S., and R. Shakir, "Segment 1057 Routing Architecture", RFC 8402, DOI 10.17487/RFC8402, 1058 July 2018, . 1060 14.2. Informative References 1062 [I-D.bashandy-rtgwg-segment-routing-uloop] 1063 Bashandy, A., Filsfils, C., Litkowski, S., Decraene, B., 1064 Francois, P., and P. Psenak, "Loop avoidance using Segment 1065 Routing", draft-bashandy-rtgwg-segment-routing-uloop-08 1066 (work in progress), January 2020. 1068 [I-D.ietf-lsr-flex-algo] 1069 Psenak, P., Hegde, S., Filsfils, C., Talaulikar, K., and 1070 A. Gulko, "IGP Flexible Algorithm", draft-ietf-lsr-flex- 1071 algo-06 (work in progress), February 2020. 1073 [I-D.ietf-spring-segment-routing-policy] 1074 Filsfils, C., Sivabalan, S., Voyer, D., Bogdanov, A., and 1075 P. Mattes, "Segment Routing Policy Architecture", draft- 1076 ietf-spring-segment-routing-policy-06 (work in progress), 1077 December 2019. 1079 [RFC5286] Atlas, A., Ed. and A. Zinin, Ed., "Basic Specification for 1080 IP Fast Reroute: Loop-Free Alternates", RFC 5286, 1081 DOI 10.17487/RFC5286, September 2008, 1082 . 1084 [RFC5714] Shand, M. and S. Bryant, "IP Fast Reroute Framework", 1085 RFC 5714, DOI 10.17487/RFC5714, January 2010, 1086 . 1088 [RFC6571] Filsfils, C., Ed., Francois, P., Ed., Shand, M., Decraene, 1089 B., Uttaro, J., Leymann, N., and M. Horneffer, "Loop-Free 1090 Alternate (LFA) Applicability in Service Provider (SP) 1091 Networks", RFC 6571, DOI 10.17487/RFC6571, June 2012, 1092 . 1094 [RFC7490] Bryant, S., Filsfils, C., Previdi, S., Shand, M., and N. 1095 So, "Remote Loop-Free Alternate (LFA) Fast Reroute (FRR)", 1096 RFC 7490, DOI 10.17487/RFC7490, April 2015, 1097 . 1099 Authors' Addresses 1101 Stephane Litkowski 1102 Cisco Systems 1103 France 1105 Email: slitkows.ietf@gmail.com 1107 Ahmed Bashandy 1108 Individual 1110 Email: abashandy.ietf@gmail.com 1112 Clarence Filsfils 1113 Cisco Systems 1114 Brussels 1115 Belgium 1117 Email: cfilsfil@cisco.com 1118 Bruno Decraene 1119 Orange 1120 Issy-les-Moulineaux 1121 France 1123 Email: bruno.decraene@orange.com 1125 Pierre Francois 1126 INSA Lyon 1128 Email: pierre.francois@insa-lyon.fr 1130 Daniel Voyer 1131 Bell Canada 1132 Canada 1134 Email: daniel.voyer@bell.ca 1136 Francois Clad 1137 Cisco Systems 1139 Email: fclad@cisco.com 1141 Pablo Camarillo 1142 Cisco Systems 1144 Email: pcamaril@cisco.com