idnits 2.17.1 draft-ietf-rtgwg-segment-routing-ti-lfa-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 29, 2021) is 1025 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'Adjacency' is mentioned on line 573, but not defined == Missing Reference: 'Node' is mentioned on line 573, but not defined == Outdated reference: A later version (-16) exists of draft-bashandy-rtgwg-segment-routing-uloop-10 == Outdated reference: A later version (-26) exists of draft-ietf-lsr-flex-algo-15 == Outdated reference: A later version (-22) exists of draft-ietf-spring-segment-routing-policy-11 Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Litkowski 3 Internet-Draft Cisco Systems 4 Intended status: Standards Track A. Bashandy 5 Expires: December 31, 2021 Individual 6 C. Filsfils 7 Cisco Systems 8 P. Francois 9 INSA Lyon 10 B. Decraene 11 Orange 12 D. Voyer 13 Bell Canada 14 June 29, 2021 16 Topology Independent Fast Reroute using Segment Routing 17 draft-ietf-rtgwg-segment-routing-ti-lfa-07 19 Abstract 21 This document presents Topology Independent Loop-free Alternate Fast 22 Re-route (TI-LFA), aimed at providing protection of node and 23 adjacency segments within the Segment Routing (SR) framework. This 24 Fast Re-route (FRR) behavior builds on proven IP-FRR concepts being 25 LFAs, remote LFAs (RLFA), and remote LFAs with directed forwarding 26 (DLFA). It extends these concepts to provide guaranteed coverage in 27 any IGP network. A key aspect of TI-LFA is the FRR path selection 28 approach establishing protection over the expected post-convergence 29 paths from the point of local repair, dramatically reducing the 30 operational need to control the tie-breaks among various FRR options. 32 Status of This Memo 34 This Internet-Draft is submitted in full conformance with the 35 provisions of BCP 78 and BCP 79. 37 Internet-Drafts are working documents of the Internet Engineering 38 Task Force (IETF). Note that other groups may also distribute 39 working documents as Internet-Drafts. The list of current Internet- 40 Drafts is at https://datatracker.ietf.org/drafts/current/. 42 Internet-Drafts are draft documents valid for a maximum of six months 43 and may be updated, replaced, or obsoleted by other documents at any 44 time. It is inappropriate to use Internet-Drafts as reference 45 material or to cite them other than as "work in progress." 47 This Internet-Draft will expire on December 31, 2021. 49 Copyright Notice 51 Copyright (c) 2021 IETF Trust and the persons identified as the 52 document authors. All rights reserved. 54 This document is subject to BCP 78 and the IETF Trust's Legal 55 Provisions Relating to IETF Documents 56 (https://trustee.ietf.org/license-info) in effect on the date of 57 publication of this document. Please review these documents 58 carefully, as they describe your rights and restrictions with respect 59 to this document. Code Components extracted from this document must 60 include Simplified BSD License text as described in Section 4.e of 61 the Trust Legal Provisions and are provided without warranty as 62 described in the Simplified BSD License. 64 Table of Contents 66 1. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . 3 67 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 68 2.1. Conventions used in this document . . . . . . . . . . . . 8 69 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 70 4. Intersecting P-Space and Q-Space with post-convergence paths 9 71 4.1. P-Space property computation for a resource X . . . . . . 9 72 4.2. Q-Space property computation for a link S-F, over post- 73 convergence paths . . . . . . . . . . . . . . . . . . . . 9 74 4.3. Q-Space property computation for a set of links adjacent 75 to S, over post-convergence paths . . . . . . . . . . . 9 76 4.4. Q-Space property computation for a node F, over post- 77 convergence paths . . . . . . . . . . . . . . . . . . . . 10 78 4.5. Scaling considerations when computing Q-Space . . . . . . 10 79 5. TI-LFA Repair path . . . . . . . . . . . . . . . . . . . . . 10 80 5.1. FRR path using a direct neighbor . . . . . . . . . . . . 10 81 5.2. FRR path using a PQ node . . . . . . . . . . . . . . . . 11 82 5.3. FRR path using a P node and Q node that are adjacent . . 11 83 5.4. Connecting distant P and Q nodes along post-convergence 84 paths . . . . . . . . . . . . . . . . . . . . . . . . . . 11 85 6. Building TI-LFA repair lists . . . . . . . . . . . . . . . . 11 86 6.1. Link protection . . . . . . . . . . . . . . . . . . . . . 11 87 6.1.1. The active segment is a node segment . . . . . . . . 11 88 6.1.2. The active segment is an adjacency segment . . . . . 12 89 6.2. Dataplane specific considerations . . . . . . . . . . . . 13 90 6.2.1. MPLS dataplane considerations . . . . . . . . . . . . 13 91 6.2.2. SRv6 dataplane considerations . . . . . . . . . . . . 13 92 7. TI-LFA and SR algorithms . . . . . . . . . . . . . . . . . . 14 93 8. Usage of Adjacency segments in the repair list . . . . . . . 14 94 9. Measurements on Real Networks . . . . . . . . . . . . . . . . 15 95 10. Security Considerations . . . . . . . . . . . . . . . . . . . 20 96 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 97 12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 20 98 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 99 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 100 14.1. Normative References . . . . . . . . . . . . . . . . . . 21 101 14.2. Informative References . . . . . . . . . . . . . . . . . 21 102 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 104 1. Acronyms 106 o DLFA: Remote LFA with Directed forwarding. 108 o FRR: Fast Re-route. 110 o IGP: Interior Gateway Protocol. 112 o LFA: Loop-Free Alternate. 114 o LSDB: Link State DataBase. 116 o PLR: Point of Local Repair. 118 o RL: Repair list. 120 o RLFA: Remote LFA. 122 o SID: Segment Identifier. 124 o SLA: Service Level Agreement. 126 o SPF: Shortest Path First. 128 o SPT: Shortest Path Tree. 130 o SR: Segment Routing. 132 o SRGB: Segment Routing Global Block. 134 o SRLG: Shared Risk Link Group. 136 o TI-LFA: Topology Independant LFA. 138 2. Introduction 140 Segment Routing aims at supporting services with tight SLA guarantees 141 [RFC8402]. By relying on SR this document provides a local repair 142 mechanism for standard IGP shortest path capable of restoring end-to- 143 end connectivity in the case of a sudden directly connected failure 144 of a network component. Non-SR mechanisms for local repair are 145 beyond the scope of this document. Non-local failures are addressed 146 in a separate document [I-D.bashandy-rtgwg-segment-routing-uloop]. 148 The term topology independent (TI) refers to the ability to provide a 149 loop free backup path irrespective of the topologies used in the 150 network. This provides a major improvement compared to LFA [RFC5286] 151 and remote LFA [RFC7490] which cannot provide a complete protection 152 coverage in some topologies as described in [RFC6571]. 154 For each destination in the network, TI-LFA pre-installs a backup 155 forwarding entry for each protected destination ready to be activated 156 upon detection of the failure of a link used to reach the 157 destination. TI-LFA provides protection in the event of any one of 158 the following: single link failure, single node failure, or single 159 SRLG failure. In link failure mode, the destination is protected 160 assuming the failure of the link. In node protection mode, the 161 destination is protected assuming that the neighbor connected to the 162 primary link has failed. In SRLG protecting mode, the destination is 163 protected assuming that a configured set of links sharing fate with 164 the primary link has failed (e.g. a linecard or a set of links 165 sharing a common transmission pipe). 167 Protection techniques outlined in this document are limited to 168 protecting links, nodes, and SRLGs that are within a routing domain. 169 Protecting domain exit routers and/or links attached to another 170 routing domains are beyond the scope of this document 172 Thanks to SR, TI-LFA does not require the establishment of TLDP 173 sessions with remote nodes in order to take advantage of the 174 applicability of remote LFAs (RLFA) [RFC7490][RFC7916] or remote LFAs 175 with directed forwarding (DLFA)[RFC5714]. All the Segment 176 Identifiers (SIDs) are available in the link state database (LSDB) of 177 the IGP. As a result, preferring LFAs over RLFAs or DLFAs, as well 178 as minimizing the number of RLFA or DLFA repair nodes is not required 179 anymore. 181 Thanks to SR, there is no need to create state in the network in 182 order to enforce an explicit FRR path. This relieves the nodes 183 themselves from having to maintain extra state, and it relieves the 184 operator from having to deploy an extra protocol or extra protocol 185 sessions just to enhance the protection coverage. 187 [RFC7916] raised several operational considerations when using LFA or 188 remote LFA. [RFC7916] Section 3 presents a case where a high 189 bandwidth link between two core routers is protected through a PE 190 router connected with low bandwidth links. In such a case, 191 congestion may happen when the FRR backup path is activated. 192 [RFC7916] introduces a local policy framework to let the operator 193 tuning manually the best alternate election based on its own 194 requirements. 196 From a network capacity planning point of view, it is often assumed 197 that if a link L fails on a particular node X, the bandwidth consumed 198 on L will be spread over some of the remaining links of X. The 199 remaining links to be used are determined by the IGP routing 200 considering that the link L has failed (we assume that the traffic 201 uses the post-convergence path starting from the node X). In 202 Figure 1, we consider a network with all metrics equal to 1 except 203 the metrics on links used by PE1, PE2 and PE3 which are 1000. An 204 easy network capacity planning method is to consider that if the link 205 L (X-B) fails, the traffic actually flowing through L will be spread 206 over the remaining links of X (X-H, X-D, X-A). Considering the IGP 207 metrics, only X-H and X-D can only be used in reality to carry the 208 traffic flowing through the link L. As a consequence, the bandwidth 209 of links X-H and X-D is sized according to this rule. We should 210 observe that this capacity planning policy works, however it is not 211 fully accurate. 213 In Figure 1, considering that the source of traffic is only from PE1 214 and PE4, when the link L fails, depending on the convergence speed of 215 the nodes, X may reroute its forwarding entries to the remote PEs 216 onto X-H or X-D; however in a similar timeframe, PE1 will also 217 reroute a subset of its traffic (the subset destined to PE2) out of 218 its nominal path reducing the quantity of traffic received by X. The 219 capacity planning rule presented previously has the drawback of 220 oversizing the network, however it allows to prevent any transient 221 congestion (when for example X reroutes traffic before PE1 does). 223 H --- I --- J 224 | | \ 225 PE4 | | PE3 226 \ | (L) | / 227 A --- X --- B --- G 228 / | | \ 229 PE1 | | PE2 230 \ | | / 231 C --- D --- E --- F 233 Figure 1 235 Based on this assumption, in order to facilitate the operation of 236 FRR, and limit the implementation of local FRR policies, it looks 237 interesting to steer the traffic onto the post-convergence path from 238 the PLR point of view during the FRR phase. In our example, when 239 link L fails, X switches the traffic destined to PE3 and PE2 on the 240 post-convergence paths. This is perfectly inline with the capacity 241 planning rule that was presented before and also inline with the fact 242 X may converge before PE1 (or any other upstream router) and may 243 spread the X-B traffic onto the post-convergence paths rooted at X. 245 It should be noted, that some networks may have a different capacity 246 planning rule, leading to an allocation of less bandwidth on X-H and 247 X-D links. In such a case, using the post-convergence paths rooted 248 at X during FRR may introduce some congestion on X-H and X-D links. 249 However it is important to note, that a transient congestion may 250 possibly happen, even without FRR activated, for instance when X 251 converges before the upstream routers. Operators are still free to 252 use the policy framework defined in [RFC7916] if the usage of the 253 post-convergence paths rooted at the PLR is not suitable. 255 Readers should be aware that FRR protection is pre-computing a backup 256 path to protect against a particular type of failure (link, node, 257 SRLG). When using the post-convergence path as FRR backup path, the 258 computed post-convergence path is the one considering the failure we 259 are protecting against. This means that FRR is using an expected 260 post-convergence path, and this expected post-convergence path may be 261 actually different from the post-convergence path used if the failure 262 that happened is different from the failure FRR was protecting 263 against. As an example, if the operator has implemented a protection 264 against a node failure, the expected post-convergence path used 265 during FRR will be the one considering that the node has failed. 266 However, even if a single link is failing or a set of links is 267 failing (instead of the full node), the node-protecting post- 268 convergence path will be used. The consequence is that the path used 269 during FRR is not optimal with respect to the failure that has 270 actually occurred. 272 Another consideration to take into account is: while using the 273 expected post-convergence path for SR traffic using node segments 274 only (for instance, PE to PE traffic using shortest path) has some 275 advantages, these advantages reduce when SR policies 276 ([I-D.ietf-spring-segment-routing-policy]) are involved. A segment- 277 list used in an SR policy is computed to obey a set of path 278 constraints defined locally at the head-end or centrally in a 279 controller. TI-LFA cannot be aware of such path constraints and 280 there is no reason to expect the TI-LFA backup path protecting one 281 the segments in that segment list to obey those constraints. When SR 282 policies are used and the operator wants to have a backup path which 283 still follows the policy requirements, this backup path should be 284 computed as part of the SR policy in the ingress node (or central 285 controller) and the SR policy should not rely on local protection. 286 Another option could be to use FlexAlgo ([I-D.ietf-lsr-flex-algo]) to 287 express the set of constraints and use a single node segment 288 associated with a FlexAlgo to reach the destination. When using a 289 node segment associated with a FlexAlgo, TI-LFA keeps providing an 290 optimal backup by applying the appropriate set of constraints. The 291 relationship between TI-LFA and the SR-algorithm is detailed in 292 Section 7. 294 Thanks to SR and the combination of Adjacency segments and Node 295 segments, the expression of the expected post-convergence path rooted 296 at the PLR is facilitated and does not create any additional state on 297 intermediate nodes. The easiest way to express the expected post- 298 convergence path in a loop-free manner is to encode it as a list of 299 adjacency segments. However, in an MPLS world, this may create a 300 long stack of labels to be pushed that some hardware may not be able 301 to push. One of the challenges of TI-LFA is to encode the expected 302 post-convergence path by combining adjacency segments and node 303 segments. Each implementation will be free to have its own path 304 compression optimization algorithm. This document details the basic 305 concepts that could be used to build the SR backup path as well as 306 the associated dataplane procedures. 308 L ____ 309 S----F--{____}----D 310 /\ | / 311 | | | _______ / 312 |__}---Q{_______} 314 Figure 2: TI-LFA Protection 316 We use Figure 2 to illustrate the TI-LFA approach. 318 The Point of Local Repair (PLR), S, needs to find a node Q (a repair 319 node) that is capable of safely forwarding the traffic to a 320 destination D affected by the failure of the protected link L, a set 321 of links including L (SRLG), or the node F itself. The PLR also 322 needs to find a way to reach Q without being affected by the 323 convergence state of the nodes over the paths it wants to use to 324 reach Q: the PLR needs a loop-free path to reach Q. 326 Section 3 defines the main notations used in the document. They are 327 in line with [RFC5714]. 329 Section 4 suggests to compute the P-Space and Q-Space properties 330 defined in Section 3, for the specific case of nodes lying over the 331 post-convergence paths towards the protected destinations. 333 Using the properties defined in Section 4, Section 5 describes how to 334 compute protection lists that encode a loop-free post-convergence 335 path towards the destination. 337 Section 6 defines the segment operations to be applied by the PLR to 338 ensure consistency with the forwarding state of the repair node. 340 By applying the algorithms specified in this document to actual 341 service providers and large enterprise networks, we provide real life 342 measurements for the number of SIDs used by repair paths. Section 9 343 summarizes these measurements. 345 2.1. Conventions used in this document 347 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 348 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 349 "OPTIONAL" in this document are to be interpreted as described in BCP 350 14 [RFC2119] [RFC8174] when, and only when, they appear in all 351 capitals, as shown here. 353 3. Terminology 355 We define the main notations used in this document as the following. 357 We refer to "old" and "new" topologies as the LSDB state before and 358 after the considered failure. 360 SPT_old(R) is the Shortest Path Tree rooted at node R in the initial 361 state of the network. 363 SPT_new(R, X) is the Shortest Path Tree rooted at node R in the state 364 of the network after the resource X has failed. 366 PLR stands for "Point of Local Repair". It is the router that 367 applies fast traffic restoration after detecting failure in a 368 directly attached link, set of links, and/or node. 370 Similar to [RFC7490], we use the concept of P-Space and Q-Space for 371 TI-LFA. 373 The P-Space P(R,X) of a node R w.r.t. a resource X (e.g. a link S-F, 374 a node F, or a SRLG) is the set of nodes that are reachable from R 375 without passing through X. It is the set of nodes that are not 376 downstream of X in SPT_old(R). 378 The Extended P-Space P'(R,X) of a node R w.r.t. a resource X is the 379 set of nodes that are reachable from R or a neighbor of R, without 380 passing through X. 382 The Q-Space Q(D,X) of a destination node D w.r.t. a resource X is the 383 set of nodes which do not use X to reach D in the initial state of 384 the network. In other words, it is the set of nodes which have D in 385 their P-Space w.r.t. S-F, F, or a set of links adjacent to S). 387 A symmetric network is a network such that the IGP metric of each 388 link is the same in both directions of the link. 390 4. Intersecting P-Space and Q-Space with post-convergence paths 392 One of the challenges of defining an SR path following the expected 393 post-convergence path is to reduce the size of the segment list. In 394 order to reduce this segment list, an implementation MAY determine 395 the P-Space/Extended P-Space and Q-Space properties (defined in 396 [RFC7490]) of the nodes along the expected post-convergence path from 397 the PLR to the protected destination and compute an SR-based explicit 398 path from P to Q when they are not adjacent. Such properties will be 399 used in Section 5 to compute the TI-LFA repair list. 401 4.1. P-Space property computation for a resource X 403 A node N is in P(R, X) if it is not downstream of X in SPT_old(R). X 404 can be a link, a node, or a set of links adjacent to the PLR. A node 405 N is in P'(R,X) if it is not downstream of X in SPT_old(N), for at 406 least one neighbor N of R. 408 4.2. Q-Space property computation for a link S-F, over post-convergence 409 paths 411 We want to determine which nodes on the post-convergence path from 412 the PLR to the destination D are in the Q-Space of destination D 413 w.r.t. link S-F. 415 This can be found by intersecting the post-convergence path to D, 416 assuming the failure of S-F, with Q(D, S-F). 418 4.3. Q-Space property computation for a set of links adjacent to S, 419 over post-convergence paths 421 We want to determine which nodes on the post-convergence path from 422 the PLR to the destination D are in the Q-Space of destination D 423 w.r.t. a set of links adjacent to S (S being the PLR). That is, we 424 aim to find the set of nodes on the post-convergence path that use 425 none of the members of the protected set of links, to reach D. 427 This can be found by intersecting the post-convergence path to D, 428 assuming the failure of the set of links, with the intersection among 429 Q(D, S->X) for all S->X belonging to the set of links. 431 4.4. Q-Space property computation for a node F, over post-convergence 432 paths 434 We want to determine which nodes on the post-convergence from the PLR 435 to the destination D are in the Q-Space of destination D w.r.t. node 436 F. 438 This can be found by intersecting the post-convergence path to D, 439 assuming the failure of F, with Q(D, F). 441 4.5. Scaling considerations when computing Q-Space 443 [RFC7490] raises scaling concerns about computing a Q-Space per 444 destination. Similar concerns may affect TI-LFA computation if an 445 implementation tries to compute a reverse SPT for every destination 446 in the network to determine the Q-Space. It will be up to each 447 implementation to determine the good tradeoff between scaling and 448 accuracy of the optimization. 450 5. TI-LFA Repair path 452 The TI-LFA repair path (RP) consists of an outgoing interface and a 453 list of segments (repair list (RL)) to insert on the SR header. The 454 repair list encodes the explicit post-convergence path to the 455 destination, which avoids the protected resource X and, at the same 456 time, is guaranteed to be loop-free irrespective of the state of FIBs 457 along the nodes belonging to the explicit path. Thus there is no 458 need for any co-ordination or message exchange between the PLR and 459 any other router in the network. 461 The TI-LFA repair path is found by intersecting P(S,X) and Q(D,X) 462 with the post-convergence path to D and computing the explicit SR- 463 based path EP(P, Q) from P to Q when these nodes are not adjacent 464 along the post convergence path. The TI-LFA repair list is expressed 465 generally as (Node_SID(P), EP(P, Q)). 467 Most often, the TI-LFA repair list has a simpler form, as described 468 in the following sections. Section 9 provides statistics for the 469 number of SIDs in the explicit path to protect against various 470 failures. 472 5.1. FRR path using a direct neighbor 474 When a direct neighbor is in P(S,X) and Q(D,x) and on the post- 475 convergence path, the outgoing interface is set to that neighbor and 476 the repair segment list SHOULD be empty. 478 This is comparable to a post-convergence LFA FRR repair. 480 5.2. FRR path using a PQ node 482 When a remote node R is in P(S,X) and Q(D,x) and on the post- 483 convergence path, the repair list MUST be made of a single node 484 segment to R and the outgoing interface SHOULD be set to the outgoing 485 interface used to reach R. 487 This is comparable to a post-convergence RLFA repair tunnel. 489 5.3. FRR path using a P node and Q node that are adjacent 491 When a node P is in P(S,X) and a node Q is in Q(D,x) and both are on 492 the post-convergence path and both are adjacent to each other, the 493 repair list SHOULD be made of two segments: A node segment to P (to 494 be processed first), followed by an adjacency segment from P to Q. 496 This is comparable to a post-convergence DLFA repair tunnel. 498 5.4. Connecting distant P and Q nodes along post-convergence paths 500 In some cases, there is no adjacent P and Q node along the post- 501 convergence path. However, the PLR can perform additional 502 computations to compute a list of segments that represent a loop-free 503 path from P to Q. How these computations are done is out of scope of 504 this document. 506 6. Building TI-LFA repair lists 508 The following sections describe how to build the repair lists using 509 the terminology defined in [RFC8402]. The procedures described in 510 Section 6.1 are equally applicable to both SR-MPLS and SRv6 511 dataplane, while the dataplane-specific considerations are described 512 in Section 6.2. 514 6.1. Link protection 516 In this section, we explain how a protecting router S processes the 517 active segment of a packet upon the failure of its primary outgoing 518 interface for the packet, S-F. 520 6.1.1. The active segment is a node segment 522 The active segment MUST be kept on the SR header unchanged and the 523 repair list MUST be added. The active segment becomes the first 524 segment of the repair list. The way the repair list is added depends 525 on the dataplane used (see Section 6.2). 527 6.1.2. The active segment is an adjacency segment 529 We define hereafter the FRR behavior applied by S for any packet 530 received with an active adjacency segment S-F for which protection 531 was enabled. As protection has been enabled for the segment S-F and 532 signalled in the IGP, any SR policy using this segment knows that it 533 may be transiently rerouted out of S-F in case of S-F failure. 535 The simplest approach for link protection of an adjacency segment S-F 536 is to create a repair list that will carry the traffic to F. To do 537 so, one or two "PUSH" operations are performed. If the repair list, 538 while avoiding S-F, terminates on F, S only pushes the repair list. 539 Otherwise, S pushes a node segment of F, followed by by push of the 540 repair list. For details on the "NEXT" and "PUSH" operations, refer 541 to [RFC8402]. 543 This method which merges back the traffic at the remote end of the 544 adjacency segment has the advantage of keeping as much as possible 545 the traffic on the pre-failure path. As stated in Section 2, when SR 546 policies are involved and a strict compliance of the policy is 547 required, an end-to-end protection should be preferred over a local 548 repair mechanism. However this method may not provide the expected 549 post-convergence path to the final destination as the expected post- 550 convergence path may not go through F. Another method requires to 551 look to the next segment in the segment list. 553 We distinguish the case where this active segment is followed by 554 another adjacency segment from the case where it is followed by a 555 node segment. 557 6.1.2.1. Protecting [Adjacency, Adjacency] segment lists 559 If the next segment in the list is an Adjacency segment, then the 560 packet has to be conveyed to F. 562 To do so, S MUST apply a "NEXT" operation on Adj(S-F) and then one or 563 two "PUSH" operations. If the repair list, while avoiding S-F, 564 terminates on F, S only pushes the repair list. Otherwise, S pushes 565 a node segment of F, followed by push of the repair list.. For 566 details on the "NEXT" and "PUSH" operations, refer to [RFC8402]. 568 Upon failure of S-F, a packet reaching S with a segment list matching 569 [adj(S-F),adj(F-M),...] will thus leave S with a segment list 570 matching [RL(F),node(F),adj(F-M)], where RL(F) is the repair path for 571 destination F. 573 6.1.2.2. Protecting [Adjacency, Node] segment lists 575 If the next segment in the stack is a node segment, say for node T, 576 the segment list on the packet matches [adj(S-F),node(T),...]. 578 In this case, S MUST apply a "NEXT" operation on the Adjacency 579 segment related to S-F, followed by a "PUSH" of a repair list 580 redirecting the traffic to a node Q, whose path to node segment T is 581 not affected by the failure. 583 Upon failure of S-F, packets reaching S with a segment list matching 584 [adj(S-F), node(T), ...], would leave S with a segment list matching 585 [RL(Q),node(T), ...]. 587 6.2. Dataplane specific considerations 589 6.2.1. MPLS dataplane considerations 591 MPLS dataplane for Segment Routing is described in [RFC8660]. 593 The following dataplane behaviors apply when creating a repair list 594 using an MPLS dataplane: 596 1. If the active segment is a node segment that has been signaled 597 with penultimate hop popping and the repair list ends with an 598 adjacency segment terminating on the tail-end of the active 599 segment, then the active segment MUST be popped before pushing 600 the repair list. 602 2. If the active segment is a node segment but the other conditions 603 in 1. are not met, the active segment MUST be popped then pushed 604 again with a label value computed according to the SRGB of Q, 605 where Q is the endpoint of the repair list. Finally, the repair 606 list MUST be pushed. 608 6.2.2. SRv6 dataplane considerations 610 SRv6 dataplane and programming instructions are described 611 respectively in [RFC8754] and [RFC8986]. 613 The TI-LFA path computation algorithm is the same as in the SR-MPLS 614 dataplane. Note however that the Adjacency SIDs are typically 615 globally routed. In such case, there is no need for a preceding 616 Prefix SID and the resulting repair list is likely shorter. 618 If the traffic is protected at a Transit Node, then an SRv6 SID list 619 is added on the packet to apply the repair list. The addition of the 620 repair list follows the headend behaviors as specified in section 5 621 of [RFC8986]. 623 If the traffic is protected at an SR Segment Endpoint Node, first the 624 Segment Endpoint packet processing is executed. Then the packet is 625 protected as if its were a transit packet. 627 7. TI-LFA and SR algorithms 629 SR allows an operator to bind an algorithm to a prefix SID (as 630 defined in [RFC8402]. The algorithm value dictates how the path to 631 the prefix is computed. The SR default algorithm is known has the 632 "Shortest Path" algorithm. The SR default algorithm allows an 633 operator to override the IGP shortest path by using local policies. 634 When TI-LFA uses Node-SIDs associated with the default algorithm, 635 there is no guarantee that the path will be loop-free as a local 636 policy may have overriden the expected IGP path. As the local 637 policies are defined by the operator, it becomes the responsibility 638 of this operator to ensure that the deployed policies do not affect 639 the TI-LFA deployment. It should be noted that such situation can 640 already happen today with existing mechanisms as remote LFA. 642 [I-D.ietf-lsr-flex-algo] defines a flexible algorithm (FlexAlgo) 643 framework to be associated with Prefix SIDs. FlexAlgo allows a user 644 to associate a constrained path to a Prefix SID rather than using the 645 regular IGP shortest path. An implementation MAY support TI-LFA to 646 protect Node-SIDs associated to a FlexAlgo. In such a case, rather 647 than computing the expected post-convergence path based on the 648 regular SPF, an implementation SHOULD use the constrained SPF 649 algorithm bound to the FlexAlgo (using the Flex Algo Definition) 650 instead of the regular Dijkstra in all the SPF/rSPF computations that 651 are occurring during the TI-LFA computation. This includes the 652 computation of the P-Space and Q-Space as well as the post- 653 convergence path. An implementation MUST only use Node-SIDs bound to 654 the FlexAlgo and/or Adj-SIDs that are unprotected to build the repair 655 list. 657 8. Usage of Adjacency segments in the repair list 659 The repair list of segments computed by TI-LFA may contain one or 660 more adjacency segments. An adjacency segment may be protected or 661 not protected. 663 S --- R2 --- R3 --- R4 --- R5 --- D 664 \ | \ / 665 R7 -- R8 666 | | 667 R9 -- R10 669 Figure 3 671 In Figure 3, all the metrics are equal to 1 except 672 R2-R7,R7-R8,R8-R4,R7-R9 which have a metric of 1000. Considering R2 673 as a PLR to protect against the failure of node R3 for the traffic 674 S->D, the repair list computed by R2 will be [adj(R7-R8),adj(R8-R4)] 675 and the outgoing interface will be to R7. If R3 fails, R2 pushes the 676 repair list onto the incoming packet to D. During the FRR, if R7-R8 677 fails and if TI-LFA has picked a protected adjacency segment for 678 adj(R7-R8), R7 will push an additional repair list onto the packet 679 following the procedures defined in Section 6. 681 To avoid the possibility of this double FRR activation, an 682 implementation of TI-LFA MAY pick only non protected adjacency 683 segments when building the repair list. 685 9. Measurements on Real Networks 687 This section presents measurements performed on real service provider 688 and large enterprise networks. The objective of the measurements is 689 to assess the number of SIDs required in an explicit path when the 690 mechanisms described in this document are used to protect against the 691 failure scenarios within the scope of this document. The number of 692 segments described in this section are applicable to instantiating 693 segment routing over the MPLS forwarding plane. 695 The measurements below indicate that for link and local SRLG 696 protection, a 1 SID repair path delivers more than 99% coverage. For 697 node protection a 2 SIDs repair path yields 99% coverage. 699 Table 1 below lists the characteristics of the networks used in our 700 measurements. The number of links refers to the number of 701 "bidirectional" links (not directed edges of the graph). The 702 measurements are carried out as follows: 704 o For each network, the algorithms described in this document are 705 applied to protect all prefixes against link, node, and local SRLG 706 failure 708 o For each prefix, the number of SIDs used by the repair path is 709 recored 711 o The percentage of number of SIDs are listed in Tables 2A/B, 3A/B, 712 and 4A/B 714 The measurements listed in the tables indicate that for link and 715 local SRLG protection, 1 SID repair paths are sufficient to protect 716 more than 99% of the prefix in almost all cases. For node protection 717 2 SIDs repair paths yield 99% coverage. 719 +-------------+------------+------------+------------+------------+ 720 | Network | Nodes | Links |Node-to-Link| SRLG info? | 721 | | | | Ratio | | 722 +-------------+------------+------------+------------+------------+ 723 | T1 | 408 | 665 | 1.63 | Yes | 724 +-------------+------------+------------+------------+------------+ 725 | T2 | 587 | 1083 | 1.84 | No | 726 +-------------+------------+------------+------------+------------+ 727 | T3 | 93 | 401 | 4.31 | Yes | 728 +-------------+------------+------------+------------+------------+ 729 | T4 | 247 | 393 | 1.59 | Yes | 730 +-------------+------------+------------+------------+------------+ 731 | T5 | 34 | 96 | 2.82 | Yes | 732 +-------------+------------+------------+------------+------------+ 733 | T6 | 50 | 78 | 1.56 | No | 734 +-------------+------------+------------+------------+------------+ 735 | T7 | 82 | 293 | 3.57 | No | 736 +-------------+------------+------------+------------+------------+ 737 | T8 | 35 | 41 | 1.17 | Yes | 738 +-------------+------------+------------+------------+------------+ 739 | T9 | 177 | 1371 | 7.74 | Yes | 740 +-------------+------------+------------+------------+------------+ 741 Table 1: Data Set Definition 743 The rest of this section presents the measurements done on the actual 744 topologies. The convention that we use is as follows 746 o 0 SIDs: the calculated repair path starts with a directly 747 connected neighbor that is also a loop free alternate, in which 748 case there is no need to explicitly route the traffic using 749 additional SIDs. This scenario is described in Section 5.1. 751 o 1 SIDs: the repair node is a PQ node, in which case only 1 SID is 752 needed to guarantee loop-freeness. This scenario is covered in 753 Section 5.2. 755 o 2 or more SIDs: The repair path consists of 2 or more SIDs as 756 described in Sections 4.3 and 4.4. We do not cover the case for 2 757 SIDs (Section 5.3) separately because there was no granularity in 758 the result. Also we treat the node-SID+adj-SID and node-SID + 759 node-SID the same because they do not differ from the data plane 760 point of view. 762 Table 2A and 2B below summarize the measurements on the number of 763 SIDs needed for link protection 765 +-------------+------------+------------+------------+------------+ 766 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 767 +-------------+------------+------------+------------+------------+ 768 | T1 | 74.3% | 25.3% | 0.5% | 0.0% | 769 +-------------+------------+------------+------------+------------+ 770 | T2 | 81.1% | 18.7% | 0.2% | 0.0% | 771 +-------------+------------+------------+------------+------------+ 772 | T3 | 95.9% | 4.1% | 0.1% | 0.0% | 773 +-------------+------------+------------+------------+------------+ 774 | T4 | 62.5% | 35.7% | 1.8% | 0.0% | 775 +-------------+------------+------------+------------+------------+ 776 | T5 | 85.7% | 14.3% | 0.0% | 0.0% | 777 +-------------+------------+------------+------------+------------+ 778 | T6 | 81.2% | 18.7% | 0.0% | 0.0% | 779 +-------------+------------+------------+------------+------------+ 780 | T7 | 98.9% | 1.1% | 0.0% | 0.0% | 781 +-------------+------------+------------+------------+------------+ 782 | T8 | 94.1% | 5.9% | 0.0% | 0.0% | 783 +-------------+------------+------------+------------+------------+ 784 | T9 | 98.9% | 1.0% | 0.0% | 0.0% | 785 +-------------+------------+------------+------------+------------+ 786 Table 2A: Link protection (repair size distribution) 788 +-------------+------------+------------+------------+------------+ 789 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 790 +-------------+------------+------------+------------+------------+ 791 | T1 | 74.2% | 99.5% | 99.9% | 100.0% | 792 +-------------+------------+------------+------------+------------+ 793 | T2 | 81.1% | 99.8% | 100.0% | 100.0% | 794 +-------------+------------+------------+------------+------------+ 795 | T3 | 95.9% | 99.9% | 100.0% | 100.0% | 796 +-------------+------------+------------+------------+------------+ 797 | T4 | 62.5% | 98.2% | 100.0% | 100.0% | 798 +-------------+------------+------------+------------+------------+ 799 | T5 | 85.7% | 100.0% | 100.0% | 100.0% | 800 +-------------+------------+------------+------------+------------+ 801 | T6 | 81.2% | 99.9% | 100.0% | 100.0% | 802 +-------------+------------+------------+------------+------------+ 803 | T7 | 98,8% | 100.0% | 100.0% | 100.0% | 804 +-------------+------------+------------+------------+------------+ 805 | T8 | 94,1% | 100.0% | 100.0% | 100.0% | 806 +-------------+------------+------------+------------+------------+ 807 | T9 | 98,9% | 100.0% | 100.0% | 100.0% | 808 +-------------+------------+------------+------------+------------+ 809 Table 2B: Link protection repair size cumulative distribution 810 Table 3A and 3B summarize the measurements on the number of SIDs 811 needed for local SRLG protection. 813 +-------------+------------+------------+------------+------------+ 814 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 815 +-------------+------------+------------+------------+------------+ 816 | T1 | 74.2% | 25.3% | 0.5% | 0.0% | 817 +-------------+------------+------------+------------+------------+ 818 | T2 | No SRLG Information | 819 +-------------+------------+------------+------------+------------+ 820 | T3 | 93.6% | 6.3% | 0.0% | 0.0% | 821 +-------------+------------+------------+------------+------------+ 822 | T4 | 62.5% | 35.6% | 1.8% | 0.0% | 823 +-------------+------------+------------+------------+------------+ 824 | T5 | 83.1% | 16.8% | 0.0% | 0.0% | 825 +-------------+------------+------------+------------+------------+ 826 | T6 | No SRLG Information | 827 +-------------+---------------------------------------------------+ 828 | T7 | No SRLG Information | 829 +-------------+------------+------------+------------+------------+ 830 | T8 | 85.2% | 14.8% | 0.0% | 0.0% | 831 +-------------+------------+------------+------------+------------+ 832 | T9 | 98,9% | 1.1% | 0.0% | 0.0% | 833 +-------------+------------+------------+------------+------------+ 834 Table 3A: Local SRLG protection repair size distribution 836 +-------------+------------+------------+------------+------------+ 837 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 838 +-------------+------------+------------+------------+------------+ 839 | T1 | 74.2% | 99.5% | 99.9% | 100.0% | 840 +-------------+------------+------------+------------+------------+ 841 | T2 | No SRLG Information | 842 +-------------+------------+------------+------------+------------+ 843 | T3 | 93.6% | 99.9% | 100.0% | 0.0% | 844 +-------------+------------+------------+------------+------------+ 845 | T4 | 62.5% | 98.2% | 100.0% | 100.0% | 846 +-------------+------------+------------+------------+------------+ 847 | T5 | 83.1% | 100.0% | 100.0% | 100.0% | 848 +-------------+------------+------------+------------+------------+ 849 | T6 | No SRLG Information | 850 +-------------+---------------------------------------------------+ 851 | T7 | No SRLG Information | 852 +-------------+------------+------------+------------+------------+ 853 | T8 | 85.2% | 100.0% | 100.0% | 100.0% | 854 +-------------+------------+------------+------------+------------+ 855 | T9 | 98.9% | 100.0% | 100.0% | 100.0% | 856 +-------------+------------+------------+------------+------------+ 857 Table 3B: Local SRLG protection repair size Cumulative distribution 858 The remaining two tables summarize the measurements on the number of 859 SIDs needed for node protection. 861 +---------+----------+----------+----------+----------+----------+ 862 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 4 SIDs | 863 +---------+----------+----------+----------+----------+----------+ 864 | T1 | 49.8% | 47.9% | 2.1% | 0.1% | 0.0% | 865 +---------+----------+----------+----------+----------+----------+ 866 | T2 | 36,5% | 59.6% | 3.6% | 0.2% | 0.0% | 867 +---------+----------+----------+----------+----------+----------+ 868 | T3 | 73.3% | 25.6% | 1.1% | 0.0% | 0.0% | 869 +---------+----------+----------+----------+----------+----------+ 870 | T4 | 36.1% | 57.3% | 6.3% | 0.2% | 0.0% | 871 +---------+----------+----------+----------+----------+----------+ 872 | T5 | 73.2% | 26.8% | 0% | 0% | 0% | 873 +---------+----------+----------+----------+----------+----------+ 874 | T6 | 78.3% | 21.3% | 0.3% | 0% | 0% | 875 +---------+----------+----------+----------+----------+----------+ 876 | T7 | 66.1% | 32.8% | 1.1% | 0% | 0% | 877 +---------+----------+----------+----------+----------+----------+ 878 | T8 | 59.7% | 40.2% | 0% | 0% | 0% | 879 +---------+----------+----------+----------+----------+----------+ 880 | T9 | 98.9% | 1.0% | 0% | 0% | 0% | 881 +---------+----------+----------+----------+----------+----------+ 882 Table 4A: Node protection (repair size distribution) 884 +---------+----------+----------+----------+----------+----------+ 885 | Network | 0 SIDs | 1 SID | 2 SIDs | 3 SIDs | 4 SIDs | 886 +---------+----------+----------+----------+----------+----------+ 887 | T1 | 49.7% | 97.6% | 99.8% | 99.9% | 100% | 888 +---------+----------+----------+----------+----------+----------+ 889 | T2 | 36.5% | 96.1% | 99.7% | 99.9% | 100% | 890 +---------+----------+----------+----------+----------+----------+ 891 | T3 | 73.3% | 98.9% | 99.9% | 100.0% | 100% | 892 +---------+----------+----------+----------+----------+----------+ 893 | T4 | 36.1% | 93.4% | 99.8% | 99.9% | 100% | 894 +---------+----------+----------+----------+----------+----------+ 895 | T5 | 73.2% | 100.0% | 100.0% | 100.0% | 100% | 896 +---------+----------+----------+----------+----------+----------+ 897 | T6 | 78.4% | 99.7% | 100.0% | 100.0% | 100% | 898 +---------+----------+----------+----------+----------+----------+ 899 | T7 | 66.1% | 98.9% | 100.0% | 100.0% | 100% | 900 +---------+----------+----------+----------+----------+----------+ 901 | T8 | 59.7% | 100.0% | 100.0% | 100.0% | 100% | 902 +---------+----------+----------+----------+----------+----------+ 903 | T9 | 98.9% | 100.0% | 100.0% | 100.0% | 100% | 904 +---------+----------+----------+----------+----------+----------+ 905 Table 4B: Node protection (repair size cumulative distribution) 907 10. Security Considerations 909 The techniques described in this document are internal 910 functionalities to a router that result in the ability to guarantee 911 an upper bound on the time taken to restore traffic flow upon the 912 failure of a directly connected link or node. As these techniques 913 steer traffic to the post-convergence path as quickly as possible, 914 this serves to minimize the disruption associated with a local 915 failure which can be seen as a modest security enhancement. The 916 protection mechanisms does not protect external destinations, but 917 rather provides quick restoration for destination that are internal 918 to a routing domain. 920 Security considerations described in [RFC5286] and [RFC7490] apply to 921 this document. Similarly, as the solution described in the document 922 is based on Segment Routing technology, reader should be aware of the 923 security considerations related to this technology ([RFC8402]) and 924 its dataplane instantiations ([RFC8660], [RFC8754] and [RFC8986]). 925 However, this document does not introduce additional security 926 concern. 928 11. IANA Considerations 930 No requirements for IANA 932 12. Contributors 934 In addition to the authors listed on the front page, the following 935 co-authors have also contributed to this document: 937 Francois Clad, Cisco Systems 939 Pablo Camarillo, Cisco Systems 941 13. Acknowledgments 943 We would like to thank Les Ginsberg, Stewart Bryant, Alexander 944 Vainsthein, Chris Bowers, Shraddha Hedge for their valuable comments. 946 14. References 947 14.1. Normative References 949 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 950 Requirement Levels", BCP 14, RFC 2119, 951 DOI 10.17487/RFC2119, March 1997, 952 . 954 [RFC7916] Litkowski, S., Ed., Decraene, B., Filsfils, C., Raza, K., 955 Horneffer, M., and P. Sarkar, "Operational Management of 956 Loop-Free Alternates", RFC 7916, DOI 10.17487/RFC7916, 957 July 2016, . 959 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 960 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 961 May 2017, . 963 [RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L., 964 Decraene, B., Litkowski, S., and R. Shakir, "Segment 965 Routing Architecture", RFC 8402, DOI 10.17487/RFC8402, 966 July 2018, . 968 [RFC8660] Bashandy, A., Ed., Filsfils, C., Ed., Previdi, S., 969 Decraene, B., Litkowski, S., and R. Shakir, "Segment 970 Routing with the MPLS Data Plane", RFC 8660, 971 DOI 10.17487/RFC8660, December 2019, 972 . 974 [RFC8754] Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J., 975 Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header 976 (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020, 977 . 979 [RFC8986] Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer, 980 D., Matsushima, S., and Z. Li, "Segment Routing over IPv6 981 (SRv6) Network Programming", RFC 8986, 982 DOI 10.17487/RFC8986, February 2021, 983 . 985 14.2. Informative References 987 [I-D.bashandy-rtgwg-segment-routing-uloop] 988 Bashandy, A., Filsfils, C., Litkowski, S., Decraene, B., 989 Francois, P., and P. Psenak, "Loop avoidance using Segment 990 Routing", draft-bashandy-rtgwg-segment-routing-uloop-10 991 (work in progress), December 2020. 993 [I-D.ietf-lsr-flex-algo] 994 Psenak, P., Hegde, S., Filsfils, C., Talaulikar, K., and 995 A. Gulko, "IGP Flexible Algorithm", draft-ietf-lsr-flex- 996 algo-15 (work in progress), April 2021. 998 [I-D.ietf-spring-segment-routing-policy] 999 Filsfils, C., Talaulikar, K., Voyer, D., Bogdanov, A., and 1000 P. Mattes, "Segment Routing Policy Architecture", draft- 1001 ietf-spring-segment-routing-policy-11 (work in progress), 1002 April 2021. 1004 [RFC5286] Atlas, A., Ed. and A. Zinin, Ed., "Basic Specification for 1005 IP Fast Reroute: Loop-Free Alternates", RFC 5286, 1006 DOI 10.17487/RFC5286, September 2008, 1007 . 1009 [RFC5714] Shand, M. and S. Bryant, "IP Fast Reroute Framework", 1010 RFC 5714, DOI 10.17487/RFC5714, January 2010, 1011 . 1013 [RFC6571] Filsfils, C., Ed., Francois, P., Ed., Shand, M., Decraene, 1014 B., Uttaro, J., Leymann, N., and M. Horneffer, "Loop-Free 1015 Alternate (LFA) Applicability in Service Provider (SP) 1016 Networks", RFC 6571, DOI 10.17487/RFC6571, June 2012, 1017 . 1019 [RFC7490] Bryant, S., Filsfils, C., Previdi, S., Shand, M., and N. 1020 So, "Remote Loop-Free Alternate (LFA) Fast Reroute (FRR)", 1021 RFC 7490, DOI 10.17487/RFC7490, April 2015, 1022 . 1024 Authors' Addresses 1026 Stephane Litkowski 1027 Cisco Systems 1028 France 1030 Email: slitkows@cisco.com 1032 Ahmed Bashandy 1033 Individual 1035 Email: abashandy.ietf@gmail.com 1036 Clarence Filsfils 1037 Cisco Systems 1038 Brussels 1039 Belgium 1041 Email: cfilsfil@cisco.com 1043 Pierre Francois 1044 INSA Lyon 1046 Email: pierre.francois@insa-lyon.fr 1048 Bruno Decraene 1049 Orange 1050 Issy-les-Moulineaux 1051 France 1053 Email: bruno.decraene@orange.com 1055 Daniel Voyer 1056 Bell Canada 1057 Canada 1059 Email: daniel.voyer@bell.ca