SPRING                                                   J. Guichard, Ed.
Internet-Draft                                                    H. Song
Intended status: Standards Track                   Futurewei Technologies
Expires: February 8, 2020                                     J. Tantsura
                                                              Apstra inc.
                                                               J. Halpern
                                                                 Ericsson
                                                            W. Henderickx
                                                                    Nokia
                                                             M. Boucadair
                                                                   Orange
                                                                S. Hassan
                                                            Cisco Systems
                                                           August 7, 2019


 Network Service Header (NSH) and Segment Routing Integration for Service
                        Function Chaining (SFC)
                        draft-ietf-spring-nsh-sr-00

Abstract

   This document describes two application scenarios where Network
   Service Header (NSH) and Segment Routing (SR) techniques can be
   deployed together to support Service Function Chaining (SFC) in an
   efficient manner while maintaining separation of the service and
   transport planes as originally intended by the SFC architecture.

   In the first scenario, an NSH-based SFC is created using SR as the
   transport between Service Function Forwarders (SFFs).  SR in this
   case is just one of many encapsulations that could be used to
   maintain the transport-independent nature of NSH-based service
   chains.

   In the second scenario, SR is used to represent each service hop of
   the NSH-based SFC as a segment within the segment-list.  SR and NSH
   in this case are integrated.

   In both scenarios SR is responsible for steering packets between SFFs
   along a given Service Function Path (SFP) while NSH is responsible
   for maintaining the integrity of the service plane, the SFC instance
   context, and any associated metadata.

   These application scenarios demonstrate that NSH and SR can work
   jointly and complement each other, leaving the network operator with
   the flexibility to use whichever transport technology makes sense in
   specific areas of their network infrastructure while still
   maintaining an end-to-end service plane using NSH.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 8, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  SFC Overview and Rationale
     1.2.  Requirements Language
     1.3.  SFC within SR Networks
   2.  NSH-based SFC with SR-based transport tunnel
   3.  SR-based SFC with Integrated NSH Service Plane
   4.  Encapsulation Details
     4.1.  NSH using MPLS-SR Transport
     4.2.  NSH using SRv6 Transport
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  UDP Port Number for NSH
     6.2.  Protocol Number for NSH
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

1.1.  SFC Overview and Rationale

   The dynamic enforcement of a service-derived, adequate forwarding
   policy for packets entering a network that supports advanced Service
   Functions (SFs) has become a key challenge for operators and service
   providers.  In particular, cascading SFs, for example at the Gi
   interface in mobile network infrastructure, has shown its limits:

   o  the same classification features must be implemented redundantly
      by many SFs in order for each of them to execute its function;

   o  some SFs receive traffic that they are not supposed to process
      (e.g., TCP proxies receiving UDP traffic), which inevitably
      affects their dimensioning and performance;

   o  the design complexity of invoking several SFs in the proper order
      increases.

   In order to solve those problems, to avoid tying the service logic to
   the underlying physical network topology, and to simplify service
   delivery, Service Function Chaining (SFC) techniques have been
   introduced.
   SFC techniques are meant to rationalize the service delivery logic
   and master the companion complexity while optimizing service
   activation time cycles for operators that need more agile service
   delivery procedures to better accommodate ever-demanding customer
   requirements.  Indeed, SFC allows service planes to be created
   dynamically for specific traffic flows.  Each service plane is
   realized by invoking and chaining the relevant service functions in
   the right sequence.  [RFC7498] provides an overview of the SFC
   problem space and [RFC7665] specifies an SFC architecture.  The SFC
   architecture has the merit of not making assumptions on how advanced
   features (e.g., load-balancing, loose or strict service paths) are
   to be enabled within a domain.  Various deployment options are made
   available to operators by the SFC architecture, and this approach is
   fundamental to accommodating varied and heterogeneous deployment
   contexts.

   Many approaches can be considered for encoding the information
   required for SFC purposes (e.g., communicate a service chain pointer,
   encode a list of loose/explicit paths, disseminate a service chain
   identifier together with a set of context information, etc.).
   Likewise, many approaches can also be considered for the channel
   used to carry SFC-specific information (e.g., define a new header,
   re-use existing fields, define an IPv6 extension header, etc.).
   Among all these approaches, the IETF endorsed a transport-independent
   SFC encapsulation scheme, NSH [RFC8300], which is the most mature SFC
   encapsulation solution.  This design is pragmatic as it does not
   require the same specification effort to be replicated for each
   underlying transport encapsulation.  Moreover, this design approach
   encourages consistent SFC-based service delivery in networks that use
   distinct transport protocols in different segments of the network,
   or even between SFF-SFF hops and SF-SFF hops.

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   RFC 2119 [RFC2119] when, and only when, they appear in all capitals,
   as shown here.

1.3.  SFC within SR Networks

   As described in [I-D.ietf-spring-segment-routing], Segment Routing
   (SR) leverages the source routing technique.  Concretely, a node
   steers a packet through an SR policy instantiated as an ordered list
   of instructions called segments.  While initially designed for
   policy-based source routing, SR also finds application in supporting
   SFC [I-D.xu-clad-spring-sr-service-chaining].  The two SR flavors,
   namely MPLS-SR [I-D.ietf-spring-segment-routing-mpls] and SRv6
   [I-D.ietf-6man-segment-routing-header], can both encode a Service
   Function (SF) as a segment so that an SFC can be specified as a
   segment list.  Nevertheless, and as discussed in [RFC7498], traffic
   steering is only a subset of the issues that motivated the design of
   the SFC architecture.  Further considerations such as simplifying
   classification at intermediate SFs and allowing for coordinated
   behaviors among SFs by means of supplying context information should
   be taken into account when designing an SFC data plane solution.

   While each scheme (i.e., NSH-based SFC and SR-based SFC) can work
   independently, this document describes how the two can be used
   together in concert and complement each other through two
   representative application scenarios.
   Both application scenarios may be supported using either MPLS-SR or
   SRv6:

   o  NSH-based SFC with SR-based transport plane: in this scenario
      segment routing provides the transport encapsulation between SFFs
      while NSH is used to convey and trigger SFC policies.

   o  SR-based SFC with integrated NSH service plane: in this scenario
      each service hop of the SFC is represented as a segment of the SR
      segment-list.  SR is responsible for steering traffic through the
      necessary SFFs as part of the segment routing path and NSH is
      responsible for maintaining the service plane, and holding the SFC
      instance context and associated metadata.

   It is of course possible to combine both of these two scenarios so as
   to support specific deployment requirements and use cases.

2.  NSH-based SFC with SR-based transport tunnel

   Because of the transport-independent nature of NSH-based service
   chains, it is expected that the NSH has broad applicability across
   different domains of a network.  By way of illustration, the various
   SFs involved in a service chain may be available in a single data
   center, or spread throughout multiple locations (e.g., data centers,
   different POPs), depending upon operator preference and/or the
   availability of service resources.  Regardless of where the service
   resources are deployed it is necessary to provide traffic steering
   through a set of SFFs, and NSH-based service chains give the network
   operator the flexibility to choose which transport encapsulation to
   use between SFFs, which may differ depending upon the area of the
   network in which the SFFs/SFs are deployed.  Therefore, from an SFC
   architecture perspective, segment routing is simply one of multiple
   available transport encapsulations that can be used for traffic
   steering between SFFs.
   Concretely, NSH does not require a single transport encapsulation to
   be used along the whole service chain.  NSH-based service forwarding
   relies upon the capabilities of the underlying service nodes.

   The following three figures provide an example of an SFC established
   for flow F that has SF instances located in different data centers,
   DC1 and DC2.  For the purpose of illustration, let the SFC's Service
   Path Identifier (SPI) be 100 and the initial Service Index (SI) be
   255.  In the figures, N(SPI,SI) denotes the NSH carried by the packet
   and S(x) an SR segment.

   Referring to Figure 1, packets of flow F in DC1 are classified into
   an NSH-based SFC, encapsulated after classification as N(100,255),
   and forwarded to SFF1 (which is the first SFF hop for this service
   chain).

   After removing the outer transport encapsulation, which may or may
   not be MPLS-SR or SRv6, SFF1 uses the SPI and SI carried within the
   NSH encapsulation to determine that it should forward the packet to
   SF1.  SF1 applies its service, decrements the SI by 1, and returns
   the packet to SFF1.  SFF1 therefore has N(100,254) when the packet
   comes back from SF1.  SFF1 does a lookup on N(100,254), which
   results in next-hop DC1-GW1, and forwards the packet to DC1-GW1.
   +--------------------------- DC1 ----------------------------+
   |                          +-----+                           |
   |                          | SF1 |                           |
   |                          +--+--+                           |
   |                             |                              |
   |                             |                              |
   |          +------------+     |     +------------+           |
   |          | N(100,255) |     |     | F:Inner Pkt|           |
   |          +------------+     |     +------------+           |
   |          | F:Inner Pkt|     |     | N(100,254) |           |
   |          +------------+  ^  |  |  +------------+           |
   |               (2)        |  |  |       (3)                 |
   |                          |  |  v                           |
   |                (1)       |       (4)                       |
   |+------------+ ---->   +--+---+  ---->  +---------+         |
   ||            |  NSH    |      |   NSH   |         |         |
   || Classifier +---------+ SFF1 +---------+ DC1-GW1 +         |
   ||            |         |      |         |         |         |
   |+------------+         +------+         +---------+         |
   |                                                            |
   |    +------------+                    +------------+        |
   |    | N(100,255) |                    | N(100,254) |        |
   |    +------------+                    +------------+        |
   |    | F:Inner Pkt|                    | F:Inner Pkt|        |
   |    +------------+                    +------------+        |
   |                                                            |
   +------------------------------------------------------------+

                 Figure 1: SR for inter-DC SFC - Part 1

   Referring now to Figure 2, DC1-GW1 performs a lookup on the
   information conveyed in the NSH, which results in next-hop DC2-GW1
   with SR encapsulation.  The SR encapsulation carries the SR
   segment-list used to forward the packet across the inter-DC network
   to DC2.

                    +----------- Inter DC ----------------+
                    |                (5)                  |
   +------+  ----> |  +---------+  ---->  +---------+    |
   |      |   NSH  |  |         |    SR   |         |    |
   | SFF1 +--------|--+ DC1-GW1 +---------+ DC2-GW1 +    |
   |      |        |  |         |         |         |    |
   +------+        |  +---------+         +---------+    |
                    |                                     |
                    |          +------------+             |
                    |          | S(DC2-GW1) |             |
                    |          +------------+             |
                    |          | N(100,254) |             |
                    |          +------------+             |
                    |          | F:Inner Pkt|             |
                    |          +------------+             |
                    +-------------------------------------+

                 Figure 2: SR for inter-DC SFC - Part 2

   When the packet arrives at DC2, as shown in Figure 3, the SR
   encapsulation is removed and DC2-GW1 performs a lookup on the NSH
   which results in next-hop SFF2.  The outer transport encapsulation
   may be any transport that is able to identify NSH as the next
   protocol.
   +------------------------ DC2 ----------------------+
   |                  +-----+                          |
   |                  | SF2 |                          |
   |                  +--+--+                          |
   |                     |                             |
   |                     |                             |
   |   +------------+    |    +------------+           |
   |   | N(100,254) |    |    | F:Inner Pkt|           |
   |   +------------+    |    +------------+           |
   |   | F:Inner Pkt|    |    | N(100,253) |           |
   |   +------------+ ^  |  | +------------+           |
   |        (7)       |  |  |      (8)                 |
   |                  |  |  v                          |
   |          (6)     |          (9)                   |
   |+----------+ ---->  +--+---+  ---->                |
   ||          |  NSH   |      |   IP                  |
   || DC2-GW1  +--------+ SFF2 |                       |
   ||          |        |      |                       |
   |+----------+        +------+                       |
   |                                                   |
   |    +------------+       +------------+            |
   |    | N(100,254) |       | F:Inner Pkt|            |
   |    +------------+       +------------+            |
   |    | F:Inner Pkt|                                 |
   |    +------------+                                 |
   +---------------------------------------------------+

                 Figure 3: SR for inter-DC SFC - Part 3

   The benefits of this scheme are listed hereafter:

   o  The network operator is able to take advantage of the transport-
      independent nature of the NSH encapsulation.

   o  The network operator is able to take advantage of the traffic
      steering capability of SR where appropriate.

   o  Light-weight NSH is used in the data center for SFC and avoids
      more complex hierarchical SFC schemes between data centers.

   o  Clear division of responsibility and scope between NSH and SR.

   Note that this scenario is applicable to any case where multiple
   segments of a service chain are distributed into multiple domains or
   where traffic-engineered paths are necessary between SFFs (strict
   forwarding paths for example).  Further note that the above example
   can also be implemented using end-to-end segment routing between SFF1
   and SFF2.  (In that case DC1-GW1 and DC2-GW1 forward the packets
   based on segment routing instructions and do not look at the NSH
   header for forwarding.)

3.  SR-based SFC with Integrated NSH Service Plane

   In this scenario we assume that the SFs are NSH-aware and therefore
   it should not be necessary to implement an SFC proxy to achieve
   Service Function Chaining.  The operation relies upon SR to perform
   SFF-SFF transport and NSH to provide the service plane between SFs,
   thereby maintaining SFC context and metadata.

   When a service chain is established, a packet associated with that
   chain is first encapsulated with an NSH, which is used to maintain
   the end-to-end service plane through use of the SFC context.  The SFC
   context (e.g., the service plane path referenced by the SPI) is used
   by an SFF to determine the SR segment list for forwarding the packet
   to the next-hop SFFs.  The packet is then encapsulated using the
   (transport-specific) SR header and forwarded in the SR domain
   following normal SR operation.

   When a packet has to be forwarded to an SF attached to an SFF, the
   SFF performs a lookup on the prefix SID associated with the SF to
   retrieve the next-hop context between the SFF and SF, e.g., to
   retrieve the destination MAC address in case native Ethernet
   encapsulation is used between SFF and SF.  How the next-hop context
   is populated is out of the scope of this document.  The SFF strips
   the SR information from the packet, updates the SR information, and
   saves it in a cache indexed by the NSH SPI.  This saved SR
   information is used to encapsulate and forward the packet(s) coming
   back from the SF.

   When the SF receives the packet, it processes it as usual and sends
   it back to the SFF.  Once the SFF receives this packet, it extracts
   the SR information using the NSH SPI as the index into the cache.
   The SFF then pushes the SR header on top of the NSH header, and
   forwards the packet to the next segment in the segment list.

   Figure 4 illustrates an example of this scenario.
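   The SFF behaviour described in Section 2 (forwarding driven by a
   lookup on SPI and SI, with the SF decrementing SI) and in this
   section (SR information stripped, cached by SPI while the SF holds
   the packet, and pushed back on return), as an added Python example
   that is not code from the draft or from any implementation.  NSH is
   built with the RFC 8300 base and service path headers; the SR
   transport is modelled as the list of remaining segments with the
   active segment first, which fits an MPLS-SR label stack and an SRv6
   SRH alike.  Node names, SPI 100 and SI 255 are the draft's; the
   table entry kinds "sf"/"fwd", the transport tags and the inner
   payload are constructed for the example.

```python
# Added example (not code from the draft or any implementation): an SFF's
# NSH handling in the two scenarios of Sections 2 and 3.  NSH follows the
# RFC 8300 layout (base header, then 24-bit SPI and 8-bit SI); the SR
# transport is modelled as the list of remaining segments with the active
# one first, which fits an MPLS-SR label stack and an SRv6 SRH alike.
# Node names, SPI 100 and SI 255 are the draft's; the table entry kinds
# ("sf"/"fwd"), transport tags and inner payload are constructed here.
import struct

def nsh_encode(spi, si, inner, ttl=63, md_type=2, next_proto=1):
    """8-octet NSH with no context headers: Length=2 words, next_proto=1 (IPv4)."""
    if not (0 <= spi < 1 << 24 and 0 <= si < 256):
        raise ValueError("SPI is 24 bits, SI is 8 bits")
    word0 = (ttl << 22) | (2 << 16) | (md_type << 8) | next_proto   # Ver=0, O=0, U=0
    return struct.pack("!II", word0, (spi << 8) | si) + inner

def nsh_decode(pkt):
    word0, word1 = struct.unpack("!II", pkt[:8])
    length = (word0 >> 16) & 0x3F                  # in 4-octet words
    return {"ttl": (word0 >> 22) & 0x3F, "length": length,
            "md_type": (word0 >> 8) & 0xF, "next_proto": word0 & 0xFF,
            "spi": word1 >> 8, "si": word1 & 0xFF, "inner": pkt[length * 4:]}

def sf_apply(pkt):
    """An NSH-aware SF: applies its service (a no-op here) and decrements SI by 1."""
    si = nsh_decode(pkt)["si"]
    if si == 0:
        raise ValueError("SI already 0; RFC 8300 requires such packets to be dropped")
    return pkt[:7] + bytes([si - 1]) + pkt[8:]    # octet 7 is the Service Index

class NshSff:
    """Section 2: forwarding is a lookup on (SPI, SI).  The transport towards
    the next hop is whatever the table entry says; SR is just one option."""
    def __init__(self, name, table):
        self.name, self.table = name, table
    def process(self, pkt):
        """Apply locally attached SFs until the SFP points off-box; return
        (next hop, transport encapsulation, packet)."""
        while True:
            h = nsh_decode(pkt)
            entry = self.table.get((h["spi"], h["si"]))
            if entry is None:
                raise ValueError(f"{self.name}: no SFP entry for N({h['spi']},{h['si']})")
            kind, target, transport = entry
            if kind != "sf":
                return target, transport, pkt
            pkt = sf_apply(pkt)                    # SF hands the packet back with SI-1

def run_figures_1_to_3():
    """Flow F classified as N(100,255) in DC1; SF1 in DC1, SF2 in DC2."""
    nodes = {
        "SFF1":    NshSff("SFF1",    {(100, 255): ("sf", "SF1", None),
                                      (100, 254): ("fwd", "DC1-GW1", "NSH")}),
        "DC1-GW1": NshSff("DC1-GW1", {(100, 254): ("fwd", "DC2-GW1", "SR")}),
        "DC2-GW1": NshSff("DC2-GW1", {(100, 254): ("fwd", "SFF2", "NSH")}),
        "SFF2":    NshSff("SFF2",    {(100, 254): ("sf", "SF2", None),
                                      (100, 253): ("fwd", "exit", "IP")}),
    }
    pkt, node, trace = nsh_encode(100, 255, b"F:inner"), "SFF1", []
    while node != "exit":
        node, transport, pkt = nodes[node].process(pkt)
        trace.append((node, transport, nsh_decode(pkt)["si"]))
    return trace

class SrSff:
    """Section 3: SR steers between SFFs and each SF is a segment.  While the
    SR-unaware SF holds the packet, the SFF keeps the remaining SR
    information in a cache indexed by SPI and re-pushes it on return."""
    def __init__(self, sid, local_sfs):
        self.sid, self.local_sfs, self.cache = sid, local_sfs, {}
    def process(self, segments, pkt):
        segs = list(segments)
        while segs:
            if segs[0] == self.sid:                # our own node SID: consume it
                segs.pop(0)
                continue
            sf = self.local_sfs.get(segs[0])
            if sf is None:
                break                              # next segment is elsewhere: forward by SR
            spi = nsh_decode(pkt)["spi"]
            self.cache[spi] = segs[1:]             # strip SR info, step past the SF segment, cache by SPI
            pkt = sf(pkt)                          # the SF sees only NSH + inner packet
            spi_back = nsh_decode(pkt)["spi"]
            if spi_back not in self.cache:
                raise ValueError(f"{self.sid}: no cached SR information for SPI {spi_back}")
            segs = list(self.cache[spi_back])      # restore SR info and continue
        return segs, pkt

def run_figure4():
    """Segment list S(SF1), S(SFF2), S(SF2) with N(100,255) beneath it."""
    sff1 = SrSff("S(SFF1)", {"S(SF1)": sf_apply})
    sff2 = SrSff("S(SFF2)", {"S(SF2)": sf_apply})
    segs, pkt = ["S(SF1)", "S(SFF2)", "S(SF2)"], nsh_encode(100, 255, b"F:inner")
    segs, pkt = sff1.process(segs, pkt)            # steps (1)-(4) of Figure 4
    after_sff1 = (segs, nsh_decode(pkt)["si"])
    segs, pkt = sff2.process(segs, pkt)            # steps (5)-(7) of Figure 4
    return after_sff1, (segs, nsh_decode(pkt)["si"]), nsh_decode(pkt)["inner"]
```

   run_figures_1_to_3() returns the hop-by-hop trace of Figures 1 to 3
   and run_figure4() that of Figure 4.  The cache is keyed on SPI alone,
   as the text specifies, so every packet of a service path shares one
   entry; a packet that an SF returns with an SPI the SFF has never
   cached has no SR information to restore, and the example raises in
   that case rather than guess.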
            +-----+                              +-----+
            | SF1 |                              | SF2 |
            +--+--+                              +--+--+
               |                                    |
               |                                    |
   +-----------+ | +-----------+      +-----------+ | +-----------+
   |N(100,255) | | |F:Inner Pkt|      |N(100,254) | | |F:Inner Pkt|
   +-----------+ | +-----------+      +-----------+ | +-----------+
   |F:Inner Pkt| | |N(100,254) |      |F:Inner Pkt| | |N(100,253) |
   +-----------+ | +-----------+      +-----------+ | +-----------+
        (2)    ^ |     (3) |               (5)    ^ |     (6) |
               | |         |                      | |         |
               | |         v                      | |         v
   +------------+ (1)--> +-+----+ (4)-->        +---+--+ (7)-->IP
   |            | NSHoSR |      |     NSHoSR    |      |
   | Classifier +--------+ SFF1 +---------------+ SFF2 |
   |            |        |      |               |      |
   +------------+        +------+               +------+

          +------------+                 +------------+
          | S(SF1)     |                 | S(SF2)     |
          +------------+                 +------------+
          | S(SFF2)    |                 | N(100,254) |
          +------------+                 +------------+
          | S(SF2)     |                 | F:Inner Pkt|
          +------------+                 +------------+
          | N(100,255) |
          +------------+
          | F:Inner Pkt|
          +------------+

                     Figure 4: NSH over SR for SFC

   The benefits of this scheme include:

   o  It is economically sound for SF vendors to only support one
      unified SFC solution.  The SF is unaware of the SR.

   o  It simplifies the SFF (i.e., the SR router) by removing the need
      for re-classification and for an SR proxy.

   o  It provides a unique and standard way to pass metadata to SFs.
      Note that currently there is no solution for MPLS-SR to carry
      metadata and there is no solution to pass metadata to SR-unaware
      SFs.

   o  SR is also used for forwarding purposes, including between SFFs.

   o  It takes advantage of SR to eliminate the NSH forwarding state in
      SFFs.  This applies whether strict or loose SFPs are in use.

   o  It requires no interworking, as would be the case if MPLS-SR based
      SFC and NSH-based SFC were deployed as independent mechanisms in
      different parts of the network.

4.  Encapsulation Details

4.1.  NSH using MPLS-SR Transport

   MPLS-SR instantiates Segment IDs (SIDs) as MPLS labels and therefore
   the segment routing header is a stack of MPLS labels.

   When carrying NSH within an MPLS-SR transport, the full encapsulation
   headers are as illustrated in Figure 5.

                         +------------------+
                         ~  MPLS-SR Labels  ~
                         +------------------+
                         |   NSH Base Hdr   |
                         +------------------+
                         | Service Path Hdr |
                         +------------------+
                         ~     Metadata     ~
                         +------------------+

                Figure 5: NSH using MPLS-SR Transport

   As described in [I-D.ietf-spring-segment-routing], the IGP signaling
   extension for the IGP-Prefix segment includes a flag to indicate
   whether directly connected neighbors of the node to which the prefix
   is attached should perform the NEXT operation or the CONTINUE
   operation when processing the SID.  When NSH is carried beneath
   MPLS-SR it is necessary to terminate the NSH-based SFC at the
   tail-end node of the MPLS-SR label stack.  This is the equivalent of
   MPLS Ultimate Hop Popping (UHP), and therefore the prefix-SID
   associated with the tail-end of the SFC MUST be advertised with the
   CONTINUE operation so that the penultimate hop node does not pop the
   top label of the MPLS-SR label stack and thereby expose NSH to the
   wrong SFF.  It is RECOMMENDED that a specific prefix-SID be allocated
   at each node for use by the SFC application for this purpose.

   At the end of the MPLS-SR path it is necessary to provide an
   indication to the tail-end that NSH follows the MPLS-SR label stack.
   There are several ways to achieve this but its specification is
   outside the scope of this document.

4.2.  NSH using SRv6 Transport

   When carrying NSH within an SRv6 transport the full encapsulation is
   as illustrated in Figure 6.
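   The SRH-plus-NSH stack that Figure 6 lays out, as an added Python
   example that is not code from the draft: it packs and parses the SRH
   fields shown in the figure (Next Header, Hdr Ext Len, Routing Type,
   Segments Left, Last Entry, Flags, Tag and the reversed segment list)
   and then locates the NSH behind the SRH in the two ways this section
   describes, directly by an IP protocol number or inside UDP.  The
   protocol number and UDP port are still TBA in this draft, so the
   values PROTO_NSH and UDP_PORT_NSH are placeholders chosen for the
   example, and the IPv6 segment addresses are constructed sample data.

```python
# Added example, not code from the draft: the Figure 6 stack (SRH, then NSH)
# below the outer IPv6 header.  SRH field layout follows the SRH draft cited
# by this document; NSH follows RFC 8300.  This draft leaves the NSH protocol
# number and UDP port as TBA, so PROTO_NSH and UDP_PORT_NSH are placeholders
# chosen for the example only, and the addresses are constructed sample data.
import ipaddress
import struct
import zlib

PROTO_UDP = 17
PROTO_NSH = 143          # placeholder for TBA3, not an IANA assignment
UDP_PORT_NSH = 6633      # placeholder for TBA1, not an IANA assignment
SRH_ROUTING_TYPE = 4     # Routing Type value of the Segment Routing Header

def srh_encode(next_header, segments_fwd, segments_left):
    """SRH without TLVs.  segments_fwd is in forwarding order; on the wire
    Segment List[0] is the last segment, so the list is written reversed.
    Hdr Ext Len counts 8-octet units after the first 8 octets: 2 per segment."""
    n = len(segments_fwd)
    if not 0 <= segments_left < n:
        raise ValueError("Segments Left must index a segment")
    hdr = struct.pack("!BBBBBBH", next_header, 2 * n, SRH_ROUTING_TYPE,
                      segments_left, n - 1, 0, 0)    # Last Entry, Flags, Tag
    return hdr + b"".join(ipaddress.IPv6Address(s).packed for s in reversed(segments_fwd))

def srh_decode(buf):
    """Parse an SRH; returns (fields, bytes following the SRH)."""
    nh, ext_len, rtype, left, last, flags, tag = struct.unpack("!BBBBBBH", buf[:8])
    if rtype != SRH_ROUTING_TYPE:
        raise ValueError("Routing Type is not SRH")
    total = 8 + 8 * ext_len
    if len(buf) < total or 8 + 16 * (last + 1) > total or left > last:
        raise ValueError("inconsistent Hdr Ext Len / Last Entry / Segments Left")
    wire = [str(ipaddress.IPv6Address(buf[8 + 16 * i:24 + 16 * i])) for i in range(last + 1)]
    return ({"next_header": nh, "segments_left": left, "active": wire[left],
             "segments_fwd": wire[::-1], "tlvs": buf[8 + 16 * (last + 1):total]},
            buf[total:])

def encap_nsh_over_srv6(segments_fwd, nsh, via_udp, inner_flow=b""):
    """SRH + NSH, or SRH + UDP + NSH.  Segments Left starts at n-1 (first
    segment active).  For UDP the source port carries flow entropy from the
    ephemeral range, as RFC 8086 does for GRE-in-UDP; the checksum is left
    at zero here, which RFC 8086 only permits under its stated conditions."""
    if via_udp:
        sport = 49152 + zlib.crc32(inner_flow) % 16384
        udp = struct.pack("!HHHH", sport, UDP_PORT_NSH, 8 + len(nsh), 0) + nsh
        return srh_encode(PROTO_UDP, segments_fwd, len(segments_fwd) - 1) + udp
    return srh_encode(PROTO_NSH, segments_fwd, len(segments_fwd) - 1) + nsh

def nsh_after_srh(rest, next_header):
    """Find the NSH that follows the SRH and return its SPI/SI and MD Type."""
    if next_header == PROTO_NSH:
        nsh = rest
    elif next_header == PROTO_UDP:
        _sport, dport, ulen, _csum = struct.unpack("!HHHH", rest[:8])
        if dport != UDP_PORT_NSH:
            raise ValueError("UDP destination port is not the NSH port")
        nsh = rest[8:ulen]
    else:
        raise ValueError("SRH Next Header does not announce NSH")
    word0, word1 = struct.unpack("!II", nsh[:8])
    return {"spi": word1 >> 8, "si": word1 & 0xFF, "md_type": (word0 >> 8) & 0xF,
            "next_proto": word0 & 0xFF}

def demo():
    """Two-segment path as in Figure 2 with N(100,254) behind it, both variants."""
    nsh = struct.pack("!II", (63 << 22) | (2 << 16) | (2 << 8) | 1, (100 << 8) | 254) + b"F:inner"
    segs = ["2001:db8::1", "2001:db8::2"]       # constructed SIDs, e.g. S(DC2-GW1), S(SFF2)
    out = {}
    for via_udp in (False, True):
        srh, rest = srh_decode(encap_nsh_over_srv6(segs, nsh, via_udp, b"flow F"))
        parsed = nsh_after_srh(rest, srh["next_header"])
        out[via_udp] = (srh["active"], parsed["spi"], parsed["si"])
    return out
```

   demo() returns, for each variant, the active segment found at
   Segment List[Segments Left] and the SPI/SI recovered behind the SRH.
   srh_decode refuses an SRH whose Last Entry or Segments Left exceeds
   what Hdr Ext Len allows, which is the check a receiver needs before
   indexing the segment list.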
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Next Header  |  Hdr Ext Len  | Routing Type  | Segments Left |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Last Entry   |     Flags     |              Tag              | S
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ e
   |                                                               | g
   |            Segment List[0] (128 bits IPv6 address)            | m
   |                                                               | e
   |                                                               | n
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ t
   |                                                               |
   |                                                               | R
   ~                              ...                              ~ o
   |                                                               | u
   |                                                               | t
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ i
   |                                                               | n
   |            Segment List[n] (128 bits IPv6 address)            | g
   |                                                               |
   |                                                               | S
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ R
   //                                                             // H
   //         Optional Type Length Value objects (variable)       //
   //                                                             //
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Ver|O|U|    TTL    | Length  |U|U|U|U|MD Type| Next Protocol |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ N
   |          Service Path Identifier              | Service Index | S
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ H
   |                                                               |
   ~             Variable-Length Context Headers  (opt.)           ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 6: NSH using SRv6 Transport

   Encapsulation of NSH following SRv6 may be indicated either by
   encapsulating NSH in UDP (UDP port TBA1) and indicating UDP in the
   Next Header field of the SRH, or by indicating an IP protocol number
   for NSH in the Next Header of the SRH.  The behavior for
   encapsulating NSH over UDP, including the selection of the source
   port number in particular, adheres to similar considerations as those
   discussed in [RFC8086].

5.  Security Considerations

   Generic SFC-related security considerations are discussed in
   [RFC7665].
   NSH-specific security considerations are discussed in [RFC8300].
   NSH-in-UDP with DTLS [RFC6347] should follow the considerations
   discussed in Section 5 of [RFC8086], with the destination port number
   set to TBA2.

6.  IANA Considerations

6.1.  UDP Port Number for NSH

   IANA is requested to assign the UDP port numbers TBA1 and TBA2 to the
   NSH from the "Service Name and Transport Protocol Port Number
   Registry" available at
   https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml:

      Service Name: NSH-in-UDP
      Transport Protocol(s): UDP
      Assignee: IESG iesg@ietf.org
      Contact: IETF Chair chair@ietf.org
      Description: NSH-in-UDP Encapsulation
      Reference: [ThisDocument]
      Port Number: TBA1
      Service Code: N/A
      Known Unauthorized Uses: N/A
      Assignment Notes: N/A

      Service Name: NSH-UDP-DTLS
      Transport Protocol(s): UDP
      Assignee: IESG iesg@ietf.org
      Contact: IETF Chair chair@ietf.org
      Description: NSH-in-UDP with DTLS Encapsulation
      Reference: [ThisDocument]
      Port Number: TBA2
      Service Code: N/A
      Known Unauthorized Uses: N/A
      Assignment Notes: N/A

6.2.  Protocol Number for NSH

   IANA is requested to assign a protocol number TBA3 for the NSH from
   the "Assigned Internet Protocol Numbers" registry available at
   https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

   +---------+---------+--------------+---------------+----------------+
   | Decimal | Keyword | Protocol     | IPv6          | Reference      |
   |         |         |              | Extension     |                |
   |         |         |              | Header        |                |
   +---------+---------+--------------+---------------+----------------+
   | TBA3    | NSH     | Network      | N             | [ThisDocument] |
   |         |         | Service      |               |                |
   |         |         | Header       |               |                |
   +---------+---------+--------------+---------------+----------------+

7.  Acknowledgments

   TBD.

8.  References

8.1.  Normative References

   [I-D.ietf-spring-segment-routing]
              Filsfils, C., Previdi, S., Ginsberg, L., Decraene, B.,
              Litkowski, S., and R. Shakir, "Segment Routing
              Architecture", draft-ietf-spring-segment-routing-15 (work
              in progress), January 2018.

   [I-D.ietf-spring-segment-routing-mpls]
              Bashandy, A., Filsfils, C., Previdi, S., Decraene, B.,
              Litkowski, S., and R. Shakir, "Segment Routing with MPLS
              data plane", draft-ietf-spring-segment-routing-mpls-12
              (work in progress), February 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7665]  Halpern, J., Ed. and C. Pignataro, Ed., "Service Function
              Chaining (SFC) Architecture", RFC 7665,
              DOI 10.17487/RFC7665, October 2015,
              <https://www.rfc-editor.org/info/rfc7665>.

   [RFC8086]  Yong, L., Ed., Crabbe, E., Xu, X., and T. Herbert, "GRE-
              in-UDP Encapsulation", RFC 8086, DOI 10.17487/RFC8086,
              March 2017, <https://www.rfc-editor.org/info/rfc8086>.

   [RFC8300]  Quinn, P., Ed., Elzur, U., Ed., and C. Pignataro, Ed.,
              "Network Service Header (NSH)", RFC 8300,
              DOI 10.17487/RFC8300, January 2018,
              <https://www.rfc-editor.org/info/rfc8300>.

8.2.  Informative References

   [I-D.ietf-6man-segment-routing-header]
              Previdi, S., Filsfils, C., Raza, K., Dukes, D., Leddy, J.,
              Field, B., daniel.voyer@bell.ca, d.,
              daniel.bernier@bell.ca, d., Matsushima, S., Leung, I.,
              Linkova, J., Aries, E., Kosugi, T., Vyncke, E., Lebrun,
              D., Steinberg, D., and R. Raszuk, "IPv6 Segment Routing
              Header (SRH)", draft-ietf-6man-segment-routing-header-09
              (work in progress), March 2018.

   [I-D.xu-clad-spring-sr-service-chaining]
              Clad, F., Xu, X., Filsfils, C., daniel.bernier@bell.ca,
              d., Decraene, B., Yadlapalli, C., Henderickx, W., Salsano,
              S., and S. Ma, "Segment Routing for Service Chaining",
              draft-xu-clad-spring-sr-service-chaining-00 (work in
              progress), December 2017.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012, <https://www.rfc-editor.org/info/rfc6347>.

   [RFC7498]  Quinn, P., Ed. and T. Nadeau, Ed., "Problem Statement for
              Service Function Chaining", RFC 7498,
              DOI 10.17487/RFC7498, April 2015,
              <https://www.rfc-editor.org/info/rfc7498>.

Authors' Addresses

   James N Guichard (editor)
   Futurewei Technologies
   2330 Central Express Way
   Santa Clara
   USA

   Email: james.n.guichard@futurewei.com


   Haoyu Song
   Futurewei Technologies
   2330 Central Express Way
   Santa Clara
   USA

   Email: haoyu.song@futurewei.com


   Jeff Tantsura
   Apstra inc.
   USA

   Email: jefftant.ietf@gmail.com


   Joel Halpern
   Ericsson
   USA

   Email: joel.halpern@ericsson.com


   Wim Henderickx
   Nokia
   USA

   Email: wim.henderickx@nokia.com


   Mohamed Boucadair
   Orange
   USA

   Email: mohamed.boucadair@orange.com


   Syed Hassan
   Cisco Systems
   USA

   Email: shassan@cisco.com