SPRING                                                  J. Guichard, Ed.
Internet-Draft                                                   H. Song
Intended status: Standards Track                  Futurewei Technologies
Expires: April 6, 2020                                       J. Tantsura
                                                             Apstra inc.
                                                              J. Halpern
                                                                Ericsson
                                                           W. Henderickx
                                                                   Nokia
                                                            M. Boucadair
                                                                  Orange
                                                               S. Hassan
                                                           Cisco Systems
                                                         October 4, 2019


   Network Service Header (NSH) and Segment Routing Integration for
                    Service Function Chaining (SFC)
                       draft-ietf-spring-nsh-sr-01

Abstract

   This document describes two application scenarios where Network
   Service Header (NSH) and Segment Routing (SR) techniques can be
   deployed together to support Service Function Chaining (SFC) in an
   efficient manner while maintaining separation of the service and
   transport planes as originally intended by the SFC architecture.

   In the first scenario, an NSH-based SFC is created using SR as the
   transport between Service Function Forwarders (SFFs).  SR in this
   case is just one of many encapsulations that could be used to
   maintain the transport-independent nature of NSH-based service
   chains.

   In the second scenario, SR is used to represent each service hop of
   the NSH-based SFC as a segment within the segment-list.  SR and NSH
   in this case are integrated.

   In both scenarios SR is responsible for steering packets between SFFs
   along a given Service Function Path (SFP) while NSH is responsible
   for maintaining the integrity of the service plane, the SFC instance
   context, and any associated metadata.

   These application scenarios demonstrate that NSH and SR can work
   jointly and complement each other, leaving the network operator with
   the flexibility to use whichever transport technology makes sense in
   specific areas of their network infrastructure while still
   maintaining an end-to-end service plane using NSH.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 6, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  SFC Overview and Rationale
     1.2.  Requirements Language
     1.3.  SFC within SR Networks
   2.  NSH-based SFC with SR-based Transport Tunnel
   3.  SR-based SFC with Integrated NSH Service Plane
   4.  Encapsulation Details
     4.1.  NSH using MPLS-SR Transport
     4.2.  NSH using SRv6 Transport
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  UDP Port Number for NSH
     6.2.  Protocol Number for NSH
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

1.1.  SFC Overview and Rationale

   The dynamic enforcement of a service-derived, adequate forwarding
   policy for packets entering a network that supports advanced Service
   Functions (SFs) has become a key challenge for network operators.
   In particular, cascading SFs, for example at the Gi interface in the
   context of mobile network infrastructure, have shown their limits:
   the same redundant classification features must be supported by
   many SFs in order to execute their function; some SFs receive
   traffic that they are not supposed to process (e.g., TCP proxies
   receiving UDP traffic), which inevitably affects their dimensioning
   and performance; and the properly ordered invocation of several SFs
   increases design complexity.

   In order to solve those problems, and to avoid tying service
   delivery to the underlying physical network topology while allowing
   for simplified service delivery, Service Function Chaining (SFC)
   techniques have been introduced.

   SFC techniques are meant to rationalize the service delivery logic
   and master the companion complexity while optimizing service
   activation time cycles for operators that need more agile service
   delivery procedures to better accommodate ever-demanding customer
   requirements.  Indeed, SFC allows service planes to be created
   dynamically for use by specific traffic flows.  Each service plane
   is realized by invoking and chaining the relevant service functions
   in the right sequence.  [RFC7498] provides an overview of the SFC
   problem space and [RFC7665] specifies an SFC architecture.  The SFC
   architecture has the merit of not making assumptions on how advanced
   features (e.g., load-balancing, loose or strict service paths) are
   to be enabled within a domain.  Various deployment options are made
   available to operators with the SFC architecture, and this approach
   is fundamental to accommodating varied and heterogeneous deployment
   contexts.

   Many approaches can be considered for encoding the information
   required for SFC purposes (e.g., communicate a service chain pointer,
   encode a list of loose/explicit paths, disseminate a service chain
   identifier together with a set of context information, etc.).
   Likewise, many approaches can also be considered for the channel to
   be used to carry SFC-specific information (e.g., define a new header,
   re-use existing fields, define an IPv6 extension header, etc.).
   Among all these approaches, the IETF endorsed a transport-independent
   SFC encapsulation scheme, NSH [RFC8300], which is the most mature SFC
   encapsulation solution.  This design is pragmatic as it does not
   require the same specification effort to be replicated for each
   underlying transport encapsulation.  Moreover, this design approach
   encourages consistent SFC-based service delivery in networks that
   use distinct transport protocols in different segments of the
   network, or even between SFF-SFF hops versus SFF-SF hops.

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   RFC2119 [RFC2119] when, and only when, they appear in all capitals,
   as shown here.

1.3.  SFC within SR Networks

   As described in [RFC8402], Segment Routing (SR) leverages the source
   routing technique.  Concretely, a node steers a packet through an SR
   policy instantiated as an ordered list of instructions called
   segments.  While initially designed for policy-based source routing,
   SR also finds its application in supporting SFC
   [I-D.xuclad-spring-sr-service-programming].  The two SR flavors,
   namely MPLS-SR [I-D.ietf-spring-segment-routing-mpls] and SRv6
   [I-D.ietf-6man-segment-routing-header], can both encode a Service
   Function (SF) as a segment so that an SFC can be specified as a
   segment list.  Nevertheless, and as discussed in [RFC7498], traffic
   steering is only a subset of the issues that motivated the design of
   the SFC architecture.  Further considerations such as simplifying
   classification at intermediate SFs and allowing for coordinated
   behaviors among SFs by means of supplying context information should
   be taken into account when designing an SFC data plane solution.

   While each scheme (i.e., NSH-based SFC and SR-based SFC) can work
   independently, this document describes how the two can be used
   together in concert and complement each other through two
   representative application scenarios.  Both application scenarios may
   be supported using either MPLS-SR or SRv6:

   o  NSH-based SFC with SR-based transport plane: in this scenario
      segment routing provides the transport encapsulation between SFFs
      while NSH is used to convey and trigger SFC policies.

   o  SR-based SFC with integrated NSH service plane: in this scenario
      each service hop of the SFC is represented as a segment of the SR
      segment-list.  SR is responsible for steering traffic through the
      necessary SFFs as part of the segment routing path and NSH is
      responsible for maintaining the service plane, and holding the SFC
      instance context and associated metadata.

   It is of course possible to combine both of these two scenarios so as
   to support specific deployment requirements and use cases.

   A classifier SHOULD assign an NSH Service Path Identifier (SPI) per
   SR policy so that different traffic flows that use the same NSH
   Service Function Path (SFP) but different SR policy can coexist on
   the same SFP without conflict during SFF processing.

2.  NSH-based SFC with SR-based Transport Tunnel

   Because of the transport-independent nature of NSH-based service
   chains, it is expected that the NSH has broad applicability across
   different domains of a network.  By way of illustration, the various
   SFs involved in a service chain may be located in a single data
   center or spread throughout multiple locations (e.g., data centers,
   different POPs), depending upon the operator preference and/or
   availability of service resources.  Regardless of where the service
   resources are deployed, it is necessary to provide traffic steering
   through a set of SFFs, and NSH-based service chains provide the
   flexibility for the network operator to choose which particular
   transport encapsulation to use between SFFs, which may differ
   depending upon which area of the network the SFFs/SFs are currently
   deployed in.  Therefore, from an SFC architecture perspective,
   segment routing is simply one of multiple available transport
   encapsulations that can be used for traffic steering between SFFs.
   Concretely, NSH does not require a single transport encapsulation to
   be used along a service chain.  NSH-based service forwarding relies
   upon underlying service node capabilities.

   The following three figures provide an example of an SFC established
   for flow F that has SF instances located in different data centers,
   DC1 and DC2.  For the purpose of illustration, let the SFC's Service
   Path Identifier (SPI) be 100 and the initial Service Index (SI) be
   255.
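   The per-hop processing that the three figures walk through, as an
   added Python example that is not part of the draft: it encodes and
   decodes the NSH Base Header and Service Path Header with the field
   layout RFC 8300 defines (the same layout shown in Figure 6 below),
   then replays the chain as the (SPI, SI) lookup each SFF performs.
   The node names follow the figures; the forwarding tables, the
   Next Protocol value for IPv4 and the inner packet are constructed
   for the example, and the lookup-miss drop is RFC 8300 SFF behaviour
   rather than anything the draft itself specifies.

```python
"""Added example, not part of the draft: encode and decode the NSH Base
Header and Service Path Header (RFC 8300 layout, as drawn in Figure 6),
then replay the inter-DC walk-through of Figures 1 to 3 as a per-node
lookup on (SPI, SI)."""
import struct

NSH_VERSION = 0
NSH_DEFAULT_TTL = 63     # RFC 8300 default TTL value
NP_IPV4 = 0x1            # RFC 8300 Next Protocol value for an IPv4 inner packet
MD_TYPE_2 = 0x2          # MD Type 2: optional variable-length context headers


def nsh_encode(spi, si, next_proto=NP_IPV4, ttl=NSH_DEFAULT_TTL, context=b""):
    """Return an MD Type 2 NSH header: 4-byte Base Header, 4-byte Service
    Path Header, then any context headers (which must be 4-byte aligned)."""
    if not 0 <= spi < (1 << 24) or not 0 <= si < 256:
        raise ValueError("SPI is a 24-bit field and SI an 8-bit field")
    if len(context) % 4:
        raise ValueError("context headers must be a multiple of 4 bytes")
    length = (8 + len(context)) // 4                  # Length is in 4-byte words
    base = (NSH_VERSION << 30) | (ttl << 22) | (length << 16) \
        | (MD_TYPE_2 << 8) | next_proto               # O, U and unassigned bits are 0
    return struct.pack("!II", base, (spi << 8) | si) + context


def nsh_decode(pkt):
    """Parse the NSH at the front of pkt into its fields plus the inner packet."""
    if len(pkt) < 8:
        raise ValueError("truncated NSH header")
    base, path = struct.unpack("!II", pkt[:8])
    hdr_len = ((base >> 16) & 0x3F) * 4
    if (base >> 30) != NSH_VERSION or hdr_len < 8 or len(pkt) < hdr_len:
        raise ValueError("unsupported NSH version or bad Length")
    return {"ttl": (base >> 22) & 0x3F, "md_type": (base >> 8) & 0xF,
            "next_proto": base & 0xFF, "spi": path >> 8, "si": path & 0xFF,
            "context": pkt[8:hdr_len], "inner": pkt[hdr_len:]}


# Constructed forwarding state for the chain of Figures 1 to 3 (SPI 100,
# initial SI 255).  Each SFF maps (SPI, SI) to a next hop: an attached SF,
# another SFF reached over whatever transport carries NSH, an SR segment
# list across the inter-DC network, or native IP forwarding at the end.
SFF_TABLES = {
    "SFF1":    {(100, 255): ("sf", "SF1"), (100, 254): ("nsh", "DC1-GW1")},
    "DC1-GW1": {(100, 254): ("sr", "DC2-GW1")},
    "DC2-GW1": {(100, 254): ("nsh", "SFF2")},
    "SFF2":    {(100, 254): ("sf", "SF2"), (100, 253): ("ip", None)},
}


def sff_next_hop(node, pkt):
    """SFF lookup on the (SPI, SI) carried in the NSH; None means no SFP entry
    exists for that pair and the SFF drops the packet (RFC 8300 behaviour)."""
    h = nsh_decode(pkt)
    return SFF_TABLES[node].get((h["spi"], h["si"]))


def sf_process(pkt):
    """An NSH-aware SF applies its function and decrements SI by 1; an SI
    that is already 0 is dropped here rather than wrapped around."""
    h = nsh_decode(pkt)
    if h["si"] == 0:
        raise ValueError("SI exhausted")
    return nsh_encode(h["spi"], h["si"] - 1, h["next_proto"], h["ttl"],
                      h["context"]) + h["inner"]


def walk_chain(pkt, first_sff="SFF1"):
    """Replay steps (1) to (9): returns the hops taken and the final SI."""
    node, hops = first_sff, []
    while True:
        hop = sff_next_hop(node, pkt)
        if hop is None:
            raise LookupError(f"{node}: no SFP entry, packet dropped")
        kind, target = hop
        hops.append((node, kind, target))
        if kind == "ip":                     # SFP complete; inner packet goes native
            return hops, nsh_decode(pkt)["si"]
        if kind == "sf":                     # SF returns the packet with SI - 1
            pkt = sf_process(pkt)
        else:                                # NSH or SR transport hop to the next SFF
            node = target


if __name__ == "__main__":
    flow_f = nsh_encode(100, 255) + b"constructed inner packet"
    for hop in walk_chain(flow_f)[0]:
        print(hop)
```

   Only the SFs change the Service Index; the SFFs and gateways key
   their decisions on the (SPI, SI) pair and never modify it, which is
   what lets DC1-GW1 push an SR segment list and DC2-GW1 pop it without
   either touching the service plane.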
   Referring to Figure 1, packets of flow F in DC1 are classified into
   an NSH-based SFC and encapsulated after classification as and
   forwarded to SFF1 (which is the first SFF hop for this service
   chain).

   After removing the outer transport encapsulation, which may or may
   not be MPLS-SR or SRv6, SFF1 uses the SPI and SI carried within the
   NSH encapsulation to determine that it should forward the packet to
   SF1.

   SF1 applies its service, decrements the SI by 1, and returns the
   packet to SFF1.  SFF1 therefore has when the packet comes back from
   SF1.  SFF1 does a lookup on which results in and forwards the packet
   to DC1-GW1.

   +--------------------------- DC1 ----------------------------+
   |                          +-----+                           |
   |                          | SF1 |                           |
   |                          +--+--+                           |
   |                             |                              |
   |                             |                              |
   |           +------------+    |    +------------+            |
   |           | N(100,255) |    |    | F:Inner Pkt|            |
   |           +------------+    |    +------------+            |
   |           | F:Inner Pkt|  ^ |  | | N(100,254) |            |
   |           +------------+  | |  | +------------+            |
   |              (2)          | |  |    (3)                    |
   |                           | |  v                           |
   |           (1)               |            (4)               |
   |+------------+ ---->      +--+---+  ---->   +---------+     |
   ||            |  NSH       |      |   NSH    |         |     |
   || Classifier +------------+ SFF1 +----------+ DC1-GW1 +     |
   ||            |            |      |          |         |     |
   |+------------+            +------+          +---------+     |
   |                                                            |
   |  +------------+                         +------------+     |
   |  | N(100,255) |                         | N(100,254) |     |
   |  +------------+                         +------------+     |
   |  | F:Inner Pkt|                         | F:Inner Pkt|     |
   |  +------------+                         +------------+     |
   |                                                            |
   +------------------------------------------------------------+

                  Figure 1: SR for inter-DC SFC - Part 1

   Referring now to Figure 2, DC1-GW1 performs a lookup on the
   information conveyed in the NSH which results in .  The SR
   encapsulation has the SR segment-list to forward the packet across
   the inter-DC network to DC2.

                        +----------- Inter DC ----------------+
                        |               (5)                   |
      +------+ ---->    | +---------+ ---->     +---------+   |
      |      |  NSH     | |         |   SR      |         |   |
      + SFF1 +----------|-+ DC1-GW1 +-----------+ DC2-GW1 +   |
      |      |          | |         |           |         |   |
      +------+          | +---------+           +---------+   |
                        |                                     |
                        |            +------------+           |
                        |            | S(DC2-GW1) |           |
                        |            +------------+           |
                        |            | N(100,254) |           |
                        |            +------------+           |
                        |            | F:Inner Pkt|           |
                        |            +------------+           |
                        +-------------------------------------+

                  Figure 2: SR for inter-DC SFC - Part 2

   When the packet arrives at DC2, as shown in Figure 3, the SR
   encapsulation is removed and DC2-GW1 performs a lookup on the NSH
   which results in next-hop: SFF2.  The outer transport encapsulation
   may be any transport that is able to identify NSH as the next
   protocol.

   +------------------------ DC2 ----------------------+
   |                   +-----+                         |
   |                   | SF2 |                         |
   |                   +--+--+                         |
   |                      |                            |
   |                      |                            |
   |    +------------+    |    +------------+          |
   |    | N(100,254) |    |    | F:Inner Pkt|          |
   |    +------------+    |    +------------+          |
   |    | F:Inner Pkt|  ^ |  | | N(100,253) |          |
   |    +------------+  | |  | +------------+          |
   |       (7)          | |  |    (8)                  |
   |                    | |  v                         |
   |      (6)             |          (9)               |
   |+----------+ ----> +--+---+  ---->                 |
   ||          |  NSH  |      |   IP                   |
   || DC2-GW1  +-------+ SFF2 |                        |
   ||          |       |      |                        |
   |+----------+       +------+                        |
   |                                                   |
   |   +------------+             +------------+       |
   |   | N(100,254) |             | F:Inner Pkt|       |
   |   +------------+             +------------+       |
   |   | F:Inner Pkt|                                  |
   |   +------------+                                  |
   |                                                   |
   +---------------------------------------------------+

                  Figure 3: SR for inter-DC SFC - Part 3

   The benefits of this scheme are listed hereafter:

   o  The network operator is able to take advantage of the transport-
      independent nature of the NSH encapsulation.

   o  The network operator is able to take advantage of the traffic
      steering capability of SR where appropriate.

   o  Lightweight NSH is used in the data center for SFC and avoids
      more complex hierarchical SFC schemes between data centers.

   o  Clear responsibility division and scope between NSH and SR.

   Note that this scenario is applicable to any case where multiple
   segments of a service chain are distributed into multiple domains or
   where traffic-engineered paths are necessary between SFFs (strict
   forwarding paths for example).  Further note that the above example
   can also be implemented using end-to-end segment routing between SFF1
   and SFF2.  (In that case DC1-GW1 and DC2-GW1 forward the packets
   based on segment routing instructions and do not look at the NSH
   header for forwarding.)

3.  SR-based SFC with Integrated NSH Service Plane

   In this scenario we assume that the SFs are NSH-aware and therefore
   it should not be necessary to implement an SFC proxy to achieve
   Service Function Chaining.  The operation relies upon SR to perform
   SFF-SFF transport and NSH to provide the service plane between SFs,
   thereby maintaining SFC context and metadata.

   When a service chain is established, a packet associated with that
   chain will first encapsulate an NSH that will be used to maintain the
   end-to-end service plane through use of the SFC context.  The SFC
   context (e.g., the service plane path referenced by the SPI) is used
   by an SFF to determine the SR segment list for forwarding the packet
   to the next-hop SFFs.  The packet is then encapsulated using the
   (transport-specific) SR header and forwarded in the SR domain
   following normal SR operation.

   When a packet has to be forwarded to an SF attached to an SFF, the
   SFF performs a lookup on the prefix SID associated with the SF to
   retrieve the next-hop context between the SFF and SF, e.g., to
   retrieve the destination MAC address when native Ethernet
   encapsulation is used between SFF and SF.
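   The SFF-side behaviour of this scenario, which the remainder of the
   section describes in prose (SR information stripped before the
   packet goes to the SF, cached under the NSH SPI, and restored when
   the SF hands the packet back), as an added Python model that is not
   part of the draft.  SR information is represented as a list of SID
   names rather than real MPLS labels or an SRH; the node names, SIDs
   and MAC addresses are constructed for the example, and the
   consistency check on the cache is the author's illustration of why
   the classifier is told to assign one SPI per SR policy.

```python
"""Added example, not part of the draft: a toy model of the SFF behaviour
in the SR-based SFC with integrated NSH service plane (Figure 4).  SR
information is modelled as a list of SID names, next segment first, rather
than as MPLS labels or an SRH; node names, SIDs and MAC addresses are
constructed for the example."""
from dataclasses import dataclass


@dataclass
class Packet:
    sids: list        # remaining SR segment list, next segment first
    spi: int          # NSH Service Path Identifier
    si: int           # NSH Service Index
    payload: bytes


class SFF:
    """An SR router acting as SFF.  own_sid is the node's prefix SID;
    local_sfs maps the prefix SID of each attached SF to the next-hop
    context used to reach it (here a constructed MAC address)."""

    def __init__(self, name, own_sid, local_sfs):
        self.name, self.own_sid, self.local_sfs = name, own_sid, local_sfs
        self.sr_cache = {}    # NSH SPI -> SR information to restore after the SF
        self.log = []

    def receive_from_sr(self, pkt):
        """Packet arrives over SR; hand it to the attached SF without SR info."""
        if pkt.sids and pkt.sids[0] == self.own_sid:
            pkt.sids.pop(0)                  # our own node SID is consumed on arrival
        sf_sid = pkt.sids[0]
        mac = self.local_sfs.get(sf_sid)
        if mac is None:
            raise ValueError(f"{self.name}: {sf_sid} is not an SF attached here")
        remaining = pkt.sids[1:]             # SR info updated: SF segment done
        cached = self.sr_cache.get(pkt.spi)
        if cached is not None and cached != remaining:
            # The cache is keyed on SPI alone, which only works when one SPI
            # maps to one SR policy, as the draft says the classifier SHOULD ensure.
            raise ValueError(f"{self.name}: SPI {pkt.spi} seen with two SR policies")
        self.sr_cache[pkt.spi] = remaining
        pkt.sids = []                        # SR information stripped for the SF
        self.log.append(f"{self.name}: NSH packet to {sf_sid} via {mac}")
        return pkt

    def receive_from_sf(self, pkt):
        """The SF returns the packet (SI already decremented); restore SR info
        from the cache, indexed by SPI, and forward to the next segment."""
        if pkt.spi not in self.sr_cache:
            raise ValueError(f"{self.name}: no cached SR information for SPI {pkt.spi}")
        pkt.sids = list(self.sr_cache[pkt.spi])
        nxt = pkt.sids[0] if pkt.sids else "IP"
        self.log.append(f"{self.name}: SR forward to {nxt}")
        return pkt


def sf_apply(pkt):
    """An NSH-aware SF: never sees SR, applies its function, decrements SI."""
    if pkt.sids:
        raise ValueError("SF must not receive SR information")
    pkt.si -= 1
    return pkt


def run_figure4():
    """Replay steps (1) to (7) of Figure 4; returns the final packet and a
    combined log of what each SFF did."""
    sff1 = SFF("SFF1", "S(SFF1)", {"S(SF1)": "02:00:00:00:00:01"})
    sff2 = SFF("SFF2", "S(SFF2)", {"S(SF2)": "02:00:00:00:00:02"})
    pkt = Packet(["S(SF1)", "S(SFF2)", "S(SF2)"], 100, 255, b"inner")  # (1)
    pkt = sff1.receive_from_sf(sf_apply(sff1.receive_from_sr(pkt)))     # (2)-(4)
    pkt = sff2.receive_from_sf(sf_apply(sff2.receive_from_sr(pkt)))     # (5)-(7)
    return pkt, sff1.log + sff2.log


if __name__ == "__main__":
    final, log = run_figure4()
    print("\n".join(log), "\nfinal SI:", final.si)
```

   Keying the cache on the SPI alone means every packet of the same
   SFP must carry the same remaining SR information when it reaches a
   given SFF; the model refuses a packet that would overwrite the cache
   with a different segment list, which is exactly the situation the
   one-SPI-per-SR-policy rule is meant to rule out.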
   How the next-hop context is populated is out of the scope of this
   document.  The SFF strips the SR information of the packet, updates
   the SR information, and saves it to a cache indexed by the NSH SPI.
   This saved SR information is used to encapsulate and forward the
   packet(s) coming back from the SF.

   When the SF receives the packet, it processes it as usual and sends
   it back to the SFF.  Once the SFF receives this packet, it extracts
   the SR information using the NSH SPI as the index into the cache.
   The SFF then pushes the SR header on top of the NSH header, and
   forwards the packet to the next segment in the segment list.

   Figure 4 illustrates an example of this scenario.

                          +-----+                        +-----+
                          | SF1 |                        | SF2 |
                          +--+--+                        +--+--+
                             |                              |
                             |                              |
               +-----------+ | +-----------+  +-----------+ | +-----------+
               |N(100,255) | | |F:Inner Pkt|  |N(100,254) | | |F:Inner Pkt|
               +-----------+ | +-----------+  +-----------+ | +-----------+
               |F:Inner Pkt| | |N(100,254) |  |F:Inner Pkt| | |N(100,253) |
               +-----------+ | +-----------+  +-----------+ | +-----------+
                       (2) ^ | | (3)                  (5) ^ | | (6)
                           | | |                          | | |
                           | | v                          | | v
     +------------+ (1)--> +-+----+                     +---+--+ (7)-->IP
     |            | NSHoSR |      | NSHoSR               |      |
     | Classifier +--------+ SFF1 +---------------------+ SFF2 |
     |            |        |      |                     |      |
     +------------+        +------+                     +------+

               +------------+                 +------------+
               |   S(SF1)   |                 |   S(SF2)   |
               +------------+                 +------------+
               |  S(SFF2)   |                 | N(100,254) |
               +------------+                 +------------+
               |   S(SF2)   |                 | F:Inner Pkt|
               +------------+                 +------------+
               | N(100,255) |
               +------------+
               | F:Inner Pkt|
               +------------+

                      Figure 4: NSH over SR for SFC

   The benefits of this scheme include:

   o  It is economically sound for SF vendors to only support one
      unified SFC solution.  The SF is unaware of the SR.

   o  It simplifies the SFF (i.e., the SR router) by removing the need
      for re-classification and an SR proxy.

   o  It provides a unique and standard way to pass metadata to SFs.
      Note that currently there is no solution for MPLS-SR to carry
      metadata and there is no solution to pass metadata to SR-unaware
      SFs.

   o  SR is also used for forwarding purposes including between SFFs.

   o  It takes advantage of SR to eliminate the NSH forwarding state in
      SFFs.  This applies each time strict or loose SFPs are in use.

   o  It requires no interworking, as would be the case if MPLS-SR based
      SFC and NSH-based SFC were deployed as independent mechanisms in
      different parts of the network.

4.  Encapsulation Details

4.1.  NSH using MPLS-SR Transport

   MPLS-SR instantiates Segment IDs (SIDs) as MPLS labels and therefore
   the segment routing header is a stack of MPLS labels.

   When carrying NSH within an MPLS-SR transport, the full encapsulation
   headers are as illustrated in Figure 5.

                        +------------------+
                        ~  MPLS-SR Labels  ~
                        +------------------+
                        |   NSH Base Hdr   |
                        +------------------+
                        | Service Path Hdr |
                        +------------------+
                        ~     Metadata     ~
                        +------------------+

                Figure 5: NSH using MPLS-SR Transport

   As described in [RFC8402], the IGP signaling extension for IGP-Prefix
   segment includes a flag to indicate whether directly connected
   neighbors of the node on which the prefix is attached should perform
   the NEXT operation or the CONTINUE operation when processing the SID.
   When NSH is carried beneath MPLS-SR it is necessary to terminate the
   NSH-based SFC at the tail-end node of the MPLS-SR label stack.  This
   is the equivalent of MPLS Ultimate Hop Popping (UHP) and therefore
   the prefix-SID associated with the tail-end of the SFC MUST be
   advertised with the CONTINUE operation so that the penultimate hop
   node does not pop the top label of the MPLS-SR label stack and
   thereby expose NSH to the wrong SFF.
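   The NEXT-versus-CONTINUE point above, as an added Python model that
   is not part of the draft: a tiny label-forwarding table is derived
   from constructed prefix-SID advertisements and an NSH-carrying
   packet is walked through the penultimate hop and the tail-end, once
   under a SID advertised for NEXT (penultimate hop popping) and once
   under a SID advertised for CONTINUE.  Labels, node names and the
   topology are constructed for the example.

```python
"""Added example, not part of the draft: a toy MPLS-SR label-forwarding
model showing why the prefix-SID at the tail-end of an NSH-over-MPLS-SR
path must be advertised for the CONTINUE operation (no penultimate hop
popping) rather than NEXT.  Labels, node names and the topology are
constructed for the example."""

# Constructed prefix-SID advertisements: label -> (owning node, operation
# that the owner's directly connected neighbours apply).  NEXT pops the
# label at the penultimate hop; CONTINUE leaves it for the owner to pop.
PREFIX_SIDS = {
    16010: ("SFF-tail", "NEXT"),      # the node's ordinary prefix-SID
    16011: ("SFF-tail", "CONTINUE"),  # a dedicated prefix-SID for SFC traffic
}
NEIGHBOURS = {"SFF-tail": {"P1"}}     # P1 is the penultimate hop toward SFF-tail


def build_lfib(node):
    """Derive one node's label forwarding table from the advertisements.
    Entries are label -> (action, next hop); next hop None means 'this node'."""
    lfib = {}
    for label, (owner, op) in PREFIX_SIDS.items():
        if node == owner:
            lfib[label] = ("POP", None)          # ultimate hop popping
        elif node in NEIGHBOURS[owner] and op == "NEXT":
            lfib[label] = ("POP", owner)         # penultimate hop popping
        else:
            lfib[label] = ("SWAP", owner)        # keep the label, forward on
    return lfib


def deliver(sfc_label, path=("P1", "SFF-tail")):
    """Push sfc_label at the ingress over an NSH-encapsulated packet and
    walk it along path.  Returns a trace of what each node did."""
    stack, trace = [sfc_label], []
    for node in path:
        if not stack:
            trace.append(f"{node}: unlabelled packet, nothing identifies NSH")
            continue
        action, next_hop = build_lfib(node)[stack[0]]
        if action == "SWAP":
            trace.append(f"{node}: forward with label {stack[0]} to {next_hop}")
        elif next_hop is None:
            trace.append(f"{node}: popped own SID {stack.pop(0)}, NSH follows, process as SFF")
        else:
            trace.append(f"{node}: PHP popped {stack.pop(0)}, NSH exposed before {next_hop}")
    return trace


def nsh_reaches_tail_end_labelled(sfc_label):
    """True when the tail-end itself pops the label and so knows NSH follows."""
    return any("NSH follows" in step for step in deliver(sfc_label))


if __name__ == "__main__":
    for label in PREFIX_SIDS:
        print(f"label {label} ({PREFIX_SIDS[label][1]}):")
        for step in deliver(label):
            print("  ", step)
```

   With the NEXT-advertised label the NSH sits at the top of the packet
   from the penultimate hop onwards and the tail-end receives it with
   no label left to tell it what the payload is; with the dedicated
   CONTINUE-advertised label the tail-end pops the label itself and the
   label value is what identifies the packet as SFC traffic.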
   It is RECOMMENDED that a specific prefix-SID be allocated at each
   node for use by the SFC application for this purpose.

   At the end of the MPLS-SR path it is necessary to provide an
   indication to the tail-end that NSH follows the MPLS-SR label stack.
   There are several ways to achieve this but their specification is
   outside the scope of this document.

4.2.  NSH using SRv6 Transport

   When carrying NSH within an SRv6 transport the full encapsulation is
   as illustrated in Figure 6.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Header   |  Hdr Ext Len  | Routing Type  | Segments Left |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Last Entry   |     Flags     |              Tag              | S
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ e
   |                                                               | g
   |            Segment List[0] (128 bits IPv6 address)            | m
   |                                                               | e
   |                                                               | n
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ t
   |                                                               |
   |                                                               | R
   ~                              ...                              ~ o
   |                                                               | u
   |                                                               | t
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ i
   |                                                               | n
   |            Segment List[n] (128 bits IPv6 address)            | g
   |                                                               |
   |                                                               | S
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ R
   //                                                             // H
   //         Optional Type Length Value objects (variable)       //
   //                                                             //
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Ver|O|U|    TTL    |   Length  |U|U|U|U|MD Type| Next Protocol |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ N
   |          Service Path Identifier              | Service Index | S
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ H
   |                                                               |
   ~            Variable-Length Context Headers (opt.)             ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 6: NSH using SRv6 Transport

   Encapsulation of NSH following SRv6 may be indicated either by
   encapsulating NSH in UDP (UDP port TBA1) and indicating UDP in the
   Next Header field of the SRH, or by indicating an IP protocol number
   for NSH in the Next Header of the SRH.  The behavior for
   encapsulating NSH over UDP, including the selection of the source
   port number in particular, adheres to similar considerations as those
   discussed in [RFC8086].

5.  Security Considerations

   Generic SFC-related security considerations are discussed in
   [RFC7665].  NSH-specific security considerations are discussed in
   [RFC8300].  NSH-in-UDP with DTLS [RFC6347] should follow the
   considerations discussed in Section 5 of [RFC8086], with a
   destination port number set to TBA2.

6.  IANA Considerations

6.1.  UDP Port Number for NSH

   IANA is requested to assign the UDP port numbers TBA1 and TBA2 to
   the NSH from the "Service Name and Transport Protocol Port Number
   Registry" available at
   https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml:

      Service Name: NSH-in-UDP
      Transport Protocol(s): UDP
      Assignee: IESG iesg@ietf.org
      Contact: IETF Chair chair@ietf.org
      Description: NSH-in-UDP Encapsulation
      Reference: [ThisDocument]
      Port Number: TBA1
      Service Code: N/A
      Known Unauthorized Uses: N/A
      Assignment Notes: N/A

      Service Name: NSH-UDP-DTLS
      Transport Protocol(s): UDP
      Assignee: IESG iesg@ietf.org
      Contact: IETF Chair chair@ietf.org
      Description: NSH-in-UDP with DTLS Encapsulation
      Reference: [ThisDocument]
      Port Number: TBA2
      Service Code: N/A
      Known Unauthorized Uses: N/A
      Assignment Notes: N/A

6.2.  Protocol Number for NSH

   IANA is requested to assign a protocol number TBA3 for the NSH from
   the "Assigned Internet Protocol Numbers" registry available at
   https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

   +---------+---------+--------------+---------------+----------------+
   | Decimal | Keyword | Protocol     | IPv6          | Reference      |
   |         |         |              | Extension     |                |
   |         |         |              | Header        |                |
   +---------+---------+--------------+---------------+----------------+
   | TBA3    | NSH     | Network      | N             | [ThisDocument] |
   |         |         | Service      |               |                |
   |         |         | Header       |               |                |
   +---------+---------+--------------+---------------+----------------+

7.  Acknowledgments

   TBD.

8.  References

8.1.  Normative References

   [I-D.ietf-spring-segment-routing-mpls]
              Bashandy, A., Filsfils, C., Previdi, S., Decraene, B.,
              Litkowski, S., and R. Shakir, "Segment Routing with MPLS
              data plane", draft-ietf-spring-segment-routing-mpls-12
              (work in progress), February 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012.

   [RFC7665]  Halpern, J., Ed. and C. Pignataro, Ed., "Service Function
              Chaining (SFC) Architecture", RFC 7665,
              DOI 10.17487/RFC7665, October 2015.

   [RFC8086]  Yong, L., Ed., Crabbe, E., Xu, X., and T. Herbert, "GRE-
              in-UDP Encapsulation", RFC 8086, DOI 10.17487/RFC8086,
              March 2017.

   [RFC8300]  Quinn, P., Ed., Elzur, U., Ed., and C. Pignataro, Ed.,
              "Network Service Header (NSH)", RFC 8300,
              DOI 10.17487/RFC8300, January 2018.

   [RFC8402]  Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
              Decraene, B., Litkowski, S., and R. Shakir, "Segment
              Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
              July 2018.

8.2.  Informative References

   [I-D.ietf-6man-segment-routing-header]
              Previdi, S., Filsfils, C., Raza, K., Dukes, D., Leddy, J.,
              Field, B., daniel.voyer@bell.ca, d.,
              daniel.bernier@bell.ca, d., Matsushima, S., Leung, I.,
              Linkova, J., Aries, E., Kosugi, T., Vyncke, E., Lebrun,
              D., Steinberg, D., and R. Raszuk, "IPv6 Segment Routing
              Header (SRH)", draft-ietf-6man-segment-routing-header-09
              (work in progress), March 2018.

   [I-D.xuclad-spring-sr-service-programming]
              Clad, F., Xu, X., Filsfils, C., daniel.bernier@bell.ca,
              d., Li, C., Decraene, B., Ma, S., Yadlapalli, C.,
              Henderickx, W., and S. Salsano, "Service Programming with
              Segment Routing", draft-xuclad-spring-sr-service-
              programming-02 (work in progress), April 2019.

   [RFC7498]  Quinn, P., Ed. and T. Nadeau, Ed., "Problem Statement for
              Service Function Chaining", RFC 7498,
              DOI 10.17487/RFC7498, April 2015.

Authors' Addresses

   James N Guichard (editor)
   Futurewei Technologies
   2330 Central Express Way
   Santa Clara
   USA

   Email: james.n.guichard@futurewei.com


   Haoyu Song
   Futurewei Technologies
   2330 Central Express Way
   Santa Clara
   USA

   Email: haoyu.song@futurewei.com


   Jeff Tantsura
   Apstra inc.
   USA

   Email: jefftant.ietf@gmail.com


   Joel Halpern
   Ericsson
   USA

   Email: joel.halpern@ericsson.com


   Wim Henderickx
   Nokia
   USA

   Email: wim.henderickx@nokia.com


   Mohamed Boucadair
   Orange
   USA

   Email: mohamed.boucadair@orange.com


   Syed Hassan
   Cisco Systems
   USA

   Email: shassan@cisco.com