idnits 2.17.1 draft-ietf-teas-rsvp-ingress-protection-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Authors' Addresses Section. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (October 19, 2015) is 3109 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'S' is mentioned on line 121, but not defined == Missing Reference: 'Ra' is mentioned on line 124, but not defined == Missing Reference: 'Rb' is mentioned on line 124, but not defined == Missing Reference: 'L3' is mentioned on line 124, but not defined == Unused Reference: 'RFC2119' is defined on line 770, but no explicit reference was found in the text == Unused Reference: 'RFC3031' is defined on line 775, but no explicit reference was found in the text == Unused Reference: 'RFC3209' is defined on line 780, but no explicit reference was found in the text Summary: 1 error (**), 0 flaws (~~), 9 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force H. Chen, Ed. 3 Internet-Draft Huawei Technologies 4 Intended status: Standards Track R. Torvi, Ed. 5 Expires: April 21, 2016 Juniper Networks 6 October 19, 2015 8 Extensions to RSVP-TE for LSP Ingress Local Protection 9 draft-ietf-teas-rsvp-ingress-protection-04.txt 11 Abstract 13 This document describes extensions to Resource Reservation Protocol - 14 Traffic Engineering (RSVP-TE) for locally protecting the ingress node 15 of a Traffic Engineered (TE) Label Switched Path (LSP), which is a 16 Point-to-Point (P2P) LSP or a Point-to-Multipoint (P2MP) LSP. 18 Status of this Memo 20 This Internet-Draft is submitted to IETF in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on April 21, 2016. 35 Copyright Notice 37 Copyright (c) 2015 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Co-authors . . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 2.1. An Example of Ingress Local Protection . . . . . . . . . . 3 55 2.2. Ingress Local Protection with FRR . . . . . . . . . . . . 4 56 3. Ingress Failure Detection . . . . . . . . . . . . . . . . . . 4 57 3.1. Source Detects Failure . . . . . . . . . . . . . . . . . . 4 58 3.2. Backup and Source Detect Failure . . . . . . . . . . . . . 5 59 4. Backup Forwarding State . . . . . . . . . . . . . . . . . . . 5 60 4.1. Forwarding State for Backup LSP . . . . . . . . . . . . . 5 61 5. Protocol Extensions . . . . . . . . . . . . . . . . . . . . . 6 62 5.1. INGRESS_PROTECTION Object . . . . . . . . . . . . . . . . 6 63 5.1.1. Subobject: Backup Ingress IPv4 Address . . . . . . . . 7 64 5.1.2. Subobject: Backup Ingress IPv6 Address . . . . . . . . 8 65 5.1.3. Subobject: Ingress IPv4 Address . . . . . . . . . . . 8 66 5.1.4. Subobject: Ingress IPv6 Address . . . . . . . . . . . 8 67 5.1.5. Subobject: Traffic Descriptor . . . . . . . . . . . . 9 68 5.1.6. Subobject: Label-Routes . . . . . . . . . . . . . . . 9 69 6. Behavior of Ingress Protection . . . . . . . . . . . . . . . . 10 70 6.1. Ingress Behavior . . . . . . . . . . . . . . . . . . . . . 10 71 6.2. Backup Ingress Behavior . . . . . . . . . . . . . . . . . 11 72 6.2.1. Backup Ingress Behavior in Off-path Case . . . . . . . 11 73 6.2.2. Backup Ingress Behavior in On-path Case . . . . . . . 13 74 6.2.3. Failure Detection and Refresh PATH Messages . . . . . 14 75 6.3. Revertive Behavior . . . . . . . . . . . . . . . . . . . . 14 76 6.3.1. Revert to Primary Ingress . . . . . . . . . . . . . . 15 77 6.3.2. Global Repair by Backup Ingress . . . . . . . . . . . 15 78 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15 79 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 80 8.1. A New Class Number . . . . . . . . . . . . . . . . . . . . 16 81 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16 82 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 17 83 11. Normative References . . . . . . . . . . . . . . . . . . . . . 17 84 A. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18 86 1. Co-authors 88 Ning So, Autumn Liu, Alia Atlas, Yimin Shen, Tarek Saad, Fengman Xu, 89 Mehmet Toy, Lei Liu 91 2. Introduction 93 For a MPLS LSP it is important to have a fast-reroute method for 94 protecting its ingress node and transit nodes. Protecting an ingress 95 is not covered either in the fast-reroute method defined in [RFC4090] 96 or in the P2MP fast-reroute extensions to fast-reroute in [RFC4875]. 98 An alternate approach to local protection (fast-reroute) is to use 99 global protection and set up a secondary backup LSP (whether P2MP or 100 P2P) from a backup ingress to the egresses. The main disadvantage of 101 this is that the backup LSP may reserve additional network bandwidth. 103 This specification defines a simple extension to RSVP-TE for local 104 protection of the ingress node of a P2MP or P2P LSP. 106 2.1. An Example of Ingress Local Protection 108 Figure 1 shows an example of using a backup P2MP LSP to locally 109 protect the ingress of a primary P2MP LSP, which is from ingress R1 110 to three egresses: L1, L2 and L3. The backup LSP is from backup 111 ingress Ra to the next hops R2 and R4 of ingress R1. 113 [R2]******[R3]*****[L1] 114 * | **** Primary LSP 115 * | ---- Backup LSP 116 * / .... BFD Session 117 * / $ Link 118 ....[R1]*******[R4]****[R5]*****[L2] $ 119 : $ $ / / * $ 120 : $ $ / / * 121 [S] $ / / * 122 $ $ / / * 123 $ $/ / * 124 [Ra]----[Rb] [L3] 126 Figure 1: Backup P2MP LSP for Locally Protecting Ingress 128 In normal operations, source S sends the traffic to primary ingress 129 R1. R1 imports the traffic into the primary LSP. 131 When source S detects the failure of R1, it switches the traffic to 132 backup ingress Ra, which imports the traffic from S into the backup 133 LSP to R1's next hops R2 and R4, where the traffic is merged into the 134 primary LSP, and then sent to egresses L1, L2 and L3. Source S 135 detects the failure of R1 and switches the traffic within 10s of ms. 137 Note that the backup ingress is one logical hop away from the 138 ingress. A logical hop is a direct link or a tunnel such as a GRE 139 tunnel, over which RSVP-TE messages may be exchanged. 141 2.2. Ingress Local Protection with FRR 143 Through using the ingress local protection and the FRR, we can 144 locally protect the ingress, all the links and the transit nodes of 145 an LSP. The traffic switchover time is within 10s of ms whenever the 146 ingress, any of the links and the transit nodes of the LSP fails. 148 The ingress node of the LSP can be locally protected through using 149 the ingress local protection. All the links and all the transit 150 nodes of the LSP can be locally protected through using the FRR. 152 3. Ingress Failure Detection 154 Exactly how to detect the failure of the ingress is out of scope. 155 However, it is necessary to discuss different modes for detecting the 156 failure because they determine what is the required behavior for the 157 source and backup ingress. 159 3.1. Source Detects Failure 161 Source Detects Failure or Source-Detect for short means that the 162 source is responsible for fast detecting the failure of the primary 163 ingress of an LSP. The backup ingress is ready to import the traffic 164 from the source into the backup LSP after the backup LSP is up. 166 In normal operations, the source sends the traffic to the primary 167 ingress. When the source detects the failure of the primary ingress, 168 it switches the traffic to the backup ingress, which delivers the 169 traffic to the next hops of the primary ingress through the backup 170 LSP, where the traffic is merged into the primary LSP. 172 For a P2P LSP, after the primary ingress fails, the backup ingress 173 MUST use a method to reliably detect the failure of the primary 174 ingress before the PATH message for the LSP expires at the next hop 175 of the primary ingress. After reliably detecting the failure, the 176 backup ingress sends/refreshes the PATH message to the next hop 177 through the backup LSP as needed. 179 After the primary ingress fails, it will not be reachable after 180 routing convergence. Thus checking whether the primary ingress 181 (address) is reachable is a possible method. 183 3.2. Backup and Source Detect Failure 185 Backup and Source Detect Failure or Backup-Source-Detect for short 186 means that both the backup ingress and the source are concurrently 187 responsible for fast detecting the failure of the primary ingress. 189 In normal operations, the source sends the traffic to the primary 190 ingress. It switches the traffic to the backup ingress when it 191 detects the failure of the primary ingress. 193 The backup ingress does not import any traffic from the source into 194 the backup LSP in normal operations. When it detects the failure of 195 the primary ingress, it imports the traffic from the source into the 196 backup LSP to the next hops of the primary ingress, where the traffic 197 is merged into the primary LSP. 199 The source-detect is preferred. It is simpler than the backup- 200 source-detect, which needs both the source and the backup ingress 201 detect the ingress failure quickly. 203 4. Backup Forwarding State 205 Before the primary ingress fails, the backup ingress is responsible 206 for creating the necessary backup LSPs. These LSPs might be multiple 207 bypass P2P LSPs that avoid the ingress. Alternately, the backup 208 ingress could choose to use a single backup P2MP LSP as a bypass or 209 detour to protect the primary ingress of a primary P2MP LSP. 211 The backup ingress may be off-path or on-path of an LSP. If a backup 212 ingress is not any node of the LSP, we call it is off-path. If a 213 backup ingress is a next-hop of the primary ingress of the LSP, we 214 call it is on-path. If it is on-path, the primary forwarding state 215 associated with the primary LSP SHOULD be clearly separated from the 216 backup LSP(s) state. 218 4.1. Forwarding State for Backup LSP 220 A forwarding entry for a backup LSP is created on the backup ingress 221 after the LSP is set up. Depending on the failure-detection mode 222 (e.g., source-detect), it may be used to forward received traffic or 223 simply be inactive (e.g., backup-source-detect) until required. In 224 either case, when the primary ingress fails, this entry is used to 225 import the traffic into the backup LSP to the next hops of the 226 primary ingress, where the traffic is merged into the primary LSP. 228 The forwarding entry for a backup LSP is a local implementation 229 issue. In one device, it may have an inactive flag. This inactive 230 forwarding entry is not used to forward any traffic normally. When 231 the primary ingress fails, it is changed to active, and thus the 232 traffic from the source is imported into the backup LSP. 234 5. Protocol Extensions 236 A new object INGRESS_PROTECTION is defined for signaling ingress 237 local protection. It is backward compatible. 239 5.1. INGRESS_PROTECTION Object 241 The INGRESS_PROTECTION object with the FAST_REROUTE object in a PATH 242 message is used to control the backup for protecting the primary 243 ingress of a primary LSP. The primary ingress MUST insert this 244 object into the PATH message to be sent to the backup ingress for 245 protecting the primary ingress. It has the following format: 247 Class-Num = TBD C-Type = 1 for INGRESS_PROTECTION_IPv4 248 C-Type = 2 for INGRESS_PROTECTION_IPv6 249 0 1 2 3 250 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 252 | Length (bytes) | Class-Num | C-Type | 253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 254 | Reserved (zero) | Flags | Options | 255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 256 ~ (Subobjects) ~ 257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 259 Flags 260 0x01 Ingress local protection available 261 0x02 Ingress local protection in use 262 0x04 Bandwidth protection 264 Options 265 0x01 Revert to Ingress 266 0x02 P2MP Backup 268 The flags are used to communicate status information from the backup 269 ingress to the primary ingress. 271 o Ingress local protection available: The backup ingress sets this 272 flag after backup LSPs are up and ready for locally protecting the 273 primary ingress. The backup ingress sends this to the primary 274 ingress to indicate that the primary ingress is locally protected. 276 o Ingress local protection in use: The backup ingress sets this flag 277 when it detects a failure in the primary ingress. The backup 278 ingress keeps it and does not send it to the primary ingress since 279 the primary ingress is down. 281 o Bandwidth protection: The backup ingress sets this flag if the 282 backup LSPs guarantee to provide desired bandwidth for the 283 protected LSP against the primary ingress failure. 285 The options are used by the primary ingress to specify the desired 286 behavior to the backup ingress. 288 o Revert to Ingress: The primary ingress sets this option indicating 289 that the traffic for the primary LSP successfully re-signaled will 290 be switched back to the primary ingress from the backup ingress 291 when the primary ingress is restored. 293 o P2MP Backup: This option is set to ask for the backup ingress to 294 use P2MP backup LSP to protect the primary ingress. Note that one 295 spare bit of the flags in the FAST-REROUTE object can be used to 296 indicate whether P2MP or P2P backup LSP is desired for protecting 297 an ingress and transit node. 299 The INGRESS_PROTECTION object may contain some sub objects below. 301 5.1.1. Subobject: Backup Ingress IPv4 Address 303 When the primary ingress of a protected LSP sends a PATH message with 304 an INGRESS_PROTECTION object to the backup ingress, the object may 305 have a Backup Ingress IPv4 Address sub object containing an IPv4 306 address belonging to the backup ingress. The Type of the sub object 307 is TBD1 (the exact number to be assigned by IANA), and the body of 308 the sub object is given below: 310 0 1 2 3 311 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 312 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 313 | Backup ingress IPv4 address (4 bytes) | 314 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 316 Backup ingress IPv4 address: An IPv4 host address of backup ingress 318 5.1.2. Subobject: Backup Ingress IPv6 Address 320 When the primary ingress of a protected LSP sends a PATH message with 321 an INGRESS_PROTECTION object to the backup ingress, the object may 322 have a Backup Ingress IPv6 Address sub object containing an IPv6 323 address belonging to the backup ingress. The Type of the sub object 324 is TBD2, the body of the sub object is given below: 326 0 1 2 3 327 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 328 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 329 | Backup ingress IPv6 address (16 bytes) | 330 ~ ~ 331 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 333 Backup ingress IPv6 address: An IPv6 host address of backup ingress 335 5.1.3. Subobject: Ingress IPv4 Address 337 The INGRESS_PROTECTION object may have an Ingress IPv4 Address sub 338 object containing an IPv4 address belonging to the primary ingress. 339 The Type of the sub object is TBD3. The sub object has the following 340 body: 342 0 1 2 3 343 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 344 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 345 | Ingress IPv4 address (4 bytes) | 346 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 348 Ingress IPv4 address: An IPv4 host address of ingress 350 5.1.4. Subobject: Ingress IPv6 Address 352 The INGRESS_PROTECTION object may have an Ingress IPv6 Address sub 353 object containing an IPv6 address belonging to the primary ingress. 354 The Type of the sub object is TBD4. The sub object has the following 355 body: 357 0 1 2 3 358 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 359 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 360 | Ingress IPv6 address (16 bytes) | 361 ~ ~ 362 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 363 Ingress IPv6 address: An IPv6 host address of ingress 365 5.1.5. Subobject: Traffic Descriptor 367 The INGRESS_PROTECTION object may have a Traffic Descriptor sub 368 object describing the traffic to be mapped to the backup LSP on the 369 backup ingress for locally protecting the primary ingress. The Type 370 of the sub object is TBD5, TBD6, TBD7 or TBD8 for Interface, IPv4 371 Prefix, IPv6 Prefix or Application Identifier respectively. The sub 372 object has the following body: 374 0 1 2 3 375 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 376 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 377 | Traffic Element 1 | 378 ~ ~ 379 | Traffic Element n | 380 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 382 The Traffic Descriptor sub object may contain multiple Traffic 383 Elements of same type as follows: 385 o Interface Traffic (Type TBD5): Each of the Traffic Elements is a 386 32 bit index of an interface, from which the traffic is imported 387 into the backup LSP. 389 o IPv4 Prefix Traffic (Type TBD6): Each of the Traffic Elements is 390 an IPv4 prefix, containing an 8-bit prefix length followed by an 391 IPv4 address prefix, whose length, in bits, is specified by the 392 prefix length, padded to a byte boundary. 394 o IPv6 Prefix Traffic (Type TBD7): Each of the Traffic Elements is 395 an IPv6 prefix, containing an 8-bit prefix length followed by an 396 IPv6 address prefix, whose length, in bits, is specified by the 397 prefix length, padded to a byte boundary. 399 o Application Traffic (Type TBD8): Each of the Traffic Elements is a 400 32 bit identifier of an application, from which the traffic is 401 imported into the backup LSP. 403 5.1.6. Subobject: Label-Routes 405 The INGRESS_PROTECTION object in a PATH message from the primary 406 ingress to the backup ingress will have a Label-Routes sub object 407 containing the labels and routes that the next hops of the ingress 408 use. The Type of the sub object is TBD9. The sub object has the 409 following body: 411 0 1 2 3 412 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 413 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 414 ~ Subobjects ~ 415 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 417 The Subobjects in the Label-Routes are copied from those in the 418 RECORD_ROUTE objects in the RESV messages that the primary ingress 419 receives from its next hops for the primary LSP. They MUST contain 420 the first hops of the LSP, each of which is paired with its label. 422 6. Behavior of Ingress Protection 424 There are four parts of ingress protection: 1) setting up the 425 necessary backup LSP forwarding state; 2) identifying the failure and 426 providing the fast repair (as discussed in Sections 3 and 4); 3) 427 maintaining the RSVP-TE control plane state until a global repair is 428 done; and 4) performing the global repair(see Section 6.3). 430 6.1. Ingress Behavior 432 The primary ingress MUST be configured with a couple of pieces of 433 information for ingress protection. 435 o Backup Ingress Address: The primary ingress MUST know an IP 436 address for it to be included in the INGRESS_PROTECTION object. 438 o Application Traffic Identifier: The primary ingress and backup 439 ingress MUST both know what application traffic should be directed 440 into the LSP. If a list of prefixes in the Traffic Descriptor 441 sub-object will not suffice, then a commonly understood 442 Application Traffic Identifier can be sent between the primary 443 ingress and backup ingress. The exact meaning of the identifier 444 should be configured similarly at both the primary ingress and 445 backup ingress. The Application Traffic Identifier is understood 446 within the unique context of the primary ingress and backup 447 ingress. 449 With this additional information, the primary ingress can create and 450 signal the necessary RSVP extensions to support ingress protection. 452 The primary ingress relays the information for ingress protection of 453 an LSP to the backup ingress via PATH messages. Once the LSP is 454 created, the ingress of the LSP sends the backup ingress a PATH 455 message with an INGRESS_PROTECTION object with Label-Routes 456 subobject, which is populated with the next-hops and labels. This 457 provides sufficient information for the backup ingress to create the 458 appropriate forwarding state and backup LSP(s). 460 The ingress also sends the backup ingress all the other PATH messages 461 for the LSP with an empty INGRESS_PROTECTION object. Thus, the 462 backup ingress has access to all the PATH messages needed for 463 modification to refresh control-plane state after a failure. 465 To protect the ingress of an LSP, the ingress MUST do the following 466 after the LSP is up. 468 1. Select a PATH message. 470 2. If the backup ingress is off-path, then send it a PATH message 471 with the content from the selected PATH message and an 472 INGRESS_PROTECTION object; else (the backup ingress is a next 473 hop, i.e., on-path case) add an INGRESS_PROTECTION object into 474 the existing PATH message to the backup ingress (i.e., the next 475 hop). The object contains the Traffic-Descriptor sub-object, the 476 Backup Ingress Address sub-object and the Label-Routes sub- 477 object. The options is set to indicate whether a Backup P2MP LSP 478 is desired. The Label-Routes sub-object contains the next-hops 479 of the ingress and their labels. 481 3. For each of the other PATH messages, send the backup ingress a 482 PATH message with the content copied from the message and an 483 empty INGRESS_PROTECTION object, which is an object without any 484 Traffic-Descriptor sub-object. 486 6.2. Backup Ingress Behavior 488 An LER determines that the ingress local protection is requested for 489 an LSP if the INGRESS_PROTECTION object is included in the PATH 490 message it receives for the LSP. The LER can further determine that 491 it is the backup ingress if one of its addresses is in the Backup 492 Ingress Address sub-object of the INGRESS_PROTECTION object. The LER 493 as the backup ingress will assume full responsibility of the ingress 494 after the primary ingress fails. In addition, the LER determines 495 that it is off-path if it is not any node of the LSP. 497 6.2.1. Backup Ingress Behavior in Off-path Case 499 The backup ingress considers itself as a PLR and the primary ingress 500 as its next hop and provides a local protection for the primary 501 ingress. It behaves very similarly to a PLR providing fast-reroute 502 where the primary ingress is considered as the failure-point to 503 protect. Where not otherwise specified, the behavior given in 504 [RFC4090] for a PLR applies. 506 The backup ingress MUST follow the control-options specified in the 507 INGRESS_PROTECTION object and the flags and specifications in the 508 FAST-REROUTE object. This applies to providing a P2MP backup if the 509 "P2MP backup" is set, a one-to-one backup if "one-to-one desired" is 510 set, facility backup if the "facility backup desired" is set, and 511 backup paths that support the desired bandwidth, and administrative- 512 colors that are requested. 514 If multiple non empty INGRESS_PROTECTION objects have been received 515 via multiple PATH messages for the same LSP, then the most recent one 516 MUST be the one used. 518 The backup ingress creates the appropriate forwarding state for the 519 backup LSP tunnel(s) to the merge point(s). 521 When the backup ingress sends a RESV message to the primary ingress, 522 it MUST add an INGRESS_PROTECTION object into the message. It MUST 523 set or clear the flags in the object to report "Ingress local 524 protection available", "Ingress local protection in use", and 525 "bandwidth protection". 527 If the backup ingress doesn't have a backup LSP tunnel to each of the 528 merge points, it SHOULD clear "Ingress local protection available". 529 [Editor Note: It is possible to indicate the number or which are 530 unprotected via a sub-object if desired.] 532 When the primary ingress fails, the backup ingress redirects the 533 traffic from a source into the backup P2P LSPs or the backup P2MP LSP 534 transmitting the traffic to the next hops of the primary ingress, 535 where the traffic is merged into the protected LSP. 537 In this case, the backup ingress MUST keep the PATH message with the 538 INGRESS_PROTECTION object received from the primary ingress and the 539 RESV message with the INGRESS_PROTECTION object to be sent to the 540 primary ingress. The backup ingress MUST set the "local protection 541 in use" flag in the RESV message, indicating that the backup ingress 542 is actively redirecting the traffic into the backup P2P LSPs or the 543 backup P2MP LSP for locally protecting the primary ingress failure. 545 Note that the RESV message with this piece of information will not be 546 sent to the primary ingress because the primary ingress has failed. 548 If the backup ingress has not received any PATH message from the 549 primary ingress for an extended period of time (e.g., a cleanup 550 timeout interval) and a confirmed primary ingress failure did not 551 occur, then the standard RSVP soft-state removal SHOULD occur. The 552 backup ingress SHALL remove the state for the PATH message from the 553 primary ingress, and tear down the one-to-one backup LSPs for 554 protecting the primary ingress if one-to-one backup is used or unbind 555 the facility backup LSPs if facility backup is used. 557 When the backup ingress receives a PATH message from the primary 558 ingress for locally protecting the primary ingress of a protected 559 LSP, it MUST check to see if any critical information has been 560 changed. If the next hops of the primary ingress are changed, the 561 backup ingress SHALL update its backup LSP(s) accordingly. 563 When the backup ingress receives a PATH message with an non empty 564 INGRESS_PROTECTION object, it examines the object to learn what 565 traffic associated with the LSP. It determines the next-hops to be 566 merged to by examining the Label-Routes sub-object in the object. 568 The backup ingress MUST store the PATH message received from the 569 primary ingress, but NOT forward it. 571 The backup ingress responds with a RESV to the PATH message received 572 from the primary ingress. If the INGRESS_PROTECTION object is not 573 "empty", the backup ingress SHALL send the RESV message with the 574 state indicating protection is available after the backup LSP(s) are 575 successfully established. 577 6.2.2. Backup Ingress Behavior in On-path Case 579 An LER as the backup ingress determines that it is on-path if one of 580 its addresses is a next hop of the primary ingress. The LER on-path 581 MUST send the corresponding PATH messages without any 582 INGRESS_PROTECTION object to its next hops. It creates a number of 583 backup P2P LSPs or a backup P2MP LSP from itself to the other next 584 hops (i.e., the next hops other than the backup ingress) of the 585 primary ingress. The other next hops are from the Label-Routes sub 586 object. 588 It also creates a forwarding entry, which sends/multicasts the 589 traffic from the source to the next hops of the backup ingress along 590 the protected LSP when the primary ingress fails. The traffic is 591 described by the Traffic-Descriptor. 593 After the forwarding entry is created, all the backup P2P LSPs or the 594 backup P2MP LSP is up and associated with the protected LSP, the 595 backup ingress MUST send the primary ingress the RESV message with 596 the INGRESS_PROTECTION object containing the state of the local 597 protection such as "local protection available" flag set to one, 598 which indicates that the primary ingress is locally protected. 600 When the primary ingress fails, the backup ingress sends/multicasts 601 the traffic from the source to its next hops along the protected LSP 602 and imports the traffic into each of the backup P2P LSPs or the 603 backup P2MP LSP transmitting the traffic to the other next hops of 604 the primary ingress, where the traffic is merged into protected LSP. 606 During the local repair, the backup ingress MUST continue to send the 607 PATH messages to its next hops as before, keep the PATH message with 608 the INGRESS_PROTECTION object received from the primary ingress and 609 the RESV message with the INGRESS_PROTECTION object to be sent to the 610 primary ingress. It MUST set the "local protection in use" flag in 611 the RESV message. 613 6.2.3. Failure Detection and Refresh PATH Messages 615 As described in [RFC4090], it is necessary to refresh the PATH 616 messages via the backup LSP(s). The Backup Ingress MUST wait to 617 refresh the PATH messages until it can accurately detect that the 618 ingress node has failed. An example of such an accurate detection 619 would be that the IGP has no bi-directional links to the ingress node 620 and the last change was long enough in the past that changes should 621 have been received (i.e., an IGP network convergence time or 622 approximately 2-3 seconds) or a BFD session to the primary ingress' 623 loopback address has failed and stayed failed after the network has 624 reconverged. 626 As described in [RFC4090 Section 6.4.3], the backup ingress, acting 627 as PLR, MUST modify and send any saved PATH messages associated with 628 the primary LSP to the corresponding next hops through backup LSP(s). 629 Any PATH message sent will not contain any INGRESS_PROTECTION object. 630 The RSVP_HOP object in the message contains an IP source address 631 belonging to the backup ingress. The sender template object has the 632 backup ingress address as its tunnel sender address. 634 6.3. Revertive Behavior 636 Upon a failure event in the (primary) ingress of a protected LSP, the 637 protected LSP is locally repaired by the backup ingress. There are a 638 couple of basic strategies for restoring the LSP to a full working 639 path. 641 - Revert to Primary Ingress: When the primary ingress is restored, 642 it re-signals each of the LSPs that start from the primary 643 ingress. The traffic for every LSP successfully re-signaled is 644 switched back to the primary ingress from the backup ingress. 646 - Global Repair by Backup Ingress: After determining that the 647 primary ingress of an LSP has failed, the backup ingress computes 648 a new optimal path, signals a new LSP along the new path, and 649 switches the traffic to the new LSP. 651 6.3.1. Revert to Primary Ingress 653 If "Revert to Primary Ingress" is desired for a protected LSP, the 654 (primary) ingress of the LSP SHOULD re-signal the LSP that starts 655 from the primary ingress after the primary ingress restores. After 656 the LSP is re-signaled successfully, the traffic SHOULD be switched 657 back to the primary ingress from the backup ingress on the source 658 node and redirected into the LSP starting from the primary ingress. 660 The primary ingress can specify the "Revert to Ingress" control- 661 option in the INGRESS_PROTECTION object in the PATH messages to the 662 backup ingress. After receiving the "Revert to Ingress" control- 663 option, the backup ingress MUST stop sending/refreshing PATH messages 664 for the protected LSP. 666 6.3.2. Global Repair by Backup Ingress 668 When the backup ingress has determined that the primary ingress of 669 the protected LSP has failed (e.g., via the IGP), it can compute a 670 new path and signal a new LSP along the new path so that it no longer 671 relies upon local repair. To do this, the backup ingress MUST use 672 the same tunnel sender address in the Sender Template Object and 673 allocate a LSP ID different from the one of the old LSP as the LSP-ID 674 of the new LSP. This allows the new LSP to share resources with the 675 old LSP. In addition, if the Ingress recovers, the Backup Ingress 676 SHOULD send it RESVs with the INGRESS_PROTECTION object where the 677 "Revert to Ingress" is specified. The Ingress can learn from the 678 RESVs what to signal. The Backup Ingress can reoptimize the new LSP 679 as necessary until the Ingress recovers. Alternately, the Backup 680 Ingress can create a new LSP with no bandwidth reservation that 681 duplicates the path(s) of the protected LSP, move traffic to the new 682 LSP, delete the protected LSP, and then resignal the new LSP with 683 bandwidth. 685 7. Security Considerations 687 In principle this document does not introduce new security issues. 688 The security considerations pertaining to RFC 4090, RFC 4875 and 689 other RSVP protocols remain relevant. 691 8. IANA Considerations 693 IANA is requested to administer the assignment of new values defined 694 in this document and summarized in this section. 696 8.1. A New Class Number 698 IANA maintains a registry called "Class Names, Class Numbers, and 699 Class Types" under "Resource Reservation Protocol-Traffic Engineering 700 (RSVP-TE) Parameters". IANA is requested to assign a new Class 701 Number for new object INGRESS_PROTECTION as follows: 703 +====================+===============+============================+ 704 | Class Names | Class Numbers | Class Types | 705 +====================+===============+============================+ 706 | INGRESS_PROTECTION | TBD (>192) | 1: INGRESS_PROTECTION_IPv4 | 707 | | +----------------------------+ 708 | | | 2: INGRESS_PROTECTION_IPv6 | 709 +--------------------+---------------+----------------------------+ 711 IANA is requested to assign Types for new TLVs in the new objects as 712 follows: 714 Type Name Allowed in 715 1 BACKUP_INGRESS_IPv4_ADDRESS INGRESS_PROTECTION_IPv4 716 2 BACKUP_INGRESS_IPv6_ADDRESS INGRESS_PROTECTION_IPv6 717 3 INGRESS_IPv4_ADDRESS INGRESS_PROTECTION_IPv4 718 4 INGRESS_IPv6_ADDRESS INGRESS_PROTECTION_IPv6 719 5 TRAFFIC_DESCRIPTOR_INTERFACE INGRESS_PROTECTION 720 6 TRAFFIC_DESCRIPTOR_IPv4_PREFIX INGRESS_PROTECTION_IPv4 721 7 TRAFFIC_DESCRIPTOR_IPv6_PREFIX INGRESS_PROTECTION_IPv6 722 8 TRAFFIC_DESCRIPTOR_APPLICATION INGRESS_PROTECTION 723 9 LabeL_Routes INGRESS_PROTECTION 725 9. Contributors 727 Renwei Li 728 Huawei Technologies 729 2330 Central Expressway 730 Santa Clara, CA 95050 731 USA 732 Email: renwei.li@huawei.com 733 Quintin Zhao 734 Huawei Technologies 735 Boston, MA 736 USA 737 Email: quintin.zhao@huawei.com 739 Zhenbin Li 740 Huawei Technologies 741 2330 Central Expressway 742 Santa Clara, CA 95050 743 USA 744 Email: zhenbin.li@huawei.com 746 Boris Zhang 747 Telus Communications 748 200 Consilium Pl Floor 15 749 Toronto, ON M1H 3J3 750 Canada 751 Email: Boris.Zhang@telus.com 753 Markus Jork 754 Juniper Networks 755 10 Technology Park Drive 756 Westford, MA 01886 757 USA 758 Email: mjork@juniper.net 760 10. Acknowledgement 762 The authors would like to thank Nobo Akiya, Rahul Aggarwal, Eric 763 Osborne, Ross Callon, Loa Andersson, Daniel King, Michael Yue, 764 Olufemi Komolafe, Rob Rennison, Neil Harrison, Kannan Sampath, 765 Gregory Mirsky, and Ronhazli Adam for their valuable comments and 766 suggestions on this draft. 768 11. Normative References 770 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 771 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 772 RFC2119, March 1997, 773 . 775 [RFC3031] Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol 776 Label Switching Architecture", RFC 3031, DOI 10.17487/ 777 RFC3031, January 2001, 778 . 780 [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., 781 and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP 782 Tunnels", RFC 3209, DOI 10.17487/RFC3209, December 2001, 783 . 785 [RFC4090] Pan, P., Ed., Swallow, G., Ed., and A. Atlas, Ed., "Fast 786 Reroute Extensions to RSVP-TE for LSP Tunnels", RFC 4090, 787 DOI 10.17487/RFC4090, May 2005, 788 . 790 [RFC4875] Aggarwal, R., Ed., Papadimitriou, D., Ed., and S. 791 Yasukawa, Ed., "Extensions to Resource Reservation 792 Protocol - Traffic Engineering (RSVP-TE) for Point-to- 793 Multipoint TE Label Switched Paths (LSPs)", RFC 4875, 794 DOI 10.17487/RFC4875, May 2007, 795 . 797 Appendix A. Authors' Addresses 799 Huaimo Chen 800 Huawei Technologies 801 Boston, MA 802 USA 803 Email: huaimo.chen@huawei.com 805 Raveendra Torvi 806 Juniper Networks 807 10 Technology Park Drive 808 Westford, MA 01886 809 USA 810 Email: rtorvi@juniper.net 811 Ning So 812 Tata Communications 813 2613 Fairbourne Cir. 814 Plano, TX 75082 815 USA 816 Email: ningso01@gmail.com 818 Autumn Liu 819 Ericsson 820 300 Holger Way 821 San Jose, CA 95134 822 USA 823 Email: autumn.liu@ericsson.com 825 Alia Atlas 826 Juniper Networks 827 10 Technology Park Drive 828 Westford, MA 01886 829 USA 830 Email: akatlas@juniper.net 832 Yimin Shen 833 Juniper Networks 834 10 Technology Park Drive 835 Westford, MA 01886 836 USA 837 Email: yshen@juniper.net 839 Tarek Saad 840 Cisco Systems 841 Email: tsaad@cisco.com 843 Fengman Xu 844 Verizon 845 2400 N. Glenville Dr 846 Richardson, TX 75082 847 USA 848 Email: fengman.xu@verizon.com 849 Mehmet Toy 850 Comcast 851 1800 Bishops Gate Blvd. 852 Mount Laurel, NJ 08054 853 USA 854 Email: mehmet_toy@cable.comcast.com 856 Lei Liu 857 UC Davis 858 USA 859 Email: liulei.kddi@gmail.com