SR-MPLS over IPAlibaba, Incxiaohu.xxh@alibaba-inc.comHuaweistewart.bryant@gmail.comOld Dog Consultingadrian@olddog.co.ukCiscoshassan@cisco.comNokiawim.henderickx@nokia.comHuaweilizhenbin@huawei.comMPLS Segment Routing (SR-MPLS) is an MPLS data plane-based source
routing paradigm in which the sender of a packet is allowed to partially
or completely specify the route the packet takes through the network by
imposing stacked MPLS labels on the packet. SR-MPLS can be leveraged
to realize a source routing mechanism across MPLS, IPv4, and IPv6 data
planes by using an MPLS label stack as a source routing instruction set
while making no changes to SR-MPLS specifications and interworking with
SR-MPLS implementations.This document describes how SR-MPLS capable routers and IP-only
routers can seamlessly co-exist and interoperate through the use of
SR-MPLS label stacks and IP encapsulation/tunneling such as MPLS-in-UDP
as defined in RFC 7510.MPLS Segment Routing (SR-MPLS) is an MPLS data
plane-based source routing paradigm in which the sender of a packet is
allowed to partially or completely specify the route the packet takes
through the network by imposing stacked MPLS labels on the packet.
SR-MPLS uses an MPLS label stack to encode a source routing instruction
set. This can be used to realize a source routing mechanism that can
operate across MPLS, IPv4, and IPv6 data planes. This approach
makes no changes to SR-MPLS specifications and allows interworking with
SR-MPLS implementations. More specifically, the source routing
instruction set information contained in a source routed packet could be
uniformly encoded as an MPLS label stack no matter whether the underlay is
IPv4, IPv6 (including Segment Routing for IPv6 (SRv6) [RFC8354]), or MPLS.This document describes how SR-MPLS capable routers and IP-only
routers can seamlessly co-exist and interoperate through the use of
SR-MPLS label stacks and IP encapsulation/tunneling such as MPLS-in-UDP
. describes various use cases for the
tunneling SR-MPLS over IP. describes a typical
application scenario and how the packet forwarding happens.This memo makes use of the terms defined in and .The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 when, and only
when, they appear in all capitals, as shown here.Tunneling SR-MPLS using IPv4 and/or IPv6 (including SRv6) tunnels is
useful at least in the use cases listed below. In all cases, this can be
enabled using an IP tunneling mechanism such as MPLS-in-UDP as described
in . The tunnel selected MUST have its remote end
point (destination) address equal to the address of the next SR-MPLS
capable node identified as being on the SR path (i.e., the egress of the
active segment). The local end point (source) address is set to an address
of the encapsulating node. gives further advice
on how to set the source address if the UDP zero-checksum mode is used
with MPLS-in-UDP. Using UDP as the encapsulation may be particularly
beneficial because it is agnostic of the underlying transport.Incremental deployment of the SR-MPLS technology may be
facilitated by tunneling SR-MPLS packets across parts of a network
that are not SR-MPLS as shown in . This
demonstrates how islands of SR-MPLS may be connected across a legacy
network. It may be particularly useful for joining sites (such as
data centers).
If encoding of entropy ( is desired, IP
tunneling mechanisms that allow encoding of entropy, such as
MPLS-in-UDP encapsulation where the source
port of the UDP header is used as an entropy field, may be used to
maximize the utilization of ECMP and/or LAG, especially when it is
difficult to make use of the entropy label mechanism. This is to be
contrasted with where MPLS-in-IP does not
provide for an entropy mechanism. Refer to ) for more discussion
about using entropy labels in SR-MPLS.Tunneling MPLS over IP provides a technology that enables SR in
an IPv4 and/or IPv6 network where the routers do not support SRv6
capabilities
and where MPLS forwarding is not an option. This is shown in . This section describes the construction of forwarding information
base (FIB) entries and the forwarding behavior that allow the deployment
of SR-MPLS when some routers in the network are IP only (i.e., do not
support SR-MPLS). Note that the examples in and
assume that OSPF or ISIS is enabled: in fact, other
mechanisms of discovery and advertisement could be used including other
routing protocols (such as BGP) or a central controller.This sub-section describes the how to construct the forwarding
information base (FIB) entry on an SR-MPLS-capable router when some or
all of the next-hops along the shortest path towards a prefix Segment
Identifier (prefix-SID) are IP-only routers.
provides a concrete example of how the process applies when using OSPF
or ISIS.Consider router A that receives a labeled packet with top label
L(E) that corresponds to the prefix-SID SID(E) of prefix P(E)
advertised by router E. Suppose the i-th next-hop router (termed NHi)
along the shortest path from router A toward SID(E) is not SR-MPLS
capable while both routers A and E are SR-MPLS capable. The following
processing steps apply:Router E is SR-MPLS capable, so it advertises a Segment Routing
Global Block (SRGB). The SRGB is defined in .
There are a number of ways that the advertisement can be achieved
including IGPs, BGP, configuration/management protocols. For
example, see .When Router E advertises the prefix-SID SID(E) of prefix P(E)
it MUST also advertise the encapsulation endpoint and the tunnel
type of any tunnel used to reach E. This information is flooded
domain wide.If A and E are in different routing domains then the information MUST
be flooded into both domains. How this is achieved depends on the
advertisement mechanism being used. The objective is that router A
knows the characteristics of router E that originated the
advertisement of SID(E).Router A programs the FIB entry for prefix P(E) corresponding
to the SID(E) according to whether a pop or swap action is advertised
for the prefix. The resulting action may be:
pop the top labelswap the top label to a value equal to SID(E) plus the
lower bound of the SRGB of EOnce constructed, the FIB can be used by a router to tell it how to
process packets. It encapsulates the packets according to the
appropriate encapsulation advertised for the segment and then it sends
the packets towards the next hop NHi.This section is non-normative and provides a worked example of how
a FIB might be constructed using OSPF and ISIS extensions. It is based
on the process described in .Router E is SR-MPLS capable, so it advertises a Segment Routing
Global Block (SRGB) using
or
.When Router E advertises the prefix-SID SID(E) of prefix P(E)
it also advertises the encapsulation endpoint and the tunnel
type of any tunnel used to reach E using
or
.If A and E are in different domains then the information is
flooded into both domains and any intervening domains.
The OSPF Tunnel Encapsulation TLV
or the ISIS
Tunnel Encapsulation sub-TLV
is flooded
domain-wide.The OSPF SID/label range TLV
or
the ISIS SR-Capabilities Sub-TLV
is
advertised domain-wide so that router A knows the
characteristics of router E.When router E advertises the prefix P(E):
If router E is running ISIS it uses the extended
reachability TLV (TLVs 135, 235, 236, 237) and associates
the IPv4/IPv6 or IPv4/IPv6 source router ID sub-TLV(s)
.If router E is running OSPF it uses the OSPFv2 Extended
Prefix Opaque LSA and sets the
flooding scope to AS-wide.If router E is running ISIS and advertises the ISIS
capability TLV (TLV 242) , it sets the
"router-ID" field to a valid value or includes an IPV6
TE router-ID sub-TLV (TLV 12), or does both. The "S" bit
(flooding scope) of the ISIS capability TLV (TLV 242) is set
to "1" .Router A programs the FIB entry for prefix P(E) corresponding
to the SID(E) according to whether a pop or swap action is advertised
for the prefix as follows:
If the NP flag in OSPF or the P flag in ISIS is clear:
pop the top labelIf the NP flag in OSPF or the P flag in ISIS is set:
swap the top label to a value equal to SID(E) plus the
lower bound of the SRGB of EWhen forwarding the packet according to the constructed FIB entry the
router encapsulates the packet according to the encapsulation as advertised
using the mechanisms described in
or ). It then sends the
packets towards the next hop NHi.Note that specifies the use of port number 6635
to indicate that the payload of a UDP packet is MPLS, and port number 6636 for
MPLS-in-UDP utilizing DTLS. However,
and provide dynamic protocol
mechanisms to configure the use any Dynamic Port for a tunnel that uses UDP
encapsulation. Nothing in this document prevents the use of an IGP or any other
mechanism to negotiate the use of a Dynamic Port when UDP encapsulation is used
for SR-MPLS, but if no such mechanism is used then the port numbers specified in
are used. specifies an IP-based encapsulation for
MPLS, i.e., MPLS-in-UDP. This approach is applicable where IP-based
encapsulation for MPLS is required and further fine-grained load
balancing of MPLS packets over IP networks over Equal-Cost Multipath
(ECMP) and/or Link Aggregation Groups (LAGs) is also required. This
section provides details about the forwarding procedure when
UDP encapsulation is adopted for SR-MPLS over IP. Other encapsulation
and tunnelling mechanisms can be applied using similar techniques,
but for clarity this section uses UDP encapsulation as the exemplar.Nodes that are SR-MPLS capable can process SR-MPLS packets. Not all
of the nodes in an SR-MPLS domain are SR-MPLS capable. Some nodes may
be "legacy routers" that cannot handle SR-MPLS packets but can forward
IP packets. An SR-MPLS-capable node MAY advertise its capabilities
using the IGP as described in . There are six
types of node in an SR-MPLS domain: Domain ingress nodes that receive packets and encapsulate them
for transmission across the domain. Those packets may be any
payload protocol including native IP packets or packets that are
already MPLS encapsulated.Legacy transit nodes that are IP routers but that are not
SR-MPLS capable (i.e., are not able to perform segment
routing).Transit nodes that are SR-MPLS capable but that are not
identified by a SID in the SID stack.Transit nodes that are SR-MPLS capable and need to perform
SR-MPLS routing because they are identified by a SID in the SID
stack.The penultimate SR-MPLS capable node on the path that processes
the last SID on the stack on behalf of the domain egress node.The domain egress node that forwards the payload packet for
ultimate delivery.The description in this section assumes that the label associated
with each prefix-SID is advertised by the owner of the prefix-SID as
a Penultimate Hop Popping (PHP) label. That is, if one of the IGP
flooding mechanisms is used, the NP flag in OSPF or the P flag in
ISIS associated with the prefix-SID is not set.In the example shown in , assume that
routers A, E, G and H are SR-MPLS-capable while the remaining
routers (B, C, D and F) are only capable of forwarding IP packets.
Routers A, E, G, and H advertise their Segment Routing related
information, such as via IS-IS or OSPF.Now assume that router A (the Domain ingress) wants to send a
packet to router H (the Domain egress) via the explicit path
{E->G->H}. Router A will impose an MPLS label stack on the
packet that corresponds to that explicit path. Since the next hop
toward router E is only IP-capable (B is a legacy transit node),
router A replaces the top label (that indicated router E) with a
UDP-based tunnel for MPLS (i.e., MPLS-over-UDP ) to router E and then sends the packet. In other
words, router A pops the top label and then encapsulates the MPLS
packet in a UDP tunnel to router E.When the IP-encapsulated MPLS packet arrives at router E (which
is an SR-MPLS-capable transit node), router E strips the IP-based
tunnel header and then processes the decapsulated MPLS packet. The top
label indicates that the packet must be forwarded toward router G.
Since the next hop toward router G is only IP-capable, router E
replaces the current top label with an MPLS-over-UDP tunnel toward
router G and sends it out. That is, router E pops the top label and
then encapsulates the MPLS packet in a UDP tunnel to router G.When the packet arrives at router G, router G will strip the
IP-based tunnel header and then process the decapsulated MPLS
packet. The top label indicates that the packet must be forwarded
toward router H. Since the next hop toward router H is only
IP-capable (D is a legacy transit router), router G would replace
the current top label with an MPLS-over-UDP tunnel toward router H
and send it out. However, since router G reaches the bottom of the
label stack (G is the penultimate SR-MPLS capable node on the path)
this would leave the original packet that router A wanted to send to
router H encapsulated in UDP as if it was MPLS (i.e., with a UDP
header and destination port indicating MPLS) even though the
original packet could have been any protocol. That is, the final
SR-MPLS has been popped exposing the payload packet.To handle this, when a router (here it is router G) pops the
final SR-MPLS label, it inserts an explicit null label before encapsulating the packet in an
MPLS-over-UDP tunnel toward router H and sending it out. That is,
router G pops the top label, discovers it has reached the bottom of
stack, pushes an explicit null label, and then encapsulates the MPLS
packet in a UDP tunnel to router H. demonstrates the packet walk in the
case where the label associated with each prefix-SID advertised by
the owner of the prefix-SID is not a Penultimate Hop Popping (PHP)
label (e.g., the the NP flag in OSPF or the P flag in ISIS
associated with the prefix-SID is set). Apart from the PHP function
the roles of the routers is unchanged from .As can be seen from the figure, the SR-MPLS label for each
segment is left in place until the end of the segment where it is
popped and the next instruction is processed.Although the description in
the previous two sections is based on the use of prefix-SIDs,
tunneling SR-MPLS packets is useful when the top label of a
received SR-MPLS packet indicates an adjacency-SID and the
corresponding adjacent node to that adjacency-SID is not capable
of MPLS forwarding but can still process SR-MPLS packets. In
this scenario the top label would be replaced by an IP tunnel
toward that adjacent node and then forwarded over the
corresponding link indicated by the adjacency-SID.The description in
the previous two sections is based on the assumption that
MPLS-over-UDP tunnel is used when the nexthop towards the next
segment is not MPLS-enabled. However, even in the case where the
nexthop towards the next segment is MPLS-capable, an
MPLS-over-UDP tunnel towards the next segment could still be
used instead due to local policies. For instance, in the example
as described in , assume F is now an
SR-MPLS-capable transit node while all the other assumptions
remain unchanged: since F is not identified by a SID in the stack
and an MPLS-over-UDP tunnel is preferred to an MPLS LSP
according to local policies, router E replaces the current
top label with an MPLS-over-UDP tunnel toward router G and send
it out. (Note that if an MPLS LSP was preferred, the packet
would be forwarded as native SR-MPLS.)When encapsulating an MPLS
packet in UDP, the resulting packet is further encapsulated in
IP for transmission. IPv4 or IPv6 may be used according to the
capabilities of the network. The address fields are set as
described in . The other IP header
fields (such as the ECN field , the DSCP
code point , or IPv6 Flow Label) on each
UDP-encapsulated segment SHOULD be configurable according to the
operator's policy: they may be copied from the header of the
incoming packet; they may be promoted from the header of the
payload packet; they may be set according to instructions
programmed to be associated with the SID; or they may be
configured dependent on the outgoing interface and payload. The
TTL field setting in the encapsulating packet header is handled
as described in [RFC7510] which refers to [RFC4023].When encapsulating an MPLS
packet with an IP tunnel header that is capable of encoding
entropy (such as ), the corresponding
entropy field (the source port in the case of a UDP tunnel) MAY
be filled with an entropy value that is generated by the
encapsulator to uniquely identify a flow. However, what
constitutes a flow is locally determined by the encapsulator. For
instance, if the MPLS label stack contains at least one entropy
label and the encapsulator is capable of reading that entropy
label, the entropy label value could be directly copied to the
source port of the UDP header. Otherwise, the encapsulator may
have to perform a hash on the whole label stack or the five-tuple
of the SR-MPLS payload if the payload is determined as an IP packet.
To avoid re-performing the hash or hunting for the entropy label
each time the packet is encapsulated in a UDP tunnel it MAY be
desirable that the entropy value contained in the incoming
packet (i.e., the UDP source port value) is retained when
stripping the UDP header and is re-used as the entropy value of
the outgoing packet.Section 5 of
provides a detailed analysis of the
implications of congestion in MPLS-over-UDP systems and builds
on section 3.1.3 of that describes
the congestion implications of UDP tunnels. All of those
considerations apply to SR-MPLS-over-UDP tunnels as described
in this document. In particular, it should be noted that the
traffic carried in SR-MPLS flows is likely to be IP traffic.This document makes no requests for IANA action.The security consideration of (which redirects
the reader to ) and
apply. DTLS SHOULD be used where security is
needed on an MPLS-SR-over-UDP segment including when the IP segment crosses
the public Internet or some other untrusted environment.
provides security considerations for Segment Routing, and Section 8.1 of that
document is particularly applicable to SR-MPLS.It is difficult for an attacker to pass a raw MPLS encoded packet
into a network and operators have considerable experience at excluding
such packets at the network boundaries, for example by excluding all
packets that are revealed to be carrying an MPLS packet as the payload
of IP tunnels. Further discussion of MPLS security is found in
.It is easy for a network ingress node to detect any attempt to smuggle an IP
packet into the network since it would see that the UDP destination port
was set to MPLS, and such filtering SHOULD be applied. If, however, the
mechanisms described in
or are applied,
a wider variety of UDP port numbers might be in use making port filtering
harder.SR packets not having a destination address terminating in the network
would be transparently carried and would pose no different security risk to
the network under consideration than any other traffic.Where control plane techniques are used (as described in ), it is important that these protocols are adequately
secured for the environment in which they are run as discussed in
and .Thanks to Joel Halpern, Bruno Decraene, Loa Andersson,
Ron Bonica, Eric Rosen, Jim Guichard, Gunter Van De Velde,
Andy Malis, Robert Sparks, and Al Morton for their insightful
comments on this draft.Additional thanks to Mirja Kuehlewind, Alvaro Retana, Spencer Dawkins,
Benjamin Kaduk, Martin Vigoureux, Suresh Krishnan, and Éric Vyncke
for careful reviews and resulting comments.