SRv6 Path Egress Protection

Introduction specifies fast protections for nodes and links that are within a link-state IGP area. In other words, it specifies fast protections for transit nodes and links of an SR path, but does not describe any fast protections for the egress node or link of an SR path. While TI-LFA provides fast protection for transit nodes and links within an IGP area, it does not address egress node protection because the egress node is the endpoint of the SR path. TI-LFA relies on pre-computed backup paths that bypass failed nodes or links while maintaining the same destination. However, when the egress node itself fails, the destination becomes unreachable through the primary path. This document addresses this gap by introducing a Mirror SID mechanism that allows a backup egress node to take over the forwarding behavior of the failed egress node, effectively extending protection to the network edge. and specify fast protections for egress node(s) and link(s) of an MPLS TE LSP tunnel including P2P TE LSP tunnel and P2MP TE LSP tunnel in details. However, these documents do not discuss any fast protection for the egress node and link of a Segment Routing for IPv6 (SRv6) path or tunnel. For an SRv6 path from an ingress node to an egress node, the fast protection for the egress node and link of the path can be achieved through using 1 + 1 global protection. This solution uses more network resources and makes operation complex. A backup SRv6 path from the ingress node to a backup egress node is set up. A CE is dual-homed to the egress node and the backup egress node. A SID of the egress node is used to forward the traffic to the CE. This same SID is configured on the backup egress node to forward the traffic to the same CE. Both paths transmit the traffic to the same CE, which selects one. The CE selects the traffic from the egress node if the egress node and link work well; otherwise (i.e., the egress node or link failed), the CE selects the traffic from the backup egress node. This document presents a solution which provides fast protections for the egress node and link of an SRv6 path through extending IGP and using Mirror SID. Compared to 1 + 1 global protection, this solution is more efficient and the operation on it is simpler. The solution is scoped to a single link-state IGP area/level. It relies on IGP to distribute the tuple <PEB, PEA, Mirror SID> with the protected locators. The forwarding behavior for Service SIDs anchored on PEA may be obtained by the protector via existing means (e.g., ) or configuration, but this document does not introduce any per-service signaling in the IGP. Furthermore, the approach is applicable to modest numbers of protected services; large-scale deployments with many VPN/service instances or random multi-homing are not recommended due to IGP scaling considerations.

Terminologies The following terminologies are used in this document.

BFD:: Bidirectional Forwarding Detection
BGP:: Border Gateway Protocol
CE:: Customer Edge
DA:: Destination Address
Egress link:: A link from an egress node to another domain
Egress node:: A domain exit node on an SRv6 path
FIB:: Forwarding Information Base
IGP:: Interior Gateway Protocol
IS-IS:: Intermediate System to Intermediate System
L3VPN:: Layer 3 VPN
LFA:: Loop-Free Alternate
LS:: Link State, which is LSA in OSPF/OSPFv3 or LSP in IS-IS
LSA:: Link State Advertisement in OSPF/OSPFv3
LSP:: Label Switched Path in MPLS or Link State Protocol PDU in IS-IS
OSPF:: Open Shortest Path First
OSPFv3:: Open Shortest Path First version 3
P2MP:: Point-to-MultiPoint
P2P:: Point-to-Point
PDU:: Protocol Data Unit
PE:: Provider Edge
PLR:: Point of Local Repair
RL:: Repair List
SA:: Source Address
SID:: Segment Identifier
SR:: Segment Routing
SR path:: An SR path in this document is the active path of an SR Policy
SRv6:: SR for IPv6
SRv6 path:: An SRv6 path in this document is the active path of an SR Policy with SRv6 SIDs
TE:: Traffic Engineering
TI-LFA:: Topology Independent LFA
VPN:: Virtual Private Network

SRv6 Path Egress Protection This section describes the mechanism of SRv6 path egress protection and illustrates it through an example. All advertisements and computations in this section are confined to a single link-state IGP area/level for SRv6.

Mechanism is used to explain the mechanism of SRv6 path egress node and egress link protection.

PEB Protects Egress PEA of SRv6 Path

Egress Node Protection Desired Pathways in : Node PEA in is the egress node (aka egress) of the SRv6 path from PE1 to PEA and has SIDa which is the active segment in the packet from the SR path at PEA. Node PEB is the backup egress node (aka protector or backup egress) to provide the fast protection for the egress node (aka primary egress node) PEA. Node P1 is the direct previous/upstream endpoint of egress node PEA and acts as PLR (refer to ) to support the fast protection for PEA. Steps in Creating the Pathways: Step 1: Normal Pathway Set-up Normal path set-up establishes the SR path from ingress PE1 to egress PEA via P1. Ingress PE1 imports the traffic from CE1 into the SR path and egress PEA delivers the traffic from the SRv6 path to CE2. Step 2: Backup Pathway Set-up Step 2a: PEB Announces to Protect PEA When PEB is selected as a backup egress node to protect the egress node PEA, a SRv6 Mirror SID (refer to Section 5.1 of ) is configured on PEB to protect PEA. PEB MUST advertise this information through IGP, which includes the Mirror SID and the egress PEA. The information is represented by <PEB, PEA, Mirror SID>, together with the protected locators. This IGP signaling does not enumerate per-service entries. Step 2b: PEB Gets Forwarding Behavior of PEA After PEA receives the information <PEB, PEA, Mirror SID>, it may provide to PEB the forwarding behavior for the active SRv6 segment SIDa at PEA by existing means. When SIDa is a Service SID (e.g., a VPN SID) anchored on PEA, PEB may learn its forwarding behavior via the BGP-based overlay as per or by configuration; this document does not introduce per-service signaling in IGP. This enables PEB to reproduce the egress behavior for packets whose active segment at PEA is a Service SID, without requiring IGP to flood per-service state. Step 2c: PEB Creates FIB for PEA When PEB gets the forwarding behavior of SIDa of PEA, it MUST add a forwarding entry for SIDa into the forwarding table identified by the Mirror SID (the PEA context). This supports Service SID semantics at the protector. However, for large numbers of Service SIDs, operators SHOULD avoid deployments where protection requires fine-grained per-service modeling in IGP, as it may increase IGP flooding and affect convergence. Step 2d: P1 as PLR Prepares to Protect PEA by PEB After P1 as PLR receives the information <PEB, PEA, Mirror SID> and knows that PEB wants to protect SIDa of PEA, it computes an LFA for PEA assuming that PEA and PEB have the same anycast address. A Repair List RL (or say backup path) is obtained based on the LFA. It is one of the following:

o: RL = <Mirror SID> if the LFA is the next hop node to PEB along the shortest path to PEB; or
o: RL = <S1, ..., Sn, Mirror SID> if the LFA is a TI-LFA, where <S1, ..., Sn> is the TI-LFA Repair List to PEB computed by P1.

Step 3: Backup Path Is Engaged upon PEA Failure Step 3a: P1 Detects PEA Failure via BFD or Other Mechanisms Step 3b: P1 Sends Packet with SIDa to Backup Egress PEB When egress node PEA fails, P1 as PLR sends the packet with SIDa carried by the SR path to backup egress node PEB, but MUST encapsulate the packet before sending it by executing H.Encaps with the Repair List RL and a Source Address T. P1 as PLR needs to retain the route to PEA for a period of time after its IGP converges on the failure of PEA. Thus the backup path for PEA will be used when the other nodes (such as PE1) still send the packet to PEA via P1 since their IGPs do not converge on the failure. Suppose that the packet received by P1 is represented by Pkt = (S, SID-P1)(SIDa,SID-P1; SL=1)Pkt0, where SA = S and DA = SID-P1 (i.e., SID of P1), and Pkt0 is the rest of the packet. P1 sets DA to SIDa, updates SL and executes H.Encaps. The execution of H.Encaps pushes an IPv6 header to Pkt and sets some fields in the outer and inner IPv6 header to produce an encapsulated packet Pkt'. Pkt' will be one of the following:

o: Pkt' = (T, Mirror SID) (S, SIDa)Pkt0 if RL = <Mirror SID>; or
o: Pkt' = (T, S1)(Mirror SID, Sn, ..., S1; SL=n) (S, SIDa)Pkt0 if RL = <S1, ..., Sn, Mirror SID>.

Step 3c: PEB Decapsulates Packet and Forwards It When PEB receives the re-routed packet, which is (T, Mirror SID) (S, SIDa)Pkt0, it decapsulates the packet and forwards the decapsulated packet using the FIB table Tm identified by the Mirror SID as a variant of End.DT6 SID. The Mirror SID is called End.M. When a node processes a packet with an End.M SID as the destination, it MUST perform the following steps in order: 1. Verify that the End.M SID is locally instantiated. If not, process according to Section 4.1.1 of . 2. Remove the outer IPv6 header with all its extension headers. 3. Identify the FIB table associated with the End.M SID context. 4. Submit the inner packet to the identified FIB table for forwarding. If any of these steps fail, the packet MUST be dropped and an appropriate error counter SHOULD be incremented. The behavior of Mirror SID (End.M for short) is a variant of the End.DT6 behavior (refer to Section 4.6 of ). The End.M SID MUST be the last segment in an SR path, and a SID instance is associated with an IPv6 FIB table Tm.

Egress Link Protection Egress link protection is similar to egress node protection for SRv6 . When the egress link from egress node PEA to CE2 fails, PEA acting as a PLR reroutes the traffic to backup egress node PEB via a backup path. Specifically, PEA as a PLR pre-computes a Repair List RL (or say backup path) toward PEB after receiving <PEB, PEA, Mirror SID> and knowing that PEB wants to protect SIDa of PEA. When the link fails, PEA as PLR sends the packet with SIDa by executing H.Encaps with the Repair List RL. All operations occur within the same IGP flooding scope; no per-service signaling is introduced in IGP.

Example shows an example of fast protecting egress node PE3 of an SRv6 path, which is from ingress node PE1 to egress node PE3.

PE4 Protects Egress PE3 of SR Path Desired Pathways in : Node P1's pre-computed backup path for PE3 is from P1 to PE4 via P2. In normal operations, after receiving a packet with SRv6 destination PE3, P1 forwards the packet to PE3 according to its FIB. When PE3 receives the packet, it sends the packet to CE2. When PE3 fails, P1 as PLR detects the failure through using a failure detection mechanism such as BFD and forwards the packet to PE4 via the backup path. When PE4 receives the packet, it sends the packet to the same CE2. When P1's IGP converges on the failure of PE3, P1 as PLR needs to retain the route to PE3 for a period of time. Thus the backup path for PE3 will be used when the other nodes (such as PE1) still send the packet to PE3 via P1 since their IGPs do not converge on the failure. In , Both CE2 and CE3 are dual-homed to PE3 and PE4. PE3 has a locator A3:1::/64 and a VPN SID A3:1::B100. PE4 has a locator A4:1::/64 and VPN SID A4:1::B100. A Mirror SID A4:1::3 is configured on PE4 for protecting PE3 with locator A3:1::/64. P1 has SID-P1 = A5:1::A100. Steps in Creating the Pathways: Step 1: Normal Pathway Set-up [PEB is PE4, PEA is PE3] Step 2: Backup Pathway Set-up Step 2a: PE4 (aka PEB) Announces to Protect PE3 (aka PEA) After the configuration, PE4 advertises this information through an IGP LS (i.e., LSA in OSPFv3 or LSP in IS-IS), which includes PE3's locator and Mirror SID A4:1::3. Every node in the SR domain will receive this IGP LS, which indicates that PE4 wants to protect PE3 (indicated by PE3's locator) with Mirror SID A4:1::3. Step 2b: PE4 (aka PEB) Gets Forwarding Behavior of PE3 (aka PEA) When PE4 (e.g., BGP on PE4) receives a prefix whose VPN SID belongs to PE3 that is protected by PE4 through Mirror SID A4:1::3, it finds PE4's VPN SID corresponding to PE3's VPN SID. For example, local PE4 has Prefix 1.1.1.1 with VPN SID A4:1::B100, when PE4 receives prefix 1.1.1.1 with remote PE3's VPN SID A3:1::B100, it knows that they are for the same VPN. The forwarding behaviors for these two VPN SIDs are the same from function's point of view. If the behavior for PE3's VPN SID in PE3 forwards the packet with it to CE2, then the behavior for PE4's VPN SID in PE4 forwards the packet to the same CE2; and vice versa. Step 2c: PE4 (aka PEB) Creates FIB for PE3 (aka PEA) PE4 creates a forwarding entry for PE3's VPN SID A3:1::B100 in the FIB table identified by Mirror SID A4:1::3 according to the forwarding behavior for PE4's VPN SID A4:1::B100. Step 2d: P1 Prepares to Protect PE3 (aka PEA) by PE4 (aka PEB) Node P1's pre-computed backup path for destination PE3 is from P1 to PE4 having mirror SID A4:1::3. When P1 receives a packet destined to PE3's VPN SID A3:1::B100, in normal operations, it forwards the packet with source A1:1:: and destination PE3's VPN SID A3:1::B100 according to the FIB using the destination PE3's VPN SID A3:1::B100. Step 3: Backup Path Is Engaged upon PE3 (aka PEA) Failure Step 3a: P1 Detects PE3 (aka PEA) Failure via BFD Step 3b: P1 Sends Packet with SIDa to Backup Egress PE4 (aka PEB) When PE3 fails, P1 as PLR sends the packet to PE4 via the backup path pre-computed. P1 encapsulates the packet using H.Encaps before sending it to PE4. Suppose that the packet received by P1 is represented by Pkt = (SA=A1:1::,DA=A5:1::A100)(SIDa=A3:1::B100,SID-P1=A5:1::A100;SL=1) Pkt0, where DA = A5:1::A100 is P1's SID, A3:1::B100 is PE3's VPN SID, and Pkt0 is the rest of the packet. P1 sets DA to A3:1::B100, updates SL, and encapsulates the packet. The encapsulated packet Pkt' will be one of the following:

o: Pkt' = (T, Mirror SID A4:1::3) (A1:1::, A3:1::B100)Pkt0 if the LFA is the next hop node to PE4 along the shortest path to PE4; or (otherwise)
o: Pkt' = (T, S1)(Mirror SID A4:1::3, Sn, ..., S1; SL=n) (A1:1::, A3:1::B100)Pkt0.

where T is a Source Address, <S1, ..., Sn> is the TI-LFA Repair List to PE4 computed by P1. Step 3c: PE4 (aka PEB) Decapsulates Packet and Forwards It When PE4 receives the re-routed packet, it decapsulates the packet and forwards the decapsulated packet by executing the behavior of End.M for the Mirror SID that is associated with the IPv6 FIB table for PE3. The packet received by PE4 is (T, Mirror SID A4:1::3) (A1:1::, PE3's VPN SID A3:1::B100)Pkt0. PE4 obtains Mirror SID A4:1::3 in the outer IPv6 header of the packet, removes this outer IPv6 header, and then processes the inner IPv6 packet (A1:1::, A3:1::B100)Pkt0. It finds the FIB table for PE3 using Mirror SID A4:1::3 as the context ID, gets the forwarding entry for PE3's VPN SID A3:1::B100 from the table, and forwards the packet to CE2 using the entry. Note:This example demonstrates that a Service SID (e.g., a VPN SID) can be preserved at the protector via the Mirror-SID context. However, at large scale (many VPN/service instances and/or random multi-homing of services across multiple protectors), the amount of egress-protection information to be flooded in IGP increases and may affect convergence; such deployments are not recommended for this IGP-based mechanism. Operators SHOULD consolidate protectors per egress and limit per-service granularity in IGP.

Operational Guidelines Protector Consolidation: Prefer a single protector PEB per PEA within the IGP area/level to minimize the number of SRv6 <PEB, PEA, Mirror SID> advertisements. Limit Granularity in IGP: Do not attempt to enumerate per-service entries in IGP; use locator-level protection only. Service Behavior Acquisition: Learning Service-SID behaviors at the protector (e.g., via BGP per or configuration) is an implementation choice and does not alter the IGP flooding scope. Applicability Thresholds: When the protected service count per egress or the number of protection relationships grows large-especially with random multi-homing-the IGP control-plane load and convergence may be adversely affected; such deployments are not recommended for this mechanism.

Extensions to IGP for Egress Protection This section describes extensions to IS-IS and OSPFv3 for advertising the information about SRv6 path egress protection.

Extensions to IS-IS A new sub-TLV, called IS-IS SRv6 Mirror SID sub-TLV, is defined. It is used in the SRv6 Locator TLV defined in to advertise SRv6 Mirror SID and the locators of the nodes to be protected. The SRv6 Mirror SID inherits the topology/algorithm from the parent locator. The format of the sub-TLV is illustrated below.

IS-IS SRv6 Mirror SID sub-TLV

Type:: TBD1 (suggested value 8) is to be assigned by IANA.
Length:: 1 octet. Its value MUST NOT be less than 23. 23 is 19 (i.e., the size of Reserved, SRv6 Endpoint Function and SID) plus 4 (i.e., the minimum size of a IS-IS protected locators sub-sub-TLV). The entire IS-IS SRv6 Mirror SID sub-TLV MUST be ignored if the length is less than 23.
Reserved:: 1 octet. This octet MUST be set to zero on transmit, and ignored on receipt.
SRv6 Endpoint Function:: 2 octets. It MUST contain the endpoint function 74 for Mirror SID. The entire IS-IS SRv6 Mirror SID sub-TLV MUST be ignored if it does not contain the endpoint function 74.
SID:: 16 octets. This field contains the SRv6 Mirror SID to be advertised. It MUST NOT be zero (0). The entire IS-IS SRv6 Mirror SID sub-TLV MUST be ignored if it contains zero (0).

A protected locators sub-sub-TLV is defined and used to carry the Locators of the egress node to be protected by the SRv6 mirror SID. The IS-IS SRv6 Mirror SID sub-TLV MUST include one IS-IS protected locators sub-sub-TLV. It has the following format.

IS-IS Protected Locators sub-sub-TLV

Type:: TBD2 (suggested value 1) is to be assigned by IANA.
Length:: 1 octet. Its value MUST NOT be less than 2. The entire IS-IS SRv6 Mirror SID sub-TLV MUST be ignored if the length is less than 2.
Locator-Size:: 1 octet. Number of bits in the Locator field, which MUST be from the range (1-128). The entire IS-IS SRv6 Mirror SID sub-TLV MUST be ignored if the Locator-Size is outside this range.
Locator:: 1-16 octets. This field encodes an SRv6 Locator of an egress node to be protected by the SRv6 mirror SID. The Locator is encoded in the minimal number of octets for the given number of bits. Trailing bits MUST be set to zero and ignored when received.

When node B advertises that B wants to protect node A with a Mirror SID through an LSP, the LSP MUST have an SRv6 Locator TLV containing an IS-IS SRv6 Mirror SID sub-TLV, which includes the Mirror SID and node A's locators in an IS-IS Protected locators sub-sub-TLV. Note:The IS-IS SRv6 Mirror SID sub-TLV MUST include exactly one "Protected Locators" sub-sub-TLV and MUST NOT carry per-service (e.g., VPN/Service-SID) enumerations. This document does not define any IGP encoding to list individual services; attempting to do so at large scale is not suitable due to IGP flooding and convergence considerations.

Extensions to OSPFv3 Similarly, a new sub-TLV, called OSPFv3 Mirror SID sub-TLV, is defined. It is used in the SRv6 Locator TLV defined in to advertise SRv6 Mirror SID and the locators of the nodes to be protected. Its format is illustrated below.

OSPFv3 SRv6 Mirror SID sub-TLV

Type:: TBD3 (suggested value 8) is to be assigned by IANA.
Length:: 2 octets. Its value MUST NOT be less than 26. 26 is 20 (i.e., the size of Reserved, SRv6 Endpoint Function and SID) plus 6 (i.e., the minimum size of a OSPFv3 protected locators sub-TLV). The entire OSPFv3 SRv6 Mirror SID sub-TLV MUST be ignored if the length is less than 26.
Reserved:: 2 octets. It MUST be set to zero for transmission and ignored on reception.
SRv6 Endpoint Function:: 2 octets. It MUST contain the endpoint function 74 for End.M SID. The entire OSPFv3 SRv6 Mirror SID sub-TLV MUST be ignored if it does not contain the endpoint function 74.
SID:: 16 octets. This field contains the SRv6 Mirror SID to be advertised. It MUST NOT be zero (0). The entire OSPFv3 SRv6 Mirror SID sub-TLV MUST be ignored if it contains zero (0).

A protected locators sub-TLV is defined and used to carry the locators of the node to be protected by the SRv6 Mirror SID. The OSPFv3 SRv6 Mirror SID sub-TLV MUST include one OSPFv3 protected locators sub-TLV. It has the following format.

OSPFv3 Protected Locators sub-TLV

Type:: TBD4 (suggested value 1) is to be assigned by IANA.
Length:: 2 octets. Its value MUST NOT be less than 2. The entire OSPFv3 SRv6 Mirror SID sub-TLV MUST be ignored if the Length is less than 2.
Locator-Size:: 1 octet. Number of bits (1 - 128) in the Locator field. Number of bits in the Locator field, which MUST be from the range (1-128). The entire OSPFv3 SRv6 Mirror SID sub-TLV MUST be ignored if the Locator-Size is outside this range.
Locator:: 1-16 octets. This field encodes an SRv6 Locator of an egress node to be protected by the SRv6 mirror SID. The Locator is encoded in the minimal number of octets for the given number of bits. Trailing bits MUST be set to zero and ignored when received.

When node B advertises that B wants to protect node A with a Mirror SID through an LSA, the LSA MUST have an SRv6 Locator TLV containing an OSPFv3 SRv6 Mirror SID sub-TLV, which includes the Mirror SID and node A's locators in an OSPFv3 Protected Locators sub-TLV. Note:The OSPFv3 SRv6 Mirror SID sub-TLV MUST include exactly one "Protected Locators" sub-TLV and MUST NOT carry per-service (e.g., VPN/Service-SID) enumerations for the same reasons as above.

Security Considerations The egress protection specified in this document involves rerouting traffic around an egress node or link failure, via a backup path from a PLR to a backup egress node. The forwarding performed by the nodes in the data plane is anticipated, as part of the planning of egress protection. The extensions to control plane protocol IS-IS or OSPFv3 are used to support the egress protection on the nodes in an OSPFv3 or IS-IS area. The area is in a single administrative domain. In addition, the PLR and backup egress node are located close to the egress node, which is in the same administrative domain. Security concerns for IS-IS are addressed in , and . While IS-IS is deployed under a single administrative domain, there can be deployments where potential attackers have access to one or more networks in the IS-IS routing domain. In these deployments, the stronger authentication mechanisms defined in the aforementioned documents SHOULD be used. Security concerns for OSPFv3 are described in and . While OSPFv3 is under a single administrative domain, there can be deployments where potential attackers have access to one or more networks in the OSPFv3 routing domain. In these deployments, stronger authentication mechanisms such as those specified in and SHOULD be used. SRv6-Specific Security Considerations:The Mirror SID mechanism introduces the following SRv6-specific security considerations: - Mirror SID Authentication: Since the Mirror SID is advertised through IGP, it is essential that IGP advertisements are authenticated to prevent malicious nodes from advertising counterfeit Mirror SIDs. Implementations SHOULD support the cryptographic authentication mechanisms specified in for IS-IS and for OSPFv3. - Context Isolation: The FIB table identified by the Mirror SID MUST be properly isolated to prevent traffic from one protected egress node from being forwarded using the context of another egress node. Implementations MUST ensure that the context identified by a Mirror SID is only used for packets explicitly addressed to that Mirror SID. Security attacks may sometimes come from a customer domain. Such attacks are not introduced by the egress protection in this document and may occur regardless of the existence of egress protection. In one possible case, the egress link between an egress node and a CE could become a point of attack. An attacker that gains control of the CE might use it to simulate link failures and trigger constant and cascading activities in the network. If egress link protection is in place, egress link protection activities may also be triggered. As a general solution to defeat the attack, a damping mechanism SHOULD be used by the egress node to promptly suppress the services associated with the link or CE. The egress node would stop delivering the services to CE, essentially detaching them from the network and eliminating the effect of the simulated link failures. All protocol extensions operate within a single link-state IGP area/level; no per-service signaling is introduced in IGP, and references to BGP concern only how a protector may learn forwarding behavior.When a protector learns per-service forwarding behavior via mechanisms outside the IGP (e.g., BGP as per or local configuration), it SHOULD validate that the behavior is authorized and consistent with the protected egress node's capabilities advertised through those same external mechanisms. This document does not introduce per-service signaling in the IGP for this validation. The following threats are addressed by corresponding mechanisms: -- Unauthorized Rerouting: An attacker could attempt to trigger unnecessary rerouting by advertising false failure information. This is mitigated by: * Using BFD or other reliable failure detection mechanisms. * Authenticating IGP advertisements. * Implementing damping mechanisms to prevent flapping. -- Traffic Interception: An attacker could attempt to become a protector to intercept traffic. This is mitigated by: * Limiting protector selection to trusted nodes within the same administrative domain. * Authenticating IGP advertisements of Mirror SIDs. * Monitoring for unexpected protector advertisements. -- Denial of Service: An attacker could attempt to overwhelm the protector with traffic. This is mitigated by: * Implementing rate limiting at the protector. * Using proper FIB table isolation. * Monitoring traffic patterns. -- Control Plane Overload: An attacker could attempt to flood the IGP with excessive protection advertisements, causing control plane overload and convergence issues.This is mitigated by: * Limit the number of protection relationships per node. * Implement IGP flooding rate limiting. * Use the operational guidelines in Section 3.3 to limit the scale of deployments. * Monitor IGP database size and convergence times.

IANA Considerations

SRv6 Endpoint Behaviors Under registry "SRv6 Endpoint Behaviors" , IANA has assigned the following for End.M Endpoint Behavior:

IS-IS Under "IS-IS Sub-TLVs for TLVs Advertising Prefix Reachability registry", IANA is requested to add the following new Sub-TLV: IANA is requested to create and maintain a new registry for sub-sub-TLVs of the SRv6 Mirror SID Sub-TLV. The suggested registry name is

o: Sub-Sub-TLVs for SRv6 Mirror SID Sub-TLV

Initial suggested values for the registry are given below. The future assignments are to be made through IETF Review .

OSPFv3 Under registry "OSPFv3 SRv6 Locator LSA Sub-TLVs" , IANA is requested to assign the following new Sub-TLVs:

References Normative References Intermediate System to Intermediate System Intra-Domain Routing Exchange Protocol for use in Conjunction with the Protocol for Providing the Connectionless-mode Network Service (ISO 8473) International Organization for Standardization Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Extensions to RSVP-TE for Label Switched Path (LSP) Egress Protection This document describes extensions to Resource Reservation Protocol - Traffic Engineering (RSVP-TE) for locally protecting the egress node(s) of a Point-to-Point (P2P) or Point-to-Multipoint (P2MP) Traffic Engineered (TE) Label Switched Path (LSP). Segment Routing Architecture Segment Routing (SR) leverages the source routing paradigm. A node steers a packet through an ordered list of instructions, called "segments". A segment can represent any instruction, topological or service based. A segment can have a semantic local to an SR node or global within an SR domain. SR provides a mechanism that allows a flow to be restricted to a specific topological path, while maintaining per-flow state only at the ingress node(s) to the SR domain. SR can be directly applied to the MPLS architecture with no change to the forwarding plane. A segment is encoded as an MPLS label. An ordered list of segments is encoded as a stack of labels. The segment to process is on the top of the stack. Upon completion of a segment, the related label is popped from the stack. SR can be applied to the IPv6 architecture, with a new type of routing header. A segment is encoded as an IPv6 address. An ordered list of segments is encoded as an ordered list of IPv6 addresses in the routing header. The active segment is indicated by the Destination Address (DA) of the packet. The next active segment is indicated by a pointer in the new routing header. IS-IS Extensions for Segment Routing Segment Routing (SR) allows for a flexible definition of end-to-end paths within IGP topologies by encoding paths as sequences of topological sub-paths, called "segments". These segments are advertised by the link-state routing protocols (IS-IS and OSPFv3). This document describes the IS-IS extensions that need to be introduced for Segment Routing operating on an MPLS data plane. MPLS Egress Protection Framework This document specifies a fast reroute framework for protecting IP/MPLS services and MPLS transport tunnels against egress node and egress link failures. For each type of egress failure, it defines the roles of Point of Local Repair (PLR), protector, and backup egress router and the procedures of establishing a bypass tunnel from a PLR to a protector. It describes the behaviors of these routers in handling an egress failure, including local repair on the PLR and context-based forwarding on the protector. The framework can be used to develop egress protection mechanisms to reduce traffic loss before global repair reacts to an egress failure and control-plane protocols converge on the topology changes due to the egress failure. Segment Routing over IPv6 (SRv6) Network Programming The Segment Routing over IPv6 (SRv6) Network Programming framework enables a network operator or an application to specify a packet processing program by encoding a sequence of instructions in the IPv6 packet header. Each instruction is implemented on one or several nodes in the network and identified by an SRv6 Segment Identifier in the packet. This document defines the SRv6 Network Programming concept and specifies the base set of SRv6 behaviors that enables the creation of interoperable overlays with underlay optimization. Segment Routing Policy Architecture Segment Routing (SR) allows a node to steer a packet flow along any path. Intermediate per-path states are eliminated thanks to source routing. SR Policy is an ordered list of segments (i.e., instructions) that represent a source-routed policy. Packet flows are steered into an SR Policy on a node where it is instantiated called a headend node. The packets steered into an SR Policy carry an ordered list of segments associated with that SR Policy. This document updates RFC 8402 as it details the concepts of SR Policy and steering into an SR Policy. IS-IS Extensions to Support Segment Routing over the IPv6 Data Plane The Segment Routing (SR) architecture allows a flexible definition of the end-to-end path by encoding it as a sequence of topological elements called "segments". It can be implemented over the MPLS or the IPv6 data plane. This document describes the IS-IS extensions required to support SR over the IPv6 data plane. This document updates RFC 7370 by modifying an existing registry. OSPFv3 Extensions for Segment Routing over IPv6 (SRv6) The Segment Routing (SR) architecture allows a flexible definition of the end-to-end path by encoding it as a sequence of topological elements called segments. It can be implemented over an MPLS or IPv6 data plane. This document describes the OSPFv3 extensions required to support SR over the IPv6 data plane. IS-IS Cryptographic Authentication This document describes the authentication of Intermediate System to Intermediate System (IS-IS) Protocol Data Units (PDUs) using the Hashed Message Authentication Codes - Message Digest 5 (HMAC-MD5) algorithm as found in RFC 2104. IS-IS is specified in International Standards Organization (ISO) 10589, with extensions to support Internet Protocol version 4 (IPv4) described in RFC 1195. The base specification includes an authentication mechanism that allows for multiple authentication algorithms. The base specification only specifies the algorithm for cleartext passwords. This document replaces RFC 3567. This document proposes an extension to that specification that allows the use of the HMAC-MD5 authentication algorithm to be used in conjunction with the existing authentication mechanisms. [STANDARDS-TRACK] IS-IS Generic Cryptographic Authentication This document proposes an extension to Intermediate System to Intermediate System (IS-IS) to allow the use of any cryptographic authentication algorithm in addition to the already-documented authentication schemes, described in the base specification and RFC 5304. IS-IS is specified in International Standards Organization (ISO) 10589, with extensions to support Internet Protocol version 4 (IPv4) described in RFC 1195. Although this document has been written specifically for using the Hashed Message Authentication Code (HMAC) construct along with the Secure Hash Algorithm (SHA) family of cryptographic hash functions, the method described in this document is generic and can be used to extend IS-IS to support any cryptographic hash function in the future. [STANDARDS-TRACK] OSPF for IPv6 This document describes the modifications to OSPF to support version 6 of the Internet Protocol (IPv6). The fundamental mechanisms of OSPF (flooding, Designated Router (DR) election, area support, Short Path First (SPF) calculations, etc.) remain unchanged. However, some changes have been necessary, either due to changes in protocol semantics between IPv4 and IPv6, or simply to handle the increased address size of IPv6. These modifications will necessitate incrementing the protocol version from version 2 to version 3. OSPF for IPv6 is also referred to as OSPF version 3 (OSPFv3). Changes between OSPF for IPv4, OSPF Version 2, and OSPF for IPv6 as described herein include the following. Addressing semantics have been removed from OSPF packets and the basic Link State Advertisements (LSAs). New LSAs have been created to carry IPv6 addresses and prefixes. OSPF now runs on a per-link basis rather than on a per-IP-subnet basis. Flooding scope for LSAs has been generalized. Authentication has been removed from the OSPF protocol and instead relies on IPv6's Authentication Header and Encapsulating Security Payload (ESP). Even with larger IPv6 addresses, most packets in OSPF for IPv6 are almost as compact as those in OSPF for IPv4. Most fields and packet- size limitations present in OSPF for IPv4 have been relaxed. In addition, option handling has been made more flexible. All of OSPF for IPv4's optional capabilities, including demand circuit support and Not-So-Stubby Areas (NSSAs), are also supported in OSPF for IPv6. [STANDARDS-TRACK] OSPFv3 Link State Advertisement (LSA) Extensibility OSPFv3 requires functional extension beyond what can readily be done with the fixed-format Link State Advertisement (LSA) as described in RFC 5340. Without LSA extension, attributes associated with OSPFv3 links and advertised IPv6 prefixes must be advertised in separate LSAs and correlated to the fixed-format LSAs. This document extends the LSA format by encoding the existing OSPFv3 LSA information in Type-Length-Value (TLV) tuples and allowing advertisement of additional information with additional TLVs. Backward-compatibility mechanisms are also described. This document updates RFC 5340, "OSPF for IPv6", and RFC 5838, "Support of Address Families in OSPFv3", by providing TLV-based encodings for the base OSPFv3 unicast support and OSPFv3 address family support. Authentication/Confidentiality for OSPFv3 This document describes means and mechanisms to provide authentication/confidentiality to OSPFv3 using an IPv6 Authentication Header/Encapsulating Security Payload (AH/ESP) extension header. [STANDARDS-TRACK] Supporting Authentication Trailer for OSPFv3 Currently, OSPF for IPv6 (OSPFv3) uses IPsec as the only mechanism for authenticating protocol packets. This behavior is different from authentication mechanisms present in other routing protocols (OSPFv2, Intermediate System to Intermediate System (IS-IS), RIP, and Routing Information Protocol Next Generation (RIPng)). In some environments, it has been found that IPsec is difficult to configure and maintain and thus cannot be used. This document defines an alternative mechanism to authenticate OSPFv3 protocol packets so that OSPFv3 does not depend only upon IPsec for authentication. The OSPFv3 Authentication Trailer was originally defined in RFC 6506. This document obsoletes RFC 6506 by providing a revised definition, including clarifications and refinements of the procedures. Informative References Carrying Label Information in BGP-4 This document specifies the way in which the label mapping information for a particular route is piggybacked in the same Border Gateway Protocol (BGP) Update message that is used to distribute the route itself. [STANDARDS-TRACK] BGP/MPLS IP Virtual Private Networks (VPNs) This document describes a method by which a Service Provider may use an IP backbone to provide IP Virtual Private Networks (VPNs) for its customers. This method uses a "peer model", in which the customers' edge routers (CE routers) send their routes to the Service Provider's edge routers (PE routers); there is no "overlay" visible to the customer's routing algorithm, and CE routers at different sites do not peer with each other. Data packets are tunneled through the backbone, so that the core routers do not need to know the VPN routes. [STANDARDS-TRACK] Guidelines for Writing an IANA Considerations Section in RFCs Many protocols make use of identifiers consisting of constants and other well-known values. Even after a protocol has been defined and deployment has begun, new values may need to be assigned (e.g., for a new option type in DHCP, or a new encryption or authentication transform for IPsec). To ensure that such quantities have consistent values and interpretations across all implementations, their assignment must be administered by a central authority. For IETF protocols, that role is provided by the Internet Assigned Numbers Authority (IANA). In order for IANA to manage a given namespace prudently, it needs guidelines describing the conditions under which new values can be assigned or when modifications to existing values can be made. If IANA is expected to play a role in the management of a namespace, IANA must be given clear and concise instructions describing that role. This document discusses issues that should be considered in formulating a policy for assigning values to a namespace and provides guidelines for authors on the specific text that must be included in documents that place demands on IANA. This document obsoletes RFC 2434. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. BGP Overlay Services Based on Segment Routing over IPv6 (SRv6) This document defines procedures and messages for SRv6-based BGP services, including Layer 3 Virtual Private Network (L3VPN), Ethernet VPN (EVPN), and Internet services. It builds on "BGP/MPLS IP Virtual Private Networks (VPNs)" (RFC 4364) and "BGP MPLS-Based Ethernet VPN" (RFC 7432). Topology Independent Fast Reroute using Segment Routing Individual Cisco Systems Cisco Systems INSA Lyon Orange Bell Canada This document presents Topology Independent Loop-free Alternate Fast Reroute (TI-LFA), aimed at providing protection of node and adjacency segments within the Segment Routing (SR) framework. This Fast Reroute (FRR) behavior builds on proven IP Fast Reroute concepts being LFAs, remote LFAs (RLFA), and remote LFAs with directed forwarding (DLFA). It extends these concepts to provide guaranteed coverage in any two-connected networks using a link-state IGP. An important aspect of TI-LFA is the FRR path selection approach establishing protection over the expected post-convergence paths from the point of local repair, reducing the operational need to control the tie-breaks among various FRR options.

Acknowledgments The authors would like to thank Acee Lindem, Peter Psenak, Yimin Shen, Jie Dong, Zhenqiang Li, Alexander Vainshtein, Greg Mirsky, Bruno Decraene, Jeff Tantsura, Chris Bowers, Ketan Talaulikar, Bob Halley, Tal Mizrahi, Yingzhen Qu and Susan Hares for their comments to this work.

Contributors' Addresses