CCAMP Working Group                                          D. Caviglia
Internet-Draft                                             D. Bramanti Ceccarelli
Expires: January 16, May 1, 2009                                         D. Bramanti
                                                                Ericsson
                                                                   D. Li
                                           Huawei Technologies Co., LTD.
                                                             S. Bardalai
                                      Fujitsu Network Communications Inc
                                                           July 15,
                                                        October 28, 2008

    RSVP-TE Signaling Extension For The Conversion Between Permanent
Connections And Soft Permanent Connections In A GMPLS Enabled Transport
                                Network.

               draft-ietf-ccamp-pc-spc-rsvpte-ext-01.txt

               draft-ietf-ccamp-pc-spc-rsvpte-ext-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 16, May 1, 2009.

Abstract

   We would like to dedicate this work to our friend and colleague Dino
   Bramanti, who passed away at the early age of 38.  Dino has been
   involved in this work since its beginning.

   In a transport network scenario, where Data Plane connections
   controlled either by GMPLS Control Plane (Soft Permanent Connections
   - SPC) or by Management System (Permanent Connections - PC) may
   independently coexist, the ability of transforming an existing PC
   into a SPC and vice versa - without actually affecting Data Plane
   traffic being carried over it - is a requirement.  See draft
   "draft-ietf-ccamp-pc-and-reqs-04.txt [1].  This memo provides a minor
   extension to RSVP-TE [RFC2205],[RFC3471],[RFC3473],[RFC4872] [RFC2205], [RFC3471], [RFC3473], [RFC4872]
   signaling protocol, within GMPLS architecture, to enable such
   connection ownership transfer and describes the proposed procedures.
   Failure conductions and subsequent roll back are also illustrated
   taking into account that an handover failure must not impact the
   already established data plane connections.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Motivation . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Overview Of Proposed RSVP-TE Based Solution  . . . . . . . . .  3
   5.  MP to CP handover: LSP Ownership Transfer From Management
       Plane To Control Plane . . . . . . . . . . . . . . . . . . . .  5
     5.1.  MP to CP Handover Procedure Success  . . . . . . . . . . .  6
     5.2.  MP to CP Handover Procedure Failure Handling . . . . . . .  7
       5.2.1.  MP to CP Handover Failure - Path Failure . . . . . . .  7
       5.2.2.  MP to CP Handover Failure - Resv Error . . . . . . . .  8
   6.  CP to MP handover : LSP Ownership Transfer From Control
       Plane To Management Plane  . . . . . . . . . . . . . . . . . . 13
     6.1.  CP to MP Handover Procedure Success  . . . . . . . . . . . 13
     6.2.  CP to MP Handover Procedure Failure  . . . . . . . . . . . 14
   7.  Discovery Phase  . . . . . . . . . . . . . . . . . . . . . . . 14
   8.  Alternative Way Of Retrieving Information Needed For MP To
       CP Handover  . . . . . . . . . . . . . . . . . . . . . . . . . 15
   9.  RSVP Message Formats . . . . . . . . . . . . . . . . . . . . . 16
   10. Objects Modification . . . . . . . . . . . . . . . . . . . . . 17
     10.1. Administrative Status Object . . . . . . . . . . . . . . . 17
     10.2. Error Spec Object  . . . . . . . . . . . . . . . . . . . . 18
   11. Acknoledgments . . . . . . . . . . . . . . . . . . . . . . . . 19
   12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 19
   13. Security Considerations  . . . . . . . . . . . . . . . . . . . 20
   14. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 20
   15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
     15.1. Normative References . . . . . . . . . . . . . . . . . . . 20
     15.2. Informa</artwork>tional Informational References . . . . . . . . . . . . 20 . . . . . 21
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
   Intellectual Property and Copyright Statements . . . . . . . . . . 23

1.  Introduction

   In a typical traditional transport network scenario, Data Plane
   connections between two endpoints are controlled by means of a
   Network Management System (NMS) operating within Management Plane
   (MP).  NMS/MP is the owner of such transport connections, being
   responsible of their set up, tear down and maintenance.

   The adoption of a GMPLS Control Plane over networks that are already
   in service - controlled by NMS at Management Plane level - introduces
   the need for a procedure able to coordinate a control handover of a
   generic data plane connection from MP to CP.

   In addition, the control handover in the opposite direction, from CP
   to MP should SHOULD be possible as well.  The procedures described in this
   memo can be applied to any kind of LSP and network architecture.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Motivation

   The main motivation behind this work is the definition of a simple
   and very low impacting procedure that satisfies the requirements
   defined in "draft-ietf-ccamp-pc-and-reqs-04.txt [1].  Such procedure
   is aimed at giving the transport network operators the chance to
   convert existing LSP provisioned as PC by NMS to SPC without
   disrupting user traffic flowing on it.  Conversion from PC to SPC
   (i.e. when existing Data Plane connection ownership and control is
   passed from MP to CP) has been proposed as mandatory requirement,
   while the opposite operation, SPC to SC conversion, has been
   considered as a nice-to-have feature that can be seen as a back-out
   option.  For more details on requirements and motivations please
   refer to "draft-ietf-ccamp-pc-and-reqs-04.txt [1].

4.  Overview Of Proposed RSVP-TE Based Solution

   The whole process comprises of the discovery and conversion phases.
   The discovery phase being described in this document is an OPTIONAL
   procedure and not mandatory for the conversion phase to proceed.  The
   discovery phase is typically initiated by the operator and is
   performed hop-by-hop in order to discover the route.  The route
   discovered SHOULD be consistent with the network topology.  For
   example, for a multi-layer network the hops discovered should be
   contained within the same layer.

   Prior to initiating the discovery process it is assumed that the
   Control Plane domains have been established.  The operator at the
   originating node can optionally specify the terminating end-point at
   the time of initiating the discovery request or it could be
   automatically discovered.  For example, at a network layer boundary
   the discovery process can be terminated generating a response back to
   the originator.  Another possibility is to terminate the request at
   the Control Plane domain boundary.

   For conversion to PC or SPC the conversion phase will create an RSVP-
   TE session along the discovered or user-specified route and bind with
   the existing Management Plane owned cross-connect resources (e.g.
   lambdas, time slots and reserved bandwidth)and at the same time
   transfer the ownership to the Control Plane.  For conversion to PC
   the conversion phase will delete the existing RSVP- TE session
   information without deleting the cross-connect resources and transfer
   the ownership to the Management Plane.

   Proposed procedure relies on the utilization of a newly introduced
   flag, here named Handover flag, in the Administrative Status Object
   [RFC3471] and [RFC3473].  The point is that standard RSVP-TE
   signaling flow can be used to inform nodes about the ownership
   handover request regarding one LSP that is already in place on their
   Data Plane, where such flow has to be flagged in order to
   discriminate it from normal, Data Plane affecting, LSP setup/release
   procedure.  When a LSP owned by Management Plane (i.e. a PC) has to
   be handed over to Control Plane (i.e. converted into a SPC), a
   signaling set-up with HANDOVER flag set has to be sent from ingress
   node.

   For the opposite procedure (when a LSP owned and controlled by
   Control Plane has to be handed over to Management Plane, i.e.  SPC to
   PC conversion - or back out procedure for previous case) a signaling
   tear-down with HANDOVER flag set has to be sent from ingress or
   egress node, following the same procedure of a normal tear-down, from
   which is recognizable again by reading flag value.

   So, basically the HANDOVER flag is introduced and exploited to tell
   apart a normal set-up (or tear-down) procedure - that has to trigger
   an action on Data Plane state at each addressed node along the path
   as usual - from the LSP ownership handover procedure that MUST leave
   untouched Data Plane state.

   This is in some way similar as an approach to the Restart Procedure,
   ( [RFC2119]),
   ([RFC2119]), in the sense that the status of the physical resources
   at Data Plane has to stay unmodified but the associated information
   allowing its control has to be transferred.  The modification
   proposed in this document refers only to Administrative Status
   object, that is, the message flow is left unmodified for both set-up
   and deletion.  Moreover a new Error Value is defined to identify the
   failure of an Handover procedure.

   It is worth stressing that, when the LSP over Data Plane is adopted
   either by CP or MP, i.e. at the end of signaling with Handover flag
   set, normal CP procedures or MP procedures have to take their place
   as usual when needed.  This means that a LSP formerly owned by MP,
   signalled within CP with Handover flag set (i.e. handed over to CP)
   can be controlled by usual relevant Control Plane signaling flows
   (i.e. with Handover flag not set).  The same applies when considering
   the handover of a LSP from CP to MP when, at the end of procedure,
   the LSP belongs to Management Plane and can be fully controlled by
   NMS.  In other words, after the LSP handover procedures have taken
   place, the LSP is not different from the other LSP owned by handover
   destination entity and it has to be treated with usual rules for that
   entity.

   Following paragraphs give detailed description of proposed "MP to CP
   handover" and "CP to MP handover" procedure, based on Handover flag
   usage.  Handover of a bidirectional LSP is assumed.  The case of
   unidirectional LSP can be easily derived from that.

5.  MP to CP handover: LSP Ownership Transfer From Management Plane To
    Control Plane

   Let's consider the case of a Data Plane connection created by NMS.
   The Management Plane has the ownership and control of the LSP and
   wants to hand it over to Control Plane.  At the ingress node NMS
   initiates the transfer of LSP related information residing within
   Management Plane to RSVP-TE records within Control Plane.  We assume
   that this happens under operator or management application control
   and in particular that:

      - Control requests are sent to the ingress LSR by the MP
      - The MP has some way of knowing when the CP has completed its
      task or has failed.

   Ingress node collects from MP all the LSP related information needed
   at Control Plane level.  The way this operation is done and where
   such information is collected within MP is outside the scope of this
   document.  One possible (optional) way to collect it is explained in
   Section 8.

   A relevant part of such information is represented by the LSP path,
   which has to be handed over to CP to be used by signalling entity to
   fill the Explicit Route Object (ERO) during setup.  In order to
   support the MP to CP handover of LSP, the ERO object in the Path
   message MUST be filled with all the LSP relevant information down to
   the Label level.  That can be done by means of the object and
   procedures defined in [RFC3473].

   The precise filling of the ERO object is needed as we are assuming
   that the LSP already exists in Data Plane and that every signalling
   relevant info about it is available and accessible to MP in terms of
   required LSP parameters to build a RSVP-TE PATH message.  After the
   collection of all the LSP related information, the ingress node
   starts the handover procedure issuing a RSVP-TE PATH message
   including the Administrative Status Object with both HANDOVER and
   REFLECT flags set.  The R flag set assures that also the Resv message
   will set the H flag.  Upon reception of such RSVP-TE PATH, a node
   MUST be able to understand that a MP to CP handover procedure is in
   progress by reading the Handover flag.

   Either the ingress node of the LSP (upon request from MP) and
   intermediate and egress nodes (when receiving a Path/Resv message
   containing an Administrative Status object with the Handover flag
   set) are informed about the fact that a LSP handover procedure is
   requested or ongoing.  The node assumes that a Data Plane resource
   related to the info carried in Path Message is already allocated and
   in place.

   The following of the section illustrates in detail the procedure in
   cases in success and failures.

5.1.  MP to CP Handover Procedure Success

   Upon receiving a Path Message, each node SHOULD check the consistence
   of the actual Data Plane status of such resource.  Say the check goes
   OK (failure cases are illustrated in the next sections), then a
   RSVP-TE record for the LSP is created associating it to the
   corresponding Data Plane state.  The node accepts all the LSP
   information carried in the Path message (if the node is not the
   Ingress LER of the LSP, otherwise the information is sent from
   relevant MP entity) and stores it in Path State Block.  After that,
   the procedure goes on as described below.

   After propagating handover Path message, a node MUST wait for a Resv
   message including Administrative Status Object with Handover flag
   set.  After receiving it, the actual migration of LSP information is
   complete, the LSP is left completely under control of RSVP- TE within
   Control Plane.  This means that any memory about the former MP
   ownership of the LSP is lost.  If a Confirmation message was
   requested, then it is generated.  The handover procedure does not
   modify the Confirmation procedure.

5.2.  MP to CP Handover Procedure Failure Handling

   In case of Management Plane to Control Plane Procedure, two different
   failure scenarios can happen: Path Failure and Resv Failure.
   Moreover, each failure can be due to two different causes: Data Plane
   failure or Communication Failure.  A section for each combination
   will be analyzed in the following.

5.2.1.  MP to CP Handover Failure - Path Failure

5.2.1.1.  MP to CP Handover Failure - Path Message and Data Plane
          Failure

   The handover procedure can fail due to different causes, but in any
   case the network status but MUST be immediately rollbacked to the one
   previous to the handover procedure.  The failure can happen during
   the Path message or the Resv message forwarding.  In this paragraph
   we will analyze the first case.

   |           Path        |                       |                       |
   |---------------------->|         Path          |                       |
   |                       |----------------------X|                       |
   |                       |                       |                       |
   |       Path Err        |                       |                       |
   |<----------------------|                       |                       |
   |                       |                       |                       |
   Ingress LER           LSR A                   LSR B             Egress LER

   If an error occurs in an LSR or a LER, the last node that has
   received the Path message MUST send a Path Error message in the
   upstream direction including an Error_Spec object and the Handover
   flag set.  The Path Error message SHOULD have the Path_State_Removed
   flag set and the upstream nodes MAY process the Error_Spec object.

5.2.1.2.  MP to CP Handover Failure - Path Message and Communication
          failure

   Other possible scenarios are shown in the following pictures and
   consist on the unreachability of a node of the LSP.

   The below scenario postulates the usage of a reliable message
   delivery based on the mechanism defined in [RFC2961] [RFC2961].

   |           Path        |                       |                       |
   |---------------------->|         Path          |                       |
   |                       |------------X          |                       |
   |                       |------------X          |                       |
   |                       |       ...             |                       |
   |                       |------------X          |                       |
   |                       |                       |                       |
   |       Path Err        |                       |                       |
   |<----------------------|                       |                       |
   |                       |                       |                       |
   Ingress LER           LSR A                   LSR B             Egress LER

   The Path message sent from LSR A towards LSR B is lost or does not
   reach the destination for any reason.  A reliable delivery mechanism
   is implemented, LSR A retransmits the Path Message for a configurable
   number of times, then, if no ack is received, a Path Error message is
   MUST be sent back to the ingress LER LER, the Path_State_Removed flag
   SHOULD be set and the adoption procedure is aborted.

   In the next scenario RSVP-TE messages are sent without reliable
   message delivery, that is, no [RFC2961] MessageID procedure is used.

   |           Path        |                       |                       |
   |---------------------->|         Path          |                       |
   |                       |------------X          |                       |
   |                       |                       |                       |
   |                       |                       |                       |
   |----TIMER EXPIRES------|                       |                       |
   |       Path Tear       |                       |                       |
   |---------------------->|                       |                       |
   |                       |                       |                       |
   Ingress LER           LSR A                   LSR B             Egress LER

   If the Resv Message is not received by the expiration of a timer set
   by the ingress LER, the adoption procedure is again aborted and a
   PathTear message MAY be sent in the downstream direction with the H
   bit set set.

5.2.2.  MP to CP Handover Failure - Resv Error

5.2.2.1.  MP to CP Handover Failure - Resv Error and Data Plane failure

   In case a failure occurs during the Resv Message forwarding, things
   are quite different, because after the handover procedure an LSR is
   not able to distinguish an LSP created by the Control Plane from an
   LSP created by the Management Plane and then moved to the Control
   Plane.

|           Path        |          Path         |          Path         |
|---------------------->|---------------------->|---------------------->|
|                       |                       |          Resv         |
|                       |          Resv         |<----------------------|
|                       |X----------------------|                       |
|       Path Err        |       Resv Err       Path Tear       |                       |
|<----------------------|---------------------->|       Resv Err       Path Tear       |
|                       |                       |---------------------->|
|                       |                       |                       |
Ingress LER           LSR A                   LSR B             Egress LER

   In the case shown in the above picture, the failure occurs in LSR A.
   A Resv Error
   Considering to have a reliable message is delivery mechanism, a Path
   Tear message MUST be sent in the downstream direction and a Path
   Error message is MUST sent in the upstream direction. direction and the
   Path_State_Removed SHOULD flag should be set.  The Path Err and Path
   Tear messages remove the Path state established by the Path messages
   along the nodes of the LSP and abort the adoption procedure.

   Please note that the failure occurred after the handover procedure
   was successfully completed in LSR B. This means that LSR B is no
   longer able to know if the LSP was created by the Control Plane or a
   handover procedure took place.

   Upon receiving a Resv Error Path Tear message, LSR B would delete the LSP also
   from the Data Plane point of view.  To prevent this from happening,
   LSR A MUST include an Error_Spec object into the Resv Error message
   setting set the handover flag. flag in the Path Tear message.  The
   downstream nodes MUST process the
   Error Spec object, node move the LSP ownership back to the Management Plane
   and MUST NOT modify the Data Plane.

5.2.2.2.  MP to CP Handover Failure - Resv Error and Communication
          failure

   In case a Resv Message cannot reach one or more of the downstream
   nodes, the procedure is quite similar to the one previously seen
   about the Path Message.  Even in this case it is possible to
   distinguish two different scenarios.

   In the first scenario we consider the utilization of a reliable
   message delivery based on the mechanism defined in [RFC2961].  After
   a correct forwarding of the Path message along the nodes of the LSP,
   the Egress LSR sends a Resv message in the opposite direction.  It
   might happen that the Resv message does not reach an LSR, say LSR A.

   LSR B, after sending the Resv message again for a configurable number
   of times, sends MUST send a Resv Error Path Tear message in the downstream direction
   towards the Egress LER and a Path Error message (with the
   Path_State_Removed flag set) in the upstream direction towards the
   Ingress LER in order to inform the nodes of the path that the
   adoption procedure has failed and that the LSP ownership is to be
   moved back to the management plane.

|           Path        |          Path         |          Path         |
|---------------------->|---------------------->|---------------------->|
|                       |                       |          Resv         |
|                       |          Resv         |<----------------------|
|                       |           X-----------|                       |
|                       |           X-----------|                       |
|                       |               ...     |                       |
|                       |           X-----------|                       |
|                       |                       |                       |
|       Path Err        |       Path Err        |       Resv Err       Path Tear       |
|<----------------------|<----------------------|---------------------->|
|                       |                       |                       |
Ingress LER           LSR A                   LSR B             Egress LER

   Please note that the failure occurred after the handover procedure
   was successfully completed in the Egress LER.  This means that it is
   no longer able to know if the LSP was created by the Control Plane or
   a handover procedure took place.

   Upon receiving a Resv Error Path Tear message, the downstream nodes would delete
   the LSP also from the Data Plane point of view.  To prevent this from
   happening, LSR B MUST include an Error_Spec object into the
   Resv Error Path Tear message setting MUST include the Handover flag.  The downstream nodes
   MUST process the Error Spec object, move the LSP ownership back to
   the Management Plane and MUST NOT modify the Data Plane.

   Considering that the Resv message did not manage to reach LSR A, it
   is highly probable that the Path Error would fail too.  Due to this
   fact, a configurable timer MUST be set on the Ingress LER after
   sending the path and on LSR A after forwanding it.  When the timer
   expires, if no Resv or Path Error message is received, the handover
   procedure MUST be aborted and the LSP ownership returned to the
   Management Plane.

   The following picture, on the other hand, shows the scenario in which
   no reliable delivery mechanism is implemented.

|           Path        |          Path         |          Path         |
|---------------------->|---------------------->|---------------------->|
|                       |                       |          Resv         |
|                       |          Resv         |<----------------------|
|                       |           X-----------|                       |
|                       |                       |                       |
|                       |                       |                       |
|----TIMER EXPIRES------|                       |                       |
|       Path Tear       |       Path Tear       |       Path Tear       |
|---------------------->|---------------------->|---------------------->|
|                       |                       |                       |
Ingress LER           LSR A                   LSR B             Egress LER

   After sending the path message, the ingress LER sets a timer.  If non
   Resv message is received before the timer expires, then the adoption
   procedure is aborted and the Ingress LER MAY signal it by a Path Tear
   message with the H bit set.

5.2.2.3.  MP to CP Handover Failure - Node Graceful Restart

   In case one of the nodes restarts and graceful restart is enabled
   then one of the following scenarios will happen.

   Case I

   Restart timer is not infinite.  In the sequence diagram below, assume
   LSR A restarts.  In case the ingress LER does not receive the Resv
   message in time it will abort the conversion process by generating a
   PathTear message downstream.  Also, if LSR A does not complete the
   restart process within the restart time interval then LSR B will
   start tearing down all LSPs between LSR A and LSR B and this includes
   the LSP that is being used to carry out the conversion of MP
   resources to CP.  LSP B will generate a PathTear message downstream
   and a PathErr message upstream.  Both LSR B and the egress LER will
   not release the data-plane resources because in both nodes the H-bit
   is set in the PSB.

|           Path        |          Path         |          Path         |
|---------------------->|---------------------->|---------------------->|
|                       |                       |          Resv         |
|                       |          Resv         |<----------------------|
|                       X           X-----------|                       |
|  PathTear                                     |                       |
|----------X                                    |                       |
|                                           Restart Timer               |
|                                 PathErr      Expires     PathTear     |
|                                   X-----------|---------------------->|
|                       X                       |                       |
|                       |                       |                       |
Ingress LER           LSR A                   LSR B             Egress LER

   Case II

   Restart timer is infinite.  The sequence is quite similar to the
   previous one.  In this sequence the restart timer will not expire in
   LSR B since it is run infinitely.  Instead after LSR A restarts LSR B
   will start the recovery timer.  The recovery timer will expire since
   there will be no Path message with the RECOVERY LABEL received from
   LSR A given the ingress node had already removed the PSB after it
   aborts the conversion process.  Thus LSR B will tear-down the
   specific LSP that is being used to convert the MP resources to CP by
   generating a PathTear downstream and PathErr upstream.  Similarily to
   the previous case both LSR B and the egress LER will not release the
   data-plane resources because the H-bit is set in the PSB.

|           Path        |          Path         |          Path         |
|---------------------->|---------------------->|---------------------->|
|                       |                       |          Resv         |
|                       |          Resv         |<----------------------|
|                       X           X-----------|                       |
|  PathTear                                     |                       |
|----------X                                    |                       |
|                                               |                       |
|                       X                       |                       |
|                       |                       |                       |
|                       |                 Recovery Timer                |
|                       |         PathErr    Expires       PathTear     |
|                       |           X-----------|---------------------->|
|                       |                       |
Ingress LER           LSR A                   LSR B             Egress LER

   Case III

   Ingress LER did not abort the conversion process.  Once LSR A
   restarts the ingress LER will re-generate the Path message with the
   H-bit set.  When LSR B receives the Path message it may generate a
   PathErr since the RECOVERY LABEL may not be present.  The reason is
   LSR A may not have the label.  Similarily LSR B and egress LER will
   not release the data-plane resources since the H-bit is set.

|           Path        |          Path         |          Path         |
|---------------------->|---------------------->|---------------------->|
|                       |                       |          Resv         |
|                       |          Resv         |<----------------------|
|                       X           X-----------|                       |
|                                               |                       |
|                                               |                       |
|                       X                       |                       |
|           Path        |          Path         |                       |
|---------------------->|---------------------->|                       |
|        PathErr        |        PathErr        |       PathTear        |
|<----------------------|<----------------------|---------------------->|
|                       |                       |                       |
Ingress LER           LSR A                   LSR B             Egress LER

6.  CP to MP handover : LSP Ownership Transfer From Control Plane To
    Management Plane

   Let's now consider the case of LSP Ownership Transfer From Control
   Plane To Management Plane.  Also in this sections we will analyze the
   handover procedure success and failure.

6.1.  CP to MP Handover Procedure Success

   The scenario is still a Data Plane connection between two nodes
   acting as ingress and egress for a LSP.  But let's assume in this
   case that Control Plane has the ownership and control of the LSP and
   that we want to hand it over to Management Plane.  This means that at
   the end of such procedure, the Data Plane state related to that
   connection is still untouched, but the LSP related information record
   is no more owned by RSVP-TE over Control Plane.

   In other words, after LSP ownership transfer from CP to MP, the LSP
   is no more under control of RSVP-TE, which is no more able to "see"
   the LSP itself.  This Section covers the procedure needed to manage
   this procedure as a dual, opposite procedure respect to the one
   described in previous section.  The procedure is performed at a
   signaling level as described in Section 7.2.1 of [RFC3473].

   At LSP ingress node, relevant MP entity requests the ownership of the
   LSP, How this is done is outside the scope of memo.  Ingress node and
   MP exchange the relevant information for this task and then
   propagates it over Control Plane by means of RSVP-TE tear down
   signaling flow as detailed below.

   Ingress node MUST send out a Path message, with Handover and Reflect
   bits in Admin Status set.  No action is taken over Data Plane and
   Control Plane keeps track of special handover state the LSP is in.
   Transit and Egress nodes, upon reception of such handover Path,
   propagate it without any Data Plane action, retaining the handover
   state information associated to the LSP.  After that, every node
   waits until the Handover bit is received back in the Resv.  Then a
   PathTear is issued and the whole LSP information record is cleared
   from RSVP- TE data structures.  In other words, a normal LSP tear
   down signaling is exchanged between nodes traversed by the LSP, but
   handover flag set in Path message indicates that no Data Plane action
   has to correspond to Control Plane signaling.  At the end of handover
   tear down signaling flow, the LSP is released from Control Plane
   point of view, but its Data Plane state is still unmodified and it is
   now owned and controllable by MP.

6.2.  CP to MP Handover Procedure Failure

   Failures during CP to MP handover procedure MUST be managed at
   signaling level as in normal LSP tear down procedure.  The only
   difference is the handover flag set in Administrative Status Object
   inside Path message which MUST be read by receiving node and imposes
   that no action has to be made over Data Plane resource whose
   corresponding Control Plane record is involved in handover procedure.

7.  Discovery Phase

   The discovery process starts at the orignating end-point, which
   transmits a discovery request Notify message on the link identified
   to be part of the LSP to be converted.  The Notify message is
   forwarded hop-by-hop tracing the LSP information and identifying the
   next-hop.  The assumption being made here is that information
   regarding individual neighbors is already available.

   In case the destination address is not known the RSVP-TE session
   destination address MAY not be specified (i.e. set to 0.0.0.0) in the
   discovery request Notify message.

   Any node that decides to terminate the discovery process will not
   forward the Notify message and will generate a discovery response
   Notify message.

   If any error prevents the discovery process to be successfully
   completed, the ERROS_SPEC object in the response Notify message will
   be filled with a failure code, else it MUST be se set to the success
   code.  The discovery response message SHOULD be sent hop-by-hop back
   to the requestor.

   In case the destination address in the request message is 0.0.0.0
   then it MUST be filled in by the terminating entity in the response
   message SESSION object.

   The format of the Notify Message is as follows:

   <Notify message>  ::= <Common Header> [ <INTEGRITY> ]
                            [[ <MESSAGE_ID_ACK> | <MESSAGE_ID_NACK>]...]
                                     [ <MESSAGE_ID> ]
                                     <ERROR_SPEC>
                                     <discovery info>

               <discovery info> ::= <SESSION> <RSVP_HOP> <RECOVERY_LABEL>
                                      [ <ADMIN_STATUS> ]
                                      [ <POLICY DATA> ]
                                      [ <SESSION_ATTRIBUTES>]
                                      [ <UPSTREAM_LABEL> ]
                                      [ <RECORD_ROUTE> ]

   The RECORD_ROUTE object in the discovery response SHOULD be put
   together such that it can be directly used in a Path message for the
   coversion phase.  For example, explitcit label sub-objects can be
   specified only for outgoing links in the Path message [RFC3473].

8.  Alternative Way Of Retrieving Information Needed For MP To CP
    Handover

   An alternative way of getting the LSP related information required
   for the MP to CP handover is also proposed in this draft.  The
   rationale behind this way is that only a minimal set of information
   is handed over from MP to CP at LSPs Ingress node.  Instead of
   collecting within MP all the LSP relevant information down to the
   Label level, formatting it to an ERO and passing it to CP, as in
   previously described solution, it is possible to start with a minimum
   amount of information.  At the ingress node, the information needed
   to specify the LSP is the outgoing interface ID, upstream label and
   downstream label of this interface and the incoming interface ID of
   egress node.  The remaining information about an existing LSP can
   then be collected hop by hop, as the signalling is going on, by
   looking up the cross-connection table in Data Plane at each node
   along the LSP path.

   Starting from the information available at ingress LER about the
   outgoing interface ID of that ingress node, the incoming interface ID
   of next hop can be found by looking up the link resource table/
   database in the LER itself.  Following the similarity existing
   between the MP to CP handover procedure and the Restart Procedure,
   the Recovery Label Object MUST be used to carry the downstream label
   and the Upstream Label Object MUST be used to carry the upstream
   label to the next node.

   The Path message is hence built with the Recovery Label Object
   ([RFC3473]) and the Upstream Label Object ([RFC3473]), where the
   upstream label and downstream label of ingress outgoing interface of
   the LSP are included in these two objects.  In addition to above
   mentioned objects, the Path message MUST include the Administrative
   Status Object with HANDOVER flag set, as already defined in previous
   chapter for the detailed ERO based way of proceeding.  Such handover
   Path is sent to the incoming interface of next hop.  When this Path
   message reaches the second node along the LSP path, the information
   about incoming interface ID and the upstream and downstream labels of
   this interface is extracted from it and it is used to find next hop
   outgoing interface ID and the upstream/downstream labels by looking
   up the Data Plane cross-connection table.

   After having determined in this way the parameters describing the
   LSPs next hop, the outgoing Path message to be sent is built
   replacing the Recovery Label Object and Upstream Label Object content
   with the looked-up values of upstream and downstream labels.

   Re-iterating this procedure for each transit node along the LSP path,
   it is possible to make the handover Path message reach the egress
   node, exactly following the LSP that is in place over Data Plane.
   The ERO MAY in this case be included in the Path message as an
   optional object, and MAY be filled with the LSP relevant information
   down to either the port level with interface ID or the Label level
   with upstream and downstream labels.  The ERO can be used to check
   the consistence of resource in Data Plane down to the port level or
   label level at each intermediate node along the LSP path.

9.  RSVP Message Formats

   This memo does not introduce any modification in RSVP messages object
   composition.

10.  Objects Modification

   The modifications required concern two RSVP Objects: the
   Administrative Status and the Error Spec Object.

10.1.  Administrative Status Object

   This memo introduces a new flag into the Administrative Status
   object.  The Admin_Status Object is defined in [RFC3473].  This
   document uses the H-bit of the Admin_Status object.  The bit is bit
   number (TBD by IANA).  The format of the Admin_Status Object is:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |            Length             | Class-Num(196)|   C-Type (1)  |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |R|                        Reserved               |H|L|I|C|T|A|D|
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The different flags are defined as follows:

   - Reflect (R): 1 bit - Defined in [RFC3471]
      When set, indicates that the edge node SHOULD reflect the object/
      TLV back in the appropriate message.

   - Handover (H): 1bit
      When set, the H bit indicates that a Handover procedure for the
      transfer of LSP ownership between Management and Control Planes is
      ongoing.

   - Lockout (L): 1 bit - Defined in [RFC4872]
      When set, forces the recovery LSP to be temporarily unavailable to
      transport traffic (either normal or extra traffic).

   - Inhibit Alarm Communication (I): 1 bit - Defined in [RFC4783]
      When set, indicates that alarm communication is disabled for the
      LSP and that nodes SHOULD NOT add local alarm information.

   - Call Control (C): 1 bit - Defined in
   draft-ietf-ccamp-gmpls-rsvp-te-call-04 [2]
      This bit is set when the message is being used to control and
      manage a Call.

   -Testing

   - Testing (T): 1 bit - Defined in [RFC3471]
      When set, indicates that the local actions related to the
      "testing" mode should be taken.

   - Administratively down (A): 1 bit - Defined in [RFC3471]
      When set, indicates that the local actions related to the
      "administratively down" state should be taken.

   - Deletion in progress (D): 1 bit - Defined in [RFC3471]
      When set, indicates that that the local actions related to LSP
      teardown should be taken.

   The H bit must be used in conjunction with the R flag when is set in
   the Path message.  This will assures that the Resv message will
   maintain the H flag set.

10.2.  Error Spec Object

   It is possible that a failure, such as the lost of DCN connection or
   the restart of a node, occurs during the LSP ownership handing over.
   In this case the LSP adoption MUST be interrupted and the ownership
   of the LSP MUST be moved back to the Plane it belonged to.  It is
   important that the transaction failure MUST not affect the Data
   Plane.  The LSP MUST be kept in place and no traffic hint hit MUST occur.

   The failure is signaled by Path Error in the upstream direction and Resv
   Path Tear Messages in the downstream direction.  The Path Error Messages, which
   messages include an Error_Spec_Object (the Path_State_Removed flag
   SHOUL always be set) specifying the causes of the failure. failure, while the
   Path Tear messages, required in case of reliable recovery and
   optional otherwise, include the handover flag to prevent the deletion
   of the LSP from the Data Plane.

   This memo introduces a new Flag and a new Error Code(with Code (with different
   Error Values) into the Error_Spec Object, defined in [RFC2205].

      * ERROR_SPEC class = 6.
      * IPv4 ERROR_SPEC object: Class = 6, C-Type = 1

           +-------------+-------------+-------------+-------------+
           |            IPv4 Error Node Address (4 bytes)          |
           +-------------+-------------+-------------+-------------+
           |    Flags    |  Error Code |        Error Value        |
           +-------------+-------------+-------------+-------------+

   The fields of the object are defined as follows:

   - Error Node Address
      The IP address of the node in which the error was detected.
   - Error Code
      A one-octet error description.
   - Error Value
      A two-octet field containing additional information about the
      error.  Its contents depend upon the Error Type
   - Flags
      Flags assigned values:

         * 0x01 = InPlace

         * 0x02 = NotGuilty
      Proposed new value (TBD) = HandOverFailure

   The new flag is "Handover Procedure Failure" and the actual value is
   (TBD by IANA).  When this flag is set during an handover from
   Management Plane to Control Plane, the receiver must delete the
   Control Plane status associated with the LSP and move the ownership
   of the cross-connections back to the Management Plane.

   The proposed Error Code is "Handover Procedure Failure", and its
   value is (TBD by IANA)(33).  For this Error Code the following Error
   Values are defined:

      1 = Cross-connection mismatch

      2 = DCN error

11.  Acknoledgments

   We wish to thank Adrian Farrel for his editorial assistance and
   precious advices to prepare this draft for publication.  We also wish
   to thank Nicola Ciulli, that contributed to initial stage of this
   draft.

12.  Contributors
      Shan Zhu
      Fujitsu Network Communications Inc.
      2801 Telecom Parkway,
      Richardson, Texas 75082
      USA
      Email: Shan.Zhu@us.fujitsu.com
      Tel: +1-972-479-2041

      Igor Bryskin
      ADVA Optical Networking Inc
      7926 Jones Branch Drive
      Suite 615
      McLean, VA - 22102
      Email: ibryskin@advaoptical.com

      Daniele Ceccarelli
      Ericsson
      Via A. Negrone 1/A
      Genova-Sestri Ponente, Italy
      Phone: +390106002515
      Email: daniele.ceccarelli@ericsson.com

13.  Security Considerations

   The procedures described in this document rely completely on RSVP-TE
   messages and mechanism.  The use of Handover Flag set in Admin Status
   Object basically informs the receiving entity that no operations are
   to be done over Data Plane as consequence of such special signaling
   flow.  Using specially flagged signaling messages we want to limit
   the function of setup and tear down messages to Control Plane, making
   them not effective over related Data Plane resource usage.  So, no
   additional or special issues are arisen by adopting this procedure,
   that aren't already brought up by the use of the same messages,
   without handover flag setting, for LSP control.  For RSVP-TE Security
   please refer to [RFC3473].

14.  IANA Considerations

   IANA has been asked to manage the bit allocations for the
   Administrative Status object ([RFC3473]).  This document requires the
   allocation of the Handover bit: the H-bit.  IANA is requested to
   allocate a bit for this purpose.

15.  References

15.1.  Normative References

   [RFC3473]  Berger, L., "Generalized Multi-Protocol Label Switching
              (GMPLS) Signaling Resource ReserVation Protocol-Traffic
              Engineering (RSVP-TE) Extensions", RFC 3473, January 2003.

   [RFC2205]  Braden, B., Zhang, L., Berson, S., Herzog, S., and S.
              Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
              Functional Specification", RFC 2205, September 1997.

   [RFC2961]  Berger, L., Gan, D., Swallow, G., Pan, P., Tommasi, F.,
              and S. Molendini, "RSVP Refresh Overhead Reduction
              Extensions", RFC 2961, April 2001.

15.2.  Informa</artwork>tional  Informational References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4606]  Mannie, E. and D. Papadimitriou, "Generalized Multi-
              Protocol Label Switching (GMPLS) Extensions for
              Synchronous Optical Network (SONET) and Synchronous
              Digital Hierarchy (SDH) Control", RFC 4606, August 2006.

   [RFC3471]  Berger, L., "Generalized Multi-Protocol Label Switching
              (GMPLS) Signaling Functional Description", RFC 3471,
              January 2003.

   [RFC4872]  Lang, J., Rekhter, Y., and D. Papadimitriou, "RSVP-TE
              Extensions in Support of End-to-End Generalized Multi-
              Protocol Label Switching (GMPLS) Recovery", RFC 4872,
              May 2007.

   [RFC4783]  Berger, L., "GMPLS - Communication of Alarm Information",
              RFC 4783, December 2006.

URIs

   [1]  <http://tools.ietf.org/html/draft-ietf-ccamp-pc-and-sc-reqs-04>

   [2]  <http://tools.ietf.org/html/
        draft-ietf-ccamp-gmpls-rsvp-te-call-04>

Authors' Addresses

   Diego Caviglia
   Ericsson
   Via A. Negrone 1/A
   Genova - Sestri Ponente
   Italy

   Email: diego.caviglia@ericsson.com
   Daniele Ceccarelli
   Ericsson
   Via A. Negrone 1/A
   Genova - Sestri Ponente
   Italy

   Email: daniele.ceccarelli@ericsson.com

   Dino Bramanti
   Ericsson
   Via Moruzzi 1 C/O Area Ricerca CNR
   Pisa
   Italy

   Email: dino.bramanti@ericsson.com

   Dan Li
   Huawei Technologies Co., LTD.
   Shenzhen 518129
   Huawei Base, Bantian, Longgang
   Italy

   Email: dan.li@huawei.com

   Snigdho Bardalai
   Fujitsu Network Communications Inc
   2801 Telecom Parkway
   Richrdson, Texas 75082
   USA

   Email: Snigdho.Bardalai@us.fujitsu.com

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.