--- 1/draft-ietf-mpls-rsvp-ingress-protection-00.txt 2014-07-03 21:14:32.351844272 -0700 +++ 2/draft-ietf-mpls-rsvp-ingress-protection-01.txt 2014-07-03 21:14:32.399845438 -0700 @@ -1,19 +1,19 @@ Internet Engineering Task Force H. Chen, Ed. Internet-Draft Huawei Technologies Intended status: Standards Track R. Torvi, Ed. -Expires: September 18, 2014 Juniper Networks - March 17, 2014 +Expires: January 4, 2015 Juniper Networks + July 3, 2014 Extensions to RSVP-TE for LSP Ingress Local Protection - draft-ietf-mpls-rsvp-ingress-protection-00.txt + draft-ietf-mpls-rsvp-ingress-protection-01.txt Abstract This document describes extensions to Resource Reservation Protocol - Traffic Engineering (RSVP-TE) for locally protecting the ingress node of a Traffic Engineered (TE) Label Switched Path (LSP) in a Multi- Protocol Label Switching (MPLS) and Generalized MPLS (GMPLS) network. Status of this Memo @@ -23,21 +23,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 18, 2014. + This Internet-Draft will expire on January 4, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -47,58 +47,54 @@ the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Co-authors . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. An Example of Ingress Local Protection . . . . . . . . . . 3 2.2. Ingress Local Protection with FRR . . . . . . . . . . . . 4 3. Ingress Failure Detection . . . . . . . . . . . . . . . . . . 4 - 3.1. Backup and Source Detect Failure . . . . . . . . . . . . . 4 - 3.2. Backup Detects Failure . . . . . . . . . . . . . . . . . . 5 - 3.3. Source Detects Failure . . . . . . . . . . . . . . . . . . 5 - 3.4. Next Hops Detect Failure . . . . . . . . . . . . . . . . . 5 - 3.5. Comparing Different Detection Modes . . . . . . . . . . . 6 - 4. Backup Forwarding State . . . . . . . . . . . . . . . . . . . 6 - 4.1. Forwarding State for Backup LSP . . . . . . . . . . . . . 7 - 4.2. Forwarding State on Next Hops . . . . . . . . . . . . . . 7 - 5. Protocol Extensions . . . . . . . . . . . . . . . . . . . . . 7 - 5.1. INGRESS_PROTECTION Object . . . . . . . . . . . . . . . . 8 - 5.1.1. Subobject: Backup Ingress IPv4/IPv6 Address . . . . . 10 - 5.1.2. Subobject: Ingress IPv4/IPv6 Address . . . . . . . . . 11 - 5.1.3. Subobject: Traffic Descriptor . . . . . . . . . . . . 11 - 5.1.4. Subobject: Label-Routes . . . . . . . . . . . . . . . 12 - 6. Behavior of Ingress Protection . . . . . . . . . . . . . . . . 13 - 6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 13 - 6.1.1. Relay-Message Method . . . . . . . . . . . . . . . . . 13 - 6.1.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 13 - 6.1.3. Comparing Two Methods . . . . . . . . . . . . . . . . 14 - 6.2. Ingress Behavior . . . . . . . . . . . . . . . . . . . . . 15 - 6.2.1. Relay-Message Method . . . . . . . . . . . . . . . . . 15 - 6.2.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 16 - 6.3. Backup Ingress Behavior . . . . . . . . . . . . . . . . . 17 - 6.3.1. Backup Ingress Behavior in Off-path Case . . . . . . . 17 - 6.3.2. Backup Ingress Behavior in On-path Case . . . . . . . 20 - 6.3.3. Failure Detection . . . . . . . . . . . . . . . . . . 21 - 6.4. Merge Point Behavior . . . . . . . . . . . . . . . . . . . 21 - 6.5. Revertive Behavior . . . . . . . . . . . . . . . . . . . . 22 - 6.5.1. Revert to Primary Ingress . . . . . . . . . . . . . . 22 - 6.5.2. Global Repair by Backup Ingress . . . . . . . . . . . 23 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 23 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 - 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 24 - 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 25 - 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 - 11.1. Normative References . . . . . . . . . . . . . . . . . . . 25 - 11.2. Informative References . . . . . . . . . . . . . . . . . . 26 - A. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 26 + 3.1. Source Detects Failure . . . . . . . . . . . . . . . . . . 4 + 3.2. Backup and Source Detect Failure . . . . . . . . . . . . . 5 + 3.3. Comparing Different Detection Modes . . . . . . . . . . . 5 + 4. Backup Forwarding State . . . . . . . . . . . . . . . . . . . 5 + 4.1. Forwarding State for Backup LSP . . . . . . . . . . . . . 6 + 5. Protocol Extensions . . . . . . . . . . . . . . . . . . . . . 6 + 5.1. INGRESS_PROTECTION Object . . . . . . . . . . . . . . . . 6 + 5.1.1. Subobject: Backup Ingress IPv4/IPv6 Address . . . . . 8 + 5.1.2. Subobject: Ingress IPv4/IPv6 Address . . . . . . . . . 9 + 5.1.3. Subobject: Traffic Descriptor . . . . . . . . . . . . 9 + 5.1.4. Subobject: Label-Routes . . . . . . . . . . . . . . . 10 + 6. Behavior of Ingress Protection . . . . . . . . . . . . . . . . 11 + 6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 11 + 6.1.1. Relay-Message Method . . . . . . . . . . . . . . . . . 11 + 6.1.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 11 + 6.1.3. Comparing Two Methods . . . . . . . . . . . . . . . . 12 + 6.2. Ingress Behavior . . . . . . . . . . . . . . . . . . . . . 13 + 6.2.1. Relay-Message Method . . . . . . . . . . . . . . . . . 13 + 6.2.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 14 + 6.3. Backup Ingress Behavior . . . . . . . . . . . . . . . . . 15 + 6.3.1. Backup Ingress Behavior in Off-path Case . . . . . . . 15 + 6.3.2. Backup Ingress Behavior in On-path Case . . . . . . . 17 + 6.3.3. Failure Detection . . . . . . . . . . . . . . . . . . 18 + 6.4. Revertive Behavior . . . . . . . . . . . . . . . . . . . . 19 + 6.4.1. Revert to Primary Ingress . . . . . . . . . . . . . . 19 + 6.4.2. Global Repair by Backup Ingress . . . . . . . . . . . 19 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 20 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 + 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 20 + 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 21 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 + 11.1. Normative References . . . . . . . . . . . . . . . . . . . 21 + 11.2. Informative References . . . . . . . . . . . . . . . . . . 22 + A. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 22 1. Co-authors Ning So, Autumn Liu, Alia Atlas, Yimin Shen, Fengman Xu, Mehmet Toy, Lei Liu 2. Introduction For MPLS LSPs it is important to have a fast-reroute method for protecting its ingress node as well as transit nodes. This is not @@ -118,43 +114,44 @@ Figure 1 shows an example of using a backup P2MP LSP to locally protect the ingress of a primary P2MP LSP, which is from ingress R1 to three egresses: L1, L2 and L3. The backup LSP is from backup ingress Ra to the next hops R2 and R4 of ingress R1. [R2]******[R3]*****[L1] * | **** Primary LSP * | ---- Backup LSP * / .... BFD Session * / $ Link - [R1]*******[R4]****[R5]*****[L2] $ - $ . / / * $ - $ . / / * - [S] . / / * - $ . / / * - $ ./ / * + ....[R1]*******[R4]****[R5]*****[L2] $ + : $ $ / / * $ + : $ $ / / * + [S] $ / / * + $ $ / / * + $ $/ / * [Ra]----[Rb] [L3] Figure 1: Backup P2MP LSP for Locally Protecting Ingress - Source S may send the traffic simultaneously to both primary ingress - R1 and backup ingress Ra. R1 imports the traffic into the primary - LSP. Ra normally does not put the traffic into the backup LSP. + In normal operations, source S sends the traffic to primary ingress + R1. R1 imports the traffic into the primary LSP to egresses L1, L2 + and L3. - Ra should be able to detect the failure of R1 and switch the traffic - within 10s of ms. The exact method by which Ra does so is out of - scope. Different options are discussed in this draft. + When source S detects the failure of R1, it switches the traffic to + backup ingress Ra, which imports the traffic from S into the backup + LSP to R1's next hops R2 and R4, where the traffic is merged into the + primary LSP, and then sent to egresses L1, L2 and L3. - When Ra detects the failure of R1, it imports the traffic from S into - the backup LSP to R1's next hops R2 and R4, where the traffic is - merged into the primary LSP, and then sent to egresses L1, L2 and L3. + Source S should be able to detect the failure of R1 and switch the + traffic within 10s of ms. The exact method by which S does so is out + of scope. - Note that the backup egress must be one logical hop away from the + Note that the backup ingress must be one logical hop away from the ingress. A logical hop is a direct link or a tunnel such as a GRE tunnel, over which RSVP-TE messages may be exchanged. 2.2. Ingress Local Protection with FRR Through using the ingress local protection and the FRR, we can locally protect the ingress node, all the links and the intermediate nodes of an LSP. The traffic switchover time is within tens of milliseconds whenever the ingress, any of the links and the intermediate nodes of the LSP fails. @@ -162,173 +159,105 @@ The ingress node of the LSP can be locally protected through using the ingress local protection. All the links and all the intermediate nodes of the LSP can be locally protected through using the FRR. 3. Ingress Failure Detection Exactly how the failure of the ingress (e.g. R1 in Figure 1) is detected is out of scope for this document. However, it is necessary to discuss different modes for detecting the failure because they determine what must be signaled and what is the required behavior for - the traffic source, backup ingress, and merge-points. + the traffic source and backup ingress. -3.1. Backup and Source Detect Failure +3.1. Source Detects Failure + + Source Detects Failure or Source-Detect for short means that the + source is responsible for fast detecting the failure of the primary + ingress of an LSP. The backup ingress is ready to import the traffic + from the source into the backup LSP after the backup LSP is up. + + In normal operations, the source sends the traffic to the primary + ingress. When the source detects the failure of the primary ingress, + it switches the traffic to the backup ingress, which delivers the + traffic to the next hops of the primary ingress through the backup + LSP, where the traffic is merged into the primary LSP. + + For a P2P LSP, after the primary ingress fails, the backup ingress + must use a method to reliably detect the failure of the primary + ingress before the PATH message for the LSP expires at the next hop + of the primary ingress. After reliably detecting the failure, the + backup ingress sends/refreshes the PATH message to the next hop + through the backup LSP as needed. + + After the primary ingress fails, it will not be reachable after + routing convergence. Thus checking whether the primary ingress + (address) is reachable is a possible method. + +3.2. Backup and Source Detect Failure Backup and Source Detect Failure or Backup-Source-Detect for short means that both the backup ingress and the source are concurrently - responsible for detecting the failures of the primary ingress. + responsible for fast detecting the failures of the primary ingress. In normal operations, the source sends the traffic to the primary ingress. It switches the traffic to the backup ingress when it detects the failure of the primary ingress. The backup ingress does not import any traffic from the source into the backup LSP in normal operations. When it detects the failure of the primary ingress, it imports the traffic from the source into the backup LSP to the next hops of the primary ingress, where the traffic is merged into the primary LSP. Note that the source may locally distinguish between the failure of the primary ingress and that of the link between the source and the primary ingress. When the source detects the failure of the link, it may continue to send the traffic to the primary ingress via another link between the source and the primary ingress if there is one. -3.2. Backup Detects Failure - - Backup Detects Failure or Backup-Detect means that the backup ingress - is responsible for detecting the failure of the primary ingress of an - LSP. The source SHOULD send the traffic simultaneously to both the - primary ingress and backup ingress. - - The backup ingress does not import any traffic from the source into - the backup LSP in normal operations. When it detects the failure of - the primary ingress, it imports the traffic from the source into the - backup LSP to the next hops of the primary ingress, where the traffic - is merged into the primary LSP. - - Note that the backup ingress may locally distinguish between the - failure of the primary ingress and that of the link between the - backup ingress and the primary ingress through two BFDs between the - backup ingress and the primary ingress. One is through the link, and - the other is not. If the first BFD is down and the second is up, the - link fails and the primary ingress does not. - -3.3. Source Detects Failure - - Source Detects Failure or Source-Detect means that the source is - responsible for detecting the failure of the primary ingress of an - LSP. The backup ingress is ready to import the traffic from the - source into the backup LSP after the backup LSP is up. - - In normal operations, the source sends the traffic to the primary - ingress. When the source detects the failure of the primary ingress, - it switches the traffic to the backup ingress, which delivers the - traffic to the next hops of the primary ingress through the backup - LSP, where the traffic is merged into the primary LSP. - -3.4. Next Hops Detect Failure - - Next Hops Detect Failure or Next-Hop-Detect means that each of the - next hops of the primary ingress of an LSP is responsible for - detecting the failure of the primary ingress. - - In normal operations, the source sends the traffic to both the - primary ingress and the backup ingress. Both ingresses deliver the - traffic to the next hops of the primary ingress. Each of the next - hops selects the traffic from the primary ingress and sends the - traffic to the destinations of the LSP. - - When each of the next hops detects the failure of the primary - ingress, it switches to receive the traffic from the backup ingress - and then sends the traffic to the destinations. - -3.5. Comparing Different Detection Modes - -+----------+--------------+----------------+--------+-------------------+ -|\_Behavior|Traffic Always|Backup Ingress |Next-Hop|Incorrect Failure | -| \______ |Sent to |Activation of |Select |Detection Cause | -|Detection\|Backup Ingress|Forwarding Entry|Stream |Traffic Duplication| -|Mode | | | |(Ingress does FRR) | -+----------+--------------+----------------+--------+-------------------+ -|Backup- | | | | | -|Source- | No | Yes | No | No | -|Detect | | | | | -+----------+--------------+----------------+--------+-------------------+ -|Backup- | Yes | Yes | No | Yes | -|Detect | | | | | -+----------+--------------+----------------+--------+-------------------+ -|Source- | No | No | No | No | -|Detect | | (Always Active)| | | -+----------+--------------+----------------+--------+-------------------+ -|Next-Hop- | Yes | No | Yes |(If Ingress-Next- | -|Detect | | (Always Active)| |Hop link fails, | -| | | | |stream selection | -| | | | |at Next-Next-Hops | -| | | | |can mitigate) | -+----------+--------------+----------------+--------+-------------------+ +3.3. Comparing Different Detection Modes - A primary goal of failure detection and FRR protection is to avoid - traffic duplication, particularly along the P2MP. A reasonable - assumption when this ingress protection is in use is that the ingress - is also trying to provide link and node protection. When the failure - cannot be accurately identified as that of the ingress, this can lead - to the ingress sending traffic on bypass to the next-next-hop(s) for - node-protection while the backup ingress is sending traffic to its - next-hop(s) if Next-Hop-Detect mode is used. RSVP Path messages from - the bypass may help to eventually resolve this by removing the - forwarding entry for receiving the traffic from the next-hop. + The source-detect is preferred. It is simpler than the backup- + source-detect, which needs both the source and the backup ingress + detect the ingress failaure quickly. 4. Backup Forwarding State Before the primary ingress fails, the backup ingress is responsible - for creating the necessary backup LSPs to the next hops of the - ingress. These LSPs might be multiple bypass P2P LSPs that avoid the - ingress. Alternately, the backup ingress could choose to use a - single backup P2MP LSP as a bypass or detour to protect the primary - ingress of a primary P2MP LSP. + for creating the necessary backup LSPs. These LSPs might be multiple + bypass P2P LSPs that avoid the ingress. Alternately, the backup + ingress could choose to use a single backup P2MP LSP as a bypass or + detour to protect the primary ingress of a primary P2MP LSP. The backup ingress may be off-path or on-path of an LSP. When a backup ingress is not any node of the LSP, we call the backup ingress is off-path. When a backup ingress is a next-hop of the primary ingress of the LSP, we call it is on-path. If the backup ingress is on-path, the primary forwarding state associated with the primary LSP SHOULD be clearly separated from the backup LSP(s) state. - Specifically in Backup-Detect mode, the backup ingress will receive - traffic from the primary ingress and from the traffic source; only - the former should be forwarded until failure is detected even if the - backup ingress is the only next-hop. 4.1. Forwarding State for Backup LSP A forwarding entry for a backup LSP is created on the backup ingress after the LSP is set up. Depending on the failure-detection mode (e.g., source-detect), it may be used to forward received traffic or - simply be inactive (e.g., backup-detect) until required. In either - case, when the primary ingress fails, this forwarding entry is used - to import the traffic into the backup LSP to the next hops of the + simply be inactive (e.g., backup-source-detect) until required. In + either case, when the primary ingress fails, this entry is used to + import the traffic into the backup LSP to the next hops of the primary ingress, where the traffic is merged into the primary LSP. The forwarding entry for a backup LSP is a local implementation issue. In one device, it may have an inactive flag. This inactive forwarding entry is not used to forward any traffic normally. When the primary ingress fails, it is changed to active, and thus the traffic from the source is imported into the backup LSP. -4.2. Forwarding State on Next Hops - - When Next-Hop-Detect is used, a forwarding entry for a backup LSP is - created on each of the next hops of the primary ingress of the LSP. - This forwarding entry does not forward any traffic normally. When - the primary ingress fails, it is used to import/select the traffic - from the backup LSP into the primary LSP. - 5. Protocol Extensions A new object INGRESS_PROTECTION is defined for signaling ingress local protection. It is backward compatible. 5.1. INGRESS_PROTECTION Object The INGRESS_PROTECTION object with the FAST_REROUTE object in a PATH message is used to control the backup for protecting the primary ingress of a primary LSP. The primary ingress MUST insert this @@ -329,31 +258,29 @@ 5.1. INGRESS_PROTECTION Object The INGRESS_PROTECTION object with the FAST_REROUTE object in a PATH message is used to control the backup for protecting the primary ingress of a primary LSP. The primary ingress MUST insert this object into the PATH message to be sent to the backup ingress for protecting the primary ingress. It has the following format: Class-Num = TBD C-Type = TBD - 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (bytes) | Class-Num | C-Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Secondary LSP ID | Flags | Options | DM | + | Secondary LSP ID | Flags | Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ (Subobjects) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - Flags 0x01 Ingress local protection available 0x02 Ingress local protection in use 0x04 Bandwidth protection Options 0x01 Revert to Ingress 0x02 Ingress-Proxy/Relay-Message 0x04 P2MP Backup @@ -350,37 +277,20 @@ Flags 0x01 Ingress local protection available 0x02 Ingress local protection in use 0x04 Bandwidth protection Options 0x01 Revert to Ingress 0x02 Ingress-Proxy/Relay-Message 0x04 P2MP Backup - DM (Detection Mode) - 0x00 Backup-Source-Detect - 0x01 Backup-Detect - 0x02 Source-Detect - 0x03 Next-Hop-Detect - - For backward compatible, the two high-order bits of the Class-Num in - the object are set as follows: - - o Class-Num = 0bbbbbbb for the object in a message not on LSP path. - The entire message should be rejected and an "Unknown Object - Class" error returned. - - o Class-Num = 10bbbbbb for the object in a message on LSP path. The - node should ignore the object, neither forwarding it nor sending - an error message. - The Secondary LSP ID in the object is an LSP ID that the primary ingress has allocated for a protected LSP tunnel. The backup ingress will use this LSP ID to set up a new LSP from the backup ingress to the destinations of the protected LSP tunnel. This allows the new LSP to share resources with the old one. The flags are used to communicate status information from the backup ingress to the primary ingress. o Ingress local protection available: The backup ingress sets this @@ -408,36 +318,20 @@ o Ingress-Proxy/Relay-Message: This option is set to one indicating that Ingress-Proxy method is used. It is set to zero indicating that Relay-Message method is used. o P2MP Backup: This option is set to ask for the backup ingress to use P2MP backup LSP to protect the primary ingress. Note that one spare bit of the flags in the FAST-REROUTE object can be used to indicate whether P2MP or P2P backup LSP is desired for protecting an ingress and intermediate node. - The DM (Detection Mode) is used by the primary ingress to specify a - desired failure detection mode. - - o Backup-Source-Detect (0x00): The backup ingress and the source are - concurrently responsible for detecting the failure involving the - primary ingress and redirecting the traffic. - - o Backup-Detect (0x01): The backup ingress is responsible for - detecting the failure and redirecting the traffic. - - o Source-Detect (0x02): The source is responsible for detecting the - failure and redirecting the traffic. - - o Next-Hop-Detect (0x03): The next hops of the primary ingress are - responsible for detecting the failure and selecting the traffic. - The INGRESS_PROTECTION object may contain some of the sub objects described below. 5.1.1. Subobject: Backup Ingress IPv4/IPv6 Address When the primary ingress of a protected LSP sends a PATH message with an INGRESS_PROTECTION object to the backup ingress, the object may have a Backup Ingress IPv4/IPv6 Address sub object containing an IPv4/IPv6 address belonging to the backup ingress. The formats of the sub object for Backup Ingress IPv4/IPv6 Address is given below: @@ -466,22 +360,21 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: TBD-2 Backup Ingress IPv6 Address Length: Total length of the subobject in bytes, including the Type and Length fields. The Length is always 20. Reserved: Reserved two bytes are set to zeros. IPv6 address: A 128-bit unicast, host address. 5.1.2. Subobject: Ingress IPv4/IPv6 Address - The INGRESS_PROTECTION object in a PATH message from the primary - ingress to the backup ingress may have an Ingress IPv4/IPv6 Address + The INGRESS_PROTECTION object may have an Ingress IPv4/IPv6 Address sub object containing an IPv4/IPv6 address belonging to the primary ingress. The sub object has the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Reserved (zeros) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPv4 address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -502,22 +395,21 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: TBD-4 Backup Ingress IPv6 Address Length: Total length of the subobject in bytes, including the Type and Length fields. The Length is always 20. Reserved: Reserved two bytes are set to zeros. IPv6 address: A 128-bit unicast, host address. 5.1.3. Subobject: Traffic Descriptor - The INGRESS_PROTECTION object in a PATH message from the primary - ingress to the backup ingress may have a Traffic Descriptor sub + The INGRESS_PROTECTION object may have a Traffic Descriptor sub object describing the traffic to be mapped to the backup LSP on the backup ingress for locally protecting the primary ingress. The sub object has the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Reserved (zeros) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Traffic Element 1 | @@ -653,30 +545,26 @@ +-------+-----------+------+--------+-----------------+---------+ |Relay- | No |Yes | No | No | Yes- | |Message| | | | | | +-------+-----------+------+--------+-----------------+---------+ |Proxy- | Yes |Yes- | Yes | Yes | Yes | |Ingress| | | | | | +-------+-----------+------+--------+-----------------+---------+ 6.2. Ingress Behavior - The primary ingress must be configured with four pieces of + The primary ingress must be configured with two or three pieces of information for ingress protection. o Backup Ingress Address: The primary ingress must know an IP address for it to be included in the INGRESS-PROTECTION object. - o Failure Detection Mode: The primary ingress must know what failure - detection mode is to be used: Backup-Source-Detect, Backup-Detect, - Source-Detect, or Next-Hop-Detect. - o Proxy-Ingress-Id (only needed for Proxy-Ingress Method): The Proxy-Ingress-Id is only used in the Record Route Object for recording the proxy-ingress. If no proxy-ingress-id is specified, then a local interface address that will not otherwise be included in the Record Route Object can be used. A similar technique is used in [RFC4090 Sec 6.1.1]. o Application Traffic Identifier: The primary ingress and backup ingress must both know what application traffic should be directed into the LSP. If a list of prefixes in the Traffic Descriptor @@ -698,26 +586,25 @@ 1. Select a PATH message. 2. If the backup ingress is off-path, then send the backup ingress a PATH message with the content from the selected PATH message and an INGRESS-PROTECTION object; else (the backup ingress is a next hop, i.e., on-path case) add an INGRESS-PROTECTION object into the existing PATH message to the backup ingress (i.e., the next hop). The INGRESS-PROTECTION object contains the Traffic- Descriptor sub-object, the Backup Ingress Address sub-object and - the Label-Routes sub-object. The DM (Detection Mode) in the - object is set to indicate the failure detection mode desired. - The flags is set to indicate whether a Backup P2MP LSP is - desired. If not yet allocated, allocate a second LSP-ID to be - used in the INGRESS-PROTECTION object. The Label-Routes sub- - object contains the next-hops of the ingress and their labels. + the Label-Routes sub-object. The flags is set to indicate + whether a Backup P2MP LSP is desired. If not yet allocated, + allocate a second LSP-ID to be used in the INGRESS-PROTECTION + object. The Label-Routes sub-object contains the next-hops of + the ingress and their labels. 3. For each of the other PATH messages, if the node to which the message is sent is not the backup ingress, then send the backup ingress a PATH message with the content copied from the message to the node and an empty INGRESS-PROTECTION object; else send the node the message with an empty INGRESS-PROTECTION object. 6.2.2. Proxy-Ingress Method The primary ingress is responsible for starting the RSVP signaling @@ -732,41 +619,38 @@ 3. In the PATH RRO, instead of recording the ingress node's address, replace it with the Proxy-Ingress-Id. 4. Leave the HOP object populated as usual with information for the ingress-node. 5. Add the INGRESS-PROTECTION object to the PATH message. Allocate a second LSP-ID to be used in the INGRESS-PROTECTION object. Include the Backup Ingress Address (IPv4 or IPv6) sub-object and - the Traffic-Descriptor sub-object. Set the control-options to - indicate the failure detection mode desired. Set or clear the - flag indicating that a Backup P2MP LSP is desired. + the Traffic-Descriptor sub-object. Set or clear the flag + indicating that a Backup P2MP LSP is desired. 6. Optionally, add the FAST-REROUTE object [RFC4090] to the Path message. Indicate whether one-to-one backup is desired. Indicate whether facility backup is desired. 7. The RSVP PATH message is sent to the backup node as normal. If the ingress detects that it can't communicate with the backup ingress, then the ingress should instead send the PATH message to the next-hop indicated in the ERO computed in step 1. Once the ingress detects that it can communicate with the backup ingress, the ingress SHOULD follow the steps 1-7 to obtain ingress failure protection. When the ingress node receives an RSVP PATH message with an INGRESS- PROTECTION object and the object specifies that node as the ingress node and the PHOP as the backup ingress node, the ingress node SHOULD - check the Failure Scenario specified in the INGRESS-PROTECTION object - and, if it is not the Next-Hop-Detect, then the ingress node SHOULD remove the INGRESS-PROTECTION object from the PATH message before sending it out. Additionally, the ingress node must store that it will install ingress forwarding state for the LSP rather than midpoint forwarding. When an RSVP RESV message is received by the ingress, it uses the NHOP to determine whether the message is received from the backup ingress or from a different node. The stored associated PATH message contains an INGRESS-PROTECTION object that identifies the backup ingress node. If the RESV message is not from the backup node, then @@ -807,29 +691,22 @@ FAST-REROUTE object. This applies to providing a P2MP backup if the "P2MP backup" is set, a one-to-one backup if "one-to-one desired" is set, facility backup if the "facility backup desired" is set, and backup paths that support the desired bandwidth, and administrative- colors that are requested. If multiple INGRESS-PROTECTION objects have been received via multiple PATH messages for the same LSP, then the most recent one that specified a Traffic-Descriptor sub-object MUST be the one used. - The backup ingress creates the appropriate forwarding state based on - failure detection mode specified. For the Source-Detect and Next- - Hop-Detect, this means that the backup ingress forwards any received - identified traffic into the backup LSP tunnel(s) to the merge - point(s). For the Backup-Detect and Backup-Source-Detect, this means - that the backup ingress creates state to quickly determine the - primary ingress has failed and switch to sending any received - identified traffic into the backup LSP tunnel(s) to the merge - point(s). + The backup ingress creates the appropriate forwarding state for the + backup LSP tunnel(s) to the merge point(s). When the backup ingress sends a RESV message to the primary ingress, it should add an INGRESS-PROTECTION object into the message. It SHOULD set or clear the flags in the object to report "Ingress local protection available", "Ingress local protection in use", and "bandwidth protection". If the backup ingress doesn't have a backup LSP tunnel to all the merge points, it SHOULD clear "Ingress local protection available". [Editor Note: It is possible to indicate the number or which are @@ -863,24 +740,24 @@ When the backup ingress receives a PATH message from the primary ingress for locally protecting the primary ingress of a protected LSP, it checks to see if any critical information has been changed. If the next hops of the primary ingress are changed, the backup ingress SHALL update its backup LSP(s). 6.3.1.1. Relay-Message Method When the backup ingress receives a PATH message with the INGRESS- PROTECTION object, it examines the object to learn what traffic - associated with the LSP and what ingress failure detection mode is - being used. It determines the next-hops to be merged to by examining - the Label-Routes sub-object in the object. If the Traffic-Descriptor - sub-object isn't included, this object is considered "empty". + associated with the LSP. It determines the next-hops to be merged to + by examining the Label-Routes sub-object in the object. If the + Traffic-Descriptor sub-object isn't included, this object is + considered "empty". The backup ingress stores the PATH message received from the primary ingress, but does NOT forward it. The backup ingress MUST respond with a RESV to the PATH message received from the primary ingress. If the INGRESS-PROTECTION object is not "empty", the backup ingress SHALL send the RESV message with the state indicating protection is available after the backup LSP(s) are successfully established. @@ -891,23 +768,22 @@ object) from the Record Route Object of each RESV that are closest to the top and not the Ingress router; this should be the second to the top pair. If a Label-Routes sub-object is included in the INGRESS- PROTECTION object, the included IPv4/IPv6 sub-objects are used to filter the set down to the specific next-hops where protection is desired. A RESV message must have been received before the Backup Ingress can create or select the appropriate backup LSP. When the backup ingress receives a PATH message with the INGRESS- PROTECTION object, the backup ingress examines the object to learn - what traffic associated with the LSP and what ingress failure - detection mode is being used. The backup ingress forwards the PATH - message to the ingress node with the normal RSVP changes. + what traffic associated with the LSP. The backup ingress forwards + the PATH message to the ingress node with the normal RSVP changes. When the backup ingress receives a RESV message with the INGRESS- PROTECTION object, the backup ingress records an IMPLICIT-NULL label in the RRO. Then the backup ingress forwards the RESV message to the ingress node, which is acting for the proxy ingress. 6.3.2. Backup Ingress Behavior in On-path Case An LER as the backup ingress determines that it is on-path if one of its addresses is a next hop of the primary ingress and the primary @@ -940,129 +816,73 @@ During the local repair, the backup ingress continues to send the PATH messages to its next hops as before, keeps the PATH message with the INGRESS_PROTECTION object received from the primary ingress and the RESV message with the INGRESS_PROTECTION object to be sent to the primary ingress. It sets the "local protection in use" flag in the RESV message. 6.3.3. Failure Detection - Failure detection happens much faster than RSVP, whether via a link- - level notification or BFD. As discussed, there are different modes - for detecting it. The backup ingress MUST have properly set up its - forwarding state to either always forward the specified traffic into - the backup LSP(s) for the Source-Detect and Next-Hop-Detect modes or - to swap from discarding to forwarding when a failure is detected for - the Backup-Source-Detect and Backup-Detect modes. - - For facility backup LSPs, the correct inner MPLS label to use must be - determined. For the ingress-proxy method, that MPLS label comes - directly from the RRO of the RESV. For the relay-message method, - that MPLS label comes from the Label-Routes sub-object in the non- - empty INGRESS-PROTECTION object. - As described in [RFC4090], it is necessary to refresh the PATH messages via the backup LSP(s). The Backup Ingress MUST wait to refresh the backup PATH messages until it can accurately detect that the ingress node has failed. An example of such an accurate detection would be that the IGP has no bi-directional links to the ingress node and the last change was long enough in the past that changes should have been received (i.e., an IGP network convergence time or approximately 2-3 seconds) or a BFD session to the primary ingress' loopback address has failed and stayed failed after the network has reconverged. As described in [RFC4090 Section 6.4.3], the backup ingress, acting as PLR, SHOULD modify - including removing any INGRESS-PROTECTION and FAST-REROUTE objects - and send any saved PATH messages associated with the primary LSP. -6.4. Merge Point Behavior - - An LSR that is serving as a Merge Point may need to support the - INGRESS-PROTECTION object and functionality defined in this - specification if the LSP is ingress-protected where the failure - scenario is Next-Hop-Detect. An LSR can determine that it must be a - merge point if it is not the ingress, it is not the backup ingress - (determined by examining the Backup Ingress Address (IPv4 or IPv6) - sub-object in the INGRESS-PROTECTION object), and the PHOP is the - ingress node. - - In that case, when the LSR receives a PATH message with an INGRESS- - PROTECTION object, the LSR MUST remove the INGRESS-PROTECTION object - before forwarding on the PATH message. If the failure scenario - specified is Next-Hop-Detect, the MP must connect up the fast-failure - detection (as configured) to accepting backup traffic received from - the backup node. There are a number of different ways that the MP - can enforce not forwarding traffic normally received from the backup - node. For instance, first, any LSPs set up from the backup node - should not be signaled with an IMPLICIT NULL label and second, the - associated label for the ingress- protected LSP could be set to - normally discard inside that context. - - When the MP receives a RESV message whose matching PATH state had an - INGRESS-PROTECTION object, the MP SHOULD add the INGRESS-PROTECTION - object to the RESV message before forwarding it. The Backup PATH - handling is as described in [RFC4090] and [RFC4875]. - -6.5. Revertive Behavior +6.4. Revertive Behavior Upon a failure event in the (primary) ingress of a protected LSP, the protected LSP is locally repaired by the backup ingress. There are a couple of basic strategies for restoring the LSP to a full working path. - Revert to Primary Ingress: When the primary ingress is restored, it re-signals each of the LSPs that start from the primary ingress. The traffic for every LSP successfully re-signaled is switched back to the primary ingress from the backup ingress. - Global Repair by Backup Ingress: After determining that the primary ingress of an LSP has failed, the backup ingress computes a new optimal path, signals a new LSP along the new path, and switches the traffic to the new LSP. -6.5.1. Revert to Primary Ingress +6.4.1. Revert to Primary Ingress If "Revert to Primary Ingress" is desired for a protected LSP, the (primary) ingress of the LSP re-signals the LSP that starts from the primary ingress after the primary ingress restores. When the LSP is re-signaled successfully, the traffic is switched back to the primary ingress from the backup ingress and redirected into the LSP starting from the primary ingress. - It is possible that the Ingress failure was inaccurately detected, - that the Ingress recovers before the Backup Ingress does Global - Repair, or that the Ingress has the ability to take over an LSP based - on receiving the associated RESVs. - If the ingress can resignal the PATH messages for the LSP, then the ingress can specify the "Revert to Ingress" control-option in the INGRESS-PROTECTION object. Doing so may cause a duplication of traffic while the Ingress starts sending traffic again before the Backup Ingress stops; the alternative is to drop traffic for a short period of time. Additionally, the Backup Ingress can set the "Revert To Ingress" control-option as a request for the Ingress to take over. -6.5.2. Global Repair by Backup Ingress - - When the backup ingress has determined that the primary ingress of - the protected LSP has failed (e.g., via the IGP), it can compute a - new path and signal a new LSP along the new path so that it no longer - relies upon local repair. To do this, the backup ingress uses the - same tunnel sender address in the Sender Template Object and uses the - previously allocated second LSP-ID in the INGRESS-PROTECTION object - of the PATH message as the LSP-ID of the new LSP. This allows the - new LSP to share resources with the old LSP. +6.4.2. Global Repair by Backup Ingress When the backup ingress has determined that the primary ingress of the protected LSP has failed (e.g., via the IGP), it can compute a new path and signal a new LSP along the new path so that it no longer relies upon local repair. To do this, the backup ingress uses the same tunnel sender address in the Sender Template Object and uses the previously allocated second LSP-ID in the INGRESS-PROTECTION object of the PATH message as the LSP-ID of the new LSP. This allows the new LSP to share resources with the old LSP. In addition, if the Ingress recovers, the Backup Ingress SHOULD send it RESVs with the @@ -1119,24 +938,24 @@ Markus Jork Juniper Networks 10 Technology Park Drive Westford, MA 01886 USA Email: mjork@juniper.net 10. Acknowledgement - The authors would like to thank Rahul Aggarwal, Eric Osborne, Ross - Callon, Loa Andersson, Michael Yue, Olufemi Komolafe, Rob Rennison, - Neil Harrison, Kannan Sampath, and Ronhazli Adam for their valuable - comments and suggestions on this draft. + The authors would like to thank Nobo Akiya, Rahul Aggarwal, Eric + Osborne, Ross Callon, Loa Andersson, Michael Yue, Olufemi Komolafe, + Rob Rennison, Neil Harrison, Kannan Sampath, and Ronhazli Adam for + their valuable comments and suggestions on this draft. 11. References 11.1. Normative References [RFC1700] Reynolds, J. and J. Postel, "Assigned Numbers", RFC 1700, October 1994. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. @@ -1193,28 +1011,29 @@ Huawei Technologies Boston, MA USA Email: huaimo.chen@huawei.com Ning So Tata Communications 2613 Fairbourne Cir. Plano, TX 75082 USA - Email: ning.so@tatacommunications.com + Email: ningso01@gmail.com Autumn Liu Ericsson 300 Holger Way San Jose, CA 95134 USA Email: autumn.liu@ericsson.com + Raveendra Torvi Juniper Networks 10 Technology Park Drive Westford, MA 01886 USA Email: rtorvi@juniper.net Alia Atlas Juniper Networks 10 Technology Park Drive