--- 1/draft-ietf-teas-rsvp-ingress-protection-04.txt 2016-03-21 12:24:03.350831028 -0700 +++ 2/draft-ietf-teas-rsvp-ingress-protection-05.txt 2016-03-21 12:24:03.466833945 -0700 @@ -1,19 +1,19 @@ Internet Engineering Task Force H. Chen, Ed. Internet-Draft Huawei Technologies -Intended status: Standards Track R. Torvi, Ed. -Expires: April 21, 2016 Juniper Networks - October 19, 2015 +Intended status: Experimental R. Torvi, Ed. +Expires: September 22, 2016 Juniper Networks + March 21, 2016 Extensions to RSVP-TE for LSP Ingress Local Protection - draft-ietf-teas-rsvp-ingress-protection-04.txt + draft-ietf-teas-rsvp-ingress-protection-05.txt Abstract This document describes extensions to Resource Reservation Protocol - Traffic Engineering (RSVP-TE) for locally protecting the ingress node of a Traffic Engineered (TE) Label Switched Path (LSP), which is a Point-to-Point (P2P) LSP or a Point-to-Multipoint (P2MP) LSP. Status of this Memo @@ -23,25 +23,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 21, 2016. + This Internet-Draft will expire on September 22, 2016. Copyright Notice - Copyright (c) 2015 IETF Trust and the persons identified as the + Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as @@ -58,37 +58,44 @@ 3.2. Backup and Source Detect Failure . . . . . . . . . . . . . 5 4. Backup Forwarding State . . . . . . . . . . . . . . . . . . . 5 4.1. Forwarding State for Backup LSP . . . . . . . . . . . . . 5 5. Protocol Extensions . . . . . . . . . . . . . . . . . . . . . 6 5.1. INGRESS_PROTECTION Object . . . . . . . . . . . . . . . . 6 5.1.1. Subobject: Backup Ingress IPv4 Address . . . . . . . . 7 5.1.2. Subobject: Backup Ingress IPv6 Address . . . . . . . . 8 5.1.3. Subobject: Ingress IPv4 Address . . . . . . . . . . . 8 5.1.4. Subobject: Ingress IPv6 Address . . . . . . . . . . . 8 5.1.5. Subobject: Traffic Descriptor . . . . . . . . . . . . 9 - 5.1.6. Subobject: Label-Routes . . . . . . . . . . . . . . . 9 + 5.1.6. Subobject: Label-Routes . . . . . . . . . . . . . . . 10 6. Behavior of Ingress Protection . . . . . . . . . . . . . . . . 10 - 6.1. Ingress Behavior . . . . . . . . . . . . . . . . . . . . . 10 - 6.2. Backup Ingress Behavior . . . . . . . . . . . . . . . . . 11 - 6.2.1. Backup Ingress Behavior in Off-path Case . . . . . . . 11 - 6.2.2. Backup Ingress Behavior in On-path Case . . . . . . . 13 - 6.2.3. Failure Detection and Refresh PATH Messages . . . . . 14 - 6.3. Revertive Behavior . . . . . . . . . . . . . . . . . . . . 14 - 6.3.1. Revert to Primary Ingress . . . . . . . . . . . . . . 15 - 6.3.2. Global Repair by Backup Ingress . . . . . . . . . . . 15 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 - 8.1. A New Class Number . . . . . . . . . . . . . . . . . . . . 16 - 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16 - 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 17 - 11. Normative References . . . . . . . . . . . . . . . . . . . . . 17 - A. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18 + 6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 6.1.1. Relay-Message Method . . . . . . . . . . . . . . . . . 10 + 6.1.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 11 + 6.1.3. Comparing Two Methods . . . . . . . . . . . . . . . . 12 + 6.2. Ingress Behavior . . . . . . . . . . . . . . . . . . . . . 12 + 6.2.1. Relay-Message Method . . . . . . . . . . . . . . . . . 13 + 6.2.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 13 + 6.3. Backup Ingress Behavior . . . . . . . . . . . . . . . . . 14 + 6.3.1. Backup Ingress Behavior in Off-path Case . . . . . . . 15 + 6.3.2. Backup Ingress Behavior in On-path Case . . . . . . . 17 + 6.3.3. Failure Detection and Refresh PATH Messages . . . . . 18 + 6.4. Revertive Behavior . . . . . . . . . . . . . . . . . . . . 18 + 6.4.1. Revert to Primary Ingress . . . . . . . . . . . . . . 18 + 6.4.2. Global Repair by Backup Ingress . . . . . . . . . . . 19 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 + 8.1. A New Class Number . . . . . . . . . . . . . . . . . . . . 20 + 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 20 + 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 21 + 11. Normative References . . . . . . . . . . . . . . . . . . . . . 21 + A. Problem Summary . . . . . . . . . . . . . . . . . . . . . . . 22 + B. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 23 1. Co-authors Ning So, Autumn Liu, Alia Atlas, Yimin Shen, Tarek Saad, Fengman Xu, Mehmet Toy, Lei Liu 2. Introduction For a MPLS LSP it is important to have a fast-reroute method for protecting its ingress node and transit nodes. Protecting an ingress @@ -244,34 +251,40 @@ object into the PATH message to be sent to the backup ingress for protecting the primary ingress. It has the following format: Class-Num = TBD C-Type = 1 for INGRESS_PROTECTION_IPv4 C-Type = 2 for INGRESS_PROTECTION_IPv6 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (bytes) | Class-Num | C-Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Reserved (zero) | Flags | Options | + | Secondary LSP ID | Flags | Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ (Subobjects) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Flags 0x01 Ingress local protection available 0x02 Ingress local protection in use 0x04 Bandwidth protection Options 0x01 Revert to Ingress 0x02 P2MP Backup + The Secondary LSP ID in the object is an LSP ID that the primary + ingress has allocated for a protected LSP tunnel. The backup ingress + may use this LSP ID to set up a new LSP from the backup ingress to + the destinations of the protected LSP tunnel. This allows the new + LSP to share resources with the old one. + The flags are used to communicate status information from the backup ingress to the primary ingress. o Ingress local protection available: The backup ingress sets this flag after backup LSPs are up and ready for locally protecting the primary ingress. The backup ingress sends this to the primary ingress to indicate that the primary ingress is locally protected. o Ingress local protection in use: The backup ingress sets this flag when it detects a failure in the primary ingress. The backup @@ -414,94 +428,237 @@ ~ Subobjects ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Subobjects in the Label-Routes are copied from those in the RECORD_ROUTE objects in the RESV messages that the primary ingress receives from its next hops for the primary LSP. They MUST contain the first hops of the LSP, each of which is paired with its label. 6. Behavior of Ingress Protection +6.1. Overview + There are four parts of ingress protection: 1) setting up the necessary backup LSP forwarding state; 2) identifying the failure and providing the fast repair (as discussed in Sections 3 and 4); 3) maintaining the RSVP-TE control plane state until a global repair is - done; and 4) performing the global repair(see Section 6.3). + done; and 4) performing the global repair(see Section 6.4). -6.1. Ingress Behavior + There are two different proposed signaling approaches to obtain + ingress protection. They both use the same new INGRESS_PROTECTION + object. The object is sent in both PATH and RESV messages. + +6.1.1. Relay-Message Method + + The primary ingress relays the information for ingress protection of + an LSP to the backup ingress via PATH messages. Once the LSP is + created, the ingress of the LSP sends the backup ingress a PATH + message with an INGRESS_PROTECTION object with Label-Routes + subobject, which is populated with the next-hops and labels. This + provides sufficient information for the backup ingress to create the + appropriate forwarding state and backup LSP(s). + + The ingress also sends the backup ingress all the other PATH messages + for the LSP with an empty INGRESS_PROTECTION object. Thus, the + backup ingress has access to all the PATH messages needed for + modification to refresh control-plane state after a failure. + + The advantages of this method include: 1) the primary LSP is + independent of the backup ingress; 2) simple; 3) less configuration; + and 4) less control traffic. + +6.1.2. Proxy-Ingress Method + + Conceptually, a proxy ingress is created that starts the RSVP + signaling. The explicit path of the LSP goes from the proxy ingress + to the backup ingress and then to the real ingress. The behavior and + signaling for the proxy ingress is done by the real ingress; the use + of a proxy ingress address avoids problems with loop detection. + + [ traffic source ] *** Primary LSP + $ $ --- Backup LSP + $ $ $$ Link + $ $ + [ proxy ingress ] [ backup ] + [ & ingress ] | + * | + *****[ MP ]----| + + Figure 2: Example Protected LSP with Proxy Ingress Node + + The backup ingress must know the merge points or next-hops and their + associated labels. This is accomplished by having the RSVP PATH and + RESV messages go through the backup ingress, although the forwarding + path need not go through the backup ingress. If the backup ingress + fails, the ingress simply removes the INGRESS_PROTECTION object and + forwards the PATH messages to the LSP's next-hop(s). If the ingress + has its LSP configured for ingress protection, then the ingress can + add the backup ingress and itself to the ERO and start forwarding the + PATH messages to the backup ingress. + + Slightly different behavior can apply for the on-path and off-path + cases. In the on-path case, the backup ingress is a next hop node + after the ingress for the LSP. In the off-path, the backup ingress + is not any next-hop node after the ingress for all associated sub- + LSPs. + + The key advantage of this approach is that it minimizes the special + handling code requires. Because the backup ingress is on the + signaling path, it can receive various notifications. It easily has + access to all the PATH messages needed for modification to be sent to + refresh control-plane state after a failure. + +6.1.3. Comparing Two Methods + + +-------+-----------+-------+--------------+---------------+---------+ + |\_ Item|Primary LSP|Config |PATH Msg from |RESV Msg from |Reuse | + | \_ |Depends on |Proxy- |Backup Ingress|Primary Ingress|Some | + | \|Backup |Ingress|to Primary |to Backup |Existing | + |Method |Ingress |ID |Ingress |Ingress |Functions| + +-------+-----------+-------+--------------+---------------+---------+ + |Relay- | No | No | No | No | Yes- | + |Message| | | | | | + +-------+-----------+-------+--------------+---------------+---------+ + |Proxy- | Yes | Yes- | Yes | Yes | Yes | + |Ingress| | | | | | + +-------+-----------+-------+--------------+---------------+---------+ + +6.2. Ingress Behavior The primary ingress MUST be configured with a couple of pieces of information for ingress protection. o Backup Ingress Address: The primary ingress MUST know an IP address for it to be included in the INGRESS_PROTECTION object. + o Proxy-Ingress-Id (only needed for Proxy-Ingress Method): The + Proxy-Ingress-Id is only used in the Record Route Object for + recording the proxy-ingress. If no proxy-ingress-id is specified, + then a local interface address that will not otherwise be included + in the Record Route Object can be used. A similar technique is + used in [RFC4090 Sec 6.1.1]. + o Application Traffic Identifier: The primary ingress and backup ingress MUST both know what application traffic should be directed into the LSP. If a list of prefixes in the Traffic Descriptor sub-object will not suffice, then a commonly understood Application Traffic Identifier can be sent between the primary ingress and backup ingress. The exact meaning of the identifier should be configured similarly at both the primary ingress and backup ingress. The Application Traffic Identifier is understood within the unique context of the primary ingress and backup ingress. + o A connection between backup ingress and primary ingress: If there + is not any direct link between the primary ingress and the backup + ingress, a tunnel MUST be configured between them. + With this additional information, the primary ingress can create and signal the necessary RSVP extensions to support ingress protection. - The primary ingress relays the information for ingress protection of - an LSP to the backup ingress via PATH messages. Once the LSP is - created, the ingress of the LSP sends the backup ingress a PATH - message with an INGRESS_PROTECTION object with Label-Routes - subobject, which is populated with the next-hops and labels. This - provides sufficient information for the backup ingress to create the - appropriate forwarding state and backup LSP(s). - - The ingress also sends the backup ingress all the other PATH messages - for the LSP with an empty INGRESS_PROTECTION object. Thus, the - backup ingress has access to all the PATH messages needed for - modification to refresh control-plane state after a failure. +6.2.1. Relay-Message Method To protect the ingress of an LSP, the ingress MUST do the following after the LSP is up. 1. Select a PATH message. 2. If the backup ingress is off-path, then send it a PATH message with the content from the selected PATH message and an INGRESS_PROTECTION object; else (the backup ingress is a next hop, i.e., on-path case) add an INGRESS_PROTECTION object into the existing PATH message to the backup ingress (i.e., the next hop). The object contains the Traffic-Descriptor sub-object, the Backup Ingress Address sub-object and the Label-Routes sub- object. The options is set to indicate whether a Backup P2MP LSP - is desired. The Label-Routes sub-object contains the next-hops - of the ingress and their labels. + is desired. A secondary LSP-ID is allocated (if it is not + allocated yet) and used in the object. The Label-Routes sub- + object contains the next-hops of the ingress and their labels. 3. For each of the other PATH messages, send the backup ingress a PATH message with the content copied from the message and an empty INGRESS_PROTECTION object, which is an object without any Traffic-Descriptor sub-object. -6.2. Backup Ingress Behavior +6.2.2. Proxy-Ingress Method + + The primary ingress is responsible for starting the RSVP signaling + for the proxy-ingress node. To do this, the following MUST be done + for the RSVP PATH message. + + 1. Compute the EROs for the LSP as normal for the ingress. + + 2. If the selected backup ingress node is not the first node on the + path (for all sub-LSPs), then insert at the beginning of the ERO + first the backup ingress node and then the ingress node. + + 3. In the PATH RRO, instead of recording the ingress node's address, + replace it with the Proxy-Ingress-Id. + + 4. Leave the HOP object populated as usual with information for the + ingress-node. + + 5. Add the INGRESS_PROTECTION object to the PATH message. Allocate + a secondary LSP-ID to be used in the INGRESS-PROTECTION object. + Include the Backup Ingress Address (IPv4 or IPv6) sub-object and + the Traffic-Descriptor sub-object. Set or clear the options + indicating that a Backup P2MP LSP is desired. + + 6. Optionally, add the FAST-REROUTE object [RFC4090] to the Path + message. Indicate whether one-to-one backup is desired. + Indicate whether facility backup is desired. + + 7. The RSVP PATH message is sent to the backup node as normal. + + If the ingress detects that it can't communicate with the backup + ingress, then the ingress SHOULD instead send the PATH message to the + next-hop indicated in the ERO computed in step 1. Once the ingress + detects that it can communicate with the backup ingress, the ingress + SHOULD follow the steps 1-7 to obtain ingress failure protection. + + When the ingress node receives an RSVP PATH message with an INGRESS- + PROTECTION object and the object specifies that node as the ingress + node and the PHOP as the backup ingress node, the ingress node SHOULD + remove the INGRESS_PROTECTION object from the PATH message before + sending it out. Additionally, the ingress node MUST store that it + will install ingress forwarding state for the LSP rather than + midpoint forwarding. + + When an RSVP RESV message is received by the ingress, it uses the + NHOP to determine whether the message is received from the backup + ingress or from a different node. The stored associated PATH message + contains an INGRESS_PROTECTION object that identifies the backup + ingress node. If the RESV message is not from the backup node, then + ingress forwarding state SHOULD be set up, and the INGRESS_PROTECTION + object MUST be added to the RESV before it is sent to the NHOP, which + SHOULD be the backup node. If the RESV message is from the backup + node, then the LSP SHOULD be considered available for use. + + If the backup ingress node is on the forwarding path, then a RESV is + received with an INGRESS_PROTECTION object and an NHOP that matches + the backup ingress. In this case, the ingress node's address will + not appear after the backup ingress in the RRO. The ingress node + SHOULD set up ingress forwarding state, just as is done if the LSP + weren't ingress-node protected. + +6.3. Backup Ingress Behavior An LER determines that the ingress local protection is requested for an LSP if the INGRESS_PROTECTION object is included in the PATH message it receives for the LSP. The LER can further determine that it is the backup ingress if one of its addresses is in the Backup Ingress Address sub-object of the INGRESS_PROTECTION object. The LER as the backup ingress will assume full responsibility of the ingress after the primary ingress fails. In addition, the LER determines that it is off-path if it is not any node of the LSP. -6.2.1. Backup Ingress Behavior in Off-path Case +6.3.1. Backup Ingress Behavior in Off-path Case The backup ingress considers itself as a PLR and the primary ingress as its next hop and provides a local protection for the primary ingress. It behaves very similarly to a PLR providing fast-reroute where the primary ingress is considered as the failure-point to protect. Where not otherwise specified, the behavior given in [RFC4090] for a PLR applies. The backup ingress MUST follow the control-options specified in the INGRESS_PROTECTION object and the flags and specifications in the @@ -553,44 +710,71 @@ primary ingress, and tear down the one-to-one backup LSPs for protecting the primary ingress if one-to-one backup is used or unbind the facility backup LSPs if facility backup is used. When the backup ingress receives a PATH message from the primary ingress for locally protecting the primary ingress of a protected LSP, it MUST check to see if any critical information has been changed. If the next hops of the primary ingress are changed, the backup ingress SHALL update its backup LSP(s) accordingly. +6.3.1.1. Relay-Message Method + When the backup ingress receives a PATH message with an non empty INGRESS_PROTECTION object, it examines the object to learn what traffic associated with the LSP. It determines the next-hops to be merged to by examining the Label-Routes sub-object in the object. The backup ingress MUST store the PATH message received from the primary ingress, but NOT forward it. The backup ingress responds with a RESV to the PATH message received from the primary ingress. If the INGRESS_PROTECTION object is not "empty", the backup ingress SHALL send the RESV message with the state indicating protection is available after the backup LSP(s) are successfully established. -6.2.2. Backup Ingress Behavior in On-path Case +6.3.1.2. Proxy-Ingress Method + + The backup ingress determines the next-hops to be merged to by + collecting the set of the pair of (IPv4/IPv6 sub-object, Label sub- + object) from the Record Route Object of each RESV that are closest to + the top and not the Ingress router; this should be the second to the + top pair. If a Label-Routes sub-object is included in the + INGRESS_PROTECTION object, the included IPv4/IPv6 sub-objects are + used to filter the set down to the specific next-hops where + protection is desired. A RESV message MUST have been received before + the Backup Ingress can create or select the appropriate backup LSP. + + When the backup ingress receives a PATH message with the + INGRESS_PROTECTION object, the backup ingress examines the object to + learn what traffic associated with the LSP. The backup ingress + forwards the PATH message to the ingress node with the normal RSVP + changes. + + When the backup ingress receives a RESV message with the + INGRESS_PROTECTION object, the backup ingress records an IMPLICIT- + NULL label in the RRO. Then the backup ingress forwards the RESV + message to the ingress node, which is acting for the proxy ingress. + +6.3.2. Backup Ingress Behavior in On-path Case An LER as the backup ingress determines that it is on-path if one of - its addresses is a next hop of the primary ingress. The LER on-path - MUST send the corresponding PATH messages without any - INGRESS_PROTECTION object to its next hops. It creates a number of - backup P2P LSPs or a backup P2MP LSP from itself to the other next - hops (i.e., the next hops other than the backup ingress) of the - primary ingress. The other next hops are from the Label-Routes sub - object. + its addresses is a next hop of the primary ingress (and for Proxy- + Ingress Method the primary ingress is not its next hop via checking + the PATH message with the INGRESS_PROTECTION object received from the + primary ingress). The LER on-path MUST send the corresponding PATH + messages without any INGRESS_PROTECTION object to its next hops. It + creates a number of backup P2P LSPs or a backup P2MP LSP from itself + to the other next hops (i.e., the next hops other than the backup + ingress) of the primary ingress. The other next hops are from the + Label-Routes sub object. It also creates a forwarding entry, which sends/multicasts the traffic from the source to the next hops of the backup ingress along the protected LSP when the primary ingress fails. The traffic is described by the Traffic-Descriptor. After the forwarding entry is created, all the backup P2P LSPs or the backup P2MP LSP is up and associated with the protected LSP, the backup ingress MUST send the primary ingress the RESV message with the INGRESS_PROTECTION object containing the state of the local @@ -603,91 +787,94 @@ backup P2MP LSP transmitting the traffic to the other next hops of the primary ingress, where the traffic is merged into protected LSP. During the local repair, the backup ingress MUST continue to send the PATH messages to its next hops as before, keep the PATH message with the INGRESS_PROTECTION object received from the primary ingress and the RESV message with the INGRESS_PROTECTION object to be sent to the primary ingress. It MUST set the "local protection in use" flag in the RESV message. -6.2.3. Failure Detection and Refresh PATH Messages +6.3.3. Failure Detection and Refresh PATH Messages As described in [RFC4090], it is necessary to refresh the PATH messages via the backup LSP(s). The Backup Ingress MUST wait to refresh the PATH messages until it can accurately detect that the ingress node has failed. An example of such an accurate detection would be that the IGP has no bi-directional links to the ingress node and the last change was long enough in the past that changes should have been received (i.e., an IGP network convergence time or approximately 2-3 seconds) or a BFD session to the primary ingress' loopback address has failed and stayed failed after the network has reconverged. As described in [RFC4090 Section 6.4.3], the backup ingress, acting as PLR, MUST modify and send any saved PATH messages associated with the primary LSP to the corresponding next hops through backup LSP(s). Any PATH message sent will not contain any INGRESS_PROTECTION object. The RSVP_HOP object in the message contains an IP source address belonging to the backup ingress. The sender template object has the backup ingress address as its tunnel sender address. -6.3. Revertive Behavior +6.4. Revertive Behavior Upon a failure event in the (primary) ingress of a protected LSP, the protected LSP is locally repaired by the backup ingress. There are a couple of basic strategies for restoring the LSP to a full working path. - Revert to Primary Ingress: When the primary ingress is restored, it re-signals each of the LSPs that start from the primary ingress. The traffic for every LSP successfully re-signaled is switched back to the primary ingress from the backup ingress. - Global Repair by Backup Ingress: After determining that the primary ingress of an LSP has failed, the backup ingress computes a new optimal path, signals a new LSP along the new path, and switches the traffic to the new LSP. -6.3.1. Revert to Primary Ingress +6.4.1. Revert to Primary Ingress If "Revert to Primary Ingress" is desired for a protected LSP, the (primary) ingress of the LSP SHOULD re-signal the LSP that starts from the primary ingress after the primary ingress restores. After the LSP is re-signaled successfully, the traffic SHOULD be switched back to the primary ingress from the backup ingress on the source node and redirected into the LSP starting from the primary ingress. The primary ingress can specify the "Revert to Ingress" control- option in the INGRESS_PROTECTION object in the PATH messages to the backup ingress. After receiving the "Revert to Ingress" control- option, the backup ingress MUST stop sending/refreshing PATH messages for the protected LSP. -6.3.2. Global Repair by Backup Ingress +6.4.2. Global Repair by Backup Ingress When the backup ingress has determined that the primary ingress of the protected LSP has failed (e.g., via the IGP), it can compute a new path and signal a new LSP along the new path so that it no longer relies upon local repair. To do this, the backup ingress MUST use - the same tunnel sender address in the Sender Template Object and - allocate a LSP ID different from the one of the old LSP as the LSP-ID - of the new LSP. This allows the new LSP to share resources with the - old LSP. In addition, if the Ingress recovers, the Backup Ingress - SHOULD send it RESVs with the INGRESS_PROTECTION object where the - "Revert to Ingress" is specified. The Ingress can learn from the - RESVs what to signal. The Backup Ingress can reoptimize the new LSP - as necessary until the Ingress recovers. Alternately, the Backup - Ingress can create a new LSP with no bandwidth reservation that - duplicates the path(s) of the protected LSP, move traffic to the new - LSP, delete the protected LSP, and then resignal the new LSP with - bandwidth. + the same tunnel sender address in the Sender Template Object and the + previously allocated secondary LSP-ID in the INGRESS_PROTECTION + object of the PATH message as the LSP-ID of the new LSP. This allows + the new LSP to share resources with the old LSP. In addition, if the + Ingress recovers, the Backup Ingress SHOULD send it RESVs with the + INGRESS_PROTECTION object where the "Revert to Ingress" is specified. + The Secondary LSP ID MUST be the unused LSP ID - while the LSP ID + signaled in the RESV will be that currently active. The Ingress can + learn from the RESVs what to signal. Even if the Ingress does not + take over, the RESVs notify it that the particular LSP IDs are in + use. The Backup Ingress can reoptimize the new LSP as necessary + until the Ingress recovers. Alternately, the Backup Ingress can + create a new LSP with no bandwidth reservation that duplicates the + path(s) of the protected LSP, move traffic to the new LSP, delete the + protected LSP, and then resignal the new LSP with bandwidth. 7. Security Considerations In principle this document does not introduce new security issues. The security considerations pertaining to RFC 4090, RFC 4875 and other RSVP protocols remain relevant. 8. IANA Considerations IANA is requested to administer the assignment of new values defined @@ -787,21 +974,77 @@ DOI 10.17487/RFC4090, May 2005, . [RFC4875] Aggarwal, R., Ed., Papadimitriou, D., Ed., and S. Yasukawa, Ed., "Extensions to Resource Reservation Protocol - Traffic Engineering (RSVP-TE) for Point-to- Multipoint TE Label Switched Paths (LSPs)", RFC 4875, DOI 10.17487/RFC4875, May 2007, . -Appendix A. Authors' Addresses +Appendix A. Problem Summary + + There is a need for a fast and efficient protection against the + failure of the ingress node of a MPLS TE LSP (either P2MP LSP or P2P + LSP). + + For a MPLS TE LSP, protecting the failures of its transit nodes using + fast-reroute (FRR) is covered in RFC 4090 for P2P LSP and RFC 4875 + for P2MP LSP. However, protecting the failure of its ingress node + using FRR is not covered in either RFC 4090 or RFC 4875. The MPLS + Transport Profile (MPLS-TP) Linear Protection described in RFC 6378 + can provide a protection against the failure of any transit node of a + LSP between the ingress node and the egress node of the LSP, but + cannot protect against the failure of the ingress node. + + To protect against the failure of the (primary) ingress node of a + primary end to end P2MP (or P2P) TE LSP, a typical existing solution + is to set up a secondary backup end to end P2MP (or P2P) TE LSP from + a backup ingress node, which is different from the primary ingress + node, to the backup egress nodes (or node), which are (or is) + different from the primary egress nodes (or node) of the primary LSP. + For a P2MP TE LSP, on each of the primary (and backup) egress nodes, + a P2P LSP is created from the egress node to its primary (backup) + ingress node and configured with BFD. This is used to detect the + failure of the primary (backup) ingress node for the receiver to + switch to the backup (or primary) egress node to receive the traffic + after the primary (or backup) ingress node fails when both the + primary LSP and the secondary LSP carry the traffic. In addition, + FRR may be used to provide protections against the failures of the + transit nodes and the links of the primary and secondary end to end + TE LSPs. + + There are a number of issues in this solution, which are briefed as + follows: + + o It consumes lots of network resources. Double states need to be + maintained in the network since two end to end TE LSPs are + created. Double link bandwidth is reserved and used when both the + primary and the secondary end to end TE LSPs carry the traffic at + the same time. + + o More operations are needed, which include the configurations of + two end to end TE LSPs and BFDs from each of the egress nodes to + its corresponding ingress node. + + o The detection of the failure of the ingress node may not be + reliable. Any failure on the path of the BFD from an egress node + to an ingress node may cause the BFD down to indicate the failure + of the ingress node. + + o The speed of protection against the failure of the ingress node + may be slow. + + The ingress local protection proposed in this draft will resolve the + above issues. + +Appendix B. Authors' Addresses Huaimo Chen Huawei Technologies Boston, MA USA Email: huaimo.chen@huawei.com Raveendra Torvi Juniper Networks 10 Technology Park Drive