--- 1/draft-ietf-teas-rsvp-ingress-protection-13.txt 2018-02-28 18:13:09.874330657 -0800 +++ 2/draft-ietf-teas-rsvp-ingress-protection-14.txt 2018-02-28 18:13:09.930331982 -0800 @@ -1,167 +1,171 @@ Internet Engineering Task Force H. Chen, Ed. Internet-Draft Huawei Technologies Intended status: Experimental R. Torvi, Ed. -Expires: August 17, 2018 Juniper Networks - February 13, 2018 +Expires: September 1, 2018 Juniper Networks + February 28, 2018 Extensions to RSVP-TE for LSP Ingress FRR Protection - draft-ietf-teas-rsvp-ingress-protection-13.txt + draft-ietf-teas-rsvp-ingress-protection-14.txt Abstract This document describes extensions to Resource Reservation Protocol - Traffic Engineering (RSVP-TE) for locally protecting the ingress node of a Point-to-Point (P2P) or Point-to-Multipoint (P2MP) Traffic - Engineered (TE) Label Switched Path (LSP). The procedures described - in this document are experimental. + Engineered (TE) Label Switched Path (LSP). It extends the fast- + reroute (FRR) protection for transit nodes of an LSP to the ingress + node of the LSP. The procedures described in this document are + experimental. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on August 17, 2018. + This Internet-Draft will expire on September 1, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 1.1. Ingress Local Protection . . . . . . . . . . . . . . . . . 4 + 1.1. Ingress Local Protection Example . . . . . . . . . . . . . 4 + 1.2. Ingress Local Protection Overview . . . . . . . . . . . . 5 2. Ingress Failure Detection . . . . . . . . . . . . . . . . . . 5 - 2.1. Source Detects Failure . . . . . . . . . . . . . . . . . . 5 - 2.2. Backup and Source Detect Failure . . . . . . . . . . . . . 5 - 3. Backup Forwarding State . . . . . . . . . . . . . . . . . . . 6 - 3.1. Forwarding State for Backup LSP . . . . . . . . . . . . . 6 - 4. Protocol Extensions . . . . . . . . . . . . . . . . . . . . . 7 - 4.1. INGRESS_PROTECTION Object . . . . . . . . . . . . . . . . 7 - 4.1.1. Subobject: Backup Ingress IPv4 Address . . . . . . . . 8 - 4.1.2. Subobject: Backup Ingress IPv6 Address . . . . . . . . 9 - 4.1.3. Subobject: Ingress IPv4 Address . . . . . . . . . . . 9 - 4.1.4. Subobject: Ingress IPv6 Address . . . . . . . . . . . 10 - 4.1.5. Subobject: Traffic Descriptor . . . . . . . . . . . . 10 - 4.1.6. Subobject: Label-Routes . . . . . . . . . . . . . . . 11 - 5. Behavior of Ingress Protection . . . . . . . . . . . . . . . . 11 - 5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 11 - 5.1.1. Relay-Message Method . . . . . . . . . . . . . . . . . 12 - 5.1.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 12 - 5.2. Ingress Behavior . . . . . . . . . . . . . . . . . . . . . 13 - 5.2.1. Relay-Message Method . . . . . . . . . . . . . . . . . 14 - 5.2.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 15 - 5.3. Backup Ingress Behavior . . . . . . . . . . . . . . . . . 16 - 5.3.1. Backup Ingress Behavior in Off-path Case . . . . . . . 16 - 5.3.2. Backup Ingress Behavior in On-path Case . . . . . . . 18 - 5.3.3. Failure Detection and Refresh PATH Messages . . . . . 19 - 5.4. Revertive Behavior . . . . . . . . . . . . . . . . . . . . 20 - 5.4.1. Revert to Primary Ingress . . . . . . . . . . . . . . 20 - 5.4.2. Global Repair by Backup Ingress . . . . . . . . . . . 20 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 - 7. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 21 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 - 9. Co-authors and Contributors . . . . . . . . . . . . . . . . . 22 - 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 24 - 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 - 11.1. Normative References . . . . . . . . . . . . . . . . . . . 24 - 11.2. Informative References . . . . . . . . . . . . . . . . . . 25 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 + 2.1. Source Detects Failure . . . . . . . . . . . . . . . . . . 6 + 2.2. Backup and Source Detect Failure . . . . . . . . . . . . . 6 + 3. Backup Forwarding State . . . . . . . . . . . . . . . . . . . 7 + 3.1. Forwarding State for Backup LSP . . . . . . . . . . . . . 7 + 4. Protocol Extensions . . . . . . . . . . . . . . . . . . . . . 8 + 4.1. INGRESS_PROTECTION Object . . . . . . . . . . . . . . . . 8 + 4.1.1. Subobject: Backup Ingress IPv4 Address . . . . . . . . 10 + 4.1.2. Subobject: Backup Ingress IPv6 Address . . . . . . . . 10 + 4.1.3. Subobject: Ingress IPv4 Address . . . . . . . . . . . 11 + 4.1.4. Subobject: Ingress IPv6 Address . . . . . . . . . . . 11 + 4.1.5. Subobject: Traffic Descriptor . . . . . . . . . . . . 12 + 4.1.6. Subobject: Label-Routes . . . . . . . . . . . . . . . 12 + 5. Behavior of Ingress Protection . . . . . . . . . . . . . . . . 13 + 5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 13 + 5.1.1. Relay-Message Method . . . . . . . . . . . . . . . . . 13 + 5.1.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 14 + 5.2. Ingress Behavior . . . . . . . . . . . . . . . . . . . . . 15 + 5.2.1. Relay-Message Method . . . . . . . . . . . . . . . . . 15 + 5.2.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . . 16 + 5.3. Backup Ingress Behavior . . . . . . . . . . . . . . . . . 17 + 5.3.1. Backup Ingress Behavior in Off-path Case . . . . . . . 18 + 5.3.2. Backup Ingress Behavior in On-path Case . . . . . . . 20 + 5.3.3. Failure Detection and Refresh PATH Messages . . . . . 21 + 5.4. Revertive Behavior . . . . . . . . . . . . . . . . . . . . 21 + 5.4.1. Revert to Primary Ingress . . . . . . . . . . . . . . 21 + 5.4.2. Global Repair by Backup Ingress . . . . . . . . . . . 22 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 22 + 7. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 22 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 + 9. Co-authors and Contributors . . . . . . . . . . . . . . . . . 23 + 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 25 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26 + 11.1. Normative References . . . . . . . . . . . . . . . . . . . 26 + 11.2. Informative References . . . . . . . . . . . . . . . . . . 26 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26 1. Introduction For a MPLS TE LSP, protecting the failures of its transit nodes using fast-reroute (FRR) is covered in RFC 4090 for P2P LSP and RFC 4875 for P2MP LSP. However, protecting the failure of its ingress node using FRR is not covered in either RFC 4090 or RFC 4875. The MPLS Transport Profile (MPLS-TP) Linear Protection described in RFC 6378 can provide a protection against the failure of any transit node of a LSP between the ingress node and the egress node of the LSP, but cannot protect against the failure of the ingress node. To protect against the failure of the (primary) ingress node of a primary end to end P2MP (or P2P) TE LSP, a typical existing solution - is to set up a secondary backup end to end P2MP (or P2P) TE LSP from - a backup ingress node, which is different from the primary ingress - node, to the backup egress nodes (or node), which are (or is) - different from the primary egress nodes (or node) of the primary LSP. - For a P2MP TE LSP, on each of the primary (and backup) egress nodes, - a P2P LSP is created from the egress node to its primary (backup) - ingress node and configured with BFD. This is used to detect the - failure of the primary (backup) ingress node for the receiver to - switch to the backup (or primary) egress node to receive the traffic - after the primary (or backup) ingress node fails when both the - primary LSP and the secondary LSP carry the traffic. In addition, - FRR may be used to provide protections against the failures of the - transit nodes and the links of the primary and secondary end to end - TE LSPs. + is to set up a secondary backup end to end P2MP (or P2P) TE LSP. The + backup LSP is from a backup ingress node to backup egress nodes (or + node). The backup ingress node is different from the primary ingress + node. The backup egress nodes (or node) are (or is) different from + the primary egress nodes (or node) of the primary LSP. For a P2MP TE + LSP, on each of the primary (and backup) egress nodes, a P2P LSP is + created from the egress node to its primary (backup) ingress node and + configured with BFD. This is used to detect the failure of the + primary (backup) ingress node for the receiver to switch to the + backup (or primary) egress node to receive the traffic after the + primary (or backup) ingress node fails when both the primary LSP and + the secondary LSP carry the traffic. In addition, FRR may be used to + provide protections against the failures of the transit nodes and the + links of the primary and secondary end to end TE LSPs. - There are a number of issues in this solution, which are briefed as - follows: + There are a number of issues in this solution: o It consumes lots of network resources. Double states need to be maintained in the network since two end to end TE LSPs are created. Double link bandwidth is reserved and used when both the primary and the secondary end to end TE LSPs carry the traffic at the same time. - o More operations are needed, which include the configurations of - two end to end TE LSPs and BFDs from each of the egress nodes to - its corresponding ingress node. + o More operations are needed, which include the configuration of two + end to end TE LSPs and BFDs from each of the egress nodes to its + corresponding ingress node. o The detection of the failure of the ingress node may not be reliable. Any failure on the path of the BFD from an egress node - to an ingress node may cause the BFD down to indicate the failure - of the ingress node. + to an ingress node may cause the BFD to indicate the failure of + the ingress node. o The speed of protection against the failure of the ingress node may be slow. This specification defines a simple extension to RSVP-TE for local protection (FRR) of the ingress node of a P2MP or P2P LSP to resolve these issues. Ingress local protection and ingress FRR protection will be used exchangeably. Note that this document is experimental. Two different approaches are proposed to transfer the information for ingress protection. They both use the same new INGRESS_PROTECTION object, which is sent in both PATH and RESV messages between a primary ingress and a backup ingress. One approach is Relay-Message Method (refer to section 5.1.1 and 5.2.1), the other is Proxy-Ingress Method (refer to section 5.1.2 and 5.2.2). Each of them has its advantages and disadvantages. It is hard to decide which one is used as a standard approach now. - After one approach is selected, the document SHOULD become proposed - standard. + After one approach is selected, the document will be revised to + reflect that selection and any other items learned from the + experiment. The revised document is expected to be submitted for + publication on the standards track. -1.1. Ingress Local Protection +1.1. Ingress Local Protection Example Figure 1 shows an example of using a backup P2MP LSP to locally protect the ingress of a primary P2MP LSP, which is from ingress Ia to three egresses: L1, L2 and L3. The backup LSP is from backup ingress Ib to the next hops R2 and R4 of ingress Ia. ******* ******* S Source [R2]-----[R3]-----[L1] Ix Ingress */ & Rx Transit */ & Lx Egress @@ -186,58 +190,101 @@ When source S detects the failure of Ia, it switches the traffic to backup ingress Ib, which imports the traffic from S into the backup LSP to Ia's next hops R2 and R4, where the traffic is merged into the primary LSP, and then sent to egresses L1, L2 and L3. Note that the backup ingress is one logical hop away from the ingress. A logical hop is a direct link or a tunnel such as a GRE tunnel, over which RSVP-TE messages may be exchanged. +1.2. Ingress Local Protection Overview + + There are four parts in ingress local protection: + + o Setting up the necessary backup LSP forwarding state based on the + information received for ingress local protection; + + o Detecting the primary ingress failure and providing the fast + repair (as discussed in Sections 2 and 3); + + o Maintaining the RSVP-TE control plane state until a global repair + is done; and + + o Performing the global repair(see Section 5.4). + + The primary ingress of a primary LSP sends the backup ingress the + information for ingress protection in a PATH message with a new + INGRESS_PROTECTION object. The backup ingress sets up the backup + LSP(s) and forwarding state after receiving the necessary information + for ingress protection. And then it sends the primary ingress the + status of ingress protection in a RESV message with a new + INGRESS_PROTECTION object. + + When the primary ingress fails, the backup ingress sends or refreshes + the next hops of the primary ingress the PATH messages without any + INGRESS_PROTECTION object after verifying the failure. Thus the + RSVP-TE control plane state of the primary LSP is maintained. + 2. Ingress Failure Detection Exactly how to detect the failure of the ingress is out of scope. However, it is necessary to discuss different modes for detecting the failure because they determine what is the required behavior for the source and backup ingress. 2.1. Source Detects Failure Source Detects Failure or Source-Detect for short means that the source is responsible for fast detecting the failure of the primary - ingress of an LSP. The backup ingress is ready to import the traffic - from the source into the backup LSP(s) after the backup LSP(s) is up. + ingress of an LSP. Fast detecting the failure means detecting the + failure in a few or tens of milliseconds. The backup ingress is + ready to import the traffic from the source into the backup LSP(s) + after the backup LSP(s) is up. In normal operations, the source sends the traffic to the primary ingress. When the source detects the failure of the primary ingress, it switches the traffic to the backup ingress, which delivers the traffic to the next hops of the primary ingress through the backup LSP(s), where the traffic is merged into the primary LSP. For an LSP, after the primary ingress fails, the backup ingress MUST - use a method to reliably detect the failure of the primary ingress - before the PATH message for the LSP expires at the next hop of the - primary ingress. After reliably detecting the failure, the backup - ingress sends/refreshes the PATH message to the next hop through the - backup LSP as needed. The method may detect the failure of the - primary ingress slowly such as in seconds. + use a method to verify the failure of the primary ingress before the + PATH message for the LSP expires at the next hop of the primary + ingress. After verifying the failure, the backup ingress sends/ + refreshes the PATH message to the next hop through the backup LSP as + needed. The method may verify the failure of the primary ingress + slowly such as in seconds. After the primary ingress fails, it will not be reachable after routing convergence. Thus checking whether the primary ingress (address) is reachable is a possible method. + When the previously failed primary ingress of a primary LSP becomes + available again and the primary LSP has recovered from its primary + ingress, the source may switches the traffic to the primary ingress + from the backup ingress. A operator may control the traffic switch + through using a command on the source node after seeing that the + primary LSP has recovered. + 2.2. Backup and Source Detect Failure Backup and Source Detect Failure or Backup-Source-Detect for short means that both the backup ingress and the source are concurrently responsible for fast detecting the failure of the primary ingress. + Note that one of the differences between Source-Detect and Backup- + Source-Detect is: in the former, the backup ingress verifies the + failure of the primary ingress slowly such as in seconds; in the + latter, the backup ingress detects the failure fast such as in a few + or tens of milliseconds. + In normal operations, the source sends the traffic to the primary ingress. It switches the traffic to the backup ingress when it detects the failure of the primary ingress. The backup ingress does not import any traffic from the source into the backup LSP in normal operations. When it detects the failure of the primary ingress, it imports the traffic from the source into the backup LSP to the next hops of the primary ingress, where the traffic is merged into the primary LSP. @@ -247,59 +294,79 @@ 3. Backup Forwarding State Before the primary ingress fails, the backup ingress is responsible for creating the necessary backup LSPs. These LSPs might be multiple bypass P2P LSPs that avoid the ingress. Alternately, the backup ingress could choose to use a single backup P2MP LSP as a bypass or detour to protect the primary ingress of a primary P2MP LSP. The backup ingress may be off-path or on-path of an LSP. If a backup - ingress is not any node of the LSP, we call it is off-path. If a - backup ingress is a next-hop of the primary ingress of the LSP, we - call it is on-path. When a backup ingress for protecting the primary - ingress is configured or computed, the backup ingress MUST not be on - the LSP except for it is the next hop of the primary ingress. If it - is on-path, the primary forwarding state associated with the primary - LSP SHOULD be clearly separated from the backup LSP(s) state. + ingress is not any node of the LSP, it is off-path. If a backup + ingress is a next-hop of the primary ingress of the LSP, it is on- + path. When a backup ingress for protecting the primary ingress is + configured, the backup ingress MUST not be on the LSP except for it + is the next hop of the primary ingress. If it is on-path, the + primary forwarding state associated with the primary LSP SHOULD be + clearly separated from the backup LSP(s) state. 3.1. Forwarding State for Backup LSP A forwarding entry for a backup LSP is created on the backup ingress after the LSP is set up. Depending on the failure-detection mode (e.g., source-detect), it may be used to forward received traffic or simply be inactive (e.g., backup-source-detect) until required. In either case, when the primary ingress fails, this entry is used to import the traffic into the backup LSP to the next hops of the primary ingress, where the traffic is merged into the primary LSP. The forwarding entry for a backup LSP is a local implementation issue. In one device, it may have an inactive flag. This inactive forwarding entry is not used to forward any traffic normally. When the primary ingress fails, it is changed to active, and thus the traffic from the source is imported into the backup LSP. 4. Protocol Extensions A new object INGRESS_PROTECTION is defined for signaling ingress - local protection. It is backward compatible. + local protection. The primary ingress of a primary LSP sends the + backup ingress this object in a PATH message. In this case, the + object contains the information needed to set up ingress protection. + The information includes: + + o Backup ingress IP address indicating the backup ingress, + + o Traffic Descriptor describing the traffic that the primary LSP + transports, this traffic is imported into the backup LSP(s) on the + backup ingress when the primary ingress fails, + + o Label and Routes indicating the first hops of the primary LSP, + each of which is paired with its label, and + + o Desire options on ingress protection such as P2MP option + indicating a desire to use a backup P2MP LSP to protect the + primary ingress of a primary P2MP LSP. + + The backup ingress sends the primary ingress this object in a RESV + message. In this case, the object contains the information about the + status on the ingress protection. 4.1. INGRESS_PROTECTION Object The INGRESS_PROTECTION object with the FAST_REROUTE object in a PATH message is used to control the backup for protecting the primary ingress of a primary LSP. The primary ingress MUST insert this object into the PATH message to be sent to the backup ingress for protecting the primary ingress. It has the following format: - Class-Num = TBD C-Type = 1 for INGRESS_PROTECTION_IPv4 - C-Type = 2 for INGRESS_PROTECTION_IPv6 + Class-Num = TBD (Using 37 PROTECTION is suggested) + C-Type = 4 for INGRESS_PROTECTION 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (bytes) | Class-Num | C-Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved (zero) | NUB | Flags | Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ (Subobjects) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ NUB Number of Unprotected Branches @@ -322,37 +389,37 @@ o Ingress local protection available: The backup ingress MUST set this flag after backup LSPs are up and ready for locally protecting the primary ingress. The backup ingress sends this to the primary ingress to indicate that the primary ingress is locally protected. o Ingress local protection in use: The backup ingress MUST set this flag when it detects a failure in the primary ingress and actively redirects the traffic into the backup LSPs. The backup ingress - keeps it and does not send it to the primary ingress since the - primary ingress is down. + records this flag and does not send any RESV message with this + flag to the primary ingress since the primary ingress is down. o Bandwidth protection: The backup ingress MUST set this flag if the backup LSPs guarantee to provide desired bandwidth for the protected LSP against the primary ingress failure. The options are used by the primary ingress to specify the desired behavior to the backup ingress. o Revert to Ingress: The primary ingress sets this option indicating that the traffic for the primary LSP successfully re-signaled will be switched back to the primary ingress from the backup ingress when the primary ingress is restored. o P2MP Backup: This option is set to ask for the backup ingress to - use P2MP backup LSP to protect the primary ingress. + use backup P2MP LSP to protect the primary ingress. The INGRESS_PROTECTION object may contain some sub objects of following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length |Reserved (zero)| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Contents/Body of subobject | @@ -460,47 +527,40 @@ IPv6 address prefix, whose length, in bits, is specified by the prefix length, padded to a byte boundary. o Application Traffic (Type TBD8): Each of the Traffic Elements is a 32 bit identifier of an application, from which the traffic is imported into the backup LSP. 4.1.6. Subobject: Label-Routes The INGRESS_PROTECTION object in a PATH message from the primary - ingress to the backup ingress will have a Label-Routes sub object + ingress to the backup ingress may have a Label-Routes sub object containing the labels and routes that the next hops of the ingress use. The Type of the sub object is TBD9. The sub object has the following body: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Subobjects ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Subobjects in the Label-Routes are copied from those in the RECORD_ROUTE objects in the RESV messages that the primary ingress receives from its next hops for the primary LSP. They MUST contain the first hops of the LSP, each of which is paired with its label. 5. Behavior of Ingress Protection 5.1. Overview - There are four parts of ingress protection: 1) setting up the - necessary backup LSP forwarding state based on the information for - ingress protection; 2) identifying the failure and providing the fast - repair (as discussed in Sections 3 and 4); 3) maintaining the RSVP-TE - control plane state until a global repair is done; and 4) performing - the global repair(see Section 6.4). - There are two different proposed signaling approaches to transfer the information for ingress protection. They both use the same new INGRESS_PROTECTION object. The object is sent in both PATH and RESV messages. 5.1.1. Relay-Message Method The primary ingress relays the information for ingress protection of an LSP to the backup ingress via PATH messages. Once the LSP is created, the ingress of the LSP sends the backup ingress a PATH @@ -509,34 +569,31 @@ provides sufficient information for the backup ingress to create the appropriate forwarding state and backup LSP(s). The ingress also sends the backup ingress all the other PATH messages for the LSP with an empty INGRESS_PROTECTION object. An INGRESS_PROTECTION object without any Traffic-Descriptor sub-object is called an empty INGRESS_PROTECTION object. Thus, the backup ingress has access to all the PATH messages needed for modification to refresh control-plane state after a failure. - The empty INGRESS_PROTECTION object is for efficient process of + The empty INGRESS_PROTECTION object is for efficient processing of ingress protection for a P2MP LSP. For a P2MP LSP, its primary ingress may have more than one PATH messages, each of which is sent to a next hop along a branch of the P2MP LSP. The PATH message along a branch will be selected and sent to the backup ingress with an INGRESS_PROTECTION object containing the Traffic-Descriptor sub- object; all the PATH messages along the other branches will be sent to the backup ingress containing an INGRESS_PROTECTION object without any Traffic-Descriptor sub-object (empty INGRESS_PROTECTION object). - For a P2MP LSP, the backup ingress only needs one Traffic-Descriptor. - The advantages of this method include: 1) the primary LSP is - independent of the backup ingress; 2) simple; 3) less configuration; - and 4) less control traffic. + For a P2MP LSP, the backup ingress only needs one Traffic-Descriptor. 5.1.2. Proxy-Ingress Method Conceptually, a proxy ingress is created that starts the RSVP signaling. The explicit path of the LSP goes from the proxy ingress to the backup ingress and then to the real ingress. The behavior and signaling for the proxy ingress is done by the real ingress; the use of a proxy ingress address avoids problems with loop detection. Note that the proxy ingress MUST reside within the same router as the real ingress. @@ -562,32 +619,33 @@ add the backup ingress and itself to the ERO and start forwarding the PATH messages to the backup ingress. Slightly different behavior can apply for the on-path and off-path cases. In the on-path case, the backup ingress is a next hop node after the ingress for the LSP. In the off-path, the backup ingress is not any next-hop node after the ingress for all associated sub- LSPs. The key advantage of this approach is that it minimizes the special - handling code requires. Because the backup ingress is on the + handling code required. Because the backup ingress is on the signaling path, it can receive various notifications. It easily has access to all the PATH messages needed for modification to be sent to refresh control-plane state after a failure. 5.2. Ingress Behavior The primary ingress MUST be configured with a couple of pieces of information for ingress protection. - o Backup Ingress Address: The primary ingress MUST know an IP - address for it to be included in the INGRESS_PROTECTION object. + o Backup Ingress Address: The primary ingress MUST know the IP + address of the backup ingress it wants to be used before it can + use the INGRESS_PROTECTION object. o Proxy-Ingress-Id (only needed for Proxy-Ingress Method): The Proxy-Ingress-Id is only used in the Record Route Object for recording the proxy-ingress. If no proxy-ingress-id is specified, then a local interface address that will not otherwise be included in the Record Route Object can be used. A similar technique is used in [RFC4090 Sec 6.1.1]. o Application Traffic Identifier: The primary ingress and backup ingress MUST both know what application traffic should be directed @@ -724,22 +783,22 @@ ingress. It behaves very similarly to a PLR providing fast-reroute where the primary ingress is considered as the failure-point to protect. Where not otherwise specified, the behavior given in [RFC4090] for a PLR applies. The backup ingress MUST follow the control-options specified in the INGRESS_PROTECTION object and the flags and specifications in the FAST-REROUTE object. This applies to providing a P2MP backup if the "P2MP backup" is set, a one-to-one backup if "one-to-one desired" is set, facility backup if the "facility backup desired" is set, and - backup paths that support the desired bandwidth, and administrative- - colors that are requested. + backup paths that support the desired bandwidth, and administrative + groups that are requested. If multiple non empty INGRESS_PROTECTION objects have been received via multiple PATH messages for the same LSP, then the most recent one MUST be the one used. The backup ingress creates the appropriate forwarding state for the backup LSP tunnel(s) to the merge point(s). When the backup ingress sends a RESV message to the primary ingress, it MUST add an INGRESS_PROTECTION object into the message. It MUST @@ -921,72 +980,68 @@ allocate a LSP ID different from the one of the old LSP as the LSP-ID of the new LSP. This allows the new LSP to share resources with the old LSP. Alternately, the Backup Ingress can create a new LSP with no bandwidth reservation that duplicates the path(s) of the protected LSP, move traffic to the new LSP, delete the protected LSP, and then resignal the new LSP with bandwidth. 6. Security Considerations In principle this document does not introduce new security issues. - The security considerations pertaining to RFC 4090, RFC 4875 and - other RSVP protocols remain relevant. + The security considerations pertaining to RFC 4090, RFC 4875, RFC + 2205 and RFC 3209 remain relevant. 7. Compatibility This extension reuses and extends semantics and procedures defined in RFC 2205, RFC 3209, RFC 4090 and RFC 4875 to support ingress protection. One new object is defined to indicate ingress protection with class numbers in the form 0bbbbbbb. Per RFC 2205, a node not supporting this extension will not recognize the new class number and should respond with an "Unknown Object Class" error. The error message will propagate to the ingress, which can then take action to avoid the incompatible node as a backup ingress or may simply terminate the session. 8. IANA Considerations IANA maintains a registry called "Class Names, Class Numbers, and - Class Types" under "Resource Reservation Protocol-Traffic Engineering - (RSVP-TE) Parameters". Upon approval of this document, IANA is - requested to assign a new Class Number of form 0bbbbbbb for new - object INGRESS_PROTECTION located at , as follows: - - +====================+===============+============================+ - | Class Names | Class Numbers | Class Types | - +====================+===============+============================+ - | INGRESS_PROTECTION | TBD | 1: INGRESS_PROTECTION_IPv4 | - | |(124 suggested)+----------------------------+ - | | | 2: INGRESS_PROTECTION_IPv6 | - +--------------------+---------------+----------------------------+ - - When this document moves to standards track, IANA is requested to - create and maintain a new registry under INGRESS_PROTECTION located - at . + Class Types" under "Resource Reservation Protocol (RSVP) Parameters". + Upon approval of this document, IANA is requested to assign a new + Class Type or C-Type under Class Number 37 and Class Name PROTECTION + located at , as follows: - o Sub-object type - TBD INGRESS_PROTECTION + Value Description Reference + ----- ----------- --------- + 4 Type 4 INGRESS_PROTECTION This Document - Initial values for the registry are given below. The future - assignments are to be made through IETF Review. + It is anticipated that the future document that moves the idea to the + standard track expects IANA to create and maintain a new registry + under PROTECTION object class, Class Number 37, C-Type 4. Initial + values for the registry are given below. The future assignments are + to be made through IETF Review. Value Name Definition + ----- ---- ---------- + 0 Reserved 1 BACKUP_INGRESS_IPv4_ADDRESS Section 4.1.1 2 BACKUP_INGRESS_IPv6_ADDRESS Section 4.1.2 3 INGRESS_IPv4_ADDRESS Section 4.1.3 4 INGRESS_IPv6_ADDRESS Section 4.1.4 5 TRAFFIC_DESCRIPTOR_INTERFACE Section 4.1.5 6 TRAFFIC_DESCRIPTOR_IPv4_PREFIX Section 4.1.5 7 TRAFFIC_DESCRIPTOR_IPv6_PREFIX Section 4.1.5 8 TRAFFIC_DESCRIPTOR_APPLICATION Section 4.1.5 9 LABEL_ROUTES Section 4.1.6 + 10-127 Unassigned + 128-255 Reserved 9. Co-authors and Contributors 1. Co-authors Autumn Liu Ciena USA Email: hliu@ciena.com