]> SID as source address in SRv6 China Mobile
CN yangfeng@chinamobile.com
New H3C Technologies
CN linchangwang.04414@h3c.com
RTG SPRING SRv6 is being rapidly deployed and is currently primarily used in trusted-domain backbone networks. Both the carrier market and the enterprise market are adopting SRv6 for end-to-end service delivery. However, if a firewall exists along an SRv6 path, not only legitimate SRv6 traffic but also OAM response packets to head-end will be dropped. This proposal addresses this issue by using SID as source address in SRv6 packets.
Introduction SRv6 is being rapidly deployed and is currently primarily used in trusted-domain backbone networks. Both the carrier market and the enterprise market are adopting SRv6 for end-to-end service delivery. However, if a firewall exists along an SRv6 path, not only legitimate SRv6 traffic but also feedback packets to head-end will be dropped. The reason has been elaborated in Section 8.1 of . SRv6 implementations use the ingress PE’s loopback IPv6 address as the outer IPv6 source address for encapsulated traffic. This design leads to asymmetric bidirectional flow tuples. When stateful firewalls exist along the SRv6 forwarding path, legitimate bidirectional traffic and all upstream response packets, e.g. ICMP response, are dropped by firewalls, as they fail to match stateful session rules. Operators are forced to deploy additional multi-layer tunneling such as IPsec to bypass firewall filtering, which introduces significant header overhead and weakens the native programmability advantages of SRv6.
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Terminology AC: attachment circuit. PE: Provider Edge. SID: Segment Identifier, defined in . SRv6: SR over IPv6, defined in . VPLS: Virtual Private LAN Service. VPWS: Virtual Private Wire Service. VPN: Virtual Private Network.
Using SRv6 SID as Source Address Only unicast traffic are eligible for using SID as source address. There are several cases SHOULD be considered for using SRv6 SID as source address when there is firewall in middle. * User traffic. This includes SRv6 VPN-based services and VPN-less IP over SRv6 tunnels. * ICMP traffic. This is mainly for SRv6 Ping in SRv6 OAM scenario.
User Traffic For SRv6 VPN-based services, the user traffic SHOULD use the SRv6 service SID as source address. The service SIDs are locally allocated by the PE per VPN/AC, packets received from an AC can always be unambiguously associated with a SRv6 service SID. All those End.DX* and End.DT* SIDs except End.DT2M SHOULD be used for source address. For VPN-less IP forwarding over SRv6 tunnels, the tunnels SHOULD use End SID as source address.
ICMP Traffic There are 2 cases, tunnel ends and transit node generated ICMP, respectively. For ping or the ICMP response generated by head or tail end of SRv6 tunnel, it SHOULD use the SRv6 SID as source address, such as ping, trace. For SRv6 VPN-based and VPN-less case, it SHOULD use the SID specified in when there is a firewall in middle of SRv6 tunnel. Refer to RFC 8986 4.1.1, Allowing the processing of specific Upper-Layer header types is useful for Operations, Administration, and Maintenance (OAM). For the transit node generated ICMP error response message, the destination address would be a SID, when processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an VPN SID (End.DT4\End.DT6\End.DT46\End.DX4\End.DX6\End.DX2\End.DX2V\End.DT2U), process the packet as per Section 4.1.1 of .
Control and Management Traffic Control and Management Traffic will not be terminated by VPN, thus will not be impacted.
Use Cases
SRv6 Network with SR-aware Stateful Firewall
Problem Statement To provide VPN service in an SRv6 network , the ingress PE encapsulates the payload in an outer IPv6 header with the Segment Routing Header (SRH) carrying the SR Policy segment list along with the VPN Service SID. If the VPN service is with best-effort connectivity, the destination address of the outer IPv6 header carries the VPN service SID and the SRH is omitted. Along the forwarding path in the SRv6 network, firewalls may be deployed to filter the traffics. If a firewall is SR-aware, it will retrieve the final destination of an SRv6 packet from the last entry in the SRH rather than the destination address field of the IPv6 header . A stateful firewall keeps a track of the state of the network connections traveling across it. Whenever a packet arrives to seek permission to pass through it, the firewall checks from its state table if there is an active connection between identified by 3 tuple or 5 tuple. Thus only legitimate packets are allowed to be transmitted across it. and show the bidirectional VPN traffic packets passing through a firewall in an SRv6 network. The source address of the outer IPv6 header is the IPv6 address of ingress PE. The final destination address of the outer IPv6 header is the VPN Service SID of egress PE. In the SR-Policy-based way, the final destination address is encapsulated in the last entry in the SRH, Segment[0]. In the best-effort way, the SRH is omitted.
PE2): Packet (PE1 <--- PE2): ********************** ********************** * IPv6 * * IPv6 * * SA=PE1-IP-ADDR * * SA=PE2-IP-ADDR * * DA=NextSegment * * DA=NextSegment * ********************** ********************** * SRH * * SRH * * Seg[0]=PE2-VPN-SID * * Seg[0]=PE1-VPN-SID * * Seg[...] * * Seg[...] * ********************** ********************** * Eth/IPv4/IPv6 * * Eth/IPv4/IPv6 * * Source=CE1 * * Source=CE2 * * Destination=CE2 * * Destination=CE1 * ********************** ********************** * Payload * * Payload * ********************** ********************** ]]>
PE2): Packet (PE1 <--- PE2): ********************** ********************** * IPv6 * * IPv6 * * SA=PE1-IP-ADDR * * SA=PE2-IP-ADDR * * DA=PE2-VPN-SID * * DA=PE1-VPN-SID * ********************** ********************** * Eth/IPv4/IPv6 * * Eth/IPv4/IPv6 * * Source=CE1 * * Source=CE2 * * Destination=CE2 * * Destination=CE1 * ********************** ********************** * Payload * * Payload * ********************** ********************** ]]>
The stateful firewall will check the association relationships of the bidirectional VPN traffic packets. A common implementation may record the key information of the packets on forward way(internal to external), such as source address and destination address. When receiving a packet on backward way(external to internal), it checks the state table if there is an existing forward packet flow. For example, the firewall may require that the source address of packet on backward way matches the destination address of packet on forward way, and destination address will be checked in the similar way. If not matched, the packet on the backward path will be regarded as illegal and thus dropped. An SR-aware firewall is able to retrieve the final destination of an SRv6 packet from the last entry in the SRH. The <source, destination> tuple of the packet from PE1 to PE2 is <PE1-IP-ADDR, PE2-VPN-SID>, and the other direction is <PE2-IP-ADDR, PE1-VPN-SID>. However, the source address of the outer IPv6 packet is usually a loopback interface of the ingress PE. Eventually, the source address and destination address of the forward and backward VPN traffic are regarded as different flow, and they may be blocked by the firewall.
Solution for SRv6 Traffic Pass Thru SR-aware Stateful Firewall In the SRv6-based VPN service, the final destination of the outer IPv6 header is the VPN-SID of the egress PE, which is associated with that VPN service. But the source address of the outer IPv6 header is usually unrelated to the VPN service. So, it can be difficult for a stateful firewall to establish the association relationship between the bidirectional traffic flows. The proposed solution is to unify the semantic of the source and destination address thus ensure the symmetry of the bidirectional flow. When an ingress PE receives the client packet from CE, it checks which L3 VPN service it belongs to, and uses the VPN-SID associated with that L3 VPN service as the source address when encapsulating the outer IPv6 header with the optional SRH.
According to and , an SRv6 VPN Service SID is an IPv6 address, and it is routable by its Locator prefix in the SRv6 network. In the proposed solution, when an SRv6 VPN Service SID is used as the source address of the outer IPv6 header in the SRv6 network, it is treated as a normal IPv6 address and does not perform any special behavior.
IANA Considerations This document has no IANA actions.
Security Considerations TBD.
Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification This document describes the format of a set of control messages used in ICMPv6 (Internet Control Message Protocol). ICMPv6 is the Internet Control Message Protocol for Internet Protocol version 6 (IPv6). [STANDARDS-TRACK] Segment Routing Architecture Segment Routing (SR) leverages the source routing paradigm. A node steers a packet through an ordered list of instructions, called "segments". A segment can represent any instruction, topological or service based. A segment can have a semantic local to an SR node or global within an SR domain. SR provides a mechanism that allows a flow to be restricted to a specific topological path, while maintaining per-flow state only at the ingress node(s) to the SR domain. SR can be directly applied to the MPLS architecture with no change to the forwarding plane. A segment is encoded as an MPLS label. An ordered list of segments is encoded as a stack of labels. The segment to process is on the top of the stack. Upon completion of a segment, the related label is popped from the stack. SR can be applied to the IPv6 architecture, with a new type of routing header. A segment is encoded as an IPv6 address. An ordered list of segments is encoded as an ordered list of IPv6 addresses in the routing header. The active segment is indicated by the Destination Address (DA) of the packet. The next active segment is indicated by a pointer in the new routing header. IPv6 Segment Routing Header (SRH) Segment Routing can be applied to the IPv6 data plane using a new type of Routing Extension Header called the Segment Routing Header (SRH). This document describes the SRH and how it is used by nodes that are Segment Routing (SR) capable. Segment Routing over IPv6 (SRv6) Network Programming The Segment Routing over IPv6 (SRv6) Network Programming framework enables a network operator or an application to specify a packet processing program by encoding a sequence of instructions in the IPv6 packet header. Each instruction is implemented on one or several nodes in the network and identified by an SRv6 Segment Identifier in the packet. This document defines the SRv6 Network Programming concept and specifies the base set of SRv6 behaviors that enables the creation of interoperable overlays with underlay optimization. BGP Overlay Services Based on Segment Routing over IPv6 (SRv6) This document defines procedures and messages for SRv6-based BGP services, including Layer 3 Virtual Private Network (L3VPN), Ethernet VPN (EVPN), and Internet services. It builds on "BGP/MPLS IP Virtual Private Networks (VPNs)" (RFC 4364) and "BGP MPLS-Based Ethernet VPN" (RFC 7432). Operations, Administration, and Maintenance (OAM) in Segment Routing over IPv6 (SRv6) This document describes how the existing IPv6 mechanisms for ping and traceroute can be used in a Segment Routing over IPv6 (SRv6) network. The document also specifies the OAM flag (O-flag) in the Segment Routing Header (SRH) for performing controllable and predictable flow sampling from segment endpoints. In addition, the document describes how a centralized monitoring system performs a path continuity check between any nodes within an SRv6 domain. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Service Programming with Segment Routing Cisco Systems, Inc. China Mobile Cisco Systems, Inc. Bell Canada Huawei Orange Mellanox AT&T Nokia Universita di Roma "Tor Vergata" This document defines data plane functionality required to implement service segments and achieve service programming in SR-enabled MPLS and IPv6 networks, as described in the Segment Routing architecture. Segment Routing IPv6 Security Considerations Energy Sciences Network Huawei China Unicom Telefonica SI6 Networks SRv6 is a traffic engineering, encapsulation and steering mechanism utilizing IPv6 addresses to identify segments in a pre-defined policy. This document discusses security considerations in SRv6 networks, including the potential threats and the possible mitigation methods. The document does not define any new security protocols or extensions to existing protocols.