<?xml version="1.0" encoding="US-ASCII"?>

<!-- [rfced] updated by Chris /08/19/19 -->

<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC4090 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4090.xml">
<!ENTITY RFC5286 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5286.xml">
<!ENTITY RFC7490 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7490.xml">
<!ENTITY RFC7812 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7812.xml">
<!ENTITY RFC8104 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8104.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC8400 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8400.xml">
<!ENTITY RFC8402 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8402.xml">
]>

<!-- [rfced] The sortrefs PI was set to "no" in the original.  Please review. -->

<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="4"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="no" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?> version='1.0' encoding='utf-8'?>
<rfc submissionType="IETF" xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="std" consensus="yes" number="XXXX" ipr="trust200902"> consensus="true" docName="draft-ietf-mpls-egress-protection-framework-07" indexInclude="true" ipr="trust200902" number="8679" prepTime="2019-12-04T22:12:35" scripts="Common,Latin" sortRefs="true" submissionType="IETF" symRefs="true" tocDepth="3" tocInclude="true" xml:lang="en">
  <link href="https://datatracker.ietf.org/doc/draft-ietf-mpls-egress-protection-framework-07" rel="prev"/>
  <link href="https://dx.doi.org/10.17487/rfc8679" rel="alternate"/>
  <link href="urn:issn:2070-1721" rel="alternate"/>
  <front>
    <title>MPLS Egress Protection Framework
    </title> Framework</title>
    <seriesInfo name="RFC" value="8679" stream="IETF"/>
    <author fullname="Yimin Shen" surname="Yimin Shen">
      <organization>Juniper surname="Shen" initials="Y">
      <organization showOnFrontPage="true">Juniper Networks</organization>
      <address>
        <postal>
          <street>10 Technology Park Drive</street>
          <city>Westford</city>
          <region>MA</region>
          <code>01886</code>
          <country>USA</country>
          <country>United States of America</country>
        </postal>
        <phone>+1 9785890722</phone> 978 589 0722</phone>
        <email>yshen@juniper.net</email>
      </address>
    </author>
    <author fullname="Minto Jeyananth" surname="Minto Jeyananth">
      <organization>Juniper surname="Jeyananth" initials="M">
      <organization showOnFrontPage="true">Juniper Networks</organization>
      <address>
        <postal>
          <street>1133 Innovation Way</street>
          <city>Sunnyvale</city>
          <region>CA</region>
          <code>94089</code>
          <country>USA</country>
          <country>United States of America</country>
        </postal>
        <phone>+1 4089367563</phone> 408 936 7563</phone>
        <email>minto@juniper.net</email>
      </address>
    </author>
    <author fullname="Bruno Decraene" surname="Bruno Decraene">
      <organization>Orange</organization> surname="Decraene" initials="B">
      <organization showOnFrontPage="true">Orange</organization>
      <address>
        <email>bruno.decraene@orange.com</email>
      </address>
    </author>
    <author fullname="Hannes Gredler" surname="Hannes Gredler">
      <organization>RtBrick Inc</organization> surname="Gredler" initials="H">
      <organization showOnFrontPage="true">RtBrick Inc.</organization>
      <address>
        <email>hannes@rtbrick.com</email>
      </address>
    </author>
    <author fullname="Carsten Michel" surname="Carsten Michel">
      <organization>Deutsche surname="Michel" initials="C">
      <organization showOnFrontPage="true">Deutsche Telekom</organization>
      <address>
        <email>c.michel@telekom.de</email>
      </address>
    </author>
    <author fullname="Huaimo Chen" surname="Huaimo Chen">
      <organization>Huawei Technologies Co., Ltd.</organization> surname="Chen" initials="H">
      <organization showOnFrontPage="true">Futurewei</organization>
      <address>
	<email>huaimo.chen@huawei.com</email>
        <postal>
          <street/>
          <city>Boston</city>
          <region>MA</region>
          <code/>
          <country>United States of America</country>
        </postal>
        <email>Huaimo.chen@futurewei.com</email>
      </address>
    </author>
    <date year="2019" month="September"/>

    <area>General</area>

    <workgroup>Internet Engineering Task Force</workgroup> month="12" year="2019"/>
    <area>RTG</area>
    <workgroup>Multiprotocol Label Switching</workgroup>
    <keyword>fast reroute</keyword>
    <keyword>egress protection</keyword>
    <keyword>local repair</keyword>

    <abstract>
      <t>
    <abstract pn="section-abstract">
      <t pn="section-abstract-1">
	This document specifies a fast reroute framework for protecting IP/MPLS services and MPLS transport tunnels against egress node and egress link failures. For each type of egress failure, it defines the roles of point Point of local repair Local Repair (PLR), protector, and backup egress router, router and the procedures of establishing a bypass tunnel from a PLR to a protector. It describes the behaviors of these routers in handling an egress failure, including local repair on the PLR, PLR and context-based forwarding on the protector. The framework can be used to develop egress protection mechanisms to reduce traffic loss before global repair reacts to an egress failure and control plane control-plane protocols converge on the topology changes due to the egress failure.
      </t>
    </abstract>
    <boilerplate>
      <section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1">
        <name slugifiedName="name-status-of-this-memo">Status of This Memo</name>
        <t pn="section-boilerplate.1-1">
            This is an Internet Standards Track document.
        </t>
        <t pn="section-boilerplate.1-2">
            This document is a product of the Internet Engineering Task Force
            (IETF).  It represents the consensus of the IETF community.  It has
            received public review and has been approved for publication by
            the Internet Engineering Steering Group (IESG).  Further
            information on Internet Standards is available in Section 2 of
            RFC 7841.
        </t>
        <t pn="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <eref target="https://www.rfc-editor.org/info/rfc8679" brackets="none"/>.
        </t>
      </section>
      <section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2">
        <name slugifiedName="name-copyright-notice">Copyright Notice</name>
        <t pn="section-boilerplate.2-1">
            Copyright (c) 2019 IETF Trust and the persons identified as the
            document authors. All rights reserved.
        </t>
        <t pn="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Simplified BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Simplified BSD License.
        </t>
      </section>
    </boilerplate>
    <toc>
      <section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" pn="section-toc.1">
        <name slugifiedName="name-table-of-contents">Table of Contents</name>
        <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1">
          <li pn="section-toc.1-1.1">
            <t keepWithNext="true" pn="section-toc.1-1.1.1"><xref derivedContent="1" format="counter" sectionFormat="of" target="section-1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-introduction">Introduction</xref></t>
          </li>
          <li pn="section-toc.1-1.2">
            <t keepWithNext="true" pn="section-toc.1-1.2.1"><xref derivedContent="2" format="counter" sectionFormat="of" target="section-2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-specification-of-requiremen">Specification of Requirements</xref></t>
          </li>
          <li pn="section-toc.1-1.3">
            <t keepWithNext="true" pn="section-toc.1-1.3.1"><xref derivedContent="3" format="counter" sectionFormat="of" target="section-3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-terminology">Terminology</xref></t>
          </li>
          <li pn="section-toc.1-1.4">
            <t keepWithNext="true" pn="section-toc.1-1.4.1"><xref derivedContent="4" format="counter" sectionFormat="of" target="section-4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-requirements">Requirements</xref></t>
          </li>
          <li pn="section-toc.1-1.5">
            <t keepWithNext="true" pn="section-toc.1-1.5.1"><xref derivedContent="5" format="counter" sectionFormat="of" target="section-5"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-egress-node-protection">Egress Node Protection</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.5.2">
              <li pn="section-toc.1-1.5.2.1">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.1.1"><xref derivedContent="5.1" format="counter" sectionFormat="of" target="section-5.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-reference-topology">Reference Topology</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.2">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.2.1"><xref derivedContent="5.2" format="counter" sectionFormat="of" target="section-5.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-egress-node-failure-and-det">Egress Node Failure and Detection</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.3">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.3.1"><xref derivedContent="5.3" format="counter" sectionFormat="of" target="section-5.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-protector-and-plr">Protector and PLR</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.4">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.4.1"><xref derivedContent="5.4" format="counter" sectionFormat="of" target="section-5.4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-protected-egress">Protected Egress</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.5">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.5.1"><xref derivedContent="5.5" format="counter" sectionFormat="of" target="section-5.5"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-egress-protected-tunnel-and">Egress-Protected Tunnel and Service</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.6">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.6.1"><xref derivedContent="5.6" format="counter" sectionFormat="of" target="section-5.6"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-egress-protection-bypass-tu">Egress-Protection Bypass Tunnel</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.7">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.7.1"><xref derivedContent="5.7" format="counter" sectionFormat="of" target="section-5.7"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-context-id-context-label-an">Context ID, Context Label, and Context-Based Forwarding</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.8">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.8.1"><xref derivedContent="5.8" format="counter" sectionFormat="of" target="section-5.8"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-advertisement-and-path-reso">Advertisement and Path Resolution for Context ID</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.9">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.9.1"><xref derivedContent="5.9" format="counter" sectionFormat="of" target="section-5.9"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-egress-protection-bypass-tun">Egress-Protection Bypass Tunnel Establishment</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.10">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.10.1"><xref derivedContent="5.10" format="counter" sectionFormat="of" target="section-5.10"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-local-repair-on-plr">Local Repair on PLR</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.11">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.11.1"><xref derivedContent="5.11" format="counter" sectionFormat="of" target="section-5.11"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-service-label-distribution-">Service Label Distribution from Egress Router to Protector</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.12">
                <t keepWithNext="true" pn="section-toc.1-1.5.2.12.1"><xref derivedContent="5.12" format="counter" sectionFormat="of" target="section-5.12"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-centralized-protector-mode">Centralized Protector Mode</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.6">
            <t keepWithNext="true" pn="section-toc.1-1.6.1"><xref derivedContent="6" format="counter" sectionFormat="of" target="section-6"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-egress-link-protection">Egress Link Protection</xref></t>
          </li>
          <li pn="section-toc.1-1.7">
            <t keepWithNext="true" pn="section-toc.1-1.7.1"><xref derivedContent="7" format="counter" sectionFormat="of" target="section-7"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-global-repair">Global Repair</xref></t>
          </li>
          <li pn="section-toc.1-1.8">
            <t keepWithNext="true" pn="section-toc.1-1.8.1"><xref derivedContent="8" format="counter" sectionFormat="of" target="section-8"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-operational-considerations">Operational Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.9">
            <t keepWithNext="true" pn="section-toc.1-1.9.1"><xref derivedContent="9" format="counter" sectionFormat="of" target="section-9"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-general-context-based-forwa">General Context-Based Forwarding</xref></t>
          </li>
          <li pn="section-toc.1-1.10">
            <t keepWithNext="true" pn="section-toc.1-1.10.1"><xref derivedContent="10" format="counter" sectionFormat="of" target="section-10"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-example-layer-3-vpn-egress-">Example: Layer 3 VPN Egress Protection</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.10.2">
              <li pn="section-toc.1-1.10.2.1">
                <t keepWithNext="true" pn="section-toc.1-1.10.2.1.1"><xref derivedContent="10.1" format="counter" sectionFormat="of" target="section-10.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-egress-node-protection-2">Egress Node Protection</xref></t>
              </li>
              <li pn="section-toc.1-1.10.2.2">
                <t keepWithNext="true" pn="section-toc.1-1.10.2.2.1"><xref derivedContent="10.2" format="counter" sectionFormat="of" target="section-10.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-egress-link-protection-2">Egress Link Protection</xref></t>
              </li>
              <li pn="section-toc.1-1.10.2.3">
                <t keepWithNext="true" pn="section-toc.1-1.10.2.3.1"><xref derivedContent="10.3" format="counter" sectionFormat="of" target="section-10.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-global-repair-2">Global Repair</xref></t>
              </li>
              <li pn="section-toc.1-1.10.2.4">
                <t keepWithNext="true" pn="section-toc.1-1.10.2.4.1"><xref derivedContent="10.4" format="counter" sectionFormat="of" target="section-10.4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-other-modes-of-vpn-label-al">Other Modes of VPN Label Allocation</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.11">
            <t keepWithNext="true" pn="section-toc.1-1.11.1"><xref derivedContent="11" format="counter" sectionFormat="of" target="section-11"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-iana-considerations">IANA Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.12">
            <t keepWithNext="true" pn="section-toc.1-1.12.1"><xref derivedContent="12" format="counter" sectionFormat="of" target="section-12"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-security-considerations">Security Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.13">
            <t keepWithNext="true" pn="section-toc.1-1.13.1"><xref derivedContent="13" format="counter" sectionFormat="of" target="section-13"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-references">References</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.13.2">
              <li pn="section-toc.1-1.13.2.1">
                <t keepWithNext="true" pn="section-toc.1-1.13.2.1.1"><xref derivedContent="13.1" format="counter" sectionFormat="of" target="section-13.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-normative-references">Normative References</xref></t>
              </li>
              <li pn="section-toc.1-1.13.2.2">
                <t keepWithNext="true" pn="section-toc.1-1.13.2.2.1"><xref derivedContent="13.2" format="counter" sectionFormat="of" target="section-13.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-informative-references">Informative References</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.14">
            <t keepWithNext="true" pn="section-toc.1-1.14.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.a"/><xref derivedContent="" format="title" sectionFormat="of" target="name-acknowledgements">Acknowledgements</xref></t>
          </li>
          <li pn="section-toc.1-1.15">
            <t keepWithNext="true" pn="section-toc.1-1.15.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="" format="title" sectionFormat="of" target="name-authors-addresses">Authors' Addresses</xref></t>
          </li>
        </ul>
      </section>
    </toc>
  </front>
  <middle>
    <section anchor="intro" title="Introduction">
     <t> numbered="true" toc="include" removeInRFC="false" pn="section-1">
      <name slugifiedName="name-introduction">Introduction</name>
      <t pn="section-1-1">
       In MPLS networks, label switched paths Label Switched Paths (LSPs) are widely used as transport tunnels to carry IP and MPLS services across MPLS domains. Examples of MPLS services are layer-2 Layer 2 VPNs, layer-3 Layer 3 VPNs, hierarchical LSPs, and others. In general, a tunnel may carry multiple services of one or multiple types, if the tunnel satisfies both individual and aggregate requirements (e.g., CoS, Class of Service (CoS) and QoS) of these services. The egress router of the tunnel hosts the service instances of the services. An MPLS service instance forwards service packets via an egress link to the service destination, based on a service label. An IP service instance does the same same, based on a service an IP service address. The egress link is often called a PE-CE (provider edge Provider Edge - customer edge) Customer Edge (PE-CE) link or attachment circuit Attachment Circuit (AC).
      </t>

     <t>
      <t pn="section-1-2">
       Today, local-repair-based fast reroute mechanisms (<xref
target="RFC4090"/>, (see <xref target="RFC5286"/>, target="RFC4090" format="default" sectionFormat="of" derivedContent="RFC4090"/>, <xref target="RFC7490"/>, target="RFC5286" format="default" sectionFormat="of" derivedContent="RFC5286"/>, <xref target="RFC7490" format="default" sectionFormat="of" derivedContent="RFC7490"/>, and
<xref target="RFC7812"/>) target="RFC7812" format="default" sectionFormat="of" derivedContent="RFC7812"/>) have been widely deployed to protect MPLS tunnels against transit link/node failures, with traffic restoration time in the order of tens of milliseconds. Local repair refers to the scenario where the router upstream to an anticipated failure, a.k.a. PLR (point of local repair), a.k.a., PLR, pre-establishes a bypass tunnel to the router downstream of the failure, a.k.a. MP (merge point), a.k.a., Merge Point (MP), pre-installs the forwarding state of the bypass tunnel in the data plane, and uses a rapid mechanism (e.g., link layer OAM, BFD, link-layer Operations, Administration, and Maintenance (OAM), Bidirectional Forwarding Detection (BFD), and others) to locally detect the failure in the data plane. When the failure occurs, the PLR reroutes traffic through the bypass tunnel to the MP, allowing the traffic to continue to flow to the tunnel's egress router.
      </t>

     <t>
      <t pn="section-1-3">
       This document specifies a fast reroute framework for egress node and egress link protection. Similar to transit link/node protection, this framework also relies on a PLR to perform local failure detection and local repair. In egress node protection, the PLR is the penultimate-hop penultimate hop router of a tunnel. In egress link protection, the PLR is the egress router of the tunnel. The framework further uses a so-called "protector" to serve as the tailend tail end of a bypass tunnel. The protector is a router that hosts "protection service instances" and has its own connectivity or paths to service destinations. When a PLR does local repair, the protector performs "context label switching" for rerouted MPLS service packets and "context IP forwarding" for rerouted IP service packets, to allow the service packets to continue to reach the service destinations.
      </t>

     <t>
      <t pn="section-1-4">
       This framework considers an egress node failure as a failure of a tunnel, tunnel and a failure of all the services carried by the tunnel, tunnel as service packets that can no longer reach the service instances on the egress router. Therefore, the framework addresses egress node protection at both the tunnel level and service level level, simultaneously. Likewise, the framework considers an egress link failure as a failure of all the services traversing the link, link and addresses egress link protection at the service level.
      </t>

     <t>
      <t pn="section-1-5">
       This framework requires that the destination (a CE or site) of a service MUST <bcp14>MUST</bcp14> be dual-homed or have dual paths to an MPLS network, via two MPLS edge routers. One of the routers is the egress router of the service's transport tunnel, and the other is a backup egress router which that hosts a "backup service instance". In the "co-located" protector mode in this document, the backup egress router serves as the protector, and hence protector; hence, the backup service instance acts as the protection service instance. In the "centralized" protector mode (<xref target="centralized" />), format="default" sectionFormat="of" derivedContent="Section 5.12"/>), the protector and the backup egress router are decoupled, and the protection service instance and the backup service instance are hosted separately by the two routers.
      </t>

     <t>
      <t pn="section-1-6">
       The framework is described by mainly referring to P2P (point-to-point) point-to-point (P2P) tunnels. However, it is equally applicable to P2MP (point-to-multipoint), MP2P (multipoint-to-point), point-to-multipoint (P2MP), multipoint-to-point (MP2P), and MP2MP (multipoint-to-multipoint) multipoint-to-multipoint (MP2MP) tunnels, as the sub-LSPs of these tunnels can be viewed as P2P tunnels.
      </t>

     <t>
      <t pn="section-1-7">
       The framework is a multi-service and multi-transport framework. It assumes a generic model where each service is comprised of a common set of components, including a service instance, a service label, a service label distribution protocol, and an MPLS transport tunnel. The framework also assumes that the service label to be is downstream assigned, i.e., assigned by an egress router. Therefore, the framework is generally applicable to most existing and future services. However, there are services with certain modes, where a protector is unable to pre-establish the forwarding state for egress protection, or a PLR is not allowed to reroute traffic to other routers in order to avoid traffic duplication, e.g., the broadcast, multicast, and unknown unicast traffic in VPLS Virtual Private LAN Service (VPLS) and EVPN. Ethernet VPN (EVPN). These cases are left for future study. Services which that use upstream-assigned service labels are also out of scope of this document and left for future study.
      </t>

     <t>
      <t pn="section-1-8">
       The framework does not require extensions for the existing signaling and
label distribution protocols (e.g., RSVP, LDP, BGP, etc.) of MPLS tunnels. It
assumes that transport tunnels and bypass tunnels are to be established by using the
generic procedures provided by the protocols. On the other hand, it does not
preclude extensions to the protocols which that may facilitate the procedures. One
example of such extension is <xref target="RFC8400"/>. target="RFC8400" format="default" sectionFormat="of" derivedContent="RFC8400"/>. The framework does see the need for extensions of IGPs and service label distribution protocols in some procedures, particularly for supporting protection establishment and context label switching. This document provides guidelines for these extensions, but it leaves the specific details to separate documents.
      </t>

     <t>
      <t pn="section-1-9">
       The framework is intended to complement control-plane convergence and
global repair. Control-plane convergence relies on control protocols to react
on the topology changes due to a failure. Global repair relies on an ingress
router to remotely detect a failure and switch traffic to an alternative
path. An example of global repair is the BGP Prefix Independent Convergence prefix independent convergence
mechanism <xref target="BGP-PIC"/> target="I-D.ietf-rtgwg-bgp-pic" format="default" sectionFormat="of" derivedContent="BGP-PIC"/> for BGP established BGP-established services. Compared with these mechanisms, this framework is considered as faster in traffic restoration, due to the nature of local failure detection and local repair. It is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that the framework be used in conjunction with control-plane convergence or global repair, in order to take the advantages of both approaches. That is, the framework provides fast and temporary repair, while control-plane convergence or global repair provides ultimate and permanent repair.
      </t>
    </section>
    <section title="Specification of Requirements">
     <t>The numbered="true" toc="include" removeInRFC="false" pn="section-2">
      <name slugifiedName="name-specification-of-requiremen">Specification of Requirements</name>
      <t pn="section-2-1">  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
       "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
    "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
    "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document are
    to be interpreted as described in BCP 14 <xref target="RFC2119"/>
       and target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/>
        <xref target="RFC8174"/>.</t> target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> when, and only when, they appear in all capitals,
    as shown here. </t>
    </section>
    <section anchor="terms" title="Terminology">

     <t>
       Egress router - A numbered="true" toc="include" removeInRFC="false" pn="section-3">
      <name slugifiedName="name-terminology">Terminology</name>
      <dl newline="true" spacing="normal" pn="section-3-1">
        <dt pn="section-3-1.1">Egress router:</dt>
        <dd pn="section-3-1.2">A router at the egress endpoint of a tunnel. It hosts service instances for all the services carried by the tunnel, tunnel and has connectivity with the destinations of the services.
     </t>

     <t>
       Egress node failure - A
      </dd>
        <dt pn="section-3-1.3">Egress node failure:</dt>
        <dd pn="section-3-1.4">A failure of an egress router.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.5">
       Egress link failure - A failure:</dt>
        <dd pn="section-3-1.6">A failure of the egress link (e.g., PE-CE link, attachment circuit) of a service.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.7">
       Egress failure - failure:</dt>
        <dd pn="section-3-1.8"> An egress node failure or an egress link failure.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.9">
       Egress-protected tunnel - A tunnel:</dt>
        <dd pn="section-3-1.10">A tunnel whose egress router is protected by a mechanism according to this framework. The egress router is hence called a protected egress router.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.11">
       Egress-protected service - An service:</dt>
        <dd pn="section-3-1.12">An IP or MPLS service which that is carried by an egress-protected tunnel, tunnel and hence protected by a mechanism according to this framework.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.13">
       Backup egress router - Given router:</dt>
        <dd pn="section-3-1.14">Given an egress-protected tunnel and its egress router, this is another router which that has connectivity with all or a subset of the destinations of the egress-protected services carried by the egress-protected tunnel.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.15">
       Backup service instance - A instance:</dt>
        <dd pn="section-3-1.16">A service instance which that is hosted by a backup egress router, router and corresponding corresponds to an egress-protected service on a protected egress router.
     </t>

     <t>
       Protector - A
      </dd>
        <dt pn="section-3-1.17">
       Protector:</dt>
        <dd pn="section-3-1.18">A role acted by a router as an alternate of a protected egress router, to handle service packets in the event of an egress failure. A protector may be physically co-located with or decoupled from a backup egress router, depending on the co-located or centralized protector mode.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.19">
       Protection service instance - A instance:</dt>
        <dd pn="section-3-1.20">A service instance hosted by a protector, corresponding protector that corresponds to the service instance of an egress-protected service on a protected egress router. A protection service instance is a backup service instance, if the protector is co-located with a backup egress router.
     </t>

     <t>
       PLR -
      </dd>
        <dt pn="section-3-1.21">
       PLR:</dt>
        <dd pn="section-3-1.22"> A router at the point of local repair. In egress node protection, it is the penultimate-hop penultimate hop router on an egress-protected tunnel. In egress link protection, it is the egress router of the egress-protected tunnel.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.23">
       Protected egress {E, P} - P}:</dt>
        <dd pn="section-3-1.24"> A virtual node consisting of an ordered pair of egress router E and protector P. It serves as the virtual destination of an egress-protected tunnel, tunnel and as the virtual location of the egress-protected services carried by the tunnel.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.25">
       Context identifier (ID) - A (ID):</dt>
        <dd pn="section-3-1.26">A globally unique IP address assigned to a protected egress {E, P}.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.27">
       Context label - A label:</dt>
        <dd pn="section-3-1.28">A non-reserved label assigned to a context ID by a protector.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.29">
       Egress-protection bypass tunnel - A tunnel:</dt>
        <dd pn="section-3-1.30">A tunnel used to reroute service packets around an egress failure.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.31">
       Co-located protector mode - The mode:</dt>
        <dd pn="section-3-1.32">The scenario where a protector and a backup egress router are co-located as one router, and hence router; hence, each backup service instance serves as a protection service instance.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.33">
       Centralized protector mode - The mode:</dt>
        <dd pn="section-3-1.34">The scenario where a protector is a dedicated router, router and is decoupled from backup egress routers.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.35">
       Context label switching - Label switching:</dt>
        <dd pn="section-3-1.36">Label switching performed by a protector, protector in the label space of an egress router indicated by a context label.
     </t>

     <t>
      </dd>
        <dt pn="section-3-1.37">
       Context IP forwarding - IP forwarding:</dt>
        <dd pn="section-3-1.38">IP forwarding performed by a protector, protector in the IP address space of an egress router indicated by a context label.
     </t>
      </dd>
      </dl>
    </section>
    <section anchor="req" title="Requirements">
     <t> numbered="true" toc="include" removeInRFC="false" pn="section-4">
      <name slugifiedName="name-requirements">Requirements</name>
      <t pn="section-4-1">
       This document considers the following as the design requirements of this egress protection framework.
      </t>

     <t>
       <list style ="symbols">
	 <t>
      <ul spacing="normal" bare="false" empty="false" pn="section-4-2">
        <li pn="section-4-2.1">
	   The framework must support P2P tunnels. It should equally support P2MP, MP2P MP2P, and MP2MP tunnels, by treating each sub-LSP as a P2P tunnel.
	 </t>

	 <t>
	 </li>
        <li pn="section-4-2.2">
	   The framework must support multi-service and multi-transport networks. It must accommodate existing and future signaling and label-distribution protocols of tunnels and bypass tunnels, including RSVP, LDP, BGP, IGP, segment routing, Segment Routing, and others. It must also accommodate existing and future IP/MPLS services, including layer-2 Layer 2 VPNs, layer-3 Layer 3 VPNs, hierarchical LSP, and others. It MUST <bcp14>MUST</bcp14> provide a general solution for networks where different types of services and tunnels co-exist.
	 </t>

	 <t>
	 </li>
        <li pn="section-4-2.3">
	   The framework must consider minimizing disruption during deployment. It should only involve routers close to egress, the egress and be transparent to ingress routers and other transit routers.
	 </t>

	 <t>
	 </li>
        <li pn="section-4-2.4">
	   In egress node protection, for scalability and performance reasons, a PLR must be agnostic to services and service labels. It must maintain bypass tunnels and bypass forwarding state on a per-transport-tunnel basis, basis rather than on a per-service-destination or per-service-label basis. It should also support bypass tunnel sharing between transport tunnels.
	 </t>

	 <t>
	 </li>
        <li pn="section-4-2.5">
	   A PLR must be able to use its local visibility or information of routing or TE topology to compute or resolve a path for a bypass tunnel.
	 </t>

	 <t>
	 </li>
        <li pn="section-4-2.6">
	   A protector must be able to perform context label switching for rerouted MPLS service packets, based on a service label(s) assigned by an egress router. It must be able to perform context IP forwarding for rerouted IP service packets, in the public or private IP address space used by an egress router.
	 </t>

	 <t>
	 </li>
        <li pn="section-4-2.7">
	   The framework must be able to work seamlessly with transit link/node protection mechanisms to achieve end-to-end coverage.
	 </t>

	 <t>
	 </li>
        <li pn="section-4-2.8">
	   The framework must be able to work in conjunction with global repair and control plane control-plane convergence.
	 </t>
       </list>
     </t>
	 </li>
      </ul>
    </section>
    <section anchor="egress-node-protection" title = "Egress node protection"> numbered="true" toc="include" removeInRFC="false" pn="section-5">
      <name slugifiedName="name-egress-node-protection">Egress Node Protection</name>
      <section anchor="ref-topo" title = "Reference topology">
       <t> numbered="true" toc="include" removeInRFC="false" pn="section-5.1">
        <name slugifiedName="name-reference-topology">Reference Topology</name>
        <t pn="section-5.1-1">
	 This document refers to the following topology when describing the procedures of egress node protection.
        </t>
        <figure align="center" anchor="Figure-1">
	 <preamble></preamble> anchor="Figure-1" align="left" suppress-title="false" pn="figure-1">
          <artwork align="center"><![CDATA[ align="center" name="" type="ascii-art" alt="" pn="section-5.1-2.1">
               services 1, ..., N
     =====================================>
     =====================================&gt; tunnel

   I ------ R1 ------- PLR --------------- E ----
ingress          penultimate-hop          penultimate hop        egress    \
                        |  .           (primary    \
                        |  .            service     \
			|  .            instances)            instances )  \
			|  .                          \
			|  .                           \   service
                        |  .                             destinations
			|  .                           / (CEs, sites)
                        |  .                          /
			|  . bypass                  /
			|  . tunnel                 /
                        |  .                       /
                        |  ...............        /
                        R2 --------------- P ----
                                       protector
                                      (protection
		                       service
		                       instances)

						 ]]></artwork>
	 <postamble></postamble> </artwork>
        </figure>
      </section>
      <section anchor="egress-node-failure" title = "Egress node failure and detection">
       <t> numbered="true" toc="include" removeInRFC="false" pn="section-5.2">
        <name slugifiedName="name-egress-node-failure-and-det">Egress Node Failure and Detection</name>
        <t pn="section-5.2-1">
	 An egress node failure refers to the failure of an MPLS tunnel's egress router. At the service level, it is also a service instance failure for each IP/MPLS service carried by the tunnel.
        </t>

       <t>
        <t pn="section-5.2-2">
	 An egress node failure can be detected by an adjacent router (i.e., PLR in this framework) through a node liveness detection mechanism, mechanism or a mechanism based on a collective failure of all the links to that node. The mechanisms MUST <bcp14>MUST</bcp14> be reasonably fast, i.e., faster than control plane control-plane failure detection and remote failure detection. Otherwise, local repair will not be able to provide much benefit compared to control plane control-plane convergence or global repair. In general, the speed, accuracy, and reliability of a failure detection mechanism are the key factors to decide its applicability in egress node protection. This document provides the following guidelines for network operators to choose a proper type of protection on a PLR.
        </t>
       <t>
	 <list style ="symbols">
	   <t>
        <ul spacing="normal" bare="false" empty="false" pn="section-5.2-3">
          <li pn="section-5.2-3.1">
	     If the PLR has a mechanism to detect and differentiate a link failure (of the link between the PLR and the egress node) and an egress node failure, it SHOULD <bcp14>SHOULD</bcp14> set up both link protection and egress node protection, protection and trigger one and only one protection upon a corresponding failure.
	   </t>

	   <t>
	   </li>
          <li pn="section-5.2-3.2">
            <t pn="section-5.2-3.2.1">
	     If the PLR has a fast mechanism to detect a link failure and an egress node failure, but it cannot distinguish them; or, them, or if the PLR has a fast mechanism to detect a link failure only, but not an egress node failure, the PLR has two options:

	     <list style ="numbers">
	       <t>

            </t>
            <ol spacing="normal" type="1" start="1" pn="section-5.2-3.2.2">
              <li pn="section-5.2-3.2.2.1" derivedCounter="1.">
		 It MAY <bcp14>MAY</bcp14> set up link protection only, only and leave the egress node failure to be handled by global repair and control plane control-plane convergence.
	       </t>
	       <t>
	       </li>
              <li pn="section-5.2-3.2.2.2" derivedCounter="2.">
		 It MAY <bcp14>MAY</bcp14> set up egress node protection only, only and treat a link failure as a trigger for the egress node protection. The assumption is that treating a link failure as an egress node failure MUST NOT <bcp14>MUST NOT</bcp14> have a negative impact on services. Otherwise, it SHOULD <bcp14>SHOULD</bcp14> adopt the previous option.
	       </t>
	     </list>
	   </t>
	 </list>
       </t>
	       </li>
            </ol>
          </li>
        </ul>
      </section>
      <section anchor="protector" title = "Protector and PLR">
       <t> numbered="true" toc="include" removeInRFC="false" pn="section-5.3">
        <name slugifiedName="name-protector-and-plr">Protector and PLR</name>
        <t pn="section-5.3-1">
	 A router is assigned to the "protector" role to protect a tunnel and the services carried by the tunnel against an egress node failure. The protector is responsible for hosting a protection service instance for each protected service, serving as the tailend tail end of a bypass tunnel, and performing context label switching and/or context IP forwarding for rerouted service packets.
        </t>

       <t>
        <t pn="section-5.3-2">
	 A tunnel is protected by only one protector. Multiple tunnels to a given egress router may be protected by a common protector or different protectors. A protector may protect multiple tunnels with a common egress router or different egress routers.
        </t>

       <t>
        <t pn="section-5.3-3">
	 For each tunnel, its penultimate-hop penultimate hop router acts as a PLR. The PLR pre-establishes a bypass tunnel to the protector, protector and pre-installs bypass forwarding state in the data plane. Upon detection of an egress node failure, the PLR reroutes all the service packets received on the tunnel though through the bypass tunnel to the protector. For MPLS service packets, the PLR keeps service labels intact in the packets. The In turn, the protector in turn forwards the service packets towards the ultimate service destinations. Specifically, it performs context label switching for MPLS service packets, based on the service labels assigned by the protected egress router; it performs context IP forwarding for IP service packets, based on their destination addresses.
        </t>

       <t>
        <t pn="section-5.3-4">
	 The protector MUST <bcp14>MUST</bcp14> have its own connectivity with each service destination, via a direct link or a multi-hop path, which MUST NOT <bcp14>MUST NOT</bcp14> traverse the protected egress router or be affected by the egress node failure. This also means that each service destination MUST <bcp14>MUST</bcp14> be dual-homed or have dual paths to the egress router and a backup egress router which that may serve as the protector. Each protection service instance on the protector relies on such connectivity to set up forwarding state for context label switching and context IP forwarding.
        </t>
      </section>
      <section anchor="protected-egress" title = "Protected egress">
       <t> numbered="true" toc="include" removeInRFC="false" pn="section-5.4">
        <name slugifiedName="name-protected-egress">Protected Egress</name>
        <t pn="section-5.4-1">
	 This document introduces the notion of "protected egress" as a virtual node consisting of the egress router E of a tunnel and a protector P. It is denoted by an ordered pair of {E, P}, indicating the primary-and-protector relationship between the two routers. It serves as the virtual destination of the tunnel, tunnel and the virtual location of service instances for the services carried by the tunnel. The tunnel and services are considered as being "associated" with the protected egress {E, P}.
        </t>

       <t>
        <t pn="section-5.4-2">
       A given egress router E may be the tailend tail end of multiple tunnels. In general, the tunnels may be protected by multiple protectors, e.g., P1, P2, and so on, with each Pi protecting a subset of the tunnels. Thus, these routers form multiple protected egresses, i.e., {E, P1}, {E, P2}, and so on. Each tunnel is associated with one and only one protected egress {E, Pi}.  All the services carried by the tunnel are then automatically associated with the protected egress {E, Pi}. Conversely, a service associated with a protected egress {E, Pi} MUST <bcp14>MUST</bcp14> be carried by a tunnel associated with the protected egress {E, Pi}. This mapping MUST <bcp14>MUST</bcp14> be ensured by the ingress router of the tunnel and the service (<xref target="ep-tunnel-service" />). format="default" sectionFormat="of" derivedContent="Section 5.5"/>).
        </t>

       <t>
	 Two
        <t pn="section-5.4-3">
	 The two routers X and Y may be protectors for each other. In this case, they form two distinct protected egresses egresses: {X, Y} and {Y, X}.
        </t>
      </section>
      <section anchor="ep-tunnel-service" title = "Egress-protected tunnel and service">
       <t> numbered="true" toc="include" removeInRFC="false" pn="section-5.5">
        <name slugifiedName="name-egress-protected-tunnel-and">Egress-Protected Tunnel and Service</name>
        <t pn="section-5.5-1">
	 A tunnel, which is associated with a protected egress {E, P}, is called an egress-protected tunnel. It is associated with one and only one protected egress {E, P}.  Multiple egress-protected tunnels may be associated with a given protected egress {E, P}.  In this case, they share the common egress router and protector, but they may or may not share a common ingress router, router or a common PLR (i.e., penultimate-hop penultimate hop router).
        </t>

       <t>
        <t pn="section-5.5-2">
	 An egress-protected tunnel is considered as logically "destined" for its protected egress {E, P}.  Its path MUST <bcp14>MUST</bcp14> be resolved and established with E as the physical tailend. tail end.
        </t>

       <t>
        <t pn="section-5.5-3">
	 A service, which is associated with a protected egress {E, P}, is called an egress-protected service. The egress Egress router E hosts the primary instance of the service, and the protector P hosts the protection instance of the service.
        </t>

       <t>
        <t pn="section-5.5-4">
	 An egress-protected service is associated with one and only one protected egress {E, P}.  Multiple egress-protected services may be associated with a given protected egress {E, P}.  In this case, these services share the common egress router and protector, but they may or may not be carried by a common egress-protected tunnel or a common ingress router.
        </t>

       <t>
        <t pn="section-5.5-5">
	 An egress-protected service MUST <bcp14>MUST</bcp14> be mapped to an egress-protected tunnel by its ingress router, based on the common protected egress {E, P} of the service and the tunnel. This is achieved by introducing the notion of a "context ID" for a protected egress {E, P}, as described in (<xref <xref target="cid" />). format="default" sectionFormat="of" derivedContent="Section 5.7"/>.
        </t>
      </section>
      <section anchor="ep-bypass" title = "Egress-protection bypass tunnel">

       <t> numbered="true" toc="include" removeInRFC="false" pn="section-5.6">
        <name slugifiedName="name-egress-protection-bypass-tu">Egress-Protection Bypass Tunnel</name>
        <t pn="section-5.6-1">
	 An egress-protected tunnel destined for a protected egress {E, P} MUST <bcp14>MUST</bcp14> have a bypass tunnel from its PLR to the protector P. This bypass tunnel is called an egress-protection bypass tunnel. The bypass tunnel is considered as logically "destined" for the protected egress {E, P}. Due to its bypass nature, it MUST <bcp14>MUST</bcp14> be established with P as the physical tailend tail end and E as the node to avoid.

The bypass tunnel MUST have the property that it MUST NOT <bcp14>MUST NOT</bcp14> be affected by the topology change caused by an egress node failure. failure; thus, it <bcp14>MUST</bcp14> contain a property that protects it from this scenario.
        </t>

       <t>
        <t pn="section-5.6-2">
	 An egress-protection bypass tunnel is associated with one and only one protected egress {E, P}. A PLR may share an egress-protection bypass tunnel for multiple egress-protected tunnels associated with a common protected egress {E, P}.
        </t>
      </section>
      <section anchor="cid" title = "Context numbered="true" toc="include" removeInRFC="false" pn="section-5.7">
        <name slugifiedName="name-context-id-context-label-an">Context ID, context label, Context Label, and context-based forwarding">

       <t> Context-Based Forwarding</name>
        <t pn="section-5.7-1">
	 In this framework, a globally unique IPv4 or IPv6 address is assigned to a protected egress {E, P} as the identifier of the protected egress {E, P}. It is called a "context ID" due to its specific usage in context label switching and context IP forwarding on the protector. It is an IP address that is logically owned by both the egress router and the protector. For the egress router, it indicates the protector. For the protector, it indicates the egress router, particularly the egress router's forwarding context. For other routers in the network, it is an address reachable via both the egress router and the protector (<xref target="adv" />), format="default" sectionFormat="of" derivedContent="Section 5.8"/>), similar to an anycast address.
        </t>

       <t>
        <t pn="section-5.7-2">
	 The main purpose of a context ID is to coordinate the ingress router, egress router, PLR PLR, and protector to establish egress protection. The procedures are described below, given an egress-protected service associated with a protected egress {E, P} with a context ID.
        </t>
       <t>
	 <list style ="symbols">
	   <t>
        <ul spacing="normal" bare="false" empty="false" pn="section-5.7-3">
          <li pn="section-5.7-3.1">
	     If the service is an MPLS service, when E distributes a service label binding message to the ingress router, E attaches the context ID to the message. If the service is an IP service, when E advertises the service destination address to the ingress router, E attaches the context ID to the advertisement message. How The service protocol chooses how the context ID is encoded in the messages is a choice of the service protocol. messages. A protocol extension of a "context ID" object may be needed, if there is no existing mechanism for this purpose.
	   </t>
	   <t>
	   </li>
          <li pn="section-5.7-3.2">
	     The ingress router uses the service's context ID as the destination to establish or resolve an egress-protected tunnel. The ingress router then maps the service to the tunnel for transportation. The semantics of the context ID is transparent to the ingress router. The ingress router only treats the context ID as an IP address of E, in the same manner as establishing or resolving a regular transport tunnel.
	   </t>
	   <t>
	   </li>
          <li pn="section-5.7-3.3">
	     The context ID is conveyed to the PLR by the signaling protocol of the egress-protected tunnel, tunnel or learned by the PLR via an IGP (i.e., OSPF or ISIS) IS-IS) or a topology-driven label distribution protocol (e.g., LDP). The PLR uses the context ID as the destination to establish or resolve an egress-protection bypass tunnel to P while avoiding E.
	   </t>
	   <t>
	   </li>
          <li pn="section-5.7-3.4">
	     P maintains a dedicated label space and a dedicated IP address space for E. They are referred to as "E's label space" and "E's IP address space", respectively. P uses the context ID to identify the label space and IP address space.
	   </t>
	   <t>
	   </li>
          <li pn="section-5.7-3.5">
	     If the service is an MPLS service, E also distributes the service label binding message to P. This is the same label binding message that E advertises to the ingress router, which includes the context ID. Based on the context ID, P installs the service label in an MPLS forwarding table corresponding to E's label space. If the service is an IP service, P installs an IP route in an IP forwarding table corresponding to E's IP address space. In either case, the protection service instance on P constructs the forwarding state for the label route or IP route based on P's own connectivity with the service's destination.
	   </t>
	   <t>
	   </li>
          <li pn="section-5.7-3.6">
	     P assigns a non-reserved label to the context ID. In the data plane, this label represents the context ID and indicates E's label space and IP address space. Therefore, it is called a "context label".
	   </t>
	   <t>
	   </li>
          <li pn="section-5.7-3.7">
	     The PLR may establish the egress-protection bypass tunnel to P in several manners. If the bypass tunnel is established by RSVP, the PLR signals the bypass tunnel with the context ID as the destination, and P binds the context label to the bypass tunnel. If the bypass tunnel is established by LDP, P advertises the context label for the context ID as an IP prefix FEC. Forwarding
   Equivalence Class (FEC). If the bypass tunnel is established by the PLR in a hierarchical manner, the PLR treats the context label as a one-hop LSP over a regular bypass tunnel to P (e.g., a bypass tunnel to P's loopback IP address). If the bypass tunnel is constructed by using segment routing, Segment Routing, the bypass tunnel is represented by a stack of SID Segment Identifier (SID) labels with the context label as the inner-most SID label (<xref target="bypass-estb" />). format="default" sectionFormat="of" derivedContent="Section 5.9"/>). In any case, the bypass tunnel is a ultimate-hop-popping an ultimate hop-popping (UHP) tunnel whose incoming label on P is the context label.
	   </t>
	   <t>
	   </li>
          <li pn="section-5.7-3.8">
	     During local repair, all the service packets received by P on the bypass tunnel have the context label as the top label. P first pops the context label. For an MPLS service packet, P further looks up the service label in E's label space indicated by the context label. Such kind of forwarding is called context label switching. For an IP service packet, P looks up the IP destination address in E's IP address space indicated by the context label. Such kind of forwarding is called context IP forwarding.
	   </t>
	 </list>
       </t>
	   </li>
        </ul>
      </section>
      <section anchor="adv" title = "Advertisement numbered="true" toc="include" removeInRFC="false" pn="section-5.8">
        <name slugifiedName="name-advertisement-and-path-reso">Advertisement and path resolution Path Resolution for context ID">

       <t> Context ID</name>
        <t pn="section-5.8-1">
	 Path resolution and computation for a context ID are done on ingress routers for egress-protected tunnels, tunnels and on PLRs for egress-protection bypass tunnels. Given a protected egress {E, P} and its context ID, E and P MUST <bcp14>MUST</bcp14> coordinate on the reachability of the context ID in the routing domain and the TE domain. The context ID MUST <bcp14>MUST</bcp14> be advertised in such a manner that all egress-protected tunnels MUST <bcp14>MUST</bcp14> have E as tailend, the tail end, and all egress-protection bypass tunnels MUST <bcp14>MUST</bcp14> have P as tailend the tail end while avoiding E.
        </t>

       <t>
        <t pn="section-5.8-2">
	 This document suggests three approaches:
        </t>

       <t>
	 <list style ="numbers">
	   <t>
        <ul empty="true" bare="false" spacing="normal" pn="section-5.8-3">
          <li pn="section-5.8-3.1">
            <ol spacing="normal" type="1" start="1" pn="section-5.8-3.1.1">
              <li pn="section-5.8-3.1.1.1" derivedCounter="1.">
	     The first approach is called "proxy mode". It requires E and P, but not the PLR, to have the knowledge of the egress protection schema. E and P advertise the context ID as a virtual proxy node (i.e., a logical node) connected to the two routers, with the link between the proxy node and E having more preferable IGP and TE metrics than the link between the proxy node and P. Therefore, all egress-protected tunnels destined for the context ID will automatically follow the IGP or TE paths to E. Each PLR will no longer view itself as a penultimate-hop, penultimate hop but rather as two hops away from the proxy node, via E. The PLR will be able to find a bypass path via P to the proxy node, while the bypass tunnel is actually be terminated by P.
	   </t>

	   <t>
	   </li>
              <li pn="section-5.8-3.1.1.2" derivedCounter="2.">
	     The second approach is called "alias mode". It requires P and the
PLR, but not E, to have the knowledge of the egress protection schema. E simply
advertises the context ID as an IP address. P advertises the context ID and the
context label by using a "context ID label binding" advertisement. In both
the routing domain and TE domain, the context ID is only reachable via
E. Therefore, all egress-protected tunnels destined for the context ID will
have E as tailend. the tail end. Based on the "context ID label binding" advertisement, the
PLR can establish an egress-protection bypass tunnel in several manners (<xref
target="bypass-estb"/>). target="bypass-estb" format="default" sectionFormat="of" derivedContent="Section 5.9"/>). The "context ID label binding" advertisement is
defined as the IGP mirroring context Mirroring Context segment in <xref target="RFC8402"/> target="RFC8402" format="default" sectionFormat="of" derivedContent="RFC8402"/> and <xref target="RFCYYYY"/>. target="RFC8667" format="default" sectionFormat="of" derivedContent="RFC8667"/>. These IGP extensions are generic in nature, nature and hence can be used for egress protection purposes. It is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that a similar advertisement be defined for OSPF as well.
	   </t>

	   <t>
	   </li>
              <li pn="section-5.8-3.1.1.3" derivedCounter="3.">
	     The third approach is called "stub link mode". In this mode, both E and P advertise the context ID as a link to a stub network, essentially modelling modeling the context ID as an anycast IP address owned by the two routers. E, P P, and the PLR do not need to have the knowledge of the egress protection schema. The correctness of the egress-protected tunnels and the bypass tunnels relies on the path computations for the anycast IP address performed by the ingress routers and PLR. Therefore, care MUST <bcp14>MUST</bcp14> be taken for the applicability of this approach to a network.
	   </t>
	 </list>
       </t>

       <t>
	   </li>
            </ol>
          </li>
        </ul>
        <t pn="section-5.8-4">
	 This framework considers the above approaches as technically equal, equal and the feasibility of each approach in a given network as dependent on the topology, manageability, and available protocols of the network. For a given context ID, all relevant routers, including the primary PE, protector, and PLR, MUST <bcp14>MUST</bcp14> support and agree on the chosen approach. The coordination between these routers can be achieved by configuration.
        </t>

       <t>
        <t pn="section-5.8-5">
	 In a scenario where an egress-protected tunnel is an inter-area or inter-AS inter-Autonomous-System (inter-AS) tunnel, its associated context ID MUST <bcp14>MUST</bcp14> be propagated by IGP or BGP from the original area or AS to the area or AS of the ingress router. The propagation process of the context ID SHOULD <bcp14>SHOULD</bcp14> be the same as that of an IP address in an inter-area or inter-AS environment.
        </t>
      </section>
      <section anchor="bypass-estb" title = "Egress-protection bypass tunnel establishment">
       <t> numbered="true" toc="include" removeInRFC="false" pn="section-5.9">
        <name slugifiedName="name-egress-protection-bypass-tun">Egress-Protection Bypass Tunnel Establishment</name>
        <t pn="section-5.9-1">
	 A PLR MUST <bcp14>MUST</bcp14> know the context ID of a protected egress {E, P} in order to establish an egress-protection bypass tunnel. The information is obtained from the signaling or label distribution protocol of the egress-protected tunnel. The PLR may or may not need to have the knowledge of the egress protection egress-protection schema. All it does is to set up a bypass tunnel to a context ID while avoiding the next-hop router (i.e., egress router). This is achievable by using a constraint-based computation algorithm similar to those commonly used for traffic engineering paths and loop-free alternate Loop-Free Alternate (LFA) paths. Since the context ID is advertised in the routing domain and in the TE domain by IGP according to <xref target="adv" />, format="default" sectionFormat="of" derivedContent="Section 5.8"/>, the PLR is able to resolve or establish such a bypass path with the protector as tailend. the tail end. In the case of proxy mode, the PLR may do so in the same manner as transit node protection.
        </t>

       <t>
        <t pn="section-5.9-2">
	 An egress-protection bypass tunnel may be established via several methods:
        </t>

       <t>
	 (1) It
        <ul empty="true" bare="false" spacing="normal" pn="section-5.9-3">
          <li pn="section-5.9-3.1">
            <ol spacing="normal" type="1" start="1" pn="section-5.9-3.1.1">
              <li pn="section-5.9-3.1.1.1" derivedCounter="1.">It may be established by a signaling protocol (e.g., RSVP), with the context ID as the destination. The protector binds the context label to the bypass tunnel.
       </t>

       <t>
	 (2)
        </li>
              <li pn="section-5.9-3.1.1.2" derivedCounter="2."> It may be formed by a topology driven topology-driven protocol (e.g., LDP with various LFA mechanisms). The protector advertises the context ID as an IP prefix FEC, with the context label bound to it.
       </t>

       <t>
	 (3) It
        </li>
              <li pn="section-5.9-3.1.1.3" derivedCounter="3.">It may be constructed as a hierarchical tunnel. When the protector uses the alias mode (<xref target="adv" />), format="default" sectionFormat="of" derivedContent="Section 5.8"/>), the PLR will have the knowledge of the context ID, context label, and protector (i.e., the advertiser). The PLR can then establish the bypass tunnel in a hierarchical manner, with the context label as a one-hop LSP over a regular bypass tunnel to the protector's IP address (e.g., loopback address). This regular bypass tunnel may be established by RSVP, LDP, segment routing, Segment Routing, or another protocol.
       </t>
        </li>
            </ol>
          </li>
        </ul>
      </section>
      <section anchor="local-repair" title = "Local repair on PLR">
       <t> numbered="true" toc="include" removeInRFC="false" pn="section-5.10">
        <name slugifiedName="name-local-repair-on-plr">Local Repair on PLR</name>
        <t pn="section-5.10-1">
	 In this framework, a PLR is agnostic to services and service labels. This obviates the need to maintain bypass forwarding state on a per-service basis, basis and allows bypass tunnel sharing between egress-protected tunnels. The PLR may share an egress-protection bypass tunnel for multiple egress-protected tunnels associated with a common protected egress {E, P}. During local repair, the PLR reroutes all service packets received on the egress-protected tunnels to the egress-protection bypass tunnel. Service labels remain intact in MPLS service packets.
        </t>

       <t>
        <t pn="section-5.10-2">
	 Label operation performed by the PLR depends on the bypass tunnel's characteristics. If the bypass tunnel is a single level tunnel, the rerouting will involve swapping the incoming label of an egress-protected tunnel to the outgoing label of the bypass tunnel. If the bypass tunnel is a hierarchical tunnel, the rerouting will involve swapping the incoming label of an egress-protected tunnel to a context label, label and pushing the outgoing label of a regular bypass tunnel. If the bypass tunnel is constructed by segment routing, Segment Routing, the rerouting will involve swapping the incoming label of an egress-protected tunnel to a context label, label and pushing the stack of SID labels of the bypass tunnel.
        </t>
      </section>
      <section anchor="upstream-label-distrib" title = "Service label distribution numbered="true" toc="include" removeInRFC="false" pn="section-5.11">
        <name slugifiedName="name-service-label-distribution-">Service Label Distribution from egress router Egress Router to protector">

       <t> Protector</name>
        <t pn="section-5.11-1">
	 When a protector receives a rerouted MPLS service packet, it performs context label switching based on the packet's service label label, which is assigned by the corresponding egress router. In order to achieve this, the protector MUST <bcp14>MUST</bcp14> maintain the labels of egress-protected services in dedicated label spaces on a per protected egress per-protected-egress {E, P} basis, i.e., one label space for each egress router that it protects.
        </t>

       <t>
        <t pn="section-5.11-2">
	 Also, there MUST <bcp14>MUST</bcp14> be a service label distribution protocol session between each egress router and the protector. Through this protocol, the protector learns the label binding of each egress-protected service. This is the same label binding that the egress router advertises to the service's ingress router, which includes a context ID. The corresponding protection service instance on the protector recognizes the service, service and resolves forwarding state based on its own connectivity with the service's destination. It then installs the service label with the forwarding state in the label space of the egress router, which is indicated by the context ID (i.e., context label).
        </t>

       <t>
        <t pn="section-5.11-3">
	 Different service protocols may use different mechanisms for such kind
of label distribution. Specific extensions may be needed on a per-protocol
basis
or per-service-type basis. The details of the extensions should be
specified in separate documents. As an example, <xref target="RFC8104"/> specifies the LDP extensions for pseudowire services. services are specified in <xref target="RFC8104" format="default" sectionFormat="of" derivedContent="RFC8104"/>.
        </t>
      </section>
      <section anchor="centralized" title = "Centralized protector mode">

       <t> numbered="true" toc="include" removeInRFC="false" pn="section-5.12">
        <name slugifiedName="name-centralized-protector-mode">Centralized Protector Mode</name>
        <t pn="section-5.12-1">
	 In this framework, it is assumed that the service destination of an egress-protected service MUST <bcp14>MUST</bcp14> be dual-homed to two edge routers of an MPLS network. One of them is the protected egress router, and the other is a backup egress router. So far in this document, the focus of discussion has been focusing on the scenario where a protector and a backup egress router are co-located as one router. Therefore, the number of protectors in a network is equal to the number of backup egress routers. As another scenario, a network may assign a small number of routers to serve as dedicated protectors, each protecting a subset of egress routers. These protectors are called centralized protectors.
        </t>

       <t>
        <t pn="section-5.12-2">
	 Topologically, a centralized protector may be decoupled from all backup egress routers, or it may be co-located with one backup egress router while decoupled from the other backup egress routers. The procedures in this section assume that a protector and a backup egress router are decoupled.
        </t>
        <figure align="center" anchor="Figure-2">
	 <preamble></preamble> anchor="Figure-2" align="left" suppress-title="false" pn="figure-2">
          <artwork align="center"><![CDATA[ align="center" name="" type="ascii-art" alt="" pn="section-5.12-3.1">
               services 1, ..., N
     =====================================>
     =====================================&gt; tunnel

   I ------ R1 ------- PLR --------------- E ----
ingress          penultimate-hop          penultimate hop        egress    \
                        |  .           (primary    \
                        |  .            service     \
			|  .            instances)   \
			|  .                          \
			|  . bypass                    \   service
                       R2  . tunnel                      destinations
			|  .                           / (CEs, sites)
                        |  .                          /
			|  .                         /
			|  .                        /
                        |  .    tunnel             /
                        |   =============>   =============&gt;        /
                        P ---------------- E' ---
                    protector        backup egress
                   (protection         (backup
		    service             service
		    instances)          instances)

						 ]]></artwork>
	 <postamble></postamble> </artwork>
        </figure>

       <t>
        <t pn="section-5.12-4">
	 Like a co-located protector, a centralized protector hosts protection service instances, receives rerouted service packets from PLRs, and performs context label switching and/or context IP forwarding. For each service, instead of sending service packets directly to the service destination, the protector MUST <bcp14>MUST</bcp14> send them via another transport tunnel to the corresponding backup service instance on a backup egress router. The backup service instance in turn forwards the service packets to the service destination. Specifically, if the service is an MPLS service, the protector MUST <bcp14>MUST</bcp14> swap the service label in each received service packet to the label of the backup service advertised by the backup egress router, and then push the label (or label stack) of the transport tunnel.
        </t>

       <t>
        <t pn="section-5.12-5">
	 In order for a centralized protector to map an egress-protected MPLS service to a service hosted on a backup egress router, there MUST <bcp14>MUST</bcp14> be a service label distribution protocol session between the backup egress router and the protector. Through this session, the backup egress router advertises the service label of the backup service, attached with the FEC of the egress-protected service and the context ID of the protected egress {E, P}. Based on this information, the protector associates the egress-protected service with the backup service, resolves or establishes a transport tunnel to the backup egress router, and sets up forwarding state for the label of the egress-protected service in the label space of the egress router.
        </t>

       <t>
        <t pn="section-5.12-6">
	 The service label which that the backup egress router advertises to the protector can be the same as the label which that the backup egress router advertises to the ingress router(s), if and only if the forwarding state of the label does not direct service packets towards the protected egress router. Otherwise, the label MUST NOT <bcp14>MUST NOT</bcp14> be used for egress protection, because it would create a loop for the service packets. In this case, the backup egress router MUST <bcp14>MUST</bcp14> advertise a unique service label for egress protection, protection and set up the forwarding state of the label to use the backup egress router's own connectivity with the service destination.
        </t>
      </section>
    </section>
    <section anchor="link-protection" title = "Egress link protection">

     <t> numbered="true" toc="include" removeInRFC="false" pn="section-6">
      <name slugifiedName="name-egress-link-protection">Egress Link Protection</name>
      <t pn="section-6-1">
       Egress link protection is achievable through procedures similar to that of egress node protection. In normal situations, an egress router forwards service packets to a service destination based on a service label, whose forwarding state points to an egress link. In egress link protection, the egress router acts as the PLR, PLR and performs local failure detection and local repair. Specifically, the egress router pre-establishes an egress-protection bypass tunnel to a protector, protector and sets up the bypass forwarding state for the service label to point to the bypass tunnel. During local repair, the egress router reroutes service packets via the bypass tunnel to the protector. The protector in turn forwards the packets to the service destination (in the co-located protector mode, as shown in Figure 3), <xref target="Figure-3" format="default" sectionFormat="of" derivedContent="Figure 3"/>) or forwards the packets to a backup egress router (in the centralized protector mode, as shown in Figure 4). <xref target="Figure-4" format="default" sectionFormat="of" derivedContent="Figure 4"/>).
      </t>
      <figure align="center" anchor="Figure-3">
       <preamble></preamble> anchor="Figure-3" align="left" suppress-title="false" pn="figure-3">
        <artwork align="center"><![CDATA[ align="center" name="" type="ascii-art" alt="" pn="section-6-2.1">
                     service
     =====================================>
     =====================================&gt; tunnel

   I ------ R1 -------  R2 --------------- E ----
ingress                 |  ............. egress   \
                        |  .              PLR      \
                        |  .             (primary   \
                        |  .              service    \
			|  .              instance)   \
			|  .                           \
			|  . bypass                        service
                        |  . tunnel                      destination
			|  .                           / (CE, site)
                        |  .                          /
			|  .                         /
			|  .                        /
                        |  .                       /
                        |  ...............        /
                        R3 --------------- P ----
                                       protector
                                      (protection
		                       service
		                       instance)
				       ]]></artwork>
       <postamble></postamble> </artwork>
      </figure>
      <figure align="center" anchor="Figure-4">
       <preamble></preamble> anchor="Figure-4" align="left" suppress-title="false" pn="figure-4">
        <artwork align="center"><![CDATA[ align="center" name="" type="ascii-art" alt="" pn="section-6-3.1">
                     service
     =====================================>
     =====================================&gt; tunnel

   I ------ R1 -------  R2 --------------- E ----
ingress                 |  ............. egress   \
                        |  .              PLR      \
                        |  .             (primary   \
                        |  .              service    \
			|  .              instance)   \
			|  .                           \
			|  . bypass                        service
                        |  . tunnel                      destination
			|  .                           / (CE, site)
                        |  .                          /
			|  .                         /
			|  .                        /
                        |  .    tunnel             /
                        |   =============>   =============&gt;        /
                        R3 --------------- P ----
                    protector        backup egress
                   (protection      (backup
		    service          service
		    instance)        instance)

				       ]]></artwork>
       <postamble></postamble> </artwork>
      </figure>

     <t>
      <t pn="section-6-4">
        There are two approaches to set for setting up the bypass forwarding state on the egress router, depending on whether the egress router knows the service label allocated by the backup egress router. The difference is that one approach requires the protector to perform context label switching, and the other one does not. Both approaches are equally supported by this framework.
      </t>

     <t>
       <list>
	 <t>
	   (1) The
      <ul empty="true" spacing="normal" bare="false" pn="section-6-5">
        <li pn="section-6-5.1">
          <ol spacing="normal" type="1" start="1" pn="section-6-5.1.1">
            <li pn="section-6-5.1.1.1" derivedCounter="1.">The first approach applies when the egress router does not know the service label allocated by the backup egress router. In this case, the egress router sets up the bypass forwarding state as a label push with the outgoing label of the egress-protection bypass tunnel. Rerouted packets will have the egress router's service label intact. Therefore, the protector MUST <bcp14>MUST</bcp14> perform context label switching, and the bypass tunnel MUST <bcp14>MUST</bcp14> be destined for the context ID of the protected egress {E, P} and established as described in <xref target="bypass-estb" />. format="default" sectionFormat="of" derivedContent="Section 5.9"/>. This approach is consistent with egress node protection. Hence, a protector can serve in egress node protection and egress link protection in a consistent manner, and both the co-located protector mode and the centralized protector mode are supported (Figure 3 (see Figures <xref target="Figure-3" format="counter" sectionFormat="of" derivedContent="3"/> and Figure 4).
	 </t>

	 <t>
	  (2) <xref target="Figure-4" format="counter" sectionFormat="of" derivedContent="4"/>).
	 </li>
            <li pn="section-6-5.1.1.2" derivedCounter="2."> The second approach applies when the egress router knows the service label allocated by the backup egress router, via a label distribution protocol session. In this case, the backup egress router serves as the protector for egress link protection, regardless of the protector of egress node protection, which will be the same router in the co-located protector mode but a different router in the centralized protector mode. The egress router sets up the bypass forwarding state as a label swap from the incoming service label to the service label of the backup egress router (i.e., protector), followed by a push with the outgoing label (or label stack) of the egress link protection bypass tunnel. The bypass tunnel is a regular tunnel destined for an IP address of the protector, instead of the context ID of the protected egress {E, P}. The protector simply forwards rerouted service packets based on its own service label, label rather than performing context label switching. In this approach, only the co-located protector mode is applicable.
	 </t>

       </list>
     </t>

     <t>
	 </li>
          </ol>
        </li>
      </ul>
      <t pn="section-6-6">
       Note that for a bidirectional service, the physical link of an egress link may carry service traffic bi-directionally. bidirectionally. Therefore, an egress link failure may simultaneously be an ingress link failure for the traffic in the opposite direction. Protection for ingress link failure SHOULD <bcp14>SHOULD</bcp14> be provided by a separate mechanism, mechanism and hence is out of the scope of this document.
      </t>
    </section>
    <section title = "Global repair">

     <t> numbered="true" toc="include" removeInRFC="false" pn="section-7">
      <name slugifiedName="name-global-repair">Global Repair</name>
      <t pn="section-7-1">
       This framework provides a fast but temporary repair for egress node and egress link failures. For permanent repair, the services affected by a failure SHOULD <bcp14>SHOULD</bcp14> be moved to an alternative tunnel, or replaced by alternative services, which are fully functional. This is referred to as global repair. Possible triggers of global repair include control plane control-plane notifications of tunnel status and service status, end-to-end OAM and fault detection at the tunnel and service level, and others. The alternative tunnel and services may be pre-established in standby state, state or dynamically established as a result of the triggers or network protocol convergence.
      </t>
    </section>
    <section title = "Operational Considerations">
     <t> numbered="true" toc="include" removeInRFC="false" pn="section-8">
      <name slugifiedName="name-operational-considerations">Operational Considerations</name>
      <t pn="section-8-1">
       When a PLR performs local repair, the router SHOULD <bcp14>SHOULD</bcp14> generate an alert for the event. The alert may be logged locally for tracking purposes, or it may be sent to the operator at a management station. The communication channel and protocol between the PLR and the management station may vary depending on networks, networks and are out of the scope of this document.
      </t>
    </section>
    <section title = "General context-based forwarding">
     <t> numbered="true" toc="include" removeInRFC="false" pn="section-9">
      <name slugifiedName="name-general-context-based-forwa">General Context-Based Forwarding</name>
      <t pn="section-9-1">
       So far, this document has been focusing on the cases where service
       packets are MPLS or IP packets packets, and protectors perform context label
       switching or context IP forwarding.

Although this should cover most common services, it is worth mentioning that the framework is also applicable to services or sub-modes of services where service packets are layer-2 Layer 2 packets or encapsulated in non-IP/MPLS non-IP and non-MPLS formats. The only specific in these cases is that a protector MUST <bcp14>MUST</bcp14> perform context-based forwarding based on the layer-2 Layer 2 table or corresponding lookup table table, which is indicated by a context ID (i.e., context label).
      </t>
    </section>
    <section title = "Example: Layer-3 numbered="true" toc="include" removeInRFC="false" pn="section-10">
      <name slugifiedName="name-example-layer-3-vpn-egress-">Example: Layer 3 VPN egress protection">

     <t> Egress Protection</name>
      <t pn="section-10-1">
       This section shows an example of egress protection for layer-3 Layer 3 IPv4 and IPv6 VPNs.
      </t>
      <figure align="center" anchor="Figure-5">
	 <preamble></preamble> anchor="Figure-5" align="left" suppress-title="false" pn="figure-5">
        <artwork align="center"><![CDATA[ align="center" name="" type="ascii-art" alt="" pn="section-10-2.1">
                        ---------- R1 ----------- PE2 -
                       /          (PLR)          (PLR)  \
 (          )         /            |               |     (          )
 (          )        /             |               |     (          )
 (  site 1  )-- PE1 < &lt;              |               R3    (  site 2  )
 (          )	     \		   |               |     (          )
 (          )         \            |               |     (          )
                       \           |               |    /
                        ---------- R2 ----------- PE3 -
                                              (protector)

						 ]]></artwork>
	 <postamble></postamble> </artwork>
      </figure>

     <t>
      <t pn="section-10-3">
       In this example, the core network is IPv4 and MPLS. Both of the IPv4 VPN and the IPv6 VPN VPNs consist of site sites 1 and site 2. Site 1 is connected to PE1, and site 2 is dual-homed to PE2 and PE3. Site 1 includes an IPv4 subnet 203.0.113.64/26 and an IPv6 subnet 2001:db8:1:1::/64. Site 2 includes an IPv4 subnet 203.0.113.128/26 and an IPv6 subnet 2001:db8:1:2::/64. PE2 is the primary PE for site 2, and PE3 is the backup PE. Each of PE1, PE2 PE2, and PE3 hosts an IPv4 VPN instance and an IPv6 VPN instance. The PEs use BGP to exchange VPN prefixes and VPN labels between each other. In the core network, R1 and R2 are transit routers, OSPF is used as the routing protocol, and RSVP-TE is used as the tunnel signaling protocol.
      </t>

     <t>
      <t pn="section-10-4">
       Using the framework in this document, the network assigns PE3 to be the protector of PE2 to protect the VPN traffic in the direction from site 1 to site 2. This is the co-located protector mode. PE2 and PE3 form a protected egress {PE2, PE3}. A context Context ID 198.51.100.1 is assigned to the protected egress {PE2, PE3}. (If the core network is IPv6, the context ID would be an IPv6 address.) The IPv4 and IPv6 VPN instances on PE3 serve as protection instances for the corresponding VPN instances on PE2. On PE3, a context label 100 is assigned to the context ID, and a label table pe2.mpls is created to represent PE2's label space. PE3 installs label 100 in its MPLS forwarding table, with nexthop the next hop pointing to the label table pe2.mpls. PE2 and PE3 are coordinated to use the proxy mode to advertise the context ID in the routing domain and the TE domain.
      </t>

     <t>
      <t pn="section-10-5">
       PE2 uses per-VRF the label allocation mode per Virtual Routing and Forwarding (VRF) for both of its IPv4 and IPv6 VPN instances. It assigns label 9000 to the IPv4 VRF, and label 9001 to the IPv6 VRF. For the IPv4 prefix 203.0.113.128/26 in site 2, PE2 advertises it with label 9000 and NEXT_HOP 198.51.100.1 to PE1 and PE3 via BGP. Likewise, for the IPv6 prefix 2001:db8:1:2::/64 in site 2, PE2 advertises it with label 9001 and NEXT_HOP 198.51.100.1 to PE1 and PE3 via BGP.
      </t>

     <t>
      <t pn="section-10-6">
       PE3 also uses per-VRF VPN label allocation mode for both of its IPv4 and IPv6 VPN instances. It assigns label 10000 to the IPv4 VRF, VRF and label 10001 to the IPv6 VRF. For the prefix 203.0.113.128/26 in site 2, PE3 advertises it with label 10000 and NEXT_HOP as itself to PE1 and PE2 via BGP. For the IPv6 prefix 2001:db8:1:2::/64 in site 2, PE3 advertises it with label 10001 and NEXT_HOP as itself to PE1 and PE2 via BGP.
      </t>

     <t>
      <t pn="section-10-7">
       Upon receipt of the above BGP advertisements from PE2, PE1 uses the context ID 198.51.100.1 as the destination to compute a path for an egress-protected tunnel. The resultant path is PE1->R1->PE2. PE1-&gt;R1-&gt;PE2. PE1 then uses RSVP to signal the tunnel, with the context ID 198.51.100.1 as the destination, and with the "node protection desired" flag set in the SESSION_ATTRIBUTE of the RSVP Path message. Once the tunnel comes up, PE1 maps the VPN prefixes 203.0.113.128/26 and 2001:db8:1:2::/64 to the tunnel, tunnel and installs a route for each prefix in the corresponding IPv4 or IPv6 VRF. The nexthop next hop of the route 203.0.113.128/26 is a push of the VPN label 9000, followed by a push of the outgoing label of the egress-protected tunnel. The nexthop next hop of the route 2001:db8:1:2::/64 is a push of the VPN label 9001, followed by a push of the outgoing label of the egress-protected tunnel.
      </t>

     <t>
      <t pn="section-10-8">
       Upon receipt of the above BGP advertisements from PE2, PE3 recognizes the context ID 198.51.100.1 in the NEXT_HOP attribute, attribute and installs a route for label 9000 and a route for label 9001 in the label table pe2.mpls. PE3 sets the nexthop next hop of the route 9000 to the IPv4 protection VRF, VRF and the nexthop next hop of the route 9001 to the IPv6 protection VRF. The IPv4 protection VRF contains the routes to the IPv4 prefixes in site 2. The IPv6 protection VRF contains the routes to the IPv6 prefixes in site 2. The nexthops next hops of these routes must be based on PE3's connectivity with site 2, even if the connectivity may not have the best metrics (e.g., MED, Multi-Exit Discriminator (MED), local preference, etc.) to be used in PE3's own VRF. The nexthops next hops must not use any path traversing PE2. Note that the protection VRFs are a logical concept, and they may simply be PE3's own VRFs if they satisfies satisfy the requirement.
      </t>
      <section title = "Egress node protection">
       <t> numbered="true" toc="include" removeInRFC="false" pn="section-10.1">
        <name slugifiedName="name-egress-node-protection-2">Egress Node Protection</name>
        <t pn="section-10.1-1">
	 R1, i.e., the penultimate-hop penultimate hop router of the egress-protected tunnel, serves as the PLR for egress node protection. Based on the "node protection desired" flag and the destination address (i.e., context ID 198.51.100.1) of the tunnel, R1 computes a bypass path to 198.51.100.1 while avoiding PE2. The resultant bypass path is R1->R2->PE3. R1-&gt;R2-&gt;PE3. R1 then signals the path (i.e., egress-protection bypass tunnel), with 198.51.100.1 as the destination.
        </t>

       <t>
        <t pn="section-10.1-2">
	 Upon receipt of an RSVP Path message of the egress-protection bypass tunnel, PE3 recognizes the context ID 198.51.100.1 as the destination, destination and responds with the context label 100 in an RSVP Resv message.
        </t>

       <t>
        <t pn="section-10.1-3">
	 After the egress-protection bypass tunnel comes up, R1 installs a bypass nexthop next hop for the egress-protected tunnel. The bypass nexthop next hop is a label swap from the incoming label of the egress-protected tunnel to the outgoing label of the egress-protection bypass tunnel.
        </t>

       <t>
        <t pn="section-10.1-4">
	 When R1 detects a failure of PE2, it will invoke the above bypass nexthop next hop to reroute VPN packets. Each IPv4 VPN packet will have the label of the bypass tunnel as outer label, and the IPv4 VPN label 9000 as inner label. Each IPv6 VPN packets packet will have the label of the bypass tunnel as the outer label, label and the IPv6 VPN label 9001 as the inner label. When the packets arrive at PE3, they will have the context label 100 as the outer label, label and the VPN label 9000 or 9001 as the inner label. The context label will first be popped, and then the VPN label will be looked up in the label table pe2.mpls. The lookup will cause the VPN label to be popped, popped and the IPv4 and IPv6 packets to be forwarded to site 2 based on the IPv4 and IPv6 protection VRFs, respectively.
        </t>
      </section>
      <section title = "Egress link protection">
       <t> numbered="true" toc="include" removeInRFC="false" pn="section-10.2">
        <name slugifiedName="name-egress-link-protection-2">Egress Link Protection</name>
        <t pn="section-10.2-1">
	 PE2 serves as the PLR for egress link protection. It has already learned PE3's IPv4 VPN label 10000 and IPv6 VPN label 10001. Hence Hence, it uses the approach (2) as described in <xref target="link-protection" /> format="default" sectionFormat="of" derivedContent="Section 6"/> to set up the bypass forwarding state. It signals an egress-protection bypass tunnel to PE3, by using the path PE2->R3->PE3, PE2-&gt;R3-&gt;PE3, and PE3's IP address as the destination. After the bypass tunnel comes up, PE2 installs a bypass nexthop next hop for the IPv4 VPN label 9000, 9000 and a bypass nexthop next hop for the IPv6 VPN label 9001. For label 9000, the bypass nexthop next hop is a label swap to label 10000, followed by a label push with the outgoing label of the bypass tunnel. For label 9001, the bypass nexthop next hop is a label swap to label 10001, followed by a label push with the outgoing label of the bypass tunnel.
        </t>

       <t>
        <t pn="section-10.2-2">
	 When PE2 detects a failure of the egress link, it will invoke the above bypass nexthop next hop to reroute VPN packets. Each IPv4 VPN packet will have the label of the bypass tunnel as the outer label, label and label 10000 as the inner label. Each IPv6 VPN packet will have the label of the bypass tunnel as the outer label, label and label 10001 as the inner label. When the packets arrive at PE3, the VPN label 10000 or 10001 will be popped, and the exposed IPv4 and IPv6 packets will be forwarded based on PE3's IPv4 and IPv6 VRFs, respectively.
        </t>
      </section>
      <section title = "Global repair">
       <t> numbered="true" toc="include" removeInRFC="false" pn="section-10.3">
        <name slugifiedName="name-global-repair-2">Global Repair</name>
        <t pn="section-10.3-1">
	 Eventually, global repair will take effect, as control plane control-plane protocols converge on the new topology. PE1 will choose PE3 as a new entrance to site 2. Before that happens, the VPN traffic has been protected by the above local repair.
        </t>
      </section>
      <section title = "Other modes numbered="true" toc="include" removeInRFC="false" pn="section-10.4">
        <name slugifiedName="name-other-modes-of-vpn-label-al">Other Modes of VPN label allocation">

       <t> Label Allocation</name>
        <t pn="section-10.4-1">
	 It is also possible that PE2 may use per-route or per-interface VPN label allocation mode. In either case, PE3 will have multiple VPN label routes in the pe2.mpls table, corresponding to the VPN labels advertised by PE2. PE3 forwards rerouted packets by popping a VPN label and performing an IP lookup in the corresponding protection VRF. PE3's forwarding behavior is consistent with the above case where PE2 uses per-VRF VPN label allocation mode. PE3 does not need to know PE2's VPN label allocation mode, mode or construct a specific nexthop next hop for each VPN label route in the pe2.mpls table.
        </t>
      </section>
    </section>
    <section anchor="IANA" title="IANA Considerations">
     <t> numbered="true" toc="include" removeInRFC="false" pn="section-11">
      <name slugifiedName="name-iana-considerations">IANA Considerations</name>
      <t pn="section-11-1">
      This document has no request for new IANA allocation. actions.
      </t>
    </section>
    <section anchor="Security" title="Security Considerations">
     <t> numbered="true" toc="include" removeInRFC="false" pn="section-12">
      <name slugifiedName="name-security-considerations">Security Considerations</name>
      <t pn="section-12-1">
       The framework in this document involves rerouting traffic around an egress node or link failure, via a bypass path from a PLR to a protector, and ultimately to a backup egress router. The forwarding performed by the routers in the data plane is anticipated, as part of the planning of egress protection.
      </t>

     <t>
       Control plane
      <t pn="section-12-2">
       Control-plane protocols MAY <bcp14>MAY</bcp14> be used to facilitate the provisioning of the egress protection on the routers.  In particular, the framework requires a service label distribution protocol between an egress router and a protector over a secure session.  The security properties of this provisioning and label distribution depend entirely on the underlying protocol chosen to implement these activities . activities. Their associated security considerations apply. This framework introduces no new security requirements or guarantees relative to these activities.
      </t>

     <t>
      <t pn="section-12-3">
       Also, the PLR, protector, and backup egress router are located close to the protected egress router, and which is normally in the same administrative domain.  If they are not in the same administrative domain, a certain level of trust MUST <bcp14>MUST</bcp14> be established between them in order for the protocols to run securely across the domain boundary.  The basis of this trust is the security model of the protocols (as described above), and further security considerations for inter-domain scenarios should be addressed by the protocols as a common requirement.
      </t>

     <t>
      <t pn="section-12-4">
       Security attacks may sometimes come from a customer domain. Such kind of attacks are not introduced by the framework in this document, document and may occur regardless of the existence of egress protection. In one possible case, the egress link between an egress router and a CE could become a point of attack.  An attacker that gains control of the CE might use it to simulate link failures and trigger constant and cascading activities in the network. If egress link protection is in place, egress link protection activities may also be triggered. As a general solution to defeat the attack, a damping mechanism SHOULD <bcp14>SHOULD</bcp14> be used by the egress router to promptly
   suppress the services associated with the link or CE.  The egress router would stop advertising the services, essentially detaching them from the network and eliminating the effect of the simulated link failures.
      </t>

     <t>
      <t pn="section-12-5">
       From the above perspectives, this framework does not introduce any new security threat to networks.
      </t>
    </section>

   <section anchor="ack" title="Acknowledgements">
     <t>
  </middle>
  <back>
    <displayreference target="I-D.ietf-rtgwg-bgp-pic" to="BGP-PIC"/>
    <references pn="section-13">
      <name slugifiedName="name-references">References</name>
      <references pn="section-13.1">
        <name slugifiedName="name-normative-references">Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author initials="S." surname="Bradner" fullname="S. Bradner">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="1997" month="March"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document leverages work done by Yakov Rekhter, Kevin Wang and Zhaohui Zhang on MPLS egress protection. Thanks to Alexander Vainshtein, Rolf Winter, Lizhong Jin, Krzysztof Szarkowicz, Roman Danyliw, and Yuanlong Jiang for their valuable comments that helped to shape this defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and improve its clarity.
     </t>
   </section>

 </middle>

 <back>

   <references title="Normative References">

     &RFC2119;
     &RFC8174;
     &RFC8402;

<!-- requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="SR-ISIS"> value="draft-ietf-isis-segment-routing-extensions"; companion document anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC YYYY --> 2119 Key Words</title>
            <author initials="B." surname="Leiba" fullname="B. Leiba">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2017" month="May"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor='RFCYYYY'> anchor="RFC8402" target="https://www.rfc-editor.org/info/rfc8402" quoteTitle="true" derivedAnchor="RFC8402">
          <front>
<title>IS-IS Extensions for Segment Routing</title>
            <title>Segment Routing Architecture</title>
            <author initials='S' surname='Previdi' fullname='Stefano Previdi'> initials="C." surname="Filsfils" fullname="C. Filsfils" role="editor">
              <organization /> showOnFrontPage="true"/>
            </author>
            <author initials='L' surname='Ginsberg' fullname='Les Ginsberg'> initials="S." surname="Previdi" fullname="S. Previdi" role="editor">
              <organization /> showOnFrontPage="true"/>
            </author>
            <author initials='C' surname='Filsfils' fullname='Clarence Filsfils'> initials="L." surname="Ginsberg" fullname="L. Ginsberg">
              <organization /> showOnFrontPage="true"/>
            </author>
            <author initials='A' surname='Bashandy' fullname='Ahmed Bashandy'> initials="B." surname="Decraene" fullname="B. Decraene">
              <organization /> showOnFrontPage="true"/>
            </author>
            <author initials='H' surname='Gredler' fullname='Hannes Gredler'> initials="S." surname="Litkowski" fullname="S. Litkowski">
              <organization /> showOnFrontPage="true"/>
            </author>
            <author initials='B' surname='Decraene' fullname='Bruno Decraene'> initials="R." surname="Shakir" fullname="R. Shakir">
              <organization /> showOnFrontPage="true"/>
            </author>
            <date month='May' day='19' year='2019' />

<abstract><t>Segment year="2018" month="July"/>
            <abstract>
              <t>Segment Routing (SR) allows for leverages the source routing paradigm.  A node steers a flexible definition of end-to-end paths within IGP topologies by encoding paths as sequences packet through an ordered list of topological sub-paths, instructions, called "segments".  These segments are advertised by the link-state routing protocols (IS-IS and OSPF).  This draft describes the necessary IS-IS extensions  A segment can represent any instruction, topological or service based.  A segment can have a semantic local to an SR node or global within an SR domain.  SR provides a mechanism that need allows a flow to be introduced for Segment Routing operating on an MPLS data-plane.</t></abstract>

</front>

<seriesInfo name="RFC" value="YYYY"/>
<seriesInfo name="DOI" value="10.17487/RFCYYYY"/>

</reference>

   </references>

   <references title="Informative References">
     &RFC4090;
     &RFC5286;
     &RFC7490;
     &RFC7812;
     &RFC8104;
     &RFC8400;

<!-- <reference anchor="BGP-PIC"> value="draft-ietf-rtgwg-bgp-pic-09.txt"; I-D Exists -->

<reference anchor='BGP-PIC'>
<front>
<title>BGP Prefix Independent Convergence</title>

<author initials='A' surname='Bashandy' fullname='Ahmed Bashandy'>
    <organization />
</author>

<author initials='C' surname='Filsfils' fullname='Clarence Filsfils'>
    <organization />
</author>

<author initials='P' surname='Mohapatra' fullname='Prodosh Mohapatra'>
    <organization />
</author>

<date month='April' day='1' year='2019' />

<abstract><t>In restricted to a specific topological path, while maintaining per-flow state only at the network comprising thousands of iBGP peers exchanging millions of routes, many routes are reachable via more than one next-hop. Given ingress node(s) to the large scaling targets, it is desirable SR domain.</t>
              <t>SR can be directly applied to the MPLS architecture with no change to the forwarding plane.  A segment is encoded as an MPLS label.  An ordered list of segments is encoded as a stack of labels.  The segment to process is on the top of the stack.  Upon completion of a segment, the related label is popped from the stack.</t>
              <t>SR can be applied to the IPv6 architecture, with a new type of routing header.  A segment is encoded as an IPv6 address.  An ordered list of segments is encoded as an ordered list of IPv6 addresses in the routing header.  The active segment is indicated by the Destination Address (DA) of the packet.  The next active segment is indicated by a pointer in the new routing header.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8402"/>
          <seriesInfo name="DOI" value="10.17487/RFC8402"/>
        </reference>
        <reference anchor="RFC8667" target="https://www.rfc-editor.org/info/rfc8667" quoteTitle="true" derivedAnchor="RFC8667">
          <front>
            <title>IS-IS Extensions for Segment Routing</title>
            <seriesInfo name="RFC" value="8667"/>
            <seriesInfo name="DOI" value="10.17487/RFC8667"/>
            <author initials="S" surname="Previdi" fullname="Stefano Previdi">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="L" surname="Ginsberg" fullname="Les Ginsberg">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="C" surname="Filsfils" fullname="Clarence Filsfils">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="A" surname="Bashandy" fullname="Ahmed Bashandy">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="H" surname="Gredler" fullname="Hannes Gredler">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="B" surname="Decraene" fullname="Bruno Decraene">
              <organization showOnFrontPage="true"/>
            </author>
            <date month="December" year="2019"/>
            <abstract>
              <t>Segment Routing (SR) allows for a flexible definition of end-to-end paths within IGP topologies by encoding paths as sequences of topological sub-paths, called "segments".  These segments are advertised by the link-state routing protocols (IS-IS and OSPF).  This draft describes the necessary IS-IS extensions that need to be introduced for Segment Routing operating on an MPLS data-plane.</t>
            </abstract>
          </front>
        </reference>
      </references>
      <references pn="section-13.2">
        <name slugifiedName="name-informative-references">Informative References</name>
        <reference anchor="I-D.ietf-rtgwg-bgp-pic" quoteTitle="true" target="https://tools.ietf.org/html/draft-ietf-rtgwg-bgp-pic-10" derivedAnchor="BGP-PIC">
          <front>
            <title>BGP Prefix Independent Convergence</title>
            <author initials="A" surname="Bashandy" fullname="Ahmed Bashandy">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="C" surname="Filsfils" fullname="Clarence Filsfils">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="P" surname="Mohapatra" fullname="Prodosh Mohapatra">
              <organization showOnFrontPage="true"/>
            </author>
            <date month="October" day="2" year="2019"/>
            <abstract>
              <t>In the network comprising thousands of iBGP peers exchanging millions of routes, many routes are reachable via more than one next-hop. Given the large scaling targets, it is desirable to restore traffic after failure in a time period that does not depend on the number of BGP prefixes. In this document we proposed an architecture by which traffic can be re-routed to ECMP or pre-calculated backup paths in a timeframe that does not depend on the number of BGP prefixes. The objective is achieved through organizing the forwarding data structures in a hierarchical manner and sharing forwarding elements among the maximum possible number of routes. The proposed technique achieves prefix independent convergence while ensuring incremental deployment, complete automation, and zero management and provisioning effort. It is noteworthy to mention that the benefits of BGP-PIC are hinged on the existence of more than one path whether as ECMP or primary-backup.</t></abstract> primary-backup.</t>
            </abstract>
          </front>
          <seriesInfo name='Work name="Internet-Draft" value="draft-ietf-rtgwg-bgp-pic-10"/>
          <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-ietf-rtgwg-bgp-pic-10.txt"/>
          <refcontent>Work in Progress,' value='draft-ietf-rtgwg-bgp-pic-09' /> Progress</refcontent>
        </reference>

   </references>
        <reference anchor="RFC4090" target="https://www.rfc-editor.org/info/rfc4090" quoteTitle="true" derivedAnchor="RFC4090">
          <front>
            <title>Fast Reroute Extensions to RSVP-TE for LSP Tunnels</title>
            <author initials="P." surname="Pan" fullname="P. Pan" role="editor">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="G." surname="Swallow" fullname="G. Swallow" role="editor">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="A." surname="Atlas" fullname="A. Atlas" role="editor">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2005" month="May"/>
            <abstract>
              <t>This document defines RSVP-TE extensions to establish backup label-switched path (LSP) tunnels for local repair of LSP tunnels.  These mechanisms enable the re-direction of traffic onto backup LSP tunnels in 10s of milliseconds, in the event of a failure.</t>
              <t>Two methods are defined here.  The one-to-one backup method creates detour LSPs for each protected LSP at each potential point of local repair.  The facility backup method creates a bypass tunnel to protect a potential failure point; by taking advantage of MPLS label stacking, this bypass tunnel can protect a set of LSPs that have similar backup constraints.  Both methods can be used to protect links and nodes during network failure.  The described behavior and extensions to RSVP allow nodes to implement either method or both and to interoperate in a mixed network.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4090"/>
          <seriesInfo name="DOI" value="10.17487/RFC4090"/>
        </reference>
        <reference anchor="RFC5286" target="https://www.rfc-editor.org/info/rfc5286" quoteTitle="true" derivedAnchor="RFC5286">
          <front>
            <title>Basic Specification for IP Fast Reroute: Loop-Free Alternates</title>
            <author initials="A." surname="Atlas" fullname="A. Atlas" role="editor">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="A." surname="Zinin" fullname="A. Zinin" role="editor">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2008" month="September"/>
            <abstract>
              <t>This document describes the use of loop-free alternates to provide local protection for unicast traffic in pure IP and MPLS/LDP networks in the event of a single failure, whether link, node, or shared risk link group (SRLG).  The goal of this technology is to reduce the packet loss that happens while routers converge after a topology change due to a failure.  Rapid failure repair is achieved through use of precalculated backup next-hops that are loop-free and safe to use until the distributed network convergence process completes. This simple approach does not require any support from other routers. The extent to which this goal can be met by this specification is dependent on the topology of the network.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5286"/>
          <seriesInfo name="DOI" value="10.17487/RFC5286"/>
        </reference>
        <reference anchor="RFC7490" target="https://www.rfc-editor.org/info/rfc7490" quoteTitle="true" derivedAnchor="RFC7490">
          <front>
            <title>Remote Loop-Free Alternate (LFA) Fast Reroute (FRR)</title>
            <author initials="S." surname="Bryant" fullname="S. Bryant">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="C." surname="Filsfils" fullname="C. Filsfils">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="S." surname="Previdi" fullname="S. Previdi">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="M." surname="Shand" fullname="M. Shand">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="N." surname="So" fullname="N. So">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2015" month="April"/>
            <abstract>
              <t>This document describes an extension to the basic IP fast reroute mechanism, described in RFC 5286, that provides additional backup connectivity for point-to-point link failures when none can be provided by the basic mechanisms.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7490"/>
          <seriesInfo name="DOI" value="10.17487/RFC7490"/>
        </reference>
        <reference anchor="RFC7812" target="https://www.rfc-editor.org/info/rfc7812" quoteTitle="true" derivedAnchor="RFC7812">
          <front>
            <title>An Architecture for IP/LDP Fast Reroute Using Maximally Redundant Trees (MRT-FRR)</title>
            <author initials="A." surname="Atlas" fullname="A. Atlas">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="C." surname="Bowers" fullname="C. Bowers">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="G." surname="Enyedi" fullname="G. Enyedi">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2016" month="June"/>
            <abstract>
              <t>This document defines the architecture for IP and LDP Fast Reroute using Maximally Redundant Trees (MRT-FRR).  MRT-FRR is a technology that gives link-protection and node-protection with 100% coverage in any network topology that is still connected after the failure.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7812"/>
          <seriesInfo name="DOI" value="10.17487/RFC7812"/>
        </reference>
        <reference anchor="RFC8104" target="https://www.rfc-editor.org/info/rfc8104" quoteTitle="true" derivedAnchor="RFC8104">
          <front>
            <title>Pseudowire (PW) Endpoint Fast Failure Protection</title>
            <author initials="Y." surname="Shen" fullname="Y. Shen">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="R." surname="Aggarwal" fullname="R. Aggarwal">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="W." surname="Henderickx" fullname="W. Henderickx">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="Y." surname="Jiang" fullname="Y. Jiang">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2017" month="March"/>
            <abstract>
              <t>This document specifies a fast mechanism for protecting pseudowires (PWs) transported by IP/MPLS tunnels against egress endpoint failures, including egress attachment circuit (AC) failure, egress provider edge (PE) failure, multi-segment PW terminating PE failure, and multi-segment PW switching PE failure.  Operating on the basis of multihomed customer edge (CE), redundant PWs, upstream label assignment, and context-specific label switching, the mechanism enables local repair to be performed by the router upstream adjacent to a failure.  The router can restore a PW in the order of tens of milliseconds, by rerouting traffic around the failure to a protector through a pre-established bypass tunnel.  Therefore, the mechanism can be used to reduce traffic loss before global repair reacts to the failure and the network converges on the topology changes due to the failure.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8104"/>
          <seriesInfo name="DOI" value="10.17487/RFC8104"/>
        </reference>
        <reference anchor="RFC8400" target="https://www.rfc-editor.org/info/rfc8400" quoteTitle="true" derivedAnchor="RFC8400">
          <front>
            <title>Extensions to RSVP-TE for Label Switched Path (LSP) Egress Protection</title>
            <author initials="H." surname="Chen" fullname="H. Chen">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="A." surname="Liu" fullname="A. Liu">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="T." surname="Saad" fullname="T. Saad">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="F." surname="Xu" fullname="F. Xu">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="L." surname="Huang" fullname="L. Huang">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2018" month="June"/>
            <abstract>
              <t>This document describes extensions to Resource Reservation Protocol - Traffic Engineering (RSVP-TE) for locally protecting the egress node(s) of a Point-to-Point (P2P) or Point-to-Multipoint (P2MP) Traffic Engineered (TE) Label Switched Path (LSP).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8400"/>
          <seriesInfo name="DOI" value="10.17487/RFC8400"/>
        </reference>
      </references>
    </references>
    <section anchor="ack" numbered="false" toc="include" removeInRFC="false" pn="section-appendix.a">
      <name slugifiedName="name-acknowledgements">Acknowledgements</name>
      <t pn="section-appendix.a-1">
       This document leverages work done by Yakov Rekhter, Kevin Wang, and Zhaohui Zhang on MPLS egress protection. Thanks to Alexander Vainshtein, Rolf Winter, Lizhong Jin, Krzysztof Szarkowicz, Roman Danyliw, and Yuanlong Jiang for their valuable comments that helped to shape this document and improve its clarity.
      </t>
    </section>
    <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.b">
      <name slugifiedName="name-authors-addresses">Authors' Addresses</name>
      <author fullname="Yimin Shen" surname="Shen" initials="Y">
        <organization showOnFrontPage="true">Juniper Networks</organization>
        <address>
          <postal>
            <street>10 Technology Park Drive</street>
            <city>Westford</city>
            <region>MA</region>
            <code>01886</code>
            <country>United States of America</country>
          </postal>
          <phone>+1 978 589 0722</phone>
          <email>yshen@juniper.net</email>
        </address>
      </author>
      <author fullname="Minto Jeyananth" surname="Jeyananth" initials="M">
        <organization showOnFrontPage="true">Juniper Networks</organization>
        <address>
          <postal>
            <street>1133 Innovation Way</street>
            <city>Sunnyvale</city>
            <region>CA</region>
            <code>94089</code>
            <country>United States of America</country>
          </postal>
          <phone>+1 408 936 7563</phone>
          <email>minto@juniper.net</email>
        </address>
      </author>
      <author fullname="Bruno Decraene" surname="Decraene" initials="B">
        <organization showOnFrontPage="true">Orange</organization>
        <address>
          <email>bruno.decraene@orange.com</email>
        </address>
      </author>
      <author fullname="Hannes Gredler" surname="Gredler" initials="H">
        <organization showOnFrontPage="true">RtBrick Inc.</organization>
        <address>
          <email>hannes@rtbrick.com</email>
        </address>
      </author>
      <author fullname="Carsten Michel" surname="Michel" initials="C">
        <organization showOnFrontPage="true">Deutsche Telekom</organization>
        <address>
          <email>c.michel@telekom.de</email>
        </address>
      </author>
      <author fullname="Huaimo Chen" surname="Chen" initials="H">
        <organization showOnFrontPage="true">Futurewei</organization>
        <address>
          <postal>
            <street/>
            <city>Boston</city>
            <region>MA</region>
            <code/>
            <country>United States of America</country>
          </postal>
          <email>Huaimo.chen@futurewei.com</email>
        </address>
      </author>
    </section>
  </back>
</rfc>