<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd" [ ]> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <?rfc toc="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc iprnotified="no"?> <?rfc strict="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" consensus="true" docName="draft-ietf-detnet-ip-07" number="8939" ipr="trust200902"submissionType="IETF">obsoletes="" updates="" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 2.46.0 --> <front> <title abbrev="DetNetIP"> DetNetData Plane: IP">Deterministic Networking (DetNet) Data Plane: IP</title> <seriesInfo name="RFC" value="8939"/> <author role="editor"fullname="Balázsfullname="Balázs Varga" initials="B." surname="Varga"> <organization>Ericsson</organization> <address> <postal> <street>Magyar Tudosok krt. 11.</street> <city>Budapest</city> <country>Hungary</country> <code>1117</code> </postal> <email>balazs.a.varga@ericsson.com</email> </address> </author> <authorfullname="Jánosfullname="János Farkas" initials="J." surname="Farkas"> <organization>Ericsson</organization> <address> <postal> <street>Magyar Tudosok krt. 11.</street> <city>Budapest</city> <country>Hungary</country> <code>1117</code> </postal> <email>janos.farkas@ericsson.com</email> </address> </author> <author fullname="Lou Berger" initials="L." surname="Berger"> <organization>LabN Consulting, L.L.C.</organization> <address> <email>lberger@labn.net</email> </address> </author> <author fullname="Don Fedyk" initials="D." surname="Fedyk"> <organization>LabN Consulting, L.L.C.</organization> <address> <email>dfedyk@labn.net</email> </address> </author> <author fullname="Stewart Bryant" initials="S." surname="Bryant"> <organization>Futurewei Technologies</organization> <address><email>stewart.bryant@gmail.com</email><email>sb@stewartbryant.com</email> </address> </author><!--author fullname="Donald Fauntleroy Duck" initials="D. F." surname="Duck"> <organization abbrev="Royal Bros.">Royal Bros.</organization> <address> <postal> <street>13 Paradise Road</street> <city>Duckburg</city> <region>Calisota</region> <country>USA</country> </postal> </address> </author--><date year="2020" month="November" /> <workgroup>DetNet</workgroup> <keyword>Application</keyword> <keyword>Endpoint</keyword> <keyword>Service Sub-layer</keyword> <keyword>Forwarding Sub-layer</keyword> <abstract> <t> This document specifies theDetNetDeterministic Networking (DetNet) data plane operation for IP hosts and routers that provide DetNet service toIP encapsulatedIP-encapsulated data. No DetNet-specific encapsulation is defined to support IP flows;insteadinstead, the existingIPIP-layer andhigher layerhigher-layer protocol header information is used to support flow identification and DetNet service delivery. This document builds on the DetNetArchitecturearchitecture (RFC 8655) andData Plane Framework.data plane framework (RFC 8938). </t> </abstract> </front><!-- *********************************************** IESG review comment resolutions in this version: DONE - Roni Even, (Gen-ART), (03-09), Ready with Nits - Sabrina Tanamal, IANA, (03-12), OK - David Black (03-12), Include ICMP - Tero Kivinen 03-12, Nits - Bob Briscoe, (03-15), Comments and Many nits To be discussed: - Security section - Deborah, (04-09), decrease authors to 5 !!! *********************************************** --><middle> <sectiontitle="Introduction" anchor="sec_intro">anchor="sec_intro" numbered="true" toc="default"> <name>Introduction</name> <t> Deterministic Networking (DetNet) is a service that can be offered by a network to DetNet flows. DetNet provides these flows with extremely low packet loss rates and assured maximum end-to-end delivery latency. General background and concepts of DetNet can be found in the DetNetArchitecturearchitecture <xreftarget="RFC8655"/>.target="RFC8655" format="default"/>. </t> <t> This document specifies the DetNet data plane operation for IP hosts and routers that provide DetNet service toIP encapsulatedIP-encapsulated data. No DetNet-specific encapsulation is defined to support IP flows;insteadinstead, the existingIPIP-layer andhigher layerhigher-layer protocol header information is used to support flow identification and DetNet service delivery. Common data plane procedures and control information for all DetNet data planes can be found in <xreftarget="I-D.ietf-detnet-data-plane-framework"/>.target="RFC8938" format="default"/>. </t> <t> The DetNetArchitecturearchitecture models theDetNet relatedDetNet-related data plane functions as two sub-layers: a service sub-layer and a forwarding sub-layer. The service sub-layer is used to provide DetNet service protection (e.g., bypacket replicationthe Packet Replication Function (PRF) andpacket elimination functions)Packet Elimination Function (PEF)) and reordering. The forwarding sub-layer is used to provide congestion protection (low loss, assured latency, and limited out-of-order delivery). The service sub-layer generally requires additional header fields to provide its service; forexampleexample, see <xreftarget="I-D.ietf-detnet-mpls"/>.target="DetNet-MPLS" format="default"/>. Since no DetNet-specific fields are added to support DetNet IP flows, only the forwarding sub-layer functions are supported using the DetNet IP defined by this document. Service protection can be provided on aper sub-netper-sub-network basis using technologies such as MPLS <xreftarget="I-D.ietf-detnet-dp-sol-mpls"/>target="DetNet-MPLS"/> andEthernetEthernet, as specifiedinby the IEEE 802.1 TSN (Time-Sensitive Networking) task group (referred to in this document simply asIEEE802.1 TSN)."IEEE 802.1 TSN"). See <xref target="IEEE802.1TSNTG"/>. </t> <t> This document provides an overview of the DetNet IP data plane in <xreftarget="sec_dt_dp"/>,target="sec_dt_dp" format="default"/> and considerations that apply to providing DetNet services via the DetNet IP data plane in <xreftarget="dn-gen-encap-solution"/>.target="dn-gen-encap-solution" format="default"/>. <xreftarget="ip-procs"/>target="ip-procs" format="default"/> provides the procedures for hosts and routers that support IP-based DetNet services. <xreftarget="ip-flow-id-info"/>target="ip-flow-id-info" format="default"/> summarizes the set of information that is needed to identify an individual DetNet flow. </t> </section> <sectiontitle="Terminology">numbered="true" toc="default"> <name>Terminology</name> <sectiontitle="Termsnumbered="true" toc="default"> <name>Terms UsedInin ThisDocument">Document</name> <t> This document uses the terminology and concepts established in the DetNet architecture <xreftarget="RFC8655"/>,target="RFC8655" format="default"/>, and it is assumed that the reader isassumed to befamiliar with that document and its terminology. </t> </section> <sectiontitle="Abbreviations">numbered="true" toc="default"> <name>Abbreviations</name> <t> The following abbreviations are used in this document:<!-- [JiK] Update later --> <list style="hanging" hangIndent="14"> <t hangText="CoS">Class of Service</t> <t hangText="DetNet">Deterministic Networking</t> <t hangText="DN">DetNet</t> <t hangText="DiffServ">Differentiated Services</t> <t hangText="DSCP">Differentiated</t> <dl newline="false" spacing="normal" indent="14"> <dt>CoS</dt> <dd>Class of Service</dd> <dt>DetNet</dt> <dd>Deterministic Networking</dd> <dt>DN</dt> <dd>DetNet</dd> <dt>Diffserv</dt> <dd>Differentiated Services</dd> <dt>DSCP</dt> <dd>Differentiated Services CodePoint</t> <t hangText="L2">Layer-2</t> <t hangText="L3">Layer-3</t> <t hangText="LSP">Label-switched path</t> <t hangText="MPLS">MultiprotocolPoint</dd> <dt>L2</dt> <dd>Layer 2</dd> <dt>L3</dt> <dd>Layer 3</dd> <dt>LSP</dt> <dd>Label Switched Path</dd> <dt>MPLS</dt> <dd>Multiprotocol LabelSwitching</t> <t hangText="PREOF">Packet Replication,Switching</dd> <dt>PEF</dt> <dd>Packet Elimination Function</dd> <dt>PREOF</dt> <dd>Packet Replication, Elimination, and OrderingFunction</t> <t hangText="QoS">Quality of Service</t> <t hangText="TSN">Time-Sensitive Networking,Functions</dd> <dt>PRF</dt> <dd>Packet Replication Function</dd> <dt>QoS</dt> <dd>Quality of Service</dd> <dt>TSN</dt> <dd>Time-Sensitive Networking. TSN is aTask Grouptask group of the IEEE 802.1 WorkingGroup.</t> </list> </t>Group.</dd> </dl> </section> <sectiontitle="Requirements Language">numbered="true" toc="default"> <name>Requirements Language</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> </section> <sectiontitle="DetNet IP Data Plane Overview" anchor="sec_dt_dp"> <!-- LB: this section should provide the overview related to: <section title="Simplified IP-Related DetNet Data Plane Solution" anchor="simple-ip-solution"> <t> This section is the placeholder for the conclusion discussed during IETF 101 and 102. </t> <t> [Editor's note: describe the 6 tuple wayanchor="sec_dt_dp" numbered="true" toc="default"> <name>Overview ofidentifying DetNet service flows. Also stress that PREOF is per network segment as described in <xref target="nwsegments"/> <list style="symbols"> <t>DetNet flows are recognized based on 6 tuple.</t> <t>No end-to-end DN Sequence Number present in the packet.</t> <t>Links/sub-networks may use their technology specific methods to achieve DN service.</t> <t>TE information does not travel withthepacket (e.g., nailed down path ensured via Policy-Based-Routing).</t> <t>etc.</t> </list> ] </t> <t> <xref target="simplifiedip"/> illustrated the case forDetNetsimplifiedIPdata plane solution. </t> </section> -->Data Plane</name> <t> This document describes how IP is used by DetNet nodes, i.e., hosts and routers, to identify DetNet flows and provide a DetNet service using an IP data plane. From a data plane perspective, an end-to-end IP model is followed. As mentioned above, existingIPIP-layer andhigher layerhigher-layer protocol header information is used to support flow identification and DetNet service delivery. Common data plane procedures and control information for all DetNet data planes can be found in <xreftarget="I-D.ietf-detnet-data-plane-framework"/>.target="RFC8938" format="default"/>. </t> <t> The DetNet IP data plane primarily uses6-tuple based6-tuple-based flow identification, where "6-tuple" refers to information carried inIPIP-layer andhigher layerhigher-layer protocol headers. The 6-tuple referred to in this document is the same as that defined in <xreftarget="RFC3290"/>. Specificallytarget="RFC3290" format="default"/>. Specifically, the 6-tuple is destination address, source address, IP protocol, source port, destination port, anddifferentiated services (DiffServ) code point (DSCP).DSCP. General background on the use of IPheaders,headers and5-tuples,5-tuples to identify flows and support Quality of Service (QoS) can be found in <xreftarget="RFC3670"/>.target="RFC3670" format="default"/>. <xreftarget="RFC7657"/>target="RFC7657" format="default"/> also provides useful background on the delivery ofDiffServDiffserv and"tuple" basedtuple-based flow identification. Note that a 6-tuple is composed of a 5-tuple plus the addition of a DSCP component. </t> <t> For some of theprotocolsprotocols, 5-tuples and 6-tuples cannot beusedused, because the port information is not available (e.g., ICMP,IPSec ESP).IPsec, and Encapsulating Security Payload (ESP)). This is also the case for flow aggregates. In such cases, using fewer fields is appropriate,e.g.,such as a 3-tuple (2 IP addresses, IP protocol) or even a 2-tuple (all IP traffic between two IP addresses). </t> <t> The DetNet IP data plane also allows for optional matching on the IPv6flow labelFlow Label field, as defined in <xreftarget="RFC8200"/>.target="RFC8200" format="default"/>. </t> <t> Non-DetNet and DetNet IP packets have the same protocol header format on the wire.GenerallyGenerally, the fields used in flow identification are forwarded unmodified. However, standard modification of the DSCP field <xreftarget="RFC2474"/>target="RFC2474" format="default"/> is not precluded. </t> <t> DetNet flow aggregation may be enabled via the use of wildcards, masks, lists,prefixesprefixes, and ranges. IP tunnels may also be used to support flow aggregation. In these cases, it is expected that DetNet-aware intermediate nodes will provide DetNet service on the aggregate through resource allocation and congestion control mechanisms. </t> <t> The specific procedures that are required to be implemented by a DetNet node supporting this document can be found in <xreftarget="ip-procs"/>.target="ip-procs" format="default"/>. The DetNetcontroller plane,Controller Plane, as defined in <xreftarget="RFC8655"/>,target="RFC8655" format="default"/>, is responsible for providing each node with the information needed to identify and handle each DetNet flow. </t> <figurealign="center" anchor="fig_ip_detnet_simple" title="Aanchor="fig_ip_detnet_simple"> <name>A SimpleDetNet (DN) EnabledDetNet-Enabled IPNetwork"> <artwork><![CDATA[Network</name> <artwork name="" type="" align="left" alt=""><![CDATA[ DetNet IP Relay Relay DetNet IP End System Node Node End System +----------+ +----------+ | Appl. |<------------End to EndEnd-to-End Service ----------->| Appl. | +----------+ ............ ........... +----------+ | Service |<-: Service :-- DetNet flow --: Service :->| Service | +----------+ +----------+ +----------+ +----------+ |Forwarding| |Forwarding| |Forwarding| |Forwarding| +--------.-+ +-.------.-+ +-.---.----+ +-------.--+ : Link : \ ,-----. / \ ,-----. / +......+ +----[SubSub- ]----+ +-[SubSub- ]-+ [Network] [Network] `-----' `-----' |<--------------------- DetNet IP --------------------->| ]]></artwork> </figure> <t> <xreftarget="fig_ip_detnet_simple"/>target="fig_ip_detnet_simple" format="default"/> illustrates aDetNet enabledDetNet-enabled IP network. TheDetNet enabledDetNet-enabled end systems originateIP encapsulatedIP-encapsulated traffic that is identified within the DetNet domain as DetNet flows based on IP header information. Relay nodes understand the forwarding requirements of the DetNet flow and ensure that node,interfaceinterface, and sub-network resources are allocated to ensure DetNet service requirements. The dotted line around the Service component of the Relay Nodes indicates that the transit routers are DetNet service aware but do not perform any DetNet service sub-layer function, e.g.,PREOF (Packet Replication, Elimination and Ordering Function).PREOF. </t> <aside> <t> Note: The sub-network can represent a TSN, MPLSnetworknetwork, or other network technology that can carry DetNet IP traffic. </t> </aside> <figurealign="center" anchor="fig_non_detnet_ip" title="Non-DetNet-awareanchor="fig_non_detnet_ip"> <name>Non-DetNet-Aware IPend systemsEnd Systems with DetNet IPDomain"> <artwork><![CDATA[Domain</name> <artwork name="" type="" align="left" alt=""><![CDATA[ IP Edge Edge IP End System Node Node End System +----------+ +.........+ +.........+ +----------+ | Appl. |<--:Svc Proxy:-- E2E Service---:Svc Proxy:-->| Appl. | +----------+ +.........+ +.........+ +----------+ | IP |<--:IP : :Svc:---- IP flow ----:Svc: :IP :-->| IP | +----------+ +---+ +---+ +---+ +---+ +----------+ |Forwarding| |Fwd| |Fwd| |Fwd| |Fwd| |Forwarding| +--------.-+ +-.-+ +-.-+ +-.-+ +-.-+ +---.------+ : Link : \ ,-----. / / ,-----. \ +.......+ +----[SubSub- ]----+ +--[SubSub- ]--+[Network] [Network][network] [network] `-----' `-----' |<--- IP --->| |<------ DetNet IP ------>| |<--- IP --->| ]]></artwork> </figure> <t> <xreftarget="fig_non_detnet_ip"/>target="fig_non_detnet_ip" format="default"/> illustrates a variant of <xreftarget="fig_ip_detnet_simple"/>target="fig_ip_detnet_simple" format="default"/> where the end systems are not DetNet aware. In this case, edge nodes sit at the boundary of the DetNet domain and provide DetNet service proxies for the end applications by initiating and terminating DetNet service for the application's IP flows. The existing header information or an approach such as described in <xreftarget="aggregation"/>target="aggregation" format="default"/> can be used to support DetNet flow identification. </t> <t> Note that Figures <xreftarget="fig_ip_detnet_simple"/>target="fig_ip_detnet_simple" format="counter"/> and <xreftarget="fig_non_detnet_ip"/>target="fig_non_detnet_ip" format="counter"/> can be collapsed, so IP DetNetEnd Systemsend systems can communicate over a DetNet IP network with IPEnd Systems.end systems. </t> <t> As non-DetNet and DetNet IP packets have the same protocol header format on the wire, from a data plane perspective, the only difference is that there is flow-associated DetNet information on each DetNet node that defines theflow relatedflow-related characteristics and required forwarding behavior. As shown above, edge nodes provide a Service Proxy function that "associates" one or more IP flows with the appropriate DetNet flow-specific information and ensures that the flow receives the proper traffic treatment within the domain. </t> <aside> <t> Note: The operation ofIEEE802.1IEEE 802.1 TSN end systems overDetNet enabledDetNet-enabled IP networks is not described in this document. TSN over MPLS is described in <xreftarget="I-D.ietf-detnet-tsn-vpn-over-mpls"/>.target="I-D.ietf-detnet-tsn-vpn-over-mpls" format="default"/>. </t> </aside> </section><!-- ================================================================= --> <!-- =================== General Encap considerations ================ --> <!-- ================================================================= --><sectiontitle="DetNetanchor="dn-gen-encap-solution" numbered="true" toc="default"> <name>DetNet IP Data PlaneConsiderations" anchor="dn-gen-encap-solution">Considerations</name> <t> This section provides considerations related to providing DetNet service to flowswhichthat are identified based on their header information. </t> <sectiontitle="End System Specific Considerations">numbered="true" toc="default"> <name>End-System-Specific Considerations</name> <t>Data-flowsData flows requiring DetNet service are generated and terminated on end systems. This document deals only with IP end systems. The protocols used by an IP end system are specific to an application, and end systems peer with other end systems. DetNet's use of 6-tuple IP flow identification means that DetNet must be aware of not only the format of the IP header, but also of the next protocol value carried within an IP packet (see <xreftarget="nxt-proto-field"/>).target="nxt-proto-field" format="default"/>). </t> <t> ForDetNet unawareDetNet-unaware IP endsystemssystems, service-level proxy functions are needed inside the DetNet domain. </t> <t> When IP end systems areDetNet-aware,DetNet aware, no application-level or service-level proxy functions are needed inside the DetNet domain. End systems need to ensure that DetNet service requirements are met when processing packets associated to a DetNet flow. When sending packets, this means that packets are appropriately shaped on transmission and receive appropriate traffic treatment on the connected sub-network; see Sections <xreftarget="QoS"/>target="QoS" format="counter"/> and <xreftarget="dn_dom_spec_cons"/>target="dn_dom_spec_cons" format="counter"/> for more details. When receiving packets, this means that there are appropriate local node resources, e.g., buffers, to receive and process the packets of that DetNet flow. </t> <t> An important additional consideration for DetNet-aware end systems is avoiding IP fragmentation. Full 6-tuple flow identification is not possible on IPfragmentsfragments, as fragments don't include the transport headers or their port information. As such, it is important that applications and/orend-systemsend systems use an IP packet size that will avoid fragmentation within the network when sending DetNet flows. The maximum size can be learned viapathPath MTUdiscovery,Discovery <xreftarget="RFC1192"/> andtarget="RFC1191" /> <xreftarget="RFC8201"/>,target="RFC8201" format="default"/> or via thecontroller plane.Controller Plane. Note thatpathPath MTUdiscoveryDiscovery relies on ICMP, which may not follow the same path as an individual DetNet flow. </t> <t> In order to maximize reuse of existing mechanisms, DetNet-aware applications and end systemsSHOULD NOT<bcp14>SHOULD NOT</bcp14> mix DetNet and non-DetNet traffic within a single 5-tuple. </t> </section> <sectiontitle="DetNetanchor="dn_dom_spec_cons" numbered="true" toc="default"> <name>DetNet Domain-SpecificConsiderations" anchor="dn_dom_spec_cons">Considerations</name> <t> As a general rule, DetNet IP domains need to be able to forward any DetNet flow identified by the IP 6-tuple. Doing otherwise would limit the number of 6-tuple flow ID combinations that could be used by the end systems. From a practicalstandpointstandpoint, this means that all nodes along the end-to-end path of DetNet flows need to agree on what fields are used for flow identification. Possible consequences of not having such an agreement include some flows interfering with other flows, and the traffic treatment expected for a service not being provided. </t> <t> From aconnection type perspectiveconnection-type perspective, two scenarios are identified:<list style="numbers"> <t></t> <ol spacing="normal" type="1"> <li> DN attached: the end system is directly connected to an edgenode,node or the end system is behind asub-networksub-network. (See ES1 and ES2 infigure below) </t> <t><xref target="fig_es_con_types"/>.) </li> <li> DN integrated: the end system is part of the DetNet domain. (See ES3 infigure below) </t> </list> </t><xref target="fig_es_con_types"/>.) </li> </ol> <t> L3 (IP) end systems may use any of these connection types. A DetNet domain allows communication between any end systems using the same encapsulation format, independent of their connection type and DetNet capability.DN attachedDN-attached end systems have no knowledge about the DetNet domain and its encapsulation format. See <xreftarget="fig_es_con_types"/>target="fig_es_con_types" format="default"/> for L3 end system connection examples. </t> <figuretitle="Connection typesanchor="fig_es_con_types"> <name>Connection Types of L3end systems" anchor="fig_es_con_types">End Systems</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ ____+----+ +----+ _____ / | ES3| | ES1|____ / \__/ +----+___ +----+ \ / \ + | ____ \ _/ +----+ __/ \ +__ DetNet IP domain / | ES2|____/ L2/L3 |___/ \ __ __/ +----+ \_______/ \_______/ \___/]]> </artwork></figure>]]></artwork> </figure> <t> Within a DetNet domain, the DetNet-enabled IPRoutersrouters are interconnected by links and sub-networks to support end-to-end delivery of DetNet flows. From a DetNet architecture perspective, these routers are DetNet relays, as they must be DetNet service aware. Such routers identify DetNet flows based on the IP6-tuple,6-tuple and ensure that theDetNet service requiredtraffic treatment required by the DetNet service is providedbothon both the node andonany attached sub-network. </t> <t> This solution provides DetNet functionsend-to-end,end to end, but it does so on aper linkper-link andsub-networkper-sub-network basis. Congestionprotection andprotection, latencycontrolcontrol, andtheresource allocation (queuing, policing, shaping) are supported using the underlyinglink/sub-network specificlink/sub-network-specific mechanisms. However, service protection(packet replication(PRF andpacket elimination functions)PEF) is not provided end to end at the DetNetlayer end-to-end. Insteadlayer. Instead, service protection can be provided on aper underlyingper-link (underlying L2linklink) andsub-networkper-sub-network basis. </t><!-- ================================================================= <figure title="Encapsulation of DetNet Routing in simplified IP service L3 end systems" anchor="fig_simple_iprouting"> <artwork align="center"><![CDATA[ +- - - - - -+ +- - - - - -+ | X | | X | +======+ +- - - - - -+ End system | IP | | IP | - - - - -+- - - - - -+- - - - - - -+======+- - - - -+======+- - DetNet |L2/SbN| |L2/SbN| +- - - - - -+ +- - - - - -+ ]]> </artwork></figure> --><t> The DetNetService Flowservice flow is mapped to thelink/sub-network specificlink/sub-network-specific resources using an underlying system-specific means. This implies that each DetNet-aware node on the path looks into the forwarded DetNetService Flowservice flow packet andutilize e.g.,utilizes, for example, a 6-tuple to find out the required mapping within a node. </t> <t> As noted earlier, service protection must be implemented within each link/sub-network independently, using thedomain specificdomain-specific mechanisms. This is due to the lack of unified end-to-end sequencing information that could be used by the intermediate nodes. Therefore, service protection (if enabled) cannot be providedend-to-end,end to end, only within sub-networks. This is shown for athree sub-networkscenario with three sub-networks in <xreftarget="fig_pref_in_subnets"/>,target="fig_pref_in_subnets" format="default"/>, where each sub-network can provide service protection between its borders. "R" and "E" denote replication and elimination points within the sub-network. </t> <figuretitle="Replicationanchor="fig_pref_in_subnets"> <name>Replication andeliminationElimination insub-networksSub-networks for DetNet IPnetworks" anchor="fig_pref_in_subnets">Networks</name> <artworkalign="center"> <![CDATA[align="center" name="" type="" alt=""><![CDATA[ <--------------------DenNetDetNet IP ------------------------> ______ ____ / \__ ____ / \__/ \___ ______ +----+ __/ +====+ +==+ \ +----+ |src |__/SubN1Sub-N1 ) | | \SubN3 \____|Sub-N3\____| dst| +----+ \_______/ \Sub-Network2Sub-network 2 | \______/ +----+ \_ _/ \ __ __/ \_______/ \___/ +---+ +---------E--------+ +-----+ +----+ | | | | | | | +----+ |src |----R E--------R +---+ E------R E------+ dst| +----+ | | | | | | | +----+ +---+ +-----R------------+ +-----+]]> </artwork></figure>]]></artwork> </figure> <t> If end-to-end service protection is desired, it can beimplemented,implemented -- for example, by the DetNet end systems usingLayer-4Layer 4 (L4) transport protocols or application protocols. However, these protocols are out of the scope of this document. </t> <t> Note that not mixing DetNet and non-DetNet traffic within a single 5-tuple, as described above, enables simpler 5-tuple filters to be used (orre-used)reused) at the edges of a DetNet network to prevent non-congestion-responsive DetNet traffic from escaping the DetNet domain. </t> </section> <sectiontitle="Forwardingnumbered="true" toc="default"> <name>Forwarding Sub-LayerConsiderations">Considerations</name> <sectiontitle="Classnumbered="true" toc="default"> <name>Class ofService">Service</name> <t> Class of Service (CoS) for DetNet flows carried in IPv4 and IPv6 is provided using the standarddifferentiated services (DSCP)DSCP field <xreftarget="RFC2474"/>target="RFC2474" format="default"/> and related mechanisms. </t> <t> One additional consideration for DetNet nodeswhichthat support CoS services is that they must ensure that the CoS service classes do not impact the congestion protection and latency control mechanisms used to provide DetNet QoS. This requirement is similar to the requirement for MPLSLSRsLabel Switching Routers (LSRs) that CoS LSPs cannot impact the resources allocated to TE LSPs <xreftarget="RFC3473"/>.target="RFC3473" format="default"/>. </t> </section> <sectiontitle="Qualityanchor="QoS" numbered="true" toc="default"> <name>Quality ofService" anchor="QoS">Service</name> <t> Quality of Service (QoS) for DetNet service flows carried in IP must be provided locally by the DetNet-aware hosts and routers supporting DetNet flows. Such support leverages the underlying network layer such as 802.1 TSN. The node-internal traffic control mechanisms used to deliver QoS forIP encapsulatedIP-encapsulated DetNet flows are outside the scope of this document. From an encapsulation perspective, the combination of the 6-tuple (the typical 5-tuple enhanced with the DSCP) and optionally the flow label uniquely identifies a DetNet IP flow. </t> <t> Packets that are identified as part of a DetNet IP flow but that have not been the subject of a completed reservation can disrupt the QoS offered to properly reserved DetNet flows by using resources allocated to the reserved flows. Therefore, the network nodes of a DetNet networkMUST<bcp14>MUST</bcp14> ensure that noDetNet allocated resources,DetNet-allocated resource, e.g., queue or shaper, is used by such flows. There are multiple methods that may be used by an implementation to defend service delivery to reserved DetNet flows, including but not limited to:<list style="symbols"> <t></t> <ul spacing="normal"> <li> Treating packets associated with an incomplete reservation as non-DetNet traffic.</t> <t></li> <li> Discarding packets associated with an incomplete reservation.</t> <t></li> <li> Re-marking packets associated with an incomplete reservation. Re-marking can be accomplished by changing the value of the DSCP field to a value that results in the packet no longer matching any other reserved DetNet IP flow.</t> </list> </t></li> </ul> </section> <sectiontitle="Path Selection" anchor="path">anchor="path" numbered="true" toc="default"> <name>Path Selection</name> <t> While path selection algorithms and mechanisms are out of the scope of the DetNet data plane definition, it is important to highlight the implications of DetNet IP flow identification on path selection and next hops. As mentioned above, the DetNet IP data plane identifies flows using"6-tuple"6-tuple header information as well as the optional (flow label) header field. DetNet generally allows for both flow-specific traffic treatment and flow-specificnext-hops.next hops. </t> <t> In non-DetNet IP forwarding, it is generally assumed that the same series of next hops, i.e., the same path, will be used for a particular 5-tuple or, in somecases, e.g.,cases (e.g., <xreftarget="RFC5120"/>,target="RFC5120" format="default"/>), for a particular 6-tuple. Using different next hops for different 5-tuples does not take any special consideration for DetNet-aware applications. </t> <t> Care should be taken when using different next hops for the same 5-tuple. As discussed in <xreftarget="RFC7657"/>,target="RFC7657" format="default"/>, unexpected behavior can occur when a single 5-tuple application flow experiences reordering due to being split across multiple next hops. Understanding of the application and transport protocol impact of using different next hops for the same 5-tuple is required. Again, this only indirectly impacts path selection for DetNet flows and thisdocument only indirectly.document. </t> </section> </section> <sectiontitle="DetNetanchor="aggregation" numbered="true" toc="default"> <name>DetNet FlowAggregation" anchor="aggregation">Aggregation</name> <t> As described in <xreftarget="I-D.ietf-detnet-data-plane-framework"/>,target="RFC8938" format="default"/>, the ability to aggregate individualflows,flows and their associated resourcecontrol,control into a larger aggregate is an important technique for improving scaling by reducing the state per hop. DetNet IP data plane aggregation can take place within a single node, when that node maintains state about both the aggregated and individual flows. It can also take place between nodes,wherewhen one node maintains state about only flow aggregates while the other node maintains state on all or a portion of the component flows. In either case, the management or control function that provisions the aggregate flows must ensure that adequate resources are allocated and configured to provide the combined service requirements of the individual flows. As DetNet is concerned about latency and jitter, more than just bandwidth needs to be considered. </t> <t> From a single node perspective, the aggregation of IP flows impacts DetNet IP data plane flow identification and resource allocation. As discussed above, IP flow identification uses the IP"6-tuple"6-tuple for flow identification. DetNet IP flows can be aggregated using any of the 6-tuple fields and optionally also by the flow label. The use of prefixes, wildcards, lists, and value ranges allows a DetNet node to identify aggregate DetNet flows. From a resource allocation perspective, DetNet nodes ought to provide service to an aggregate rather than on a component flow basis. </t> <t> It is the responsibility of the DetNetcontroller planeController Plane to properly provision the use of these aggregation mechanisms. This includes ensuring that aggregated flows have compatible (e.g., the same or very similar) QoS and/or CoScharacteristics,characteristics; see <xreftarget="QoS"/>.target="QoS" format="default"/>. It also includes ensuring thatper component-flowper-component-flow service requirements are satisfied by theaggregate,aggregate; see <xreftarget="ip-svc"/>.target="ip-svc" format="default"/>. </t> <t> The DetNetcontroller plane MUSTController Plane <bcp14>MUST</bcp14> ensure that non-congestion-responsive DetNet traffic is not forwarded outside a DetNet domain. </t> </section> <sectiontitle="Bidirectional Traffic">numbered="true" toc="default"> <name>Bidirectional Traffic</name> <t> While the DetNet IP data plane must support bidirectional DetNet flows, there are no special bidirectional features within the data plane. The special case of co-routed bidirectional DetNet flowsareis solely represented at the management and control plane levels, without specific support or knowledge within the DetNet data plane. Fate sharing and associated or co-routed bidirectional flows can be managed at the control level. </t> <t> Control and management mechanisms need to support bidirectional flows, but the specification of such mechanismsareis out of the scope of this document. An example control plane solution for MPLS can be found in <xreftarget="RFC7551"/>.target="RFC7551" format="default"/>. </t> </section> </section><!-- ===================================================================== --> <!-- ===================================================================== --><section anchor="ip-procs"title="DetNetnumbered="true" toc="default"> <name>DetNet IP Data PlaneProcedures">Procedures</name> <t> This section provides DetNet IP data plane procedures. These procedures have been divided into the following areas: flow identification,forwardingforwarding, and traffic treatment. Flow identification includes those procedures related to matchingIPIP-layer andhigher layerhigher-layer protocol header information to DetNet flow (state) information and service requirements. Flow identification is also sometimes calledTraffic classification;"traffic classification"; forexampleexample, see <xreftarget="RFC5777"/>.target="RFC5777" format="default"/>. Forwarding includes those procedures related tonext hopnext-hop selection and delivery. Traffic treatment includes those procedures related to providing an identified flow with the required DetNet service. </t> <t> DetNet IP data plane establishment and operational procedures also have requirements on the control and management systems for DetNetflowsflows, and these are referred to in this section.SpecificallySpecifically, this section identifies a number of information elements that require support via the management and control interfaces supported by a DetNet node. The specific mechanism used for such support is out of the scope of this document. A summary of the requirements formanagementmanagement- andcontrol relatedcontrol-related information is included. Conformance language is not used in thesummarysummary, since it applies to future mechanisms such as those that may be provided in YANG models <xreftarget="I-D.ietf-detnet-yang"/>.target="I-D.ietf-detnet-yang" format="default"/>. </t> <section anchor="ip-flow-id"title="DetNetnumbered="true" toc="default"> <name>DetNet IP Flow IdentificationProcedures">Procedures</name> <t>IPIP-layer andhigher layerhigher-layer protocol header information is used to identify DetNet flows. All DetNet implementations that support this documentMUST<bcp14>MUST</bcp14> identify individual DetNet flows based on the set of information identified in this section. Note that additional requirements for flowidentification requirements,identification, e.g., to support otherhigher layerhigher-layer protocols, may be defined in the future. </t> <t> The configuration and control information used to identify an individual DetNet flowMUST<bcp14>MUST</bcp14> be ordered by an implementation. ImplementationsMUST<bcp14>MUST</bcp14> support a fixed order when identifyingflows,flows andMUST<bcp14>MUST</bcp14> identify a DetNet flow by the first set of matching flow information. </t> <t> Implementations of this documentMUST<bcp14>MUST</bcp14> support DetNet flow identification when the implementation is acting as a DetNet endsystems,system, a relay node, orasan edge node. </t> <section anchor="ip-hdr"title="IPnumbered="true" toc="default"> <name>IP HeaderInformation">Information</name> <t> Implementations of this documentMUST<bcp14>MUST</bcp14> support DetNet flow identification based on IP header information. The IPv4 header is defined in <xreftarget="RFC0791"/>target="RFC0791" format="default"/>, and the IPv6 is defined in <xreftarget="RFC8200"/>.target="RFC8200" format="default"/>. </t> <sectiontitle="Sourcenumbered="true" toc="default"> <name>Source AddressField">Field</name> <t> Implementations of this documentMUST<bcp14>MUST</bcp14> support DetNet flow identification based on the Source Address field of an IP packet. ImplementationsSHOULD<bcp14>SHOULD</bcp14> support longest prefix matching for this field (see <xreftarget="RFC1812"/>target="RFC1812" format="default"/> and <xreftarget="RFC7608"/>.)target="RFC7608" format="default"/>). Note that a prefix length of zero (0) effectively means that the field is ignored. </t> </section> <sectiontitle="Destinationnumbered="true" toc="default"> <name>Destination AddressField">Field</name> <t> Implementations of this documentMUST<bcp14>MUST</bcp14> support DetNet flow identification based on the Destination Address field of an IP packet. ImplementationsSHOULD<bcp14>SHOULD</bcp14> support longest prefix matching for this field (see <xreftarget="RFC1812"/>target="RFC1812" format="default"/> and <xreftarget="RFC7608"/>.)target="RFC7608" format="default"/>). Note that a prefix length of zero (0) effectively means that the field is ignored. </t> <aside> <t> Note: Any IP address value is allowed, including an IP multicast destination address. </t> </aside> </section> <section anchor="nxt-proto-field"title="IPv4numbered="true" toc="default"> <name>IPv4 Protocol and IPv6 Next HeaderFields">Fields</name> <t> Implementations of this documentMUST<bcp14>MUST</bcp14> support DetNet flow identification based on the IPv4 Protocol field when processing IPv4packets,packets and the IPv6 Next HeaderFieldfield when processing IPv6 packets. This includes the next protocol values defined in <xreftarget="nxt-proto"/>target="nxt-proto" format="default"/> and any other value, including zero. ImplementationsSHOULD<bcp14>SHOULD</bcp14> allow for these fields to be ignored for a specific DetNet flow. </t> </section> <sectiontitle="IPv4numbered="true" toc="default"> <name>IPv4 Type of Service and IPv6 Traffic ClassFields">Fields</name> <t> These fields are used to supportDifferentiated Servicesdifferentiated services <xreftarget="RFC2474"/>target="RFC2474" format="default"/> <xreftarget="RFC2475"/>.target="RFC2475" format="default"/>. Implementations of this documentMUST<bcp14>MUST</bcp14> support DetNet flow identification based on the DSCP field in the IPv4 Type of Service field when processing IPv4packets,packets and the DSCP field in the IPv6 Traffic ClassFieldfield when processing IPv6 packets. ImplementationsMUST<bcp14>MUST</bcp14> support list-based matching of DSCP values, where the list is composed of possible field values that are to be considered when identifying a specific DetNet flow. ImplementationsSHOULD<bcp14>SHOULD</bcp14> allow for this field to be ignored for a specific DetNet flow. </t> </section> <sectiontitle="IPv6numbered="true" toc="default"> <name>IPv6 Flow LabelField">Field</name> <t> Implementations of this documentSHOULD<bcp14>SHOULD</bcp14> support identification of DetNet flows based on the IPv6 Flow Label field. Implementations that support matching based on this fieldMUST<bcp14>MUST</bcp14> allow for it to be ignored for a specific DetNet flow. When this field is used to identify a specific DetNet flow, implementationsMAY<bcp14>MAY</bcp14> exclude the IPv6 Next Header field and next header information as part of DetNet flow identification. </t> </section> </section> <section anchor="nxt-proto"title="Othernumbered="true" toc="default"> <name>Other Protocol HeaderInformation">Information</name> <t> Implementations of this documentMUST<bcp14>MUST</bcp14> support DetNet flow identification based on header information identified in this section. Support for TCP, UDP,ICMPICMP, and IPsec flows is defined. Future documents are expected to define support for other protocols. </t> <sectiontitle="TCPnumbered="true" toc="default"> <name>TCP andUDP">UDP</name> <t> DetNet flow identification for TCP <xreftarget="RFC0793"/>target="RFC0793" format="default"/> and UDP <xreftarget="RFC0768"/>target="RFC0768" format="default"/> is achieved based on the Source and Destination Port fields carried in each protocol's header. These fields share a common format and common DetNet flow identification procedures. </t> <t> The rules defined in this section only apply when the IPv4 Protocol or IPv6 Next HeaderFieldfield contains theIANA definedIANA-defined value for UDP or TCP. </t> <sectiontitle="Sourcenumbered="true" toc="default"> <name>Source PortField">Field</name> <t> Implementations of this documentMUST<bcp14>MUST</bcp14> support DetNet flow identification based on the Source Port field of a TCP or UDP packet. ImplementationsMUST<bcp14>MUST</bcp14> support flow identification based on a particular value carried in the field, i.e., an exact value. ImplementationsSHOULD<bcp14>SHOULD</bcp14> support range-based port matching. ImplementationMUST<bcp14>MUST</bcp14> also allow for the field to be ignored for a specific DetNet flow. </t> </section> <sectiontitle="Destinationnumbered="true" toc="default"> <name>Destination PortField">Field</name> <t> Implementations of this documentMUST<bcp14>MUST</bcp14> support DetNet flow identification based on the Destination Port field of a TCP or UDP packet. ImplementationsMUST<bcp14>MUST</bcp14> support flow identification based on a particular value carried in the field, i.e., an exact value. ImplementationsSHOULD<bcp14>SHOULD</bcp14> support range-based port matching. ImplementationMUST<bcp14>MUST</bcp14> also allow for the field to be ignored for a specific DetNet flow. </t> </section> </section> <sectiontitle="ICMP">numbered="true" toc="default"> <name>ICMP</name> <t> DetNet flow identification for ICMP <xreftarget="RFC0792"/>target="RFC0792" format="default"/> is achieved based on the protocol number in the IP header. Note that ICMP type is not included in the flow definition. </t> </section> <sectiontitle="IPsecnumbered="true" toc="default"> <name>IPsec AH andESP">ESP</name> <t> IPsec Authentication Header (AH) <xreftarget="RFC4302"/>target="RFC4302" format="default"/> and Encapsulating Security Payload (ESP) <xreftarget="RFC4303"/>target="RFC4303" format="default"/> share a common format for the Security Parameters Index (SPI) field. ImplementationsMUST<bcp14>MUST</bcp14> support flow identification based on a particular value carried in the field, i.e., an exact value.Implementation SHOULDImplementations <bcp14>SHOULD</bcp14> also allow for the field to be ignored for a specific DetNet flow. </t> <t> The rules defined in this section only apply when the IPv4 Protocol or IPv6 Next HeaderFieldfield contains theIANA definedIANA-defined value for AH or ESP. </t> </section> </section> </section> <section anchor="ip-fwd"title="Forwarding Procedures">numbered="true" toc="default"> <name>Forwarding Procedures</name> <t> General requirements for IP nodes are defined in <xreftarget="RFC1122"/>,target="RFC1122" format="default"/>, <xreftarget="RFC1812"/>target="RFC1812" format="default"/>, and <xreftarget="RFC8504"/>,target="RFC8504" format="default"/> and are not modified by this document. The typical next-hop selection process is impacted by DetNet. Specifically, implementations of this documentSHALL<bcp14>SHALL</bcp14> use management and control information to select the one or more outgoing interfaces and next hops to be used for a packet associated with a DetNet flow. Specific management and control information will be defined in future documents, e.g., <xreftarget="I-D.ietf-detnet-yang"/>.target="I-D.ietf-detnet-yang" format="default"/>. </t> <t> The use of multiple paths or links, e.g., ECMP, to support a single DetNet flow isNOT RECOMMENDED.<bcp14>NOT RECOMMENDED</bcp14>. ECMPMAY<bcp14>MAY</bcp14> be used for non-DetNet flows within a DetNet domain. </t> <t> The above implies that management and control functions will be defined to support this requirement, e.g., see <xreftarget="I-D.ietf-detnet-yang"/>.target="I-D.ietf-detnet-yang" format="default"/>. </t> </section> <section anchor="ip-svc"title="DetNetnumbered="true" toc="default"> <name>DetNet IP Traffic TreatmentProcedures">Procedures</name> <t> Implementations of this document must ensure that a DetNet flow receives the traffic treatment that is provisioned for it via configuration or thecontroller plane,Controller Plane, e.g., via <xreftarget="I-D.ietf-detnet-yang"/>.target="I-D.ietf-detnet-yang" format="default"/>. General information on DetNet service can be found in <xreftarget="I-D.ietf-detnet-flow-information-model"/>.target="I-D.ietf-detnet-flow-information-model" format="default"/>. Typical mechanisms used to provide different treatment to different flowsincludesinclude the allocation of system resources (such as queues and buffers) and provisioning of related parameters (such asshaping,shaping and policing). Support can also be provided via an underlying network technology such as MPLS <xreftarget="I-D.ietf-detnet-ip-over-mpls"/>target="I-D.ietf-detnet-ip-over-mpls" format="default"/> orIEEE802.1IEEE 802.1 TSN <xreftarget="I-D.ietf-detnet-ip-over-tsn"/>.target="I-D.ietf-detnet-ip-over-tsn" format="default"/>. Other mechanisms than the ones used in the TSN case are outside the scope of this document. </t> </section> </section> <section anchor="ip-flow-id-info"title="Managementnumbered="true" toc="default"> <name>Management and Control InformationSummary">Summary</name> <t> The following summarizes the set of information that is needed to identify individual and aggregated DetNet flows:<list style="symbols"> <t>IPv4</t> <ul spacing="normal"> <li>IPv4 and IPv6source address field.</t> <t>IPv4Source Address field.</li> <li>IPv4 and IPv6 source address prefix length, where a zero (0) value effectively means that theaddressSource Address field isignored.</t> <t>IPv4ignored.</li> <li>IPv4 and IPv6destination address field.</t> <t>IPv4Destination Address field.</li> <li>IPv4 and IPv6 destination address prefix length, where a zero (0) value effectively means that theaddressDestination Address field isignored.</t> <t>IPv4 protocolignored.</li> <li>IPv4 Protocol field. A limited set of values is allowed, and the ability to ignore this field isdesirable.</t> <t>IPv6 next headerdesirable.</li> <li>IPv6 Next Header field. A limited set of values is allowed, and the ability to ignore this field isdesirable.</t>desirable.</li> <li> <t>For the IPv4 Type of Service and IPv6 Traffic ClassFields: <list style="symbols"> <t>Whetherfields: </t> <ul spacing="normal"> <li>Whether or not the DSCP field is used in flow identification. Use of the DSCP field for flow identification isoptional.</t> <t>Ifoptional.</li> <li>If the DSCP field is used to identify a flow, then the flow identification information (for that flow) includes a list of DSCPs used by thatflow.</t> </list></t> <t>IPv6 flow labelflow.</li> </ul> </li> <li>IPv6 Flow Label field. This field can be optionally used for matching. When used, this field can be used instead of matching against the Next Headerfield.</t> <t>TCPfield.</li> <li>TCP and UDP Source Port. Support for both exact and wildcard matching is required. Port ranges can optionally beused.</t> <t>TCPused.</li> <li>TCP and UDP Destination Port. Support for both exact and wildcard matching is required. Port ranges can optionally beused.</t> <t>IPsecused.</li> <li>IPsec Header SPI field. Exact matching is required. Support for wildcard matching isrecommended.</t> <t>Forrecommended.</li> <li>For end systems, an optional maximum IP packet size that should be used for that outgoing DetNet IPflow.</t> </list>flow.</li> </ul> <t> This informationMUST<bcp14>MUST</bcp14> be provisioned per DetNet flow via configuration, e.g., via thecontrollerController Plane or the management plane. </t> <t> An implementationMUST<bcp14>MUST</bcp14> support ordering of the set of informationinformationused to identify an individual DetNet flow. This can, for example, be used to provide a DetNet service for a specific UDP flow, with unique Source and Destination Port field values, while providing a different service for the aggregate of all other flows with that same UDP Destination Port value. </t> <t> It is the responsibility of the DetNetcontroller planeController Plane to properly provision both flow identification information and theflow specificflow-specific resources needed toprovidedprovide the traffic treatment needed to meet each flow's service requirements. This applies for aggregated and individual flows. </t> </section><!-- ===================================================================== --><sectiontitle="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t> Detailed security considerations for DetNet are cataloged in <xreftarget="I-D.ietf-detnet-security"/>,target="DetNet-Security" format="default"/>, and more general security considerations are described in <xreftarget="RFC8655"/>.target="RFC8655" format="default"/>. This sectionconsidersexclusively considers security considerationswhichthat are specific to the DetNet IP data plane. </t> <t> Security aspectswhichthat are unique to DetNet are those whose aim is to provide the specificquality of serviceQoS aspects of DetNet, which are primarily to deliver data flows with extremely low packet loss rates and bounded end-to-end delivery latency. Achieving such loss rates and bounded latency may not be possible in the face of a highly capable adversary, such as the one envisioned by the Internet Threat Model of BCP 72 <xref target="RFC3552"/> that can arbitrarily drop or delay any or all traffic. In order to present meaningful security considerations, we consider a somewhat weaker attacker who does not control the physical links of the DetNetdomain,domain but may have the ability to control a network node within the boundary of the DetNet domain. </t> <t> The primary consideration for the DetNet data plane is to maintain integrity of data and delivery of the associated DetNet service traversing the DetNet network. Since no DetNet-specific fields are available in the DetNet IP data plane, the integrity and confidentiality of application flows can be protected through whatever means are provided by the underlying technology. For example, encryption may be used, such as that provided byIPSecIPsec <xreftarget="RFC4301"/>target="RFC4301" format="default"/> for IP flows and/or by an underlyingsub-netsub-network usingMACSecMACsec <xreftarget="IEEE802.1AE-2018"/>target="IEEE802.1AE-2018" format="default"/> for IP over Ethernet(Layer-2)(Layer 2) flows. </t> <t> From a data planeperspectiveperspective, this document does not add or modify any header information. </t> <t> At the management and controllevellevel, DetNet flows are identified on a per-flow basis, which may providecontroller planeController Plane attackers with additional information about the data flows (when compared tocontroller planesController Planes that do not include per-flow identification). This is an inherent property of DetNetwhichthat has security implications that should be considered when determining if DetNet is a suitable technology for any given use case. </t> <t> To provide uninterrupted availability of the DetNet service, provisions can be made againstDOSDoS attacks and delay attacks. To protect againstDOSDoS attacks, excess traffic due to malicious or malfunctioning devices can be prevented ormitigated,mitigated -- forexampleexample, through the use of existingmechanismmechanisms such as policing and shaping applied at the input of a DetNet domain or within an edgeIEEE802.1IEEE 802.1 TSN domain. To prevent DetNet packets from being delayed by an entity external to a DetNet domain, DetNet technologydefinitiondefinitions can allow for the mitigation ofMan-In-The-Middle attacks,man-in-the-middle attacks -- forexampleexample, through the use of authentication and authorization of devices within the DetNet domain. </t> </section> <section anchor="iana"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t> This documentdoes not require an action from IANA.has no IANA actions. </t> </section> </middle> <back> <displayreference target="I-D.ietf-detnet-flow-information-model" to="DetNet-Flow-Info"/> <displayreference target="I-D.ietf-detnet-yang" to="DetNet-YANG"/> <displayreference target="I-D.ietf-detnet-ip-over-tsn" to="DetNet-IP-over-TSN"/> <displayreference target="I-D.ietf-detnet-ip-over-mpls" to="DetNet-IP-over-MPLS"/> <displayreference target="I-D.ietf-detnet-tsn-vpn-over-mpls" to="DetNet-TSN-over-MPLS"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.0768.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.0791.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.0792.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.0793.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1812.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2474.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4301.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4302.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4303.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7608.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8200.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8655.xml"/> <!-- draft-ietf-detnet-data-plane-framework (RFC 8938) --> <reference anchor='RFC8938'> <front> <title>Deterministic Networking (DetNet) Data Plane Framework</title> <author initials='B' surname='Varga' fullname='Balazs Varga' role="editor"> <organization /> </author> <author initials='J' surname='Farkas' fullname='Janos Farkas'> <organization /> </author> <author initials='L' surname='Berger' fullname='Lou Berger'> <organization /> </author> <author initials='A' surname='Malis' fullname='Andrew Malis'> <organization /> </author> <author initials='S' surname='Bryant' fullname='Stewart Bryant'> <organization /> </author> <date month='November' year='2020' /> </front> <seriesInfo name="RFC" value="8938"/> <seriesInfo name="DOI" value="10.17487/RFC8938"/> </reference> </references> <references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1122.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1191.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2475.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3290.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3473.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3670.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5120.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5777.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8504.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7551.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7657.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8201.xml"/> <!-- draft-ietf-detnet-mpls (RFC-EDITOR) --> <!-- Have to do long way; Balazs Varga is an editor --> <reference anchor="DetNet-MPLS" target="https://tools.ietf.org/html/draft-ietf-detnet-mpls-13"> <front> <title>DetNet Data Plane: MPLS</title> <author initials="B" surname="Varga" fullname="Balazs Varga" role="editor"> <organization/> </author> <author initials="J" surname="Farkas" fullname="Janos Farkas"> <organization/> </author> <author initials="L" surname="Berger" fullname="Lou Berger"> <organization/> </author> <author initials="A" surname="Malis" fullname="Andrew Malis"> <organization/> </author> <author initials="S" surname="Bryant" fullname="Stewart Bryant"> <organization/> </author> <author initials="J" surname="Korhonen" fullname="Jouni Korhonen"> <organization/> </author> <date day="11" month="October" year="2020"/> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-detnet-mpls-13"/> </reference> <!-- draft-ietf-detnet-flow-information-model (Waiting for Writeup) --> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-detnet-flow-information-model.xml"/> <!-- draft-ietf-detnet-security (Waiting for Writeup) --> <!-- Have to do long way; Ethan Grossman is an editor --> <reference anchor="DetNet-Security" target="https://tools.ietf.org/html/draft-ietf-detnet-security-12"> <front> <title>Deterministic Networking (DetNet) Security Considerations</title> <author initials="E" surname="Grossman" fullname="Ethan Grossman" role="editor"> <organization/> </author> <author initials="T" surname="Mizrahi" fullname="Tal Mizrahi"> <organization/> </author> <author initials="A" surname="Hacker" fullname="Andrew Hacker"> <organization/> </author> <date month="October" day="2" year="2020"/> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-detnet-security-12"/> </reference> <!-- draft-ietf-detnet-yang (I-D Exists) --> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-detnet-yang.xml"/> <!-- draft-ietf-detnet-ip-over-tsn (I-D Exists) --> <!-- Have to do long way; B Varga is an editor --> <reference anchor='I-D.ietf-detnet-ip-over-tsn'> <front> <title>DetNet Data Plane: IP over IEEE 802.1 Time Sensitive Networking (TSN)</title> <author initials='B' surname='Varga' fullname='Balazs Varga' role="editor"> <organization /> </author> <author initials='J' surname='Farkas' fullname='Janos Farkas'> <organization /> </author> <author initials='A' surname='Malis' fullname='Andrew Malis'> <organization /> </author> <author initials='S' surname='Bryant' fullname='Stewart Bryant'> <organization /> </author> <date month='November' day='2' year='2020' /> </front> <seriesInfo name='Internet-Draft' value='draft-ietf-detnet-ip-over-tsn-04' /> </reference> <!-- draft-ietf-detnet-ip-over-mpls (MISSREF) --> <!-- Have to do long way; B Varga is an editor --> <reference anchor='I-D.ietf-detnet-ip-over-mpls'> <front> <title>DetNet Data Plane: IP over MPLS</title> <author initials='B' surname='Varga' fullname='Balazs Varga' role="editor"> <organization /> </author> <author initials='L' surname='Berger' fullname='Lou Berger'> <organization /> </author> <author initials='D' surname='Fedyk' fullname='Don Fedyk'> <organization /> </author> <author initials='S' surname='Bryant' fullname='Stewart Bryant'> <organization /> </author> <author initials='J' surname='Korhonen' fullname='Jouni Korhonen'> <organization /> </author> <date month='October' day='11' year='2020' /> </front> <seriesInfo name='Internet-Draft' value='draft-ietf-detnet-ip-over-mpls-09' /> </reference> <!-- draft-ietf-detnet-tsn-vpn-over-mpls (I-D Exists) --> <!-- Had to do long way; B Varga is an editor --> <reference anchor='I-D.ietf-detnet-tsn-vpn-over-mpls'> <front> <title>DetNet Data Plane: IEEE 802.1 Time Sensitive Networking over MPLS</title> <author initials='B' surname='Varga' fullname='Balazs Varga' role="editor"> <organization /> </author> <author initials='J' surname='Farkas' fullname='Janos Farkas'> <organization /> </author> <author initials='A' surname='Malis' fullname='Andrew Malis'> <organization /> </author> <author initials='S' surname='Bryant' fullname='Stewart Bryant'> <organization /> </author> <author initials='D' surname='Fedyk' fullname='Don Fedyk'> <organization /> </author> <date month='November' day='2' year='2020' /> </front> <seriesInfo name='Internet-Draft' value='draft-ietf-detnet-tsn-vpn-over-mpls-04' /> </reference> <reference anchor="IEEE802.1AE-2018" target="https://ieeexplore.ieee.org/document/8585421"> <front> <title>IEEE Standard for Local and metropolitan area networks-Media Access Control (MAC) Security</title> <author> <organization>IEEE</organization> </author> <date year="2018" month="December"/> </front> <seriesInfo name="IEEE" value="802.1AE-2018" /> <seriesInfo name="DOI" value="10.1109/IEEESTD.2018.8585421" /> </reference> <reference anchor="IEEE802.1TSNTG" target="https://1.ieee802.org/tsn/"> <front> <title>Time-Sensitive Networking (TSN) Task Group</title> <author> <organization>IEEE</organization> </author> <date/> </front> </reference> </references> </references> <section anchor="acks"title="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgements</name> <t> The authors wish to thankPat Thaler, Norman Finn, Loa Anderson, David Black, Rodney Cummings, Ethan Grossman, Tal Mizrahi, David Mozes, Craig Gunther, George Swallow, Yuanlong Jiang<contact fullname="Pat Thaler"/>, <contact fullname="Norman Finn"/>, <contact fullname="Loa Andersson"/>, <contact fullname="David Black"/>, <contact fullname="Rodney Cummings"/>, <contact fullname="Ethan Grossman"/>, <contact fullname="Tal Mizrahi"/>, <contact fullname="David Mozes"/>, <contact fullname="Craig Gunther"/>, <contact fullname="George Swallow"/>, <contact fullname="Yuanlong Jiang"/>, andCarlos<contact fullname="Carlos J.BernardosBernardos"/> for their various contributions to this work.David Black<contact fullname="David Black"/> served as technical advisor to the DetNet working group during the development of this document and provided many valuable comments. IESG comments were provided byMurray Kucherawy, Roman Danyliw, Alvaro Retana, Benjamin Kaduk, Rob Wilton, and Erik Vyncke.<contact fullname="Murray Kucherawy"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Alvaro Retana"/>, <contact fullname="Benjamin Kaduk"/>, <contact fullname="Rob Wilton"/>, and <contact fullname="Érik Vyncke"/>. </t> </section> <section anchor="contrib"title="Contributors">numbered="false" toc="default"> <name>Contributors</name> <t>RFC7322 limits the number of authors listed on the front page of a draft to a maximum of 5.The editor of this document wishes to thank and acknowledge thefollow authors for contributing textfollowing people who contributed substantially to the content of thisdraft.document and should be considered coauthors: </t><figure> <artwork><![CDATA[ Jouni Korhonen Email: jouni.nospam@gmail.com Andrew<contact fullname="Jouni Korhonen"> <address> <postal> <street></street> <city></city> <region></region><code></code> <country></country> </postal> <email>jouni.nospam@gmail.com</email> </address> </contact> <contact fullname="Andrew G.Malis Malis Consulting Email: agmalis@gmail.com ]]></artwork> </figure>Malis"> <organization>Malis Consulting</organization> <address> <postal> <street></street> <city></city> <region></region><code></code> <country></country> </postal> <email>agmalis@gmail.com</email> </address> </contact> </section></middle> <back> <references title="Normative references"> <?rfc include="reference.RFC.0768"?> <?rfc include="reference.RFC.0791"?> <?rfc include="reference.RFC.0792"?> <?rfc include="reference.RFC.0793"?> <?rfc include="reference.RFC.1812"?> <?rfc include="reference.RFC.2119"?> <?rfc include="reference.RFC.2474"?> <?rfc include="reference.RFC.4301"?> <?rfc include="reference.RFC.4302"?> <?rfc include="reference.RFC.4303"?> <?rfc include="reference.RFC.7608"?> <?rfc include="reference.RFC.8174"?> <?rfc include="reference.RFC.8200"?> <?rfc include="reference.RFC.8655"?> <?rfc include="reference.I-D.ietf-detnet-data-plane-framework'?> </references> <references title="Informative references"> <?rfc include="reference.RFC.1122"?> <?rfc include="reference.RFC.1192"?> <?rfc include="reference.RFC.2475"?> <?rfc include="reference.RFC.3290"?> <?rfc include="reference.RFC.3473"?> <?rfc include="reference.RFC.3670"?> <?rfc include="reference.RFC.5120"?> <?rfc include="reference.RFC.5777"?> <?rfc include="reference.RFC.8504"?> <?rfc include="reference.RFC.7551"?> <?rfc include="reference.RFC.7657"?> <?rfc include="reference.RFC.8201"?> <?rfc include="reference.I-D.ietf-detnet-mpls"?> <?rfc include="reference.I-D.ietf-detnet-dp-sol-mpls"?> <?rfc include="reference.I-D.ietf-detnet-flow-information-model"?> <?rfc include="reference.I-D.ietf-detnet-security"?> <?rfc include="reference.I-D.ietf-detnet-yang"?> <?rfc include="reference.I-D.ietf-detnet-ip-over-tsn'?> <?rfc include="reference.I-D.ietf-detnet-ip-over-mpls'?> <?rfc include="reference.I-D.ietf-detnet-tsn-vpn-over-mpls'?> <reference anchor="IEEE802.1AE-2018" target="https://ieeexplore.ieee.org/document/8585421"> <front> <title>IEEE Std 802.1AE-2018 MAC Security (MACsec)</title> <author> <organization>IEEE Standards Association</organization> </author> <date year="2018" /> </front> </reference> </references></back> </rfc>