rfc9015.original   rfc9015.txt 
BESS Working Group A. Farrel Internet Engineering Task Force (IETF) A. Farrel
Internet-Draft Old Dog Consulting Request for Comments: 9015 Old Dog Consulting
Intended status: Standards Track J. Drake Category: Standards Track J. Drake
Expires: February 22, 2021 E. Rosen ISSN: 2070-1721 E. Rosen
Juniper Networks Juniper Networks
J. Uttaro J. Uttaro
AT&T AT&T
L. Jalil L. Jalil
Verizon Verizon
August 21, 2020 May 2021
BGP Control Plane for the Network Service Header in Service Function BGP Control Plane for the Network Service Header in Service Function
Chaining Chaining
draft-ietf-bess-nsh-bgp-control-plane-18
Abstract Abstract
This document describes the use of BGP as a control plane for This document describes the use of BGP as a control plane for
networks that support Service Function Chaining (SFC). The document networks that support service function chaining. The document
introduces a new BGP address family called the SFC Address Family introduces a new BGP address family called the "Service Function
Identifier / Subsequent Address Family Identifier (SFC AFI/SAFI) with Chain (SFC) Address Family Identifier / Subsequent Address Family
two route types. One route type is originated by a node to advertise Identifier" (SFC AFI/SAFI) with two Route Types. One Route Type is
that it hosts a particular instance of a specified service function. originated by a node to advertise that it hosts a particular instance
This route type also provides "instructions" on how to send a packet of a specified service function. This Route Type also provides
to the hosting node in a way that indicates that the service function "instructions" on how to send a packet to the hosting node in a way
has to be applied to the packet. The other route type is used by a that indicates that the service function has to be applied to the
Controller to advertise the paths of "chains" of service functions, packet. The other Route Type is used by a controller to advertise
and to give a unique designator to each such path so that they can be the paths of "chains" of service functions and give a unique
used in conjunction with the Network Service Header defined in RFC designator to each such path so that they can be used in conjunction
8300. with the Network Service Header (NSH) defined in RFC 8300.
This document adopts the SFC architecture described in RFC 7665. This document adopts the service function chaining architecture
described in RFC 7665.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This document is a product of the Internet Engineering Task Force
Task Force (IETF). Note that other groups may also distribute (IETF). It represents the consensus of the IETF community. It has
working documents as Internet-Drafts. The list of current Internet- received public review and has been approved for publication by the
Drafts is at https://datatracker.ietf.org/drafts/current/. Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Internet-Drafts are draft documents valid for a maximum of six months Information about the current status of this document, any errata,
and may be updated, replaced, or obsoleted by other documents at any and how to provide feedback on it may be obtained at
time. It is inappropriate to use Internet-Drafts as reference https://www.rfc-editor.org/info/rfc9015.
material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 22, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 5 1.1. Requirements Language
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.2. Terminology
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2. Overview
2.1. Overview of Service Function Chaining . . . . . . . . . . 6 2.1. Overview of Service Function Chaining
2.2. Control Plane Overview . . . . . . . . . . . . . . . . . 8 2.2. Control Plane Overview
3. BGP SFC Routes . . . . . . . . . . . . . . . . . . . . . . . 12 3. BGP SFC Routes
3.1. Service Function Instance Route (SFIR) . . . . . . . . . 13 3.1. Service Function Instance Route (SFIR)
3.1.1. SFIR Pool Identifier Extended Community . . . . . . . 14 3.1.1. SFIR Pool Identifier Extended Community
3.1.2. MPLS Mixed Swapping/Stacking Extended Community . . . 15 3.1.2. MPLS Mixed Swapping/Stacking Extended Community
3.2. Service Function Path Route (SFPR) . . . . . . . . . . . 16 3.2. Service Function Path Route (SFPR)
3.2.1. The SFP Attribute . . . . . . . . . . . . . . . . . . 17 3.2.1. The SFP Attribute
3.2.2. General Rules For The SFP Attribute . . . . . . . . . 23 3.2.2. General Rules for the SFP Attribute
4. Mode of Operation . . . . . . . . . . . . . . . . . . . . . . 24 4. Mode of Operation
4.1. Route Targets . . . . . . . . . . . . . . . . . . . . . . 24 4.1. Route Targets
4.2. Service Function Instance Routes . . . . . . . . . . . . 24 4.2. Service Function Instance Routes
4.3. Service Function Path Routes . . . . . . . . . . . . . . 25 4.3. Service Function Path Routes
4.4. Classifier Operation . . . . . . . . . . . . . . . . . . 27 4.4. Classifier Operation
4.5. Service Function Forwarder Operation . . . . . . . . . . 27 4.5. Service Function Forwarder Operation
4.5.1. Processing With 'Gaps' in the SI Sequence . . . . . . 28 4.5.1. Processing with "Gaps" in the SI Sequence
5. Selection within Service Function Paths . . . . . . . . . . . 30 5. Selection within Service Function Paths
6. Looping, Jumping, and Branching . . . . . . . . . . . . . . . 32 6. Looping, Jumping, and Branching
6.1. Protocol Control of Looping, Jumping, and Branching . . . 32 6.1. Protocol Control of Looping, Jumping, and Branching
6.2. Implications for Forwarding State . . . . . . . . . . . . 33 6.2. Implications for Forwarding State
7. Advanced Topics . . . . . . . . . . . . . . . . . . . . . . . 33 7. Advanced Topics
7.1. Correlating Service Function Path Instances . . . . . . . 34 7.1. Correlating Service Function Path Instances
7.2. Considerations for Stateful Service Functions . . . . . . 34 7.2. Considerations for Stateful Service Functions
7.3. VPN Considerations and Private Service Functions . . . . 35 7.3. VPN Considerations and Private Service Functions
7.4. Flow Specification for SFC Classifiers . . . . . . . . . 36 7.4. Flow Specification for SFC Classifiers
7.5. Choice of Data Plane SPI/SI Representation . . . . . . . 38 7.5. Choice of Data Plane SPI/SI Representation
7.5.1. MPLS Representation of the SPI/SI . . . . . . . . . . 39 7.5.1. MPLS Representation of the SPI/SI
7.6. MPLS Label Swapping/Stacking Operation . . . . . . . . . 39 7.6. MPLS Label Swapping/Stacking Operation
7.7. Support for MPLS-Encapsulated NSH Packets . . . . . . . . 39 7.7. Support for MPLS-Encapsulated NSH Packets
8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 40 8. Examples
8.1. Example Explicit SFP With No Choices . . . . . . . . . . 42 8.1. Example Explicit SFP with No Choices
8.2. Example SFP With Choice of SFIs . . . . . . . . . . . . . 42 8.2. Example SFP with Choice of SFIs
8.3. Example SFP With Open Choice of SFIs . . . . . . . . . . 43 8.3. Example SFP with Open Choice of SFIs
8.4. Example SFP With Choice of SFTs . . . . . . . . . . . . . 43 8.4. Example SFP with Choice of SFTs
8.5. Example Correlated Bidirectional SFPs . . . . . . . . . . 44 8.5. Example Correlated Bidirectional SFPs
8.6. Example Correlated Asymmetrical Bidirectional SFPs . . . 45 8.6. Example Correlated Asymmetrical Bidirectional SFPs
8.7. Example Looping in an SFP . . . . . . . . . . . . . . . . 45 8.7. Example Looping in an SFP
8.8. Example Branching in an SFP . . . . . . . . . . . . . . . 46 8.8. Example Branching in an SFP
8.9. Examples of SFPs with Stateful Service Functions . . . . 46 8.9. Examples of SFPs with Stateful Service Functions
8.9.1. Forward and Reverse Choice Made at the SFF . . . . . 47 8.9.1. Forward and Reverse Choice Made at the SFF
8.9.2. Parallel End-to-End SFPs with Shared SFF . . . . . . 48 8.9.2. Parallel End-to-End SFPs with Shared SFF
8.9.3. Parallel End-to-End SFPs with Separate SFFs . . . . . 50 8.9.3. Parallel End-to-End SFPs with Separate SFFs
8.9.4. Parallel SFPs Downstream of the Choice . . . . . . . 52 8.9.4. Parallel SFPs Downstream of the Choice
8.10. Examples Using IPv6 Addressing . . . . . . . . . . . . . 55 8.10. Examples Using IPv6 Addressing
8.10.1. Example Explicit SFP With No Choices . . . . . . . . 57 8.10.1. Example Explicit SFP with No Choices
8.10.2. Example SFP With Choice of SFIs . . . . . . . . . . 58 8.10.2. Example SFP with Choice of SFIs
8.10.3. Example SFP With Open Choice of SFIs . . . . . . . . 58 8.10.3. Example SFP with Open Choice of SFIs
8.10.4. Example SFP With Choice of SFTs . . . . . . . . . . 59 8.10.4. Example SFP with Choice of SFTs
9. Security Considerations . . . . . . . . . . . . . . . . . . . 60 9. Security Considerations
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 62 10. IANA Considerations
10.1. New BGP AF/SAFI . . . . . . . . . . . . . . . . . . . . 62 10.1. New BGP AF/SAFI
10.2. New BGP Path Attribute . . . . . . . . . . . . . . . . . 62 10.2. "SFP attribute" BGP Path Attribute
10.3. New SFP Attribute TLVs Type Registry . . . . . . . . . . 62 10.3. "SFP Attribute TLVs" Registry
10.4. New SFP Association Type Registry . . . . . . . . . . . 63 10.4. "SFP Association Type" Registry
10.5. New Service Function Type Registry . . . . . . . . . . . 64 10.5. "Service Function Chaining Service Function Types"
10.6. New Generic Transitive Experimental Use Extended Registry
Community Sub-Types . . . . . . . . . . . . . . . . . . 66 10.6. Flow Specification for SFC Classifiers
10.7. New BGP Transitive Extended Community Type . . . . . . . 66 10.7. New BGP Transitive Extended Community Type
10.8. New SFC Extended Community Sub-Types Registry . . . . . 66 10.8. "SFC Extended Community Sub-Types" Registry
10.9. SPI/SI Representation . . . . . . . . . . . . . . . . . 67 10.9. New SPI/SI Representation Sub-TLV
10.10. SFC SPI/SI Representation Flags Registry . . . . . . . . 67 10.10. "SFC SPI/SI Representation Flags" Registry
11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 67 11. References
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 68 11.1. Normative References
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 68 11.2. Informative References
13.1. Normative References . . . . . . . . . . . . . . . . . . 68 Acknowledgements
13.2. Informative References . . . . . . . . . . . . . . . . . 70 Contributors
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 71 Authors' Addresses
1. Introduction 1. Introduction
As described in [RFC7498], the delivery of end-to-end services can As described in [RFC7498], the delivery of end-to-end services can
require a packet to pass through a series of Service Functions (SFs) require a packet to pass through a series of Service Functions (SFs)
(e.g., WAN and application accelerators, Deep Packet Inspection (DPI) -- e.g., WAN and application accelerators, Deep Packet Inspection
engines, firewalls, TCP optimizers, and server load balancers) in a (DPI) engines, firewalls, TCP optimizers, and server load balancers
specified order: this is termed "Service Function Chaining" (SFC). -- in a specified order; this is termed "service function chaining".
There are a number of issues associated with deploying and There are a number of issues associated with deploying and
maintaining service function chaining in production networks, which maintaining service function chaining in production networks, which
are described below. are described below.
Historically, if a packet needed to travel through a particular Historically, if a packet needed to travel through a particular
service chain, the nodes hosting the service functions of that chain service chain, the nodes hosting the service functions of that chain
were placed in the network topology in such a way that the packet were placed in the network topology in such a way that the packet
could not reach its ultimate destination without first passing could not reach its ultimate destination without first passing
through all the service functions in the proper order. This need to through all the service functions in the proper order. This need to
place the service functions at particular topological locations place the service functions at particular topological locations
limited the ability to adapt a service function chain to changes in limited the ability to adapt a service function chain to changes in
network topology (e.g., link or node failures), network utilization, network topology (e.g., link or node failures), network utilization,
or offered service load. These topological restrictions on where the or offered service load. These topological restrictions on where the
service functions can be placed raised the following issues: service functions could be placed raised the following issues:
1. The process of configuring or modifying a service function chain 1. The process of configuring or modifying a service function chain
is operationally complex and may require changes to the network is operationally complex and may require changes to the network
topology. topology.
2. Alternate or redundant service functions may need to be co- 2. Alternate or redundant service functions may need to be co-
located with the primary service functions. located with the primary service functions.
3. When there is more than one path between source and destination, 3. When there is more than one path between source and destination,
forwarding may be asymmetric and it may be difficult to support forwarding may be asymmetric, and it may be difficult to support
bidirectional service function chains using simple routing bidirectional service function chains using simple routing
methodologies and protocols without adding mechanisms for traffic methodologies and protocols without adding mechanisms for traffic
steering or traffic engineering. steering or traffic engineering.
In order to address these issues, the SFC architecture describes In order to address these issues, the service function chaining
Service Function Chains that are built in their own overlay network architecture describes service function chains that are built in
(the service function overlay network), coexisting with other overlay their own overlay network (the service function overlay network),
networks, over a common underlay network [RFC7665]. A Service coexisting with other overlay networks, over a common underlay
Function Chain is a sequence of Service Functions through which network [RFC7665]. A service function chain is a sequence of service
packet flows that satisfy specified criteria will pass. functions through which packet flows that satisfy specified criteria
will pass.
This document describes the use of BGP as a control plane for This document describes the use of BGP as a control plane for
networks that support Service Function Chaining (SFC). The document networks that support service function chaining. The document
introduces a new BGP address family called the SFC Address Family introduces a new BGP address family called the "Service Function
Identifier / Subsequent Address Family Identifier (AFI/SAFI) with two Chain (SFC) Address Family Identifier / Subsequent Address Family
route types. One route type is originated by a node to advertise Identifier" (SFC AFI/SAFI) with two Route Types. One Route Type is
that it hosts a particular instance of a specified service function. originated by a node to advertise that it hosts a particular instance
This route type also provides "instructions" on how to send a packet of a specified service function. This Route Type also provides
to the hosting node in a way that indicates that the service function "instructions" on how to send a packet to the hosting node in a way
has to be applied to the packet. The other route type is used by a that indicates that the service function has to be applied to the
Controller (a centralized network component responsible for planning packet. The other Route Type is used by a controller (a centralized
and coordinating Service Function Chaining within the network) to network component responsible for planning and coordinating service
advertise the paths of "chains" of service functions, and to give a function chaining within the network) to advertise the paths of
unique designator to each such path so that they can be used in "chains" of service functions and give a unique designator to each
conjunction with the Network Service Header [RFC8300]. such path so that they can be used in conjunction with the Network
Service Header (NSH) [RFC8300].
This document adopts the SFC architecture described in [RFC7665]. This document adopts the service function chaining architecture
described in [RFC7665].
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
1.2. Terminology 1.2. Terminology
This document uses the following terms from [RFC7665]: This document uses the following terms from [RFC7665]:
o Bidirectional Service Function Chain * Bidirectional Service Function Chain
o Classifier * Classifier
o Service Function (SF) * Service Function (SF)
o Service Function Chain (SFC) * Service Function Chain (SFC)
o Service Function Forwarder (SFF) * Service Function Forwarder (SFF)
o Service Function Instance (SFI) * Service Function Instance (SFI)
o Service Function Path (SFP) * Service Function Path (SFP)
o SFC branching * SFC branching
Additionally, this document uses the following terms from [RFC8300]: Additionally, this document uses the following terms from [RFC8300]:
o Network Service Header (NSH) * Network Service Header (NSH)
o Service Index (SI) * Service Index (SI)
o Service Path Identifier (SPI) * Service Path Identifier (SPI)
This document introduces the following terms: This document introduces the following terms:
o Service Function Instance Route (SFIR). A new BGP Route Type Service Function Instance Route (SFIR): A new BGP Route Type
advertised by the node that hosts an SFI to describe the SFI and advertised by the node that hosts an SFI to describe the SFI and
to announce the way to forward a packet to the node through the to announce the way to forward a packet to the node through the
underlay network. underlay network.
o Service Function Overlay Network. The logical network comprised Service Function Overlay Network: The logical network comprised of
of Classifiers, SFFs, and SFIs that are connected by paths or classifiers, SFFs, and SFIs that are connected by paths or tunnels
tunnels through underlay transport networks. through underlay transport networks.
o Service Function Path Route (SFPR). A new BGP Route Type Service Function Path Route (SFPR): A new BGP Route Type originated
originated by Controllers to advertise the details of each SFP. by controllers to advertise the details of each SFP.
o Service Function Type (SFT). An indication of the function and Service Function Type (SFT): An indication of the function and
features of an SFI. features of an SFI.
2. Overview 2. Overview
This section provides an overview of Service Function Chaining in This section provides an overview of service function chaining in
general, and the control plane defined in this document. After general and the control plane defined in this document. After
reading this section, readers may find it helpful to look through reading this section, readers may find it helpful to look through
Section 8 for some simple worked examples. Section 8 for some simple worked examples.
2.1. Overview of Service Function Chaining 2.1. Overview of Service Function Chaining
In [RFC8300] a Service Function Chain (SFC) is an ordered list of In [RFC8300], a Service Function Chain (SFC) is an ordered list of
Service Functions (SFs). A Service Function Path (SFP) is an Service Functions (SFs). A Service Function Path (SFP) is an
indication of which instances of SFs are acceptable to be traversed indication of which instances of SFs are acceptable to be traversed
in an instantiation of an SFC in a service function overlay network. in an instantiation of an SFC in a service function overlay network.
The Service Path Identifier (SPI) is a 24-bit number that identifies The Service Path Identifier (SPI) is a 24-bit number that identifies
a specific SFP, and a Service Index (SI) is an 8-bit number that a specific SFP, and a Service Index (SI) is an 8-bit number that
identifies a specific point in that path. In the context of a identifies a specific point in that path. In the context of a
particular SFP (identified by an SPI), an SI represents a particular particular SFP (identified by an SPI), an SI represents a particular
Service Function, and indicates the order of that SF in the SFP. service function and indicates the order of that SF in the SFP.
Within the context of a specific SFP, an SI references a set of one Within the context of a specific SFP, an SI references a set of one
or more SFs. Each of those SFs may be supported by one or more or more SFs. Each of those SFs may be supported by one or more
Service Function Instances (SFIs). Thus an SI may represent a choice Service Function Instances (SFIs). Thus, an SI may represent a
of SFIs of one or more Service Function Types. By deploying multiple choice of SFIs of one or more service function types. By deploying
SFIs for a single SF, one can provide load balancing and redundancy. multiple SFIs for a single SF, one can provide load balancing and
redundancy.
A special functional element, called a Classifier, is located at each A special functional element, called a "classifier", is located at
ingress point to a service function overlay network. It assigns the each ingress point to a service function overlay network. It assigns
packets of a given packet flow to a specific Service Function Path. the packets of a given packet flow to a specific SFP. This may be
This may be done by comparing specific fields in a packet's header done by comparing specific fields in a packet's header with local
with local policy, which may be customer/network/service specific. policy, which may be customer/network/service specific. The
The Classifier picks an SFP and sets the SPI accordingly, it then classifier picks an SFP and sets the SPI accordingly; it then sets
sets the SI to the value of the SI for the first hop in the SFP, and the SI to the value of the SI for the first hop in the SFP, and then
then prepends a Network Services Header (NSH) [RFC8300] containing prepends a Network Service Header (NSH) [RFC8300] containing the
the assigned SPI/SI to that packet. Note that the Classifier and the assigned SPI/SI to that packet. Note that the classifier and the
node that hosts the first Service Function in a Service Function Path node that hosts the first SF in an SFP need not be located at the
need not be located at the same point in the service function overlay same point in the service function overlay network.
network.
Note that the presence of the NSH can make it difficult for nodes in Note that the presence of the NSH can make it difficult for nodes in
the underlay network to locate the fields in the original packet that the underlay network to locate the fields in the original packet that
would normally be used to constrain equal cost multipath (ECMP) would normally be used to constrain equal-cost multipath (ECMP)
forwarding. Therefore, it is recommended that the node prepending forwarding. Therefore, it is recommended that the node prepending
the NSH also provide some form of entropy indicator that can be used the NSH also provide some form of entropy indicator that can be used
in the underlay network. How this indicator is generated and in the underlay network. How this indicator is generated and
supplied, and how an SFF generates a new entropy indicator when it supplied, and how an SFF generates a new entropy indicator when it
forwards a packet to the next SFF, are out of scope of this document. forwards a packet to the next SFF, are out of the scope of this
document.
The Service Function Forwarder (SFF) receives a packet from the The Service Function Forwarder (SFF) receives a packet from the
previous node in a Service Function Path, removes the packet's link previous node in an SFP, removes the packet's link layer or tunnel
layer or tunnel encapsulation and hands the packet and the NSH to the encapsulation, and hands the packet and the NSH to the SFI for
Service Function Instance for processing. The SFI has no knowledge processing. The SFI has no knowledge of the SFP.
of the SFP.
When the SFF receives the packet and the NSH back from the SFI it When the SFF receives the packet and the NSH back from the SFI, it
must select the next SFI along the path using the SPI and SI in the must select the next SFI along the path using the SPI and SI in the
NSH and potentially choosing between multiple SFIs (possibly of NSH and potentially choosing between multiple SFIs (possibly of
different Service Function Types) as described in Section 5. In the different SFTs), as described in Section 5. In the normal case, the
normal case the SPI remains unchanged and the SI will have been SPI remains unchanged, and the SI will have been decremented to
decremented to indicate the next SF along the path. But other indicate the next SF along the path. But other possibilities exist
possibilities exist if the SF makes other changes to the NSH through if the SF makes other changes to the NSH through a process of
a process of re-classification: reclassification:
o The SI in the NSH may indicate:
* A previous SF in the path: known as "looping" (see Section 6). * The SI in the NSH may indicate:
* An SF further down the path: known as "jumping" (see also - A previous SF in the path; this is known as "looping" (see
Section 6). Section 6).
o The SPI and the SI may point to an SF on a different SFP: known as - An SF further down the path; this is known as "jumping" (again
"branching" (see also Section 6). see Section 6).
* The SPI and the SI may point to an SF on a different SFP; this is
known as "branching" (see Section 6).
Such modifications are limited to within the same service function Such modifications are limited to within the same service function
overlay network. That is, an SPI is known within the scope of overlay network. That is, an SPI is known within the scope of
service function overlay network. Furthermore, the new SI value is service function overlay network. Furthermore, the new SI value is
interpreted in the context of the SFP identified by the SPI. interpreted in the context of the SFP identified by the SPI.
As described in [RFC8300], an unknown or invalid SPI is treated as an As described in [RFC8300], an SPI that is unknown or not valid is
error and the SFF drops the packet: such errors should be logged, and treated as an error, and the SFF drops the packet; such errors should
such logs are subject to rate limits. be logged, and such logs are subject to rate limits.
Also, as described in [RFC8300], an SFF receiving an SI that is Also, as described in [RFC8300], an SFF receiving an SI that is
unknown in the context of the SPI can reduce the value to the next unknown in the context of the SPI can reduce the value to the next
meaningful SI value in the SFP indicated by the SPI. If no such meaningful SI value in the SFP indicated by the SPI. If no such
value exists or if the SFF does not support reducing the SI, the SFF value exists, or if the SFF does not support reducing the SI, the SFF
drops the packet and should log the event: such logs are also subject drops the packet and should log the event; such logs are also subject
to rate limits. to rate limits.
The SFF then selects an SFI that provides the SF denoted by the SPI/ The SFF then selects an SFI that provides the SF denoted by the SPI/
SI, and forwards the packet to the SFF that supports that SFI. SI and forwards the packet to the SFF that supports that SFI.
[RFC8300] makes it clear that the intended scope is for use within a [RFC8300] makes it clear that the intended scope is for use within a
single provider's operational domain. single provider's operational domain.
This document adopts the SFC architecture described in [RFC7665] and This document adopts the service function chaining architecture
adds a control plane to support the functions as described in described in [RFC7665] and adds a control plane to support the
Section 2.2. An essential component of this solution is the functions, as described in Section 2.2. An essential component of
Controller. This is a network component responsible for planning this solution is the controller. This is a network component
SFPs within the network. It gathers information about the responsible for planning SFPs within the network. It gathers
availability of SFIs and SFFs, instructs the control plane about the information about the availability of SFIs and SFFs, instructs the
SFPs to be programmed, and instructs the Classifiers how to assign control plane about the SFPs to be programmed, and instructs the
traffic flows to individual SFPs. classifiers how to assign traffic flows to individual SFPs.
2.2. Control Plane Overview 2.2. Control Plane Overview
To accomplish the function described in Section 2.1, this document To accomplish the function described in Section 2.1, this document
introduces the Service Function Type (SFT) that is the category of SF introduces the Service Function Type (SFT), which is the category of
that is supported by an SFF (such as "firewall"). An IANA registry SF that is supported by an SFF (such as "firewall"). An IANA
of Service Function Types is introduced in Section 10.5 and is registry of service function types is introduced in Section 10.5 and
consistent with types used in other work such as is consistent with types used in other work, such as [BGP-LS-SR]. An
[I-D.dawra-idr-bgp-ls-sr-service-segments]. An SFF may support SFs SFF may support SFs of multiple different SFTs, and it may support
of multiple different SFTs, and may support multiple SFIs of each SF. multiple SFIs of each SF.
The registry of SFT values (see Section 10.5) is split into three The registry of SFT values (see Section 10.5) is split into three
ranges with assignment policies per [RFC8126]: ranges with assignment policies per [RFC8126]:
o The Special Purpose SFT values range is assigned through Standards * The special-purpose SFT values range is assigned through Standards
Action. Values in that range are used for special SFC operations Action. Values in that range are used for special SFC operations
and do not apply to the types of SF that may form part of the SFP. and do not apply to the types of SF that may form part of the SFP.
o The First Come First Served range tracks assignments of STF values * The First Come First Served range tracks assignments of SFT values
made by any party that defines an SF type. Reference through an made by any party that defines an SF type. Reference through an
Internet-Draft is desirable, but not required. Internet-Draft is desirable, but not required.
o The Private Use range is not tracked by IANA and is primarily * The Private Use range is not tracked by IANA and is primarily
intended for use in private networks where the meaning of the SFT intended for use in private networks where the meaning of the SFT
values is locally tracked and under the control of a local values is locally tracked and under the control of a local
administrator. administrator.
It is envisaged that the majority of SFT values used will be assigned It is envisaged that the majority of SFT values used will be assigned
from the First Come First Served space in the registry. This will from the First Come First Served space in the registry. This will
ensure interoperability especially in situations where software and ensure interoperability, especially in situations where software and
hardware from different vendors is deployed in the same networks, or hardware from different vendors are deployed in the same networks, or
when networks are merged. However, operators of private networks may when networks are merged. However, operators of private networks may
choose to develop their own SFs and manage the configuration and choose to develop their own SFs and manage the configuration and
operation of their network through their own list of SFT values. operation of their network through their own list of SFT values.
This document also introduces a new BGP AFI/SAFI (values to be This document also introduces a new BGP AFI/SAFI (values 31 and 9,
assigned by IANA) for "SFC Routes". Two SFC Route Types are defined respectively) for "SFC Routes". Two SFC Route Types are defined by
by this document: the Service Function Instance Route (SFIR), and the this document: the Service Function Instance Route (SFIR) and the
Service Function Path Route (SFPR). As detailed in Section 3, the Service Function Path Route (SFPR). As detailed in Section 3, the
route type is indicated by a sub-field in the Network Layer Route Type is indicated by a subfield in the Network Layer
Reachability Information (NLRI). Reachability Information (NLRI).
o The SFIR is advertised by the node that provides access to the * The SFIR is advertised by the node that provides access to the
service function instance (i.e., the SFF). The SFIR describes a service function instance (i.e., the SFF). The SFIR describes a
particular instance of a particular Service Function (i.e., an particular instance of a particular SF (i.e., an SFI) and the way
SFI) and the way to forward a packet to it through the underlay to forward a packet to it through the underlay network, i.e., IP
network, i.e., IP address and encapsulation information. address and encapsulation information.
o The SFPRs are originated by Controllers. One SFPR is originated * The SFPRs are originated by controllers. One SFPR is originated
for each Service Function Path. The SFPR specifies: for each SFP. The SFPR specifies:
A. the SPI of the path A. the SPI of the path,
B. the sequence of SFTs and/or SFIs of which the path consists B. the sequence of SFTs and/or SFIs of which the path consists,
and
C. for each such SFT or SFI, the SI that represents it in the C. for each such SFT or SFI, the SI that represents it in the
identified path. identified path.
This approach assumes that there is an underlay network that provides This approach assumes that there is an underlay network that provides
connectivity between SFFs and Controllers, and that the SFFs are connectivity between SFFs and controllers and that the SFFs are
grouped to form one or more service function overlay networks through grouped to form one or more service function overlay networks through
which SFPs are built. We assume that the Controllers have BGP which SFPs are built. We assume that the controllers have BGP
connectivity to all SFFs and all Classifiers within each service connectivity to all SFFs and all classifiers within each service
function overlay network. function overlay network.
When choosing the next SFI in a path, the SFF uses the SPI and SI as When choosing the next SFI in a path, the SFF uses the SPI and SI as
well as the SFT to choose among the SFIs, applying, for example, a well as the SFT to choose among the SFIs, applying, for example, a
load balancing algorithm or direct knowledge of the underlay network load-balancing algorithm or direct knowledge of the underlay network
topology as described in Section 4. topology, as described in Section 4.
The SFF then encapsulates the packet using the encapsulation The SFF then encapsulates the packet using the encapsulation
specified by the SFIR of the selected SFI and forwards the packet. specified by the SFIR of the selected SFI and forwards the packet.
See Figure 1. See Figure 1.
Thus the SFF can be seen as a portal in the underlay network through Thus, the SFF can be seen as a portal in the underlay network through
which a particular SFI is reached. which a particular SFI is reached.
Figure 1 shows a reference model for the SFC architecture. There are Figure 1 shows a reference model for the service function chaining
four SFFs (SFF-1 through SFF-4) connected by tunnels across the architecture. There are four SFFs (SFF-1 through SFF-4) connected by
underlay network. Packets arrive at a Classifier and are channeled tunnels across the underlay network. Packets arrive at a classifier
along SFPs to destinations reachable through SFF-4. and are channeled along SFPs to destinations reachable through SFF-4.
SFF-1 and SFF-4 each have one instance of one SF attached (SFa and SFF-1 and SFF-4 each have one instance of one SF attached (SFa and
SFe). SFF-2 has two types of SF attached: there is one instance of SFe). SFF-2 has two types of SF attached: one instance of one (SFc)
one (SFc), and three instances of the other (SFb). SFF-3 has just and three instances of the other (SFb). SFF-3 has just one instance
one instance of an SF (SFd), but it in this case the type of SFd is of an SF (SFd), but in this case, the type of SFd is the same type as
the same type as SFb (SFTx). SFb (SFTx).
This figure demonstrates how load balancing can be achieved by This figure demonstrates how load balancing can be achieved by
creating several SFPs that satisfy the same SFC. Suppose an SFC creating several SFPs that satisfy the same SFC. Suppose an SFC
needs to include SFa, an SF of type SFTx, and SFc. A number of SFPs needs to include SFa, an SF of type SFTx, and SFc. A number of SFPs
can be constructed using any instance of SFb or using SFd. Load can be constructed using any instance of SFb or using SFd. Load
balancing may be applied at two places: balancing may be applied at two places:
o The Classifier may distribute different flows onto different SFPs * The classifier may distribute different flows onto different SFPs
to share the load in the network and across SFIs. to share the load in the network and across SFIs.
o SFF-2 may distribute different flows (on the same SFP) to * SFF-2 may distribute different flows (on the same SFP) to
different instances of SFb to share the processing load. different instances of SFb to share the processing load.
Note that, for convenience and clarity, Figure 1 shows only a few Note that, for convenience and clarity, Figure 1 shows only a few
tunnels between SFFs. There could be a full mesh of such tunnels, or tunnels between SFFs. There could be a full mesh of such tunnels, or
more likely, a selection of tunnels connecting key SFFs to enable the more likely, a selection of tunnels connecting key SFFs to enable the
construction of SFPs and to balance load and traffic in the network. construction of SFPs and balance load and traffic in the network.
Further, the figure does not show any controllers: these would each Further, the figure does not show any controllers; these would each
have BGP connectivity to the Classifier and all of the SFFs. have BGP connectivity to the classifier and all of the SFFs.
Packets Packets
| | | | | |
------------ ------------
| | | |
| Classifier | | Classifier |
| | | |
------+----- ------+-----
| |
---+--- --------- ------- ---+--- --------- -------
| | Tunnel | | | | | | Tunnel | | | |
| SFF-1 |===============| SFF-2 |=========| SFF-4 | | SFF-1 |===============| SFF-2 |=========| SFF-4 |
skipping to change at page 11, line 50 skipping to change at line 509
| |======| SFF-3 |====================| | | |======| SFF-3 |====================| |
---+--- | | ---+--- ---+--- | | ---+---
| ------- | | ------- |
....|.... ....|.... ....|.... ....|....
: | SFa: : | SFe: : | SFa: : | SFe:
: --+-- : : --+-- : : --+-- : : --+-- :
: | SFI | : : | SFI | : : | SFI | : : | SFI | :
: ----- : : ----- : : ----- : : ----- :
......... ......... ......... .........
Figure 1: The SFC Architecture Reference Model Figure 1: The Service Function Chaining Architecture Reference Model
As previously noted, [RFC8300] makes it clear that the mechanisms it As previously noted, [RFC8300] makes it clear that the mechanisms it
defines are intended for use within a single provider's operational defines are intended for use within a single provider's operational
domain. This reduces the requirements on the control plane function. domain. This reduces the requirements on the control plane function.
[RFC7665] sets out the functions provided by a control plane for an Section 5.2 of [RFC7665] sets out the functions provided by a control
SFC network in Section 5.2. The functions are broken down into six plane for a service function chaining network. The functions are
items the first four of which are completely covered by the broken down into six items, the first four of which are completely
mechanisms described in this document: covered by the mechanisms described in this document:
1. Visibility of all SFs and the SFFs through which they are 1. Visibility of all SFs and the SFFs through which they are
reached. reached.
2. Computation of SFPs and programming into the network. 2. Computation of SFPs and programming into the network.
3. Selection of SFIs explicitly in the SFP or dynamically within the 3. Selection of SFIs explicitly in the SFP or dynamically within the
network. network.
4. Programming of SFFs with forwarding path information. 4. Programming of SFFs with forwarding path information.
The fifth and six items in the list in RFC 7665 concern the use of The fifth and sixth items in the list in RFC 7665 concern the use of
metadata. These are more peripheral to the control plane mechanisms metadata. These are more peripheral to the control plane mechanisms
defined in this document, but are discussed in Section 4.4. defined in this document but are discussed in Section 4.4.
3. BGP SFC Routes 3. BGP SFC Routes
This document defines a new AFI/SAFI for BGP, known as "SFC", with an This document defines a new AFI/SAFI for BGP, known as "SFC", with an
NLRI that is described in this section. NLRI that is described in this section.
The format of the SFC NLRI is shown in Figure 2. The format of the SFC NLRI is shown in Figure 2.
+---------------------------------------+ +---------------------------------------+
| Route Type (2 octets) | | Route Type (2 octets) |
+---------------------------------------+ +---------------------------------------+
| Length (2 octets) | | Length (2 octets) |
+---------------------------------------+ +---------------------------------------+
| Route Type specific (variable) | | Route Type specific (variable) |
+---------------------------------------+ +---------------------------------------+
Figure 2: The Format of the SFC NLRI Figure 2: The Format of the SFC NLRI
The Route Type field determines the encoding of the rest of the route The "Route Type" field determines the encoding of the rest of the
type specific SFC NLRI. Route Type specific SFC NLRI.
The Length field indicates the length in octets of the route type The "Length" field indicates the length, in octets, of the "Route
specific field of the SFC NLRI. Type specific" field of the SFC NLRI.
This document defines the following Route Types: This document defines the following Route Types:
1. Service Function Instance Route (SFIR) 1. Service Function Instance Route (SFIR)
2. Service Function Path Route (SFPR) 2. Service Function Path Route (SFPR)
A Service Function Instance Route (SFIR) is used to identify an SFI. An SFIR is used to identify an SFI. An SFPR defines a sequence of
A Service Function Path Route (SFPR) defines a sequence of Service SFs (each of which has at least one instance advertised in an SFIR)
Functions (each of which has at least one instance advertised in an that form an SFP.
SFIR) that form an SFP.
The detailed encoding and procedures for these Route Types are The detailed encoding and procedures for these Route Types are
described in subsequent sections. described in subsequent sections.
The SFC NLRI is carried in BGP [RFC4271] using BGP Multiprotocol The SFC NLRI is carried in BGP [RFC4271] using BGP Multiprotocol
Extensions [RFC4760] with an Address Family Identifier (AFI) of TBD1 Extensions [RFC4760] with an Address Family Identifier (AFI) of 31
and a Subsequent Address Family Identifier (SAFI) of TBD2. The NLRI and a Subsequent Address Family Identifier (SAFI) of 9. The "NLRI"
field in the MP_REACH_NLRI/MP_UNREACH_NLRI attribute contains the SFC field in the MP_REACH_NLRI/MP_UNREACH_NLRI attribute contains the SFC
NLRI, encoded as specified above. NLRI, encoded as specified above.
In order for two BGP speakers to exchange SFC NLRIs, they MUST use In order for two BGP speakers to exchange SFC NLRIs, they MUST use
BGP Capabilities Advertisements to ensure that they both are capable BGP capabilities advertisements to ensure that they both are capable
of properly processing such NLRIs. This is done as specified in of properly processing such NLRIs. This is done as specified in
[RFC4760], by using capability code 1 (Multiprotocol BGP) with an AFI [RFC4760], by using capability code 1 (Multiprotocol BGP) with an AFI
of TBD1 and a SAFI of TBD2. of 31 and a SAFI of 9.
The nexthop field of the MP_REACH_NLRI attribute of the SFC NLRI MUST The "nexthop" field of the MP_REACH_NLRI attribute of the SFC NLRI
be set to a loopback address of the advertising SFF. MUST be set to a loopback address of the advertising SFF.
3.1. Service Function Instance Route (SFIR) 3.1. Service Function Instance Route (SFIR)
Figure 3 shows the Route Type specific NLRI of the SFIR. Figure 3 shows the Route Type specific NLRI of the SFIR.
+--------------------------------------------+ +--------------------------------------------+
| Route Distinguisher (RD) (8 octets) | | Route Distinguisher (RD) (8 octets) |
+--------------------------------------------+ +--------------------------------------------+
| Service Function Type (2 octets) | | Service Function Type (2 octets) |
+--------------------------------------------+ +--------------------------------------------+
Figure 3: SFIR Route Type specific NLRI Figure 3: SFIR Route Type Specific NLRI
[RFC4364] defines a Route Distinguisher (RD) to consist of a two byte [RFC4364] defines a Route Distinguisher (RD) as consisting of a two-
Type field and a six byte Value field and it defines RD types 0, 1, byte "Type" field and a six-byte "Value" field, and it defines RD
and 2. In this specification, the RD (used for the SFIR) MUST be of types 0, 1, and 2. In this specification, the RD (used for the SFIR)
type 0, 1, or 2. MUST be of type 0, 1, or 2.
If two SFIRs are originated from different administrative domains If two SFIRs are originated from different administrative domains
(within the same provier's operational domain), they MUST have (within the same provider's operational domain), they MUST have
different RDs. In particular, SFIRs from different VPNs (for different RDs. In particular, SFIRs from different VPNs (for
different service function overlay networks) MUST have different RDs, different service function overlay networks) MUST have different RDs,
and those RDs MUST be different from any non-VPN SFIRs. and those RDs MUST be different from any non-VPN SFIRs.
The Service Function Type identifies the functions/features a service The SFT identifies the functions/features an SF can offer, e.g.,
function can offer, e.g., Classifier, firewall, load balancer. There classifier, firewall, load balancer. There may be several SFIs that
may be several SFIs that can perform a given Service Function. Each can perform a given service function. Each node hosting an SFI MUST
node hosting an SFI MUST originate an SFIR for each type of SF that originate an SFIR for each type of SF that it hosts (as indicated by
it hosts (as indicated by the SFT value), and it MAY advertise an the SFT value), and it MAY advertise an SFIR for each instance of
SFIR for each instance of each type of SF. The minimal advertisement each type of SF. A minimal advertisement allows construction of
allows construction of valid SFPs and leaves the selection of SFIs to valid SFPs and leaves the selection of SFIs to the local SFF; a
the local SFF; the detailed advertisement may have scaling concerns, detailed advertisement may have scaling concerns but allows a
but allows a Controller that constructs an SFP to make an explicit controller that constructs an SFP to make an explicit choice of SFI.
choice of SFI.
Note that a node may advertise all its SFIs of one SFT in one shot Note that a node may advertise all its SFIs of one SFT in one shot
using normal BGP Update packing. That is, all of the SFIRs in an using normal BGP UPDATE packing. That is, all of the SFIRs in an
Update share a common Tunnel Encapsulation and Route Target (RT) Update share a common Tunnel Encapsulation and Route Target (RT)
attribute. See also Section 3.2.1. attribute. See also Section 3.2.1.
The SFIR representing a given SFI will contain an NLRI with RD field The SFIR representing a given SFI will contain an NLRI with "RD"
set to an RD as specified above, and with SFT field set to identify field set to an RD as specified above, and with the "SFT" field set
that SFI's Service Function Type. The values for the SFT field are to identify that SFI's SFT. The values for the "SFT" field are taken
taken from a registry administered by IANA (see Section 10). A BGP from a registry administered by IANA (see Section 10). A BGP UPDATE
Update containing one or more SFIRs MUST also include a Tunnel containing one or more SFIRs MUST also include a tunnel encapsulation
Encapsulation attribute [I-D.ietf-idr-tunnel-encaps]. If a data attribute [RFC9012]. If a data packet needs to be sent to an SFI
packet needs to be sent to an SFI identified in one of the SFIRs, it identified in one of the SFIRs, it will be encapsulated as specified
will be encapsulated as specified by the Tunnel Encapsulation by the tunnel encapsulation attribute and then transmitted through
attribute, and then transmitted through the underlay network. the underlay network.
Note that the Tunnel Encapsulation attribute MUST contain sufficient Note that the tunnel encapsulation attribute MUST contain sufficient
information to allow the advertising SFF to identify the overlay or information to allow the advertising SFF to identify the overlay or
VPN network which a received packet is transiting. This is because VPN network that a received packet is transiting. This is because
the [SPI, SI] in a received packet is specific to a particular the [SPI, SI] in a received packet is specific to a particular
overlay or VPN network. overlay or VPN network.
3.1.1. SFIR Pool Identifier Extended Community 3.1.1. SFIR Pool Identifier Extended Community
This document defines a new transitive extended community [RFC4360] This document defines a new transitive Extended Community [RFC4360]
of type TBD6 called the SFC extended community. When used with Sub- of type 0x0b called the "SFC Extended Community". When used with
Type 1, this is called the SFIR Pool Identifier extended community. Sub-Type 1, this is called the "SFIR Pool Identifier extended
It MAY be included in SFIR advertisements, and is used to indicate community". It MAY be included in SFIR advertisements, and it is
the identity of a pool of SFIRs to which an SFIR belongs. Since an used to indicate the identity of a pool of SFIRs to which an SFIR
SFIR may be a member of multiple pools, multiple of these extended belongs. Since an SFIR may be a member of more than one pool,
communities may be present on a single SFIR advertisement. multiple of these extended communities may be present on a single
SFIR advertisement.
SFIR pools allow SFIRs to be grouped for any purpose. Possible uses SFIR pools allow SFIRs to be grouped for any purpose. Possible uses
include control plane scalability and stability. A pool identifier include control plane scalability and stability. A pool identifier
may be included in an SFPR to indicate a set of SFIs that are may be included in an SFPR to indicate a set of SFIs that are
acceptable at a specific point on an SFP (see Section 3.2.1.3 and acceptable at a specific point on an SFP (see Sections 3.2.1.3 and
Section 4.3). 4.3).
The SFIR Pool Identifier extended community is encoded in 8 octets as The SFIR Pool Identifier Extended Community is encoded in 8 octets as
shown in Figure 4. shown in Figure 4.
+--------------------------------------------+ +--------------------------------------------+
| Type = TBD6 (1 octet) | | Type = 0x0b (1 octet) |
+--------------------------------------------+ +--------------------------------------------+
| Sub-Type = 1 (1 octet) | | Sub-Type = 1 (1 octet) |
+--------------------------------------------+ +--------------------------------------------+
| SFIR Pool Identifier Value (6 octets) | | SFIR Pool Identifier value (6 octets) |
+--------------------------------------------+ +--------------------------------------------+
Figure 4: The SFIR Pool Identifier Extended Community Figure 4: The SFIR Pool Identifier Extended Community
The SFIR Pool Identifier Value is encoded in a 6 octet field in The SFIR Pool Identifier value is encoded in a 6-octet field in
network byte order, and the value is unique within the scope of an network byte order, and the value is unique within the scope of an
overlay network. This means that pool identifiers need to be overlay network. This means that pool identifiers need to be
centrally managed, which is consistent with the assignment of SFIs to centrally managed, which is consistent with the assignment of SFIs to
pools. pools.
3.1.2. MPLS Mixed Swapping/Stacking Extended Community 3.1.2. MPLS Mixed Swapping/Stacking Extended Community
As noted in Section 3.1.1, this document defines a new transitive As noted in Section 3.1.1, this document defines a new transitive
extended community of type TBD6 called the SFC extended community. Extended Community of type 0x0b called the "SFC Extended Community".
When used with Sub-Type 2, this is called the MPLS Mixed Swapping/ When used with Sub-Type 2, this is called the "MPLS Mixed Swapping/
Stacking Labels extended community. The community is encoded as Stacking Labels Extended Community". The community is encoded as
shown in Figure 5. It contains a pair of MPLS labels: an SFC Context shown in Figure 5. It contains a pair of MPLS labels: an SFC Context
Label and an SF Label as described in [RFC8595]. Each label is 20 Label and an SF Label, as described in [RFC8595]. Each label is 20
bits encoded in a 3-octet (24 bit) field with 4 trailing bits that bits encoded in a 3-octet (24-bit) field with 4 trailing bits that
MUST be set to zero. MUST be set to zero.
+--------------------------------------------+ +--------------------------------------------+
| Type = TBD6 (1 octet) | | Type = 0x0b (1 octet) |
+--------------------------------------------| +--------------------------------------------|
| Sub-Type = 2 (1 octet) | | Sub-Type = 2 (1 octet) |
+--------------------------------------------| +--------------------------------------------|
| SFC Context Label (3 octets) | | SFC Context Label (3 octets) |
+--------------------------------------------| +--------------------------------------------|
| SF Label (3 octets) | | SF Label (3 octets) |
+--------------------------------------------+ +--------------------------------------------+
Figure 5: The MPLS Mixed Swapping/Stacking Extended Community Figure 5: The MPLS Mixed Swapping/Stacking Labels Extended Community
Note that it is assumed that each SFF has one or more globally unique Note that it is assumed that each SFF has one or more globally unique
SFC Context Labels and that the context label space and the SPI SFC Context Labels and that the context-label space and the SPI-
address space are disjoint (i.e., a label value cannot be used both address space are disjoint. In other words, a label value cannot be
to indicate an SFC context and an SPI, and it can be determined from used to indicate both an SFC context and an SPI, and it can be
knowledge of the label spaces whether a label indicates an SFC determined from knowledge of the label spaces whether a label
context or an SPI). indicates an SFC context or an SPI.
If an SFF supports SFP Traversal with an MPLS Label Stack it MUST If an SFF supports SFP Traversal with an MPLS Label Stack, it MUST
include this extended community with the SFIRs that it advertises. include this Extended Community with the SFIRs that it advertises.
See Section 7.6 for a description of how this extended community is See Section 7.6 for a description of how this Extended Community is
used. used.
3.2. Service Function Path Route (SFPR) 3.2. Service Function Path Route (SFPR)
Figure 6 shows the Route Type specific NLRI of the SFPR. Figure 6 shows the Route Type specific NLRI of the SFPR.
+-----------------------------------------------+ +-----------------------------------------------+
| Route Distinguisher (RD) (8 octets) | | Route Distinguisher (RD) (8 octets) |
+-----------------------------------------------+ +-----------------------------------------------+
| Service Path Identifier (SPI) (3 octets) | | Service Path Identifier (SPI) (3 octets) |
+-----------------------------------------------+ +-----------------------------------------------+
Figure 6: SFPR Route Type Specific NLRI Figure 6: SFPR Route Type Specific NLRI
[RFC4364] defines a Route Distinguisher (RD) to consist of a two byte [RFC4364] defines a Route Distinguisher (RD) as consisting of a two-
Type field and a six byte Value field and it defines RD types 0, 1, byte "Type" field and a six-byte "Value" field, and it defines RD
and 2. In this specification, the RD (used for the SFPR) MUST be of types 0, 1, and 2. In this specification, the RD (used for the SFPR)
type 0, 1, or 2. MUST be of type 0, 1, or 2.
All SFPs MUST be associated with an RD. The association of an SFP All SFPs MUST be associated with an RD. The association of an SFP
with an RD is determined by provisioning. If two SFPRs are with an RD is determined by provisioning. If two SFPRs are
originated from different Controllers they MUST have different RDs. originated from different controllers, they MUST have different RDs.
Additionally, SFPRs from different VPNs (i.e., in different service Additionally, SFPRs from different VPNs (i.e., in different service
function overlay networks) MUST have different RDs, and those RDs function overlay networks) MUST have different RDs, and those RDs
MUST be different from any non-VPN SFPRs. MUST be different from any non-VPN SFPRs.
The Service Path Identifier is defined in [RFC8300] and is the value The Service path identifier is defined in [RFC8300] and is the value
to be placed in the Service Path Identifier field of the NSH header to be placed in the "Service Path Identifier" field of the NSH of any
of any packet sent on this Service Function Path. It is expected packet sent on this SFP. It is expected that one or more controllers
that one or more Controllers will originate these routes in order to will originate these routes in order to configure a service function
configure a service function overlay network. overlay network.
The SFP is described in a new BGP Path attribute, the SFP attribute. The SFP is described in a new BGP Path attribute, the SFP attribute.
Section 3.2.1 shows the format of that attribute. Section 3.2.1 shows the format of that attribute.
3.2.1. The SFP Attribute 3.2.1. The SFP Attribute
[RFC4271] defines BGP Path attributes. This document introduces a [RFC4271] defines BGP Path attributes. This document introduces a
new Optional Transitive Path attribute called the SFP attribute with new Optional Transitive Path attribute called the "SFP attribute",
value TBD3 to be assigned by IANA. The first SFP attribute MUST be with value 37. The first SFP attribute MUST be processed, and
processed and subsequent instances MUST be ignored. subsequent instances MUST be ignored.
The common fields of the SFP attribute are set as follows: The common fields of the SFP attribute are set as follows:
o Optional bit is set to 1 to indicate that this is an optional * The Optional bit is set to 1 to indicate that this is an optional
attribute. attribute.
o The Transitive bit is set to 1 to indicate that this is a * The Transitive bit is set to 1 to indicate that this is a
transitive attribute. transitive attribute.
o The Extended Length bit is set if the length of the SFP attribute * The Extended Length bit is set if the length of the SFP attribute
is encoded in one octet (set to 0) or two octets (set to 1) as is encoded in one octet (set to 0) or two octets (set to 1), as
described in [RFC4271]. described in [RFC4271].
o The Attribute Type Code is set to TBD3. * The Attribute Type Code is set to 37.
The content of the SFP attribute is a series of Type-Length-Value The content of the SFP attribute is a series of Type-Length-Value
(TLV) constructs. Some TLVs may include sub-TLVs. All TLVs and sub- (TLV) constructs. Some TLVs may include Sub-TLVs. All TLVs and Sub-
TLVs have a common format that is: TLVs have a common format:
o Type: A single octet indicating the type of the SFP attribute TLV. Type: A single octet indicating the type of the SFP attribute TLV.
Values are taken from the registry described in Section 10.3. Values are taken from the registry described in Section 10.3.
o Length: A two octet field indicating the length of the data Length: A two-octet field indicating the length of the data
following the Length field counted in octets. following the "Length" field, counted in octets.
o Value: The contents of the TLV. Value: The contents of the TLV.
The formats of the TLVs defined in this document are shown in the The formats of the TLVs defined in this document are shown in the
following sections. The presence rules and meanings are as follows. following sections. The presence rules and meanings are as follows.
o The SFP attribute contains a sequence of zero or more Association * The SFP attribute contains a sequence of zero or more Association
TLVs. That is, the Association TLV is OPTIONAL. Each Association TLVs. That is, the Association TLV is OPTIONAL. Each Association
TLV provides an association between this SFPR and another SFPR. TLV provides an association between this SFPR and another SFPR.
Each associated SFPR is indicated using the RD with which it is Each associated SFPR is indicated using the RD with which it is
advertised (we say the SFPR-RD to avoid ambiguity). advertised (we say the SFPR-RD to avoid ambiguity).
o The SFP attribute contains a sequence of one or more Hop TLVs. * The SFP attribute contains a sequence of one or more Hop TLVs.
Each Hop TLV contains all of the information about a single hop in Each Hop TLV contains all of the information about a single hop in
the SFP. the SFP.
o Each Hop TLV contains an SI value and a sequence of one or more * Each Hop TLV contains an SI value and a sequence of one or more
SFT TLVs. Each SFT TLV contains an SFI reference for each SFT TLVs. Each SFT TLV contains an SFI reference for each
instance of an SF that is allowed at this hop of the SFP for the instance of an SF that is allowed at this hop of the SFP for the
specific SFT. Each SFI is indicated using the RD with which it is specific SFT. Each SFI is indicated using the RD with which it is
advertised (we say the SFIR-RD to avoid ambiguity). advertised (we say the SFIR-RD to avoid ambiguity).
Section 6 of [RFC4271] describes the handling of malformed BGP Section 6 of [RFC4271] describes the handling of malformed BGP
attributes, or those that are in error in some way. [RFC7606] attributes, or those that are in error in some way. [RFC7606]
revises BGP error handling specifically for the UPDATE message, revises BGP error handling specifically for the UPDATE message,
provides guidelines for the authors of documents defining new provides guidelines for the authors of documents defining new
attributes, and revises the error handling procedures for a number of attributes, and revises the error-handling procedures for a number of
existing attributes. This document introduces the SFP attribute and existing attributes. This document introduces the SFP attribute and
so defines error handling as follows: so defines error handling as follows:
o When parsing a message, an unknown Attribute Type code or a length * When parsing a message, an unknown Attribute Type Code or a length
that suggests that the attribute is longer than the remaining that suggests that the attribute is longer than the remaining
message is treated as a malformed message and the "treat-as- message is treated as a malformed message, and the "treat-as-
withdraw" approach used as per [RFC7606]. withdraw" approach is used as per [RFC7606].
o When parsing a message that contains an SFP attribute, the * When parsing a message that contains an SFP attribute, the
following cases constitute errors: following cases constitute errors:
1. Optional bit is set to 0 in SFP attribute. 1. Optional bit is set to 0 in the SFP attribute.
2. Transitive bit is set to 0 in SFP attribute. 2. Transitive bit is set to 0 in the SFP attribute.
3. Unknown TLV type field found in SFP attribute. 3. Unknown "TLV Type" field found in the SFP attribute.
4. TLV length that suggests the TLV extends beyond the end of the 4. TLV length that suggests the TLV extends beyond the end of the
SFP attribute. SFP attribute.
5. Association TLV contains an unknown SFPR-RD. 5. Association TLV contains an unknown SFPR-RD.
6. No Hop TLV found in the SFP attribute. 6. No Hop TLV found in the SFP attribute.
7. No sub-TLV found in a Hop TLV. 7. No Sub-TLV found in a Hop TLV.
8. Unknown SFIR-RD found in an SFT TLV. 8. Unknown SFIR-RD found in an SFT TLV.
o The errors listed above are treated as follows: * The errors listed above are treated as follows:
1., 2., 4., 6., 7.: The attribute MUST be treated as malformed 1, 2, 4, 6, 7: The attribute MUST be treated as malformed and the
and the "treat-as-withdraw" approach used as per [RFC7606]. "treat-as-withdraw" approach used as per [RFC7606].
3.: Unknown TLVs MUST be ignored, and message processing MUST 3: Unknown TLVs MUST be ignored, and message processing MUST
continue. continue.
5., 8.: The absence of an RD with which to correlate is nothing 5, 8: The absence of an RD with which to correlate is nothing
more than a soft error. The receiver SHOULD store the more than a soft error. The receiver SHOULD store the
information from the SFP attribute until a corresponding information from the SFP attribute until a corresponding
advertisement is received. advertisement is received.
3.2.1.1. The Association TLV 3.2.1.1. The Association TLV
The Association TLV is an optional TLV in the SFP attribute. It MAY The Association TLV is an optional TLV in the SFP attribute. It MAY
be present multiple times. Each occurrence provides an association be present multiple times. Each occurrence provides an association
with another SFP as advertised in another SFPR. The format of the with another SFP as advertised in another SFPR. The format of the
Association TLV is shown in Figure 7 Association TLV is shown in Figure 7.
+--------------------------------------------+ +--------------------------------------------+
| Type = 1 (1 octet) | | Type = 1 (1 octet) |
+--------------------------------------------| +--------------------------------------------|
| Length (2 octets) | | Length (2 octets) |
+--------------------------------------------| +--------------------------------------------|
| Association Type (1 octet) | | Association Type (1 octet) |
+--------------------------------------------| +--------------------------------------------|
| Associated SFPR-RD (8 octets) | | Associated SFPR-RD (8 octets) |
+--------------------------------------------| +--------------------------------------------|
| Associated SPI (3 octets) | | Associated SPI (3 octets) |
+--------------------------------------------+ +--------------------------------------------+
Figure 7: The Format of the Association TLV Figure 7: The Format of the Association TLV
The fields are as follows: The fields are as follows:
Type is set to 1 to indicate an Association TLV. * "Type" is set to 1 to indicate an Association TLV.
Length indicates the length in octets of the Association Type and * "Length" indicates the length in octets of the "Association Type"
Associated SFPR-RD fields. The value of the Length field is 12. and "Associated SFPR-RD" fields. The value of the "Length" field
is 12.
The Association Type field indicate the type of association. The * The "Association Type" field indicates the type of association.
values are tracked in an IANA registry (see Section 10.4). Only The values are tracked in an IANA registry (see Section 10.4).
one value is defined in this document: type 1 indicates Only one value is defined in this document: Type 1 indicates
association of two unidirectional SFPs to form a bidirectional association of two unidirectional SFPs to form a bidirectional
SFP. An SFP attribute SHOULD NOT contain more than one SFP. An SFP attribute SHOULD NOT contain more than one
Association TLV with Association Type 1: if more than one is Association TLV with Association Type 1; if more than one is
present, the first one MUST be processed and subsequent instances present, the first one MUST be processed, and subsequent instances
MUST be ignored. Note that documents that define new Association MUST be ignored. Note that documents that define new association
Types must also define the presence rules for Association TLVs of types must also define the presence rules for Association TLVs of
the new type. the new type.
The Associated SFPR-RD contains the RD of the associated SFP as * The Associated SFPR-RD contains the RD of the associated SFP as
advertised in an SFPR. advertised in an SFPR.
The Associated SPI contains the SPI of the associated SFP as * The Associated SPI contains the SPI of the associated SFP as
advertised in an SFPR. advertised in an SFPR.
Association TLVs with unknown Association Type values SHOULD be Association TLVs with unknown Association Type values SHOULD be
ignored. Association TLVs that contain an Associated SFPR-RD value ignored. Association TLVs that contain an Associated SFPR-RD value
equal to the RD of the SFPR in which they are contained SHOULD be equal to the RD of the SFPR in which they are contained SHOULD be
ignored. If the Associated SPI is not equal to the SPI advertised in ignored. If the Associated SPI is not equal to the SPI advertised in
the SFPR indicated by the Associated SFPR-RD then the Association TLV the SFPR indicated by the Associated SFPR-RD, then the Association
SHOULD be ignored. In all three of these cases an implementation MAY TLV SHOULD be ignored. In all three of these cases, an
reject the SFP attribute as malformed and use the "treat-as-withdraw" implementation MAY reject the SFP attribute as malformed and use the
approach per [RFC7606], however implementers are cautioned that such "treat-as-withdraw" approach per [RFC7606]; however, implementors are
an approach may make an implementation less flexible in the event of cautioned that such an approach may make an implementation less
future extensions to this protocol. flexible in the event of future extensions to this protocol.
Note that when two SFPRs reference each other using the Association Note that when two SFPRs reference each other using the Association
TLV, one SFPR advertisement will be received before the other. TLV, one SFPR advertisement will be received before the other.
Therefore, processing of an association MUST NOT be rejected simply Therefore, processing of an association MUST NOT be rejected simply
because the Associated SFPR-RD is unknown. because the Associated SFPR-RD is unknown.
Further discussion of correlation of SFPRs is provided in Further discussion of correlation of SFPRs is provided in
Section 7.1. Section 7.1.
3.2.1.2. The Hop TLV 3.2.1.2. The Hop TLV
skipping to change at page 21, line 19 skipping to change at line 927
+--------------------------------------------| +--------------------------------------------|
| Service Index (1 octet) | | Service Index (1 octet) |
+--------------------------------------------| +--------------------------------------------|
| Hop Details (variable) | | Hop Details (variable) |
+--------------------------------------------+ +--------------------------------------------+
Figure 8: The Format of the Hop TLV Figure 8: The Format of the Hop TLV
The fields are as follows: The fields are as follows:
Type is set to 2 to indicate a Hop TLV. * "Type" is set to 2 to indicate a Hop TLV.
Length indicates the length in octets of the Service Index and Hop * "Length" indicates the length, in octets, of the "Service Index"
Details fields. and "Hop Details" fields.
The Service Index is defined in [RFC8300] and is the value found * The Service Index is defined in [RFC8300] and is the value found
in the Service Index field of the NSH header that an SFF will use in the "Service Index" field of the NSH that an SFF will use to
to lookup to which next SFI a packet is to be sent. look up to which next SFI a packet is to be sent.
The Hop Details field consists of a sequence of one or more sub- * The "Hop Details" field consists of a sequence of one or more Sub-
TLVs. TLVs.
Each hop of the SFP may demand that a specific type of SF is Each hop of the SFP may demand that a specific type of SF is
executed, and that type is indicated in sub-TLVs of the Hop TLV. At executed, and that type is indicated in Sub-TLVs of the Hop TLV. At
least one sub-TLV MUST be present. This document defines the SFT least one Sub-TLV MUST be present. This document defines the SFT
Sub-TLV (see Section 3.2.1.3 and the MPLS Swapping/Stacking Sub-TLV Sub-TLV (see Section 3.2.1.3) and the MPLS Swapping/Stacking Sub-TLV
(see Section Section 3.2.1.4: other sub-TLVs may be defined in (see Section 3.2.1.4); other Sub-TLVs may be defined in future. The
future. This provides a list of which types of SF are acceptable at SFT Sub-TLV provides a list of which types of SF are acceptable at a
a specific hop, and for each type it allows a degree of control to be specific hop, and for each type it allows a degree of control to be
imposed on the choice of SFIs of that particular type. imposed on the choice of SFIs of that particular type. The MPLS
Swapping/Stacking Sub-TLV indicates the type of SFC encoding to use
in an MPLS label stack.
If no Hop TLV is present in an SFP Attribute, it is a malformed If no Hop TLV is present in an SFP attribute, it is a malformed
attribute attribute.
3.2.1.3. The SFT Sub-TLV 3.2.1.3. The SFT Sub-TLV
The SFT Sub-TLV MAY be included in the list of sub-TLVs of the Hop The SFT Sub-TLV MAY be included in the list of Sub-TLVs of the Hop
TLV. The format of the SFT Sub-TLV is shown in Figure 9. The Sub- TLV. The format of the SFT Sub-TLV is shown in Figure 9. The Hop
TLV contains a list of SFIR-RD values each taken from the Sub-TLV contains a list of SFIR-RD values each taken from the
advertisement of an SFI. Together they form a list of acceptable advertisement of an SFI. Together they form a list of acceptable
SFIs of the indicated type. SFIs of the indicated type.
+--------------------------------------------+ +--------------------------------------------+
| Type = 3 (1 octet) | | Type = 3 (1 octet) |
+--------------------------------------------| +--------------------------------------------|
| Length (2 octets) | | Length (2 octets) |
+--------------------------------------------| +--------------------------------------------|
| Service Function Type (2 octets) | | Service Function Type (2 octets) |
+--------------------------------------------| +--------------------------------------------|
| SFIR-RD List (variable) | | SFIR-RD List (variable) |
+--------------------------------------------+ +--------------------------------------------+
Figure 9: The Format of the SFT Sub-TLV Figure 9: The Format of the SFT Sub-TLV
The fields are as follows: The fields are as follows:
Type is set to 3 to indicate an SFT Sub-TLV. * "Type" is set to 3 to indicate an SFT Sub-TLV.
Length indicates the length in octets of the Service Function Type * "Length" indicates the length, in octets, of the "Service Function
and SFIR-RD List fields. Type" and "SFIR-RD List" fields.
The Service Function Type value indicates the category (type) of * The SFT value indicates the category (type) of SF that is to be
SF that is to be executed at this hop. The types are as executed at this hop. The types are as advertised for the SFs
advertised for the SFs supported by the SFFs. SFT values in the supported by the SFFs. SFT values in the range 1-31 are special-
range 1-31 are Special Purpose SFT values and have meanings purpose SFT values and have meanings defined by the documents that
defined by the documents that describe them - the value 'Change describe them -- the value "Change Sequence" is defined in
Sequence' is defined in Section 6.1 of this document. Section 6.1 of this document.
The hop description is further qualified beyond the specification * The hop description is further qualified beyond the specification
of the SFTs by listing, for each SFT in each hop, the SFIs that of the SFTs by listing, for each SFT in each hop, the SFIs that
may be used at the hop. The SFIs are identified using the SFIR- may be used at the hop. The SFIs are identified using the SFIR-
RDs from the advertisements of the SFIs in the SFIRs. Note that RDs from the advertisements of the SFIs in the SFIRs. Note that
if the list contains one or more SFIR Pool Identifiers, then for if the list contains one or more SFIR Pool Identifiers, then for
each the SFIR-RD list is effectively expanded to include the SFIR- each, the SFIR-RD list is effectively expanded to include the
RD of each SFIR advertised with that SFIR Pool Identifier. An SFIR-RD of each SFIR advertised with that SFIR Pool Identifier.
SFIR-RD of value zero has special meaning as described in An SFIR-RD of value zero has special meaning, as described in
Section 5. Each entry in the list is eight octets long, and the Section 5. Each entry in the list is eight octets long, and the
number of entries in the list can be deduced from the value of the number of entries in the list can be deduced from the value of the
Length field. "Length" field.
Note that an SFIR-RD is of type 0, 1, or 2 (as described in * Note that an SFIR-RD is of type 0, 1, or 2 (as described in
Section 3.1. Thus the high order octet of an RD found in an SFIR- Section 3.1). Thus, the high-order octet of an RD found in an
RD List always has a value of 0x00. However, the high order octet SFIR-RD List always has a value of 0x00. However, the high-order
of an SFIR Pool Identifier (an extended community with Type field octet of an SFIR Pool Identifier (an Extended Community with
TBD6), will always have a non-zero value. This allows the node "Type" field 0x0b) will always have a nonzero value. This allows
processing the SFIR-RD List to distinguish between the two types the node processing the SFIR-RD list to distinguish between the
of list entry. two types of list entry.
3.2.1.4. MPLS Swapping/Stacking Sub-TLV 3.2.1.4. MPLS Swapping/Stacking Sub-TLV
The MPLS Swapping/Stacking Sub-TLV (Type value 4) is a zero length The MPLS Swapping/Stacking Sub-TLV (Type value 4) is a zero-length
sub-TLV that is OPTIONAL in the Hop TLV and is used when the data Sub-TLV that is OPTIONAL in the Hop TLV and is used when the data
representation is MPLS (see Section 7.5). When present it indicates representation is MPLS (see Section 7.5). When present, it indicates
to the Classifier imposing an MPLS label stack that the current hop to the classifier imposing an MPLS label stack that the current hop
is to use an {SFC Context Label, SF label} rather than an {SPI, SF} is to use an {SFC Context Label, SF label} rather than an {SPI, SF}
label pair. See Section 7.6 for more details. label pair. See Section 7.6 for more details.
3.2.1.5. SFP Traversal With MPLS Label Stack TLV 3.2.1.5. SFP Traversal With MPLS Label Stack TLV
The SFP Traversal With MPLS Label Stack TLV (Type value 5) is a zero The SFP Traversal With MPLS Label Stack TLV (Type value 5) is a zero-
length TLV that can be carried in the SFP Attribute and indicates to length TLV that can be carried in the SFP attribute and indicates to
the Classifier and the SFFs on the SFP that an MPLS label stack with the classifier and the SFFs on the SFP that an MPLS label stack with
label swapping/stacking is to be used for packets traversing the SFP. label swapping/stacking is to be used for packets traversing the SFP.
All of the SFFs specified at each of the SFP's hops MUST have All of the SFFs specified at each of the SFP's hops MUST have
advertised an MPLS Mixed Swapping/Stacking Extended Community (see advertised an MPLS Mixed Swapping/Stacking Extended Community (see
Section 3.1.2) for the SFP to be considered usable. Section 3.1.2) for the SFP to be considered usable.
3.2.2. General Rules For The SFP Attribute 3.2.2. General Rules for the SFP Attribute
It is possible for the same SFI, as described by an SFIR, to be used It is possible for the same SFI, as described by an SFIR, to be used
in multiple SFPRs. in multiple SFPRs.
When two SFPRs have the same SPI but different SFPR-RDs there can be When two SFPRs have the same SPI but different SFPR-RDs, there can be
three cases: three cases:
o Two or more Controllers are originating SFPRs for the same SFP. 1. Two or more controllers are originating SFPRs for the same SFP.
In this case the content of the SFPRs is identical and the In this case, the content of the SFPRs is identical, and the
duplication is to ensure receipt and to provide Controller duplication is to ensure receipt and provide controller
redundancy. redundancy.
o There is a transition in content of the advertised SFP and the 2. There is a transition in content of the advertised SFP, and the
advertisements may originate from one or more Controllers. In advertisements may originate from one or more controllers. In
this case the content of the SFPRs will be different. this case, the content of the SFPRs will be different.
o The reuse of an SPI may result from a configuration error. 3. The reuse of an SPI may result from a configuration error.
In all cases, there is no way for the receiving SFF to know which There is no way in any of these cases for the receiving SFF to know
SFPR to process, and the SFPRs could be received in any order. At which SFPR to process, and the SFPRs could be received in any order.
any point in time, when multiple SFPRs have the same SPI but At any point in time, when multiple SFPRs have the same SPI but
different SFPR-RDs, the SFF MUST use the SFPR with the numerically different SFPR-RDs, the SFF MUST use the SFPR with the numerically
lowest SFPR-RD when interpreting the RDs as 8-octet integers in lowest SFPR-RD when interpreting the RDs as 8-octet integers in
network byte order. The SFF SHOULD log this occurrence to assist network byte order. The SFF SHOULD log this occurrence to assist
with debugging. with debugging.
Furthermore, a Controller that wants to change the content of an SFP Furthermore, a controller that wants to change the content of an SFP
is RECOMMENDED to use a new SPI and so create a new SFP onto which is RECOMMENDED to use a new SPI and so create a new SFP onto which
the Classifiers can transition packet flows before the SFPR for the the classifiers can transition packet flows before the SFPR for the
old SFP is withdrawn. This avoids any race conditions with SFPR old SFP is withdrawn. This avoids any race conditions with SFPR
advertisements. advertisements.
Additionally, a Controller SHOULD NOT re-use an SPI after it has Additionally, a controller SHOULD NOT reuse an SPI after it has
withdrawn the SFPR that used it until at least a configurable amount withdrawn the SFPR that used it until at least a configurable amount
of time has passed. This timer SHOULD have a default of one hour. of time has passed. This timer SHOULD have a default of one hour.
4. Mode of Operation 4. Mode of Operation
This document describes the use of BGP as a control plane to create This document describes the use of BGP as a control plane to create
and manage a service function overlay network. and manage a service function overlay network.
4.1. Route Targets 4.1. Route Targets
The main feature introduced by this document is the ability to create The main feature introduced by this document is the ability to create
multiple service function overlay networks through the use of Route multiple service function overlay networks through the use of Route
Targets (RTs) [RFC4364]. Targets (RTs) [RFC4364].
Every BGP UPDATE containing an SFIR or SFPR carries one or more RTs. Every BGP UPDATE containing an SFIR or SFPR carries one or more RTs.
The RT carried by a particular SFIR or SFPR is determined by the The RT carried by a particular SFIR or SFPR is determined by the
provisioning of the route's originator. provisioning of the route's originator.
Every node in a service function overlay network is configured with Every node in a service function overlay network is configured with
one or more import RTs. Thus, each SFF will import only the SFPRs one or more import RTs. Thus, each SFF will import only the SFPRs
with matching RTs allowing the construction of multiple service with matching RTs, allowing the construction of multiple service
function overlay networks or the instantiation of Service Function function overlay networks or the instantiation of SFCs within a Layer
Chains within an Layer 3 Virtual Private Network (L3VPN) or Ethernet 3 Virtual Private Network (L3VPN) or Ethernet VPN (EVPN) instance
VPN (EVPN) instance (see Section 7.3). An SFF that has a presence in (see Section 7.3). An SFF that has a presence in multiple service
multiple service function overlay networks (i.e., imports more than function overlay networks (i.e., one that imports more than one RT)
one RT) will usually maintain separate forwarding state for each will usually maintain separate forwarding state for each overlay
overlay network. network.
4.2. Service Function Instance Routes 4.2. Service Function Instance Routes
The SFIR (see Section 3.1) is used to advertise the existence and The SFIR (see Section 3.1) is used to advertise the existence and
location of a specific Service Function Instance and consists of: location of a specific SFI; it consists of:
o The RT as just described. * The RT as just described.
o A Service Function Type (SFT) that is the type of service function * A Service Function Type (SFT) that is the type of service function
that is provided (such as "firewall"). that is provided (such as "firewall").
o A Route Distinguisher (RD) that is unique to a specific overlay. * A Route Distinguisher (RD) that is unique to a specific overlay.
4.3. Service Function Path Routes 4.3. Service Function Path Routes
The SFPR (see Section 3.2) describes a specific path of a Service The SFPR (see Section 3.2) describes a specific path of an SFC. The
Function Chain. The SFPR contains the Service Path Identifier (SPI) SFPR contains the Service Path Identifier (SPI) used to identify the
used to identify the SFP in the NSH in the data plane. It also SFP in the NSH in the data plane. It also contains a sequence of
contains a sequence of Service Indexes (SIs). Each SI identifies a Service Indexes (SIs). Each SI identifies a hop in the SFP, and each
hop in the SFP, and each hop is a choice between one of more SFIs. hop is a choice between one or more SFIs.
As described in this document, each Service Function Path Route is As described in this document, each SFP route is identified in the
identified in the service function overlay network by an RD and an service function overlay network by an RD and an SPI. The SPI is
SPI. The SPI is unique within a single VPN instance supported by the unique within a single VPN instance supported by the underlay
underlay network. network.
The SFPR advertisement comprises: The SFPR advertisement comprises:
o An RT as described in Section 4.1. * An RT as described in Section 4.1.
o A tuple that identifies the SFPR * A tuple that identifies the SFPR.
* An RD that identifies an advertisement of an SFPR. - An RD that identifies an advertisement of an SFPR.
* The SPI that uniquely identifies this path within the VPN - The SPI that uniquely identifies this path within the VPN
instance distinguished by the RD. This SPI also appears in the instance distinguished by the RD. This SPI also appears in the
NSH. NSH.
o A series of Service Indexes. Each SI is used in the context of a * A series of SIs. Each SI is used in the context of a particular
particular SPI and identifies one or more SFs (distinguished by SPI and identifies one or more SFs (distinguished by their SFTs).
their SFTs) and for each SF a set of SFIs that instantiate the SF. For each SF, it identifies a set of SFIs that instantiate the SF.
The values of the SI indicate the order in which the SFs are to be The values of the SI indicate the order in which the SFs are to be
executed in the SFP that is represented by the SPI. executed in the SFP that is represented by the SPI.
o The SI is used in the NSH to identify the entries in the SFP. * The SI is used in the NSH to identify the entries in the SFP.
Note that the SI values have meaning only relative to a specific Note that the SI values have meaning only relative to a specific
path. They have no semantic other than to indicate the order of path. They have no semantic other than to indicate the order of
Service Functions within the path and are assumed to be SFs within the path and are assumed to be monotonically decreasing
monotonically decreasing from the start to the end of the path from the start to the end of the path [RFC8300].
[RFC8300].
o Each Service Index is associated with a set of one or more Service * Each SI is associated with a set of one or more SFIs that can be
Function Instances that can be used to provide the indexed Service used to provide the indexed SF within the path. Each member of
Function within the path. Each member of the set comprises: the set comprises:
* The RD used in an SFIR advertisement of the SFI. - The RD used in an SFIR advertisement of the SFI.
* The SFT that indicates the type of function as used in the same - The SFT that indicates the type of function as used in the same
SFIR advertisement of the SFI. SFIR advertisement of the SFI.
This may be summarized as follows where the notations "SFPR-RD" and This may be summarized as follows, where the notations "SFPR-RD" and
"SFIR-RD" are used to distinguish the two different RDs, and where "SFIR-RD" are used to distinguish the two different RDs, and where
"*" indicates a multiplier: "*" indicates a multiplier:
RT, {SFPR-RD, SPI}, m * {SI, {n * {SFT, p * SFIR-RD} } } RT, {SFPR-RD, SPI}, m * {SI, {n * {SFT, p * SFIR-RD} } }
Where: Where:
RT: Route Target RT: Route Target
SFPR-RD: The Route Descriptor of the Service Function Path Route SFPR-RD: The Route Descriptor of the SFPR advertisement
advertisement
SPI: Service Path Identifier used in the NSH SPI: Service Path Identifier used in the NSH
m: The number of hops in the Service Function Path m: The number of hops in the SFP
n: The number of choices of Service Function Type for a specific n: The number of choices of SFT for a specific hop
hop
p: The number of choices of Service Function Instance for given p: The number of choices of SFI for a given SFT in a specific hop
Service Function Type in a specific hop
SI: Service Index used in the NSH to indicate a specific hop SI: Service Index used in the NSH to indicate a specific hop
SFT: The Service Function Type used in the same advertisement of SFT: The Service Function Type used in the same advertisement of the
the Service Function Instance Route SFIR
SFIR-RD: The Route Descriptor used in an advertisement of the SFIR-RD: The Route Descriptor used in an advertisement of the SFIR
Service Function Instance Route
That is, there can be multiple SFTs at a given hop as described in That is, there can be multiple SFTs at a given hop, as described in
Section 5. Section 5.
Note that the values of SI are from the set {255, ..., 1} and are Note that the values of SI are from the set {255, ..., 1} and are
monotonically decreasing within the SFP. SIs MUST appear in order monotonically decreasing within the SFP. SIs MUST appear in order
within the SFPR (i.e., monotonically decreasing) and MUST NOT appear within the SFPR (i.e., monotonically decreasing) and MUST NOT appear
more than once. Gaps MAY appear in the sequence as described in more than once. Gaps MAY appear in the sequence, as described in
Section 4.5.1. Malformed SFPRs MUST be discarded and MUST cause any Section 4.5.1. Malformed SFPRs MUST be discarded and MUST cause any
previous instance of the SFPR (same SFPR-RD and SPI) to be discarded. previous instance of the SFPR (same SFPR-RD and SPI) to be discarded.
Note that if the SFIR-RD list in an SFT TLV contains one or more SFIR Note that if the SFIR-RD list in an SFT TLV contains one or more SFIR
Pool identifiers, then in the above expression, 'p' is the sum of the Pool Identifiers, then in the above expression, "p" is the sum of the
number of individual SFIR-RD values and the sum for each SFIR Pool number of individual SFIR-RD values and the sum for each SFIR Pool
Identifier of the number of SFIRs advertised with that SFIR Pool Identifier of the number of SFIRs advertised with that SFIR Pool
Identifier. I.e., the list of SFIR-RD values is effectively expanded Identifier. In other words, the list of SFIR-RD values is
to include the SFIR-RD of each SFIR advertised with each SFIR Pool effectively expanded to include the SFIR-RD of each SFIR advertised
Identifier in the SFIR-RD list. with each SFIR Pool Identifier in the SFIR-RD list.
The choice of SFI is explained further in Section 5. Note that an The choice of SFI is explained further in Section 5. Note that an
SFIR-RD value of zero has special meaning as described in that SFIR-RD value of zero has special meaning, as described in that
Section. section.
4.4. Classifier Operation 4.4. Classifier Operation
As shown in Figure 1, the Classifier is a component that is used to As shown in Figure 1, the classifier is a component that is used to
assign packets to an SFP. assign packets to an SFP.
The Classifier is responsible for determining to which packet flow a The classifier is responsible for determining to which packet flow a
packet belongs. The mechanism it uses to achieve that classification packet belongs. The mechanism it uses to achieve that classification
is out of scope of this document, but might include inspection of the is out of the scope of this document but might include inspection of
packet header. The Classifier has been instructed (by the Controller the packet header. The classifier has been instructed (by the
or through some other configuration mechanism - see Section 7.4) controller or through some other configuration mechanism -- see
which flows are to be assigned to which SFPs, and so it can impose an Section 7.4) which flows are to be assigned to which SFPs, and so it
NSH on each packet and initialize the NSH with the SPI of the can impose an NSH on each packet and initialize the NSH with the SPI
selected SFP and the SI of its first hop. of the selected SFP and the SI of its first hop.
Note that instructions delivered to the Classifier may include Note that instructions delivered to the classifier may include
information about the metadata to encode (and the format for that information about the metadata to encode (and the format for that
encoding) on packets that are classified by the Classifier to a encoding) on packets that are classified by the classifier to a
particular SFP. As mentioned in Section 2.2, this corresponds to the particular SFP. As mentioned in Section 2.2, this corresponds to the
fifth element of control plane functionality described in [RFC7665]. fifth element of control plane functionality described in [RFC7665].
Such instructions fall outside the scope of this specification Such instructions fall outside the scope of this specification (but
(although, see Section 7.4), as do instructions to other SFC elements see Section 7.4), as do instructions to other service function
on how to interpret metadata (as described in the sixth element of chaining elements on how to interpret metadata (as described in the
control plane functionality described in [RFC7665]. sixth element of control plane functionality described in [RFC7665]).
4.5. Service Function Forwarder Operation 4.5. Service Function Forwarder Operation
Each packet sent to an SFF is transmitted encapsulated in an NSH. Each packet sent to an SFF is transmitted encapsulated in an NSH.
The NSH includes an SPI and SI: the SPI indicates the SFPR The NSH includes an SPI and SI: the SPI indicates the SFPR
advertisement that announced the Service Function Path; the tuple advertisement that announced the SFP; the tuple SPI/SI indicates a
SPI/SI indicates a specific hop in a specific path and maps to the specific hop in a specific path and maps to the RD/SFT of a
RD/SFT of a particular SFIR advertisement. particular SFIR advertisement.
When an SFF gets an SFPR advertisement it will first determine When an SFF gets an SFPR advertisement, it will first determine
whether to import the route by examining the RT. If the SFPR is whether to import the route by examining the RT. If the SFPR is
imported the SFF then determines whether it is on the SFP by looking imported, the SFF then determines whether it is on the SFP by looking
for its own SFIR-RDs or any SFIR-RD with value zero in the SFPR. For for its own SFIR-RDs or any SFIR-RD with value zero in the SFPR. For
each occurrence in the SFP, the SFF creates forwarding state for each occurrence in the SFP, the SFF creates forwarding state for
incoming packets and forwarding state for outgoing packets that have incoming packets and forwarding state for outgoing packets that have
been processed by the specified SFI. been processed by the specified SFI.
The SFF creates local forwarding state for packets that it receives The SFF creates local forwarding state for packets that it receives
from other SFFs. This state makes the association between the SPI/SI from other SFFs. This state makes the association between the SPI/SI
in the NSH of the received packet and one or more specific local SFIs in the NSH of the received packet and one or more specific local
as identified by the SFIR-RD/SFT. If there are multiple local SFIs SFIs, as identified by the SFIR-RD/SFT. If there are multiple local
that match this is because a single advertisement was made for a set SFIs that match, this is because a single advertisement was made for
of equivalent SFIs and the SFF may use local policy (such as load a set of equivalent SFIs, and the SFF may use local policy (such as
balancing) to determine to which SFI to forward a received packet. load balancing) to determine to which SFI to forward a received
packet.
The SFF also creates next hop forwarding state for packets received The SFF also creates next-hop forwarding state for packets received
back from the local SFI that need to be forwarded to the next hop in back from the local SFI that need to be forwarded to the next hop in
the SFP. There may be a choice of next hops as described in the SFP. There may be a choice of next hops, as described in
Section 4.3. The SFF could install forwarding state for all Section 4.3. The SFF could install forwarding state for all
potential next hops, or it could choose to only install forwarding potential next hops or it could choose to only install forwarding
state to a subset of the potential next hops. If a choice is made state for a subset of the potential next hops. If a choice is made,
then it will be as described in Section 5. then it will be as described in Section 5.
The installed forwarding state may change over time reacting to The installed forwarding state may change over time, reacting to
changes in the underlay network and the availability of particular changes in the underlay network and the availability of particular
SFIs. Note that the forwarding state describes how one SFF send SFIs. Note that the forwarding state describes how one SFF sends
packets to another SFF, but not how those packets are routed through packets to another SFF, but not how those packets are routed through
the underlay network. SFFs may be connected by tunnels across the the underlay network. SFFs may be connected by tunnels across the
underlay, or packets may be sent addressed to the next SFF and routed underlay, or packets may be sent addressed to the next SFF and routed
through the underlay. In any case, transmission across the underlay through the underlay. In any case, transmission across the underlay
requires encapsulation of packets with a header for transport in the requires encapsulation of packets with a header for transport in the
underlay network. underlay network.
Note that SFFs only create and store forwarding state for the SFPs on Note that SFFs only create and store forwarding state for the SFPs on
which they are included. They do not retain state for all SFPs which they are included. They do not retain state for all SFPs
advertised. advertised.
An SFF may also install forwarding state to support looping, jumping, An SFF may also install forwarding state to support looping, jumping,
and branching. The protocol mechanism for explicit control of and branching. The protocol mechanism for explicit control of
looping, jumping, and branching uses a specific reserved SFT value at looping, jumping, and branching uses a specific reserved SFT value at
a given hop of an SFPR and is described in Section 6.1. a given hop of an SFPR and is described in Section 6.1.
4.5.1. Processing With 'Gaps' in the SI Sequence 4.5.1. Processing with "Gaps" in the SI Sequence
The behavior of an SF as described in [RFC8300] is to decrement the The behavior of an SF, as described in [RFC8300], is to decrement the
value of the SI field in the NSH by one before returning a packet to value of the "SI" field in the NSH by one before returning a packet
the local SFF for further processing. This means that there is a to the local SFF for further processing. This means that there is a
good reason to assume that the SFP is composed of a series of SFs good reason to assume that the SFP is composed of a series of SFs,
each indicated by an SI value one less than the previous. each indicated by an SI value one less than the previous.
However, there is an advantage to having non-successive SIs in an However, there is an advantage to having nonsuccessive SIs in an SPI.
SPI. Consider the case where an SPI needs to be modified by the Consider the case where an SPI needs to be modified by the insertion
insertion or removal of an SF. In the latter case this would lead to or removal of an SF. In the latter case, this would lead to a "gap"
a "gap" in the sequence of SIs, and in the former case, this could in the sequence of SIs, and in the former case, this could only be
only be achieved if a gap already existed into which the new SF with achieved if a gap already existed into which the new SF with its new
its new SI value could be inserted. Otherwise, all "downstream" SFs SI value could be inserted. Otherwise, all "downstream" SFs would
would need to be renumbered. need to be renumbered.
Now, of course, such renumbering could be performed, but would lead Now, of course, such renumbering could be performed, but it would
to a significant disruption to the SFC as all the SFFs along the SFP lead to a significant disruption to the SFC as all the SFFs along the
were "reprogrammed". Thus, to achieve dynamic modification of an SFP SFP were "reprogrammed". Thus, to achieve dynamic modification of an
(and even, in-service modification) it is desirable to be able to SFP (and even in-service modification), it is desirable to be able to
make these modifications without changing the SIs of the elements make these modifications without changing the SIs of the elements
that were present before the modification. This will produce much that were present before the modification. This will produce much
more consistent/predictable behavior during the convergence period more consistent/predictable behavior during the convergence period,
where otherwise the change would need to be fully propagated. where otherwise the change would need to be fully propagated.
Another approach says that any change to an SFP simply creates a new Another approach says that any change to an SFP simply creates a new
SFP that can be assigned a new SPI. All that would be needed would SFP that can be assigned a new SPI. All that would be needed would
be to give a new instruction to the Classifier and traffic would be be to give a new instruction to the classifier, and traffic would be
switched to the new SFP that contains the new set of SFs. This switched to the new SFP that contains the new set of SFs. This
approach is practical, but neglects to consider that the SFP may be approach is practical but neglects to consider that the SFP may be
referenced by other SFPs (through "branch" instructions) and used by referenced by other SFPs (through "branch" instructions) and used by
many Classifiers. In those cases the corresponding configuration many classifiers. In those cases, the corresponding configuration
resulting from a change in SPI may have wide ripples and give scope resulting from a change in SPI may have wide ripples and create scope
for errors that are hard to trace. for errors that are hard to trace.
Therefore, while this document requires that the SI values in an SFP Therefore, while this document requires that the SI values in an SFP
are monotonic decreasing, it makes no assumption that the SI values are monotonically decreasing, it makes no assumption that the SI
are sequential. Configuration tools may apply that rule, but they values are sequential. Configuration tools may apply that rule, but
are not required to. To support this, an SFF SHOULD process as they are not required to. To support this, an SFF SHOULD process as
follows when it receives a packet: follows when it receives a packet:
o If the SI indicates a known entry in the SFP, the SFF MUST process * If the SI indicates a known entry in the SFP, the SFF MUST process
the packet as normal, looking up the SI and determining to which the packet as normal, looking up the SI and determining to which
local SFI to deliver the packet. local SFI to deliver the packet.
o If the SI does not match an entry in the SFP, the SFF MUST reduce * If the SI does not match an entry in the SFP, the SFF MUST reduce
the SI value to the next (smaller) value present in the SFP and the SI value to the next (smaller) value present in the SFP and
process the packet using that SI. process the packet using that SI.
o If there is no smaller SI (i.e., if the end of the SFP has been * If there is no smaller SI (i.e., if the end of the SFP has been
reached) the SFF MUST treat the SI value as invalid as described reached), the SFF MUST treat the SI value as not valid, as
in [RFC8300]. described in [RFC8300].
This makes the behavior described in this document a superset of the This makes the behavior described in this document a superset of the
function in [RFC8300]. That is, an implementation that strictly function in [RFC8300]. That is, an implementation that strictly
follows RFC 8300 in performing SI decrements in units of one, is follows RFC 8300 in performing SI decrements in units of one is
perfectly in line with the mechanisms defined in this document. perfectly in line with the mechanisms defined in this document.
SFF implementations MAY choose to only support contiguous SI values SFF implementations MAY choose to only support contiguous SI values
in an SFP. Such an implementation will not support receiving an SI in an SFP. Such an implementation will not support receiving an SI
value that is not present in the SFP and will discard the packets as value that is not present in the SFP and will discard the packets as
described in [RFC8300]. described in [RFC8300].
5. Selection within Service Function Paths 5. Selection within Service Function Paths
As described in Section 2 the SPI/SI in the NSH passed back from an As described in Section 2, the SPI/SI in the NSH passed back from an
SFI to the SFF may leave the SFF with a choice of next hop SFTs, and SFI to the SFF may leave the SFF with a choice of next-hop SFTs and a
a choice of SFIs for each SFT. That is, the SPI indicates an SFPR, choice of SFIs for each SFT. That is, the SPI indicates an SFPR, and
and the SI indicates an entry in that SFPR. Each entry in an SFPR is the SI indicates an entry in that SFPR. Each entry in an SFPR is a
a set of one or more SFT/SFIR-RD pairs. The SFF MUST choose one of set of one or more SFT/SFIR-RD pairs. The SFF MUST choose one of
these, identify the SFF that supports the chosen SFI, and send the these, identify the SFF that supports the chosen SFI, and send the
packet to that next hop SFF. packet to that next-hop SFF.
The choice be may offered for load balancing across multiple SFIs, or The choice be may offered for load balancing across multiple SFIs, or
for discrimination between different actions necessary at a specific for discrimination between different actions necessary at a specific
hop in the SFP. Different SFT values may exist at a given hop in an hop in the SFP. Different SFT values may exist at a given hop in an
SFP to support several cases: SFP to support several cases:
o There may be multiple instances of similar service functions that * There may be multiple instances of similar service functions that
are distinguished by different SFT values. For example, firewalls are distinguished by different SFT values. For example, firewalls
made by vendor A and vendor B may need to be identified by made by vendor A and vendor B may need to be identified by
different SFT values because, while they have similar different SFT values because, while they have similar
functionality, their behavior is not identical. Then, some SFPs functionality, their behavior is not identical. Then, some SFPs
may limit the choice of SF at a given hop by specifying the SFT may limit the choice of SF at a given hop by specifying the SFT
for vendor A, but other SFPs might not need to control which for vendor A, but other SFPs might not need to control which
vendor's SF is used and so can indicate that either SFT can be vendor's SF is used and so can indicate that either SFT can be
used. used.
o There may be an obvious branch needed in an SFP such as the * There may be an obvious branch needed in an SFP, such as the
processing after a firewall where admitted packets continue along processing after a firewall where admitted packets continue along
the SFP, but suspect packets are diverted to a "penalty box". In the SFP, but suspect packets are diverted to a "penalty box". In
this case, the next hop in the SFP will be indicated with two this case, the next hop in the SFP will be indicated with two
different SFT values. different SFT values.
In the typical case, the SFF chooses a next hop SFF by looking at the In the typical case, the SFF chooses a next-hop SFF by looking at the
set of all SFFs that support the SFs identified by the SI (that set set of all SFFs that support the SFs identified by the SI (that set
having been advertised in individual SFIR advertisements), finding having been advertised in individual SFIR advertisements), finding
the one or more that are "nearest" in the underlay network, and the one or more that are "nearest" in the underlay network, and
choosing between next hop SFFs using its own load-balancing choosing between next-hop SFFs using its own load-balancing
algorithm. algorithm.
An SFI may influence this choice process by passing additional An SFI may influence this choice process by passing additional
information back along with the packet and NSH. This information may information back, along with the packet and NSH. This information
influence local policy at the SFF to cause it to favor a next hop SFF may influence local policy at the SFF to either cause it to favor a
(perhaps selecting one that is not nearest in the underlay), or to next-hop SFF (perhaps selecting one that is not nearest in the
influence the load-balancing algorithm. underlay) or influence the load-balancing algorithm.
This selection applies to the normal case, but also applies in the This selection applies to the normal case but also applies in the
case of looping, jumping, and branching (see Section 6). case of looping, jumping, and branching (see Section 6).
Suppose an SFF in a particular service overlay network (identified by Suppose an SFF in a particular service function overlay network
a particular import RT, RT-z) needs to forward an NSH-encapsulated (identified by a particular import RT, RT-z) needs to forward an NSH-
packet whose SPI is SPI-x and whose SI is SI-y. It does the encapsulated packet whose SPI is SPI-x and whose SI is SI-y. It does
following: the following:
1. It looks for an installed SFPR that carries RT-z and that has 1. It looks for an installed SFPR that carries RT-z and has SPI-x in
SPI-x in its NLRI. If there is none, then such packets cannot be its NLRI. If there is none, then such packets cannot be
forwarded. forwarded.
2. From the SFP attribute of that SFPR, it finds the Hop TLV with SI 2. From the SFP attribute of that SFPR, it finds the Hop TLV with SI
value set to SI-y. If there is no such Hop TLV, then such value set to SI-y. If there is no such Hop TLV, then such
packets cannot be forwarded. packets cannot be forwarded.
3. It then finds the "relevant" set of SFIRs by going through the 3. It then finds the "relevant" set of SFIRs by going through the
list of SFT TLVs contained in the Hop TLV as follows: list of SFT TLVs contained in the Hop TLV as follows:
A. An SFIR is relevant if it carries RT-z, the SFT in its NLRI A. An SFIR is relevant if it carries RT-z, the SFT in its NLRI
matches the SFT value in one of the SFT TLVs, and the RD matches the SFT value in one of the SFT TLVs, and the RD
value in its NLRI matches an entry in the list of SFIR-RDs in value in its NLRI matches an entry in the list of SFIR-RDs in
that SFT TLV. that SFT TLV.
B. If an entry in the SFIR-RD list of an SFT TLV contains the B. If an entry in the SFIR-RD list of an SFT TLV contains the
value zero, then an SFIR is relevant if it carries RT-z and value zero, then an SFIR is relevant if it carries RT-z and
the SFT in its NLRI matches the SFT value in that SFT TLV. the SFT in its NLRI matches the SFT value in that SFT TLV.
I.e., any SFIR in the service function overlay network That is, any SFIR in the service function overlay network
defined by RT-z and with the correct SFT is relevant. defined by RT-z and with the correct SFT is relevant.
C. If a pool identifier is in use then an SFIR is relevant if it C. If a pool identifier is in use, then an SFIR is relevant if
is a member of the pool. it is a member of the pool.
Each of the relevant SFIRs identifies a single SFI, and contains a Each of the relevant SFIRs identifies a single SFI and contains a
Tunnel Encapsulation attribute that specifies how to send a packet to tunnel encapsulation attribute that specifies how to send a packet to
that SFI. For a particular packet, the SFF chooses a particular SFI that SFI. For a particular packet, the SFF chooses a particular SFI
from the set of relevant SFIRs. This choice is made according to from the set of relevant SFIRs. This choice is made according to
local policy. local policy.
A typical policy might be to figure out the set of SFIs that are A typical policy might be to figure out the set of SFIs that are
closest, and to load balance among them. But this is not the only closest and load balance among them. But this is not the only
possible policy. possible policy.
Thus, at any point in time when an SFF selects its next hop, it Thus, at any point in time when an SFF selects its next hop, it
chooses from the intersection of the set of next hop RDs contained in chooses from the intersection of the set of next-hop RDs contained in
the SFPR and the RDs contained in the SFF's local set of SFIRs (i.e., the SFPR and the RDs contained in the SFF's local set of SFIRs (i.e.,
according to the determination of "relevance", above). If the according to the determination of "relevance", above). If the
intersection is null, the SFPR is unusable. Similarly, when this intersection is null, the SFPR is unusable. Similarly, when this
condition applies on the Controller that originated the SFPR, it condition applies on the controller that originated the SFPR, it
SHOULD either withdraw the SFPR or re-advertise it with a new set of SHOULD either withdraw the SFPR or re-advertise it with a new set of
RDs for the affected hop. RDs for the affected hop.
6. Looping, Jumping, and Branching 6. Looping, Jumping, and Branching
As described in Section 2 an SFI or an SFF may cause a packet to As described in Section 2, an SFI or an SFF may cause a packet to
"loop back" to a previous SF on a path in order that a sequence of "loop back" to a previous SF on a path in order that a sequence of
functions may be re-executed. This is simply achieved by replacing functions may be re-executed. This is simply achieved by replacing
the SI in the NSH with a higher value instead of decreasing it as the SI in the NSH with a higher value, instead of decreasing it as
would normally be the case to determine the next hop in the path. would normally be the case, to determine the next hop in the path.
Section 2 also describes how an SFI or an SFF may cause a packets to Section 2 also describes how an SFI or SFF may cause a packet to
"jump forward" to an SF on a path that is not the immediate next SF "jump forward" to an SF on a path that is not the immediate next SF
in the SFP. This is simply achieved by replacing the SI in the NSH in the SFP. This is simply achieved by replacing the SI in the NSH
with a lower value than would be achieved by decreasing it by the with a lower value than would be achieved by decreasing it by the
normal amount. normal amount.
A more complex option to move packets from one SFP to another is A more complex option to move packets from one SFP to another is
described in [RFC8300] and Section 2 where it is termed "branching". described in [RFC8300] and Section 2, where it is termed "branching".
This mechanism allows an SFI or SFF to make a choice of downstream This mechanism allows an SFI or SFF to make a choice of downstream
treatments for packets based on local policy and output of the local treatments for packets based on local policy and the output of the
SF. Branching is achieved by changing the SPI in the NSH to indicate local SF. Branching is achieved by changing the SPI in the NSH to
the new path and setting the SI to indicate the point in the path at indicate the new path and setting the SI to indicate the point in the
which the packets enter. path at which the packets enter.
Note that the NSH does not include a marker to indicate whether a Note that the NSH does not include a marker to indicate whether a
specific packet has been around a loop before. Therefore, the use of specific packet has been around a loop before. Therefore, the use of
NSH metadata ([RFC8300]) may be required in order to prevent infinite NSH metadata [RFC8300] may be required in order to prevent infinite
loops. loops.
6.1. Protocol Control of Looping, Jumping, and Branching 6.1. Protocol Control of Looping, Jumping, and Branching
If the SFT value in an SFT TLV in an SFPR has the Special Purpose SFT If the SFT value in an SFT TLV in an SFPR has the special-purpose SFT
value "Change Sequence" (see Section 10) then this is an indication value "Change Sequence" (see Section 10), then this is an indication
that the SFF may make a loop, jump, or branch according to local that the SFF may make a loop, jump, or branch according to local
policy and information returned by the local SFI. policy and information returned by the local SFI.
In this case, the SPI and SI of the next hop are encoded in the eight In this case, the SPI and SI of the next hop are encoded in the eight
bytes of an entry in the SFIR-RD list as follows: bytes of an entry in the SFIR-RD list as follows:
3 bytes SPI 3 bytes SPI
1 bytes SI 1 byte SI
4 bytes Reserved (SHOULD be set to zero and ignored) 4 bytes Reserved (SHOULD be set to zero and ignored)
If the SI in this encoding is not part of the SFPR indicated by the If the SI in this encoding is not part of the SFPR indicated by the
SPI in this encoding, then this is an explicit error that SHOULD be SPI in this encoding, then this is an explicit error that SHOULD be
detected by the SFF when it parses the SFPR. The SFPR SHOULD NOT detected by the SFF when it parses the SFPR. The SFPR SHOULD NOT
cause any forwarding state to be installed in the SFF and packets cause any forwarding state to be installed in the SFF, and packets
received with the SPI that indicates this SFPR SHOULD be silently received with the SPI that indicates this SFPR SHOULD be silently
discarded. discarded.
If the SPI in this encoding is unknown, the SFF SHOULD NOT install If the SPI in this encoding is unknown, the SFF SHOULD NOT install
any forwarding state for this SFPR, but MAY hold the SFPR pending any forwarding state for this SFPR but MAY hold the SFPR pending
receipt of another SFPR that does use the encoded SPI. receipt of another SFPR that does use the encoded SPI.
If the SPI matches the current SPI for the path, this is a loop or If the SPI matches the current SPI for the path, this is a loop or
jump. In this case, if the SI is greater than to the current SI it jump. In this case, if the SI is greater than or equal to the
is a loop. If the SPI matches and the SI is less than the next SI, current SI, it is a loop. If the SPI matches and the SI is less than
it is a jump. the next SI, it is a jump.
If the SPI indicates another path, this is a branch and the SI If the SPI indicates another path, this is a branch, and the SI
indicates the point at which to enter that path. indicates the point at which to enter that path.
The Change Sequence SFT is just another SFT that may appear in a set The Change Sequence SFT is just another SFT that may appear in a set
of SFI/SFT tuples within an SI and is selected as described in of SFI/SFT tuples within an SI and is selected as described in
Section 5. Section 5.
Note that Special Purpose SFTs MUST NOT be advertised in SFIRs. If Note that special-purpose SFTs MUST NOT be advertised in SFIRs. If
such an SFIR is received it SHOULD be ignored. such an SFIR is received, it SHOULD be ignored.
6.2. Implications for Forwarding State 6.2. Implications for Forwarding State
Support for looping and jumping requires that the SFF has forwarding Support for looping and jumping requires that the SFF has forwarding
state established to an SFF that provides access to an instance of state established to an SFF that provides access to an instance of
the appropriate SF. This means that the SFF must have seen the the appropriate SF. This means that the SFF must have seen the
relevant SFIR advertisements and known that it needed to create the relevant SFIR advertisements and mush have known that it needed to
forwarding state. This is a matter of local configuration and create the forwarding state. This is a matter of local configuration
implementation: for example, an implementation could be configured to and implementation; for example, an implementation could be
install forwarding state for specific looping/jumping. configured to install forwarding state for specific looping/jumping.
Support for branching requires that the SFF has forwarding state Support for branching requires that the SFF has forwarding state
established to an SFF that provides access to an instance of the established to an SFF that provides access to an instance of the
appropriate entry SF on the other SFP. This means that the SFF must appropriate entry SF on the other SFP. This means that the SFF must
have seen the relevant SFIR and SFPR advertisements and known that it have seen the relevant SFIR and SFPR advertisements and known that it
needed to create the forwarding state. This is a matter of local needed to create the forwarding state. This is a matter of local
configuration and implementation: for example, an implementation configuration and implementation; for example, an implementation
could be configured to install forwarding state for specific could be configured to install forwarding state for specific
branching (identified by SPI and SI). branching (identified by SPI and SI).
7. Advanced Topics 7. Advanced Topics
This section highlights several advanced topics introduced elsewhere This section highlights several advanced topics introduced elsewhere
in this document. in this document.
7.1. Correlating Service Function Path Instances 7.1. Correlating Service Function Path Instances
It is often useful to create bidirectional SFPs to enable packet It is often useful to create bidirectional SFPs to enable packet
flows to traverse the same set of SFs, but in the reverse order. flows to traverse the same set of SFs, but in the reverse order.
However, packets on SFPs in the data plane (per [RFC8300]) do not However, packets on SFPs in the data plane (per [RFC8300]) do not
contain a direction indicator, so each direction must use a different contain a direction indicator, so each direction must use a different
SPI. SPI.
As described in Section 3.2.1.1 an SFPR can contain one or more As described in Section 3.2.1.1, an SFPR can contain one or more
correlators encoded in Association TLVs. If the Association Type correlators encoded in Association TLVs. If the Association Type
indicates "Bidirectional SFP" then the SFP advertised in the SFPR is indicates "Bidirectional SFP", then the SFP advertised in the SFPR is
one direction of a bidirectional pair of SFPs where the other in the one direction of a bidirectional pair of SFPs, where the other in the
pair is advertised in the SFPR with RD as carried in the Associated pair is advertised in the SFPR with RD as carried in the "Associated
SFPR-RD field of the Association TLV. The SPI carried in the SFPR-RD" field of the Association TLV. The SPI carried in the
Associated SPI field of the Association TLV provides a cross-check "Associated SPI" field of the Association TLV provides a cross-check
against the SPI advertised in the SFPR with RD as carried in the against the SPI advertised in the SFPR with RD as carried in the
Associated SFPR-RD field of the Association TLV. "Associated SFPR-RD" field of the Association TLV.
As noted in Section 3.2.1.1, when SFPRs reference each other, one As noted in Section 3.2.1.1, when SFPRs reference each other, one
SFPR advertisement will be received before the other. Therefore, SFPR advertisement will be received before the other. Therefore,
processing of an association will require that the first SFPR is not processing of an association will require that the first SFPR not be
rejected simply because the Associated SFPR-RD it carries is unknown. rejected simply because the Associated SFPR-RD it carries is unknown.
However, the SFP defined by the first SFPR is valid and SHOULD be However, the SFP defined by the first SFPR is valid and SHOULD be
available for use as a unidirectional SFP even in the absence of an available for use as a unidirectional SFP, even in the absence of an
advertisement of its partner. advertisement of its partner.
Furthermore, in error cases where SFPR-a associates with SFPR-b, but Furthermore, in error cases where SFPR-a associates with SFPR-b, but
SFPR-b associates with SFPR-c such that a bidirectional pair of SFPs SFPR-b associates with SFPR-c such that a bidirectional pair of SFPs
cannot be formed, the individual SFPs are still valid and SHOULD be cannot be formed, the individual SFPs are still valid and SHOULD be
available for use as unidirectional SFPs. An implementation SHOULD available for use as unidirectional SFPs. An implementation SHOULD
log this situation because it represents a Controller error. log this situation, because it represents a controller error.
Usage of a bidirectional SFP may be programmed into the Classifiers Usage of a bidirectional SFP may be programmed into the classifiers
by the Controller. Alternatively, a Classifier may look at incoming by the controller. Alternatively, a classifier may look at incoming
packets on a bidirectional packet flow, extract the SPI from the packets on a bidirectional packet flow, extract the SPI from the
received NSH, and look up the SFPR to find the reverse direction SFP received NSH, and look up the SFPR to find the reverse-direction SFP
to use when it sends packets. to use when it sends packets.
See Section 8 for an example of how this works. See Section 8 for an example of how this works.
7.2. Considerations for Stateful Service Functions 7.2. Considerations for Stateful Service Functions
Some service functions are stateful. That means that they build and Some service functions are stateful. That means that they build and
maintain state derived from configuration or from the packet flows maintain state derived from configuration or the packet flows that
that they handle. In such cases it can be important or necessary they handle. In such cases, it can be important or necessary that
that all packets from a flow continue to traverse the same instance all packets from a flow continue to traverse the same instance of a
of a service function so that the state can be leveraged and does not service function so that the state can be leveraged and does not need
need to be regenerated. to be regenerated.
In the case of bidirectional SFPs, it may be necessary to traverse In the case of bidirectional SFPs, it may be necessary to traverse
the same instances of a stateful service function in both directions. the same instances of a stateful service function in both directions.
A firewall is a good example of such a service function. A firewall is a good example of such a service function.
This issue becomes a concern where there are multiple parallel This issue becomes a concern where there are multiple parallel
instances of a service function and a determination of which one to instances of a service function and a determination of which one to
use could normally be left to the SFF as a load-balancing or local use could normally be left to the SFF as a load-balancing or local-
policy choice. policy choice.
For the forward direction SFP, the concern is that the same choice of For the forward-direction SFP, the concern is that the same choice of
service function is made for all packets of a flow under normal SF is made for all packets of a flow under normal network conditions.
network conditions. It may be possible to guarantee that the load It may be possible to guarantee that the load-balancing functions
balancing functions applied in the SFFs are stable and repeatable, applied in the SFFs are stable and repeatable, but a controller that
but a Controller that constructs SFPs might not want to trust to constructs SFPs might not want to trust to this. The controller can,
this. The Controller can, in these cases, build a number of more in these cases, build a number of more specific SFPs, each traversing
specific SFPs each traversing a specific instance of the stateful a specific instance of the stateful SFs. In this case, the load-
SFs. In this case, the load balancing choice can be left up to the balancing choice can be left up to the classifier. Thus, the
Classifier. Thus the Classifier selects which instance of a stateful classifier selects which instance of a stateful SF is used by a
SF is used by a particular flow by selecting the SFP that the flow particular flow by selecting the SFP that the flow uses.
uses.
For bidirectional SFPs where the same instance of a stateful SF must For bidirectional SFPs where the same instance of a stateful SF must
be traversed in both directions, it is not enough to leave the choice be traversed in both directions, it is not enough to leave the choice
of service function instance as a local choice even if the load of SFI as a local choice, even if the load balancing is stable,
balancing is stable because coordination would be required between because coordination would be required between the decision points in
the decision points in the forward and reverse directions and this the forward and reverse directions, and this may be hard to achieve
may be hard to achieve in all cases except where it is the same SFF in all cases except where it is the same SFF that makes the choice in
that makes the choice in both directions. both directions.
Note that this approach necessarily increases the amount of SFP state Note that this approach necessarily increases the amount of SFP state
in the network (i.e., there are more SFPs). It is possible to in the network (i.e., there are more SFPs). It is possible to
mitigate this effect by careful construction of SFPs built from a mitigate this effect by careful construction of SFPs built from a
concatenation of other SFPs. concatenation of other SFPs.
Section 8.9 includes some simple examples of SFPs for stateful Section 8.9 includes some simple examples of SFPs for stateful SFs.
service functions.
7.3. VPN Considerations and Private Service Functions 7.3. VPN Considerations and Private Service Functions
Likely deployments include reserving specific instances of Service Likely deployments include reserving specific instances of SFs for
Functions for specific customers or allowing customers to deploy specific customers or allowing customers to deploy their own SFs
their own Service Functions within the network. Building Service within the network. Building SFs in such environments requires that
Functions in such environments requires that suitable identifiers are suitable identifiers be used to ensure that SFFs distinguish which
used to ensure that SFFs distinguish which SFIs can be used and which SFIs can be used and which cannot.
cannot.
This problem is similar to how VPNs are supported and is solved in a This problem is similar to a problem in the way that VPNs are
similar way. The RT field is used to indicate a set of Service supported and is solved in a similar way. The "RT" field is used to
Functions from which all choices must be made. indicate a set of SFs from which all choices must be made.
7.4. Flow Specification for SFC Classifiers 7.4. Flow Specification for SFC Classifiers
[I-D.ietf-idr-rfc5575bis] defines a set of BGP routes that can be [RFC8955] defines a set of BGP routes that can be used to identify
used to identify the packets in a given flow using fields in the the packets in a given flow using fields in the header of each
header of each packet, and a set of actions, encoded as extended packet, and a set of actions -- encoded as Extended Communities --
communities, that can be used to disposition those packets. This that can be used to disposition those packets. This document enables
document enables the use of these mechanisms by SFC Classifiers by the use of these mechanisms by SFC classifiers by defining a new
defining a new action extended community called "Flow Specification action Extended Community called "Flow Specification for SFC
for SFC Classifiers" identified by the value TBD4. Note that Classifiers", identified by the value 0x0d. Note that implementation
implementation of this section of this specification will be of this section of this specification will be controllers or
Controllers or Classifiers communicating with each other directly for classifiers communicating with each other directly for the purpose of
the purpose of instructing the Classifier how to place packets onto instructing the classifier how to place packets onto an SFP. So that
an SFP. In order that the implementation of Classifiers can be kept the implementation of classifiers can be kept simple, and to avoid
simple and to avoid the confusion between the purpose of different the confusion between the purposes of different Extended Communities,
extended communities, a Controller MUST NOT include other action a controller MUST NOT include other action Extended Communities at
extended communities at the same time as a "Flow Specification for the same time as a "Flow Specification for SFC Classifiers" Extended
SFC Classifiers" extended community: a "Flow Specification for SFC Community. A "Flow Specification for SFC Classifiers" Traffic
Classifiers" Traffic Filtering Action Extended Community advertised Filtering Action Extended Community advertised with any other Traffic
with any other Traffic Filtering Action Extended Community MUST be Filtering Action Extended Community MUST be treated as malformed in
treated as malformed in line with [I-D.ietf-idr-rfc5575bis] and line with [RFC8955] and result in the flow-specification UPDATE
result in the Flow Specification UPDATE message being handled as message being handled as "treat-as-withdraw", according to [RFC7606],
treat-as-withdraw according to [RFC7606] Section 2. Section 2.
To put the Flow Specification into context when multiple SFC overlays To put the flow specification into context, when multiple service
are present in one network, each FlowSpec update MUST be tagged with function chaining overlays are present in one network, each FlowSpec
the route target of the overlay or VPN network for which it is update MUST be tagged with the route target of the overlay or VPN
intended. network for which it is intended.
This extended community is encoded as an 8-octet value, as shown in This Extended Community is encoded as an 8-octet value, as shown in
Figure 10. Figure 10.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x80 | Sub-Type=TBD4 | SPI | | Type=0x80 | Sub-Type=0x0d | SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI (cont.) | SI | SFT | | SPI (cont.) | SI | SFT |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10: The Format of the Flow Specification for SFC Classifiers Figure 10: The Format of the Flow Specification for SFC
Extended Community Classifiers Extended Community
The extended community contains the Service Path Identifier (SPI), The Extended Community contains the Service Path Identifier (SPI),
Service Index (SI), and Service Function Type (SFT) as defined Service Index (SI), and Service Function Type (SFT), as defined
elsewhere in this document. Thus, each action extended community elsewhere in this document. Thus, each action extended community
defines the entry point (not necessarily the first hop) into a defines the entry point (not necessarily the first hop) into a
specific service function path. This allows, for example, different specific SFP. This allows, for example, different flows to enter the
flows to enter the same service function path at different points. same SFP at different points.
Note that according to [I-D.ietf-idr-rfc5575bis] a given Flow Note that, according to [RFC8955], a given flow-specification update
Specification update may include multiple of these action extended may include multiple of these action Extended Communities. If a
communities. If a given action extended community does not contain given action extended community does not contain an installed SFPR
an installed SFPR with the specified {SPI, SI, SFT} it MUST NOT be with the specified {SPI, SI, SFT}, it MUST NOT be used for
used for dispositioning the packets of the specified flow. dispositioning the packets of the specified flow.
The normal case of packet classification for SFC will see a packet The normal case of packet classification for service function
enter the SFP at its first hop. In this case the SI in the extended chaining will see a packet enter the SFP at its first hop. In this
community is superfluous and the SFT may also be unnecessary. To case, the SI in the Extended Community is superfluous, and the SFT
allow these cases to be handled, a special meaning is assigned to a may also be unnecessary. To allow these cases to be handled, a
Service Index of zero (not a valid value) and an SFT of zero (a special meaning is assigned to an SI of zero (not a valid value) and
reserved value in the registry - see Section 10.5). an SFT of zero (a reserved value in the registry -- see
Section 10.5).
o If an SFC Classifiers Extended Community is received with SI = 0 * If an SFC Classifiers Extended Community is received with SI = 0,
then it means that the first hop of the SFP indicated by the SPI then it means that the first hop of the SFP indicated by the SPI
MUST be used. MUST be used.
o If an SFC Classifiers Extended Community is received with SFT = 0 * If an SFC Classifiers Extended Community is received with SFT = 0,
then there are two sub-cases: then there are two subcases:
* If there is a choice of SFT in the hop indicated by the value - If there is a choice of SFT in the hop indicated by the value
of the SI (including SI = 0) then SFT = 0 means there is a free of the SI (including SI = 0), then SFT = 0 means there is a
choice according to local policy of which SFT to use). free choice of which SFT to use, according to local policy).
* If there is no choice of SFT in the hop indicated by the value - If there is no choice of SFT in the hop indicated by the value
of SI, then SFT = 0 means that the value of the SFT at that hop of SI, then SFT = 0 means that the value of the SFT at that
as indicated in the SFPR for the indicated SPI MUST be used. hop, as indicated in the SFPR for the indicated SPI, MUST be
used.
One of the filters that the Flow Specification may describe is the One of the filters that the flow specification may describe is the
VPN to which the traffic belongs. Additionally, as noted above, to VPN to which the traffic belongs. Additionally, as noted above, to
put the indicated SPI into context when multiple SFC overlays are put the indicated SPI into context when multiple SFC overlays are
present in one network, each FlowSpec update MUST be tagged with the present in one network, each FlowSpec update MUST be tagged with the
route target of the overlay or VPN network for which it is intended. route target of the overlay or VPN network for which it is intended.
Note that future extensions might be made to the Flow Specification Note that future extensions might be made to the Flow Specification
for SFC Classifiers Extended Community to provide instruction to the for SFC Classifiers Extended Community to provide instruction to the
Classifier about what metadata to add to packets that it classifies classifier about what metadata to add to packets that it classifies
for forwarding on a specific SFP, but that is outside the scope of for forwarding on a specific SFP; however, that is outside the scope
this document. of this document.
7.5. Choice of Data Plane SPI/SI Representation 7.5. Choice of Data Plane SPI/SI Representation
This document ties together the control and data planes of an SFC This document ties together the control and data planes of a service
overlay network through the use of the SPI/SI which is nominally function chaining overlay network through the use of the SPI/SI that
carried in the NSH of a given packet. However, in order to handle is nominally carried in the NSH of a given packet. However, in order
situations in which the NSH is not ubiquitously deployed, it is also to handle situations in which the NSH is not ubiquitously deployed,
possible to use alternative data plane representations of the SPI/SI it is also possible to use alternative data plane representations of
by carrying the identical semantics in other protocol fields such as the SPI/SI by carrying the identical semantics in other protocol
MPLS labels [RFC8595]. fields, such as MPLS labels [RFC8595].
This document defines a new sub-TLV for the Tunnel Encapsulation This document defines a new Sub-TLV for the tunnel encapsulation
attribute [I-D.ietf-idr-tunnel-encaps], the SPI/SI Representation attribute [RFC9012], the SPI/SI Representation Sub-TLV of type 16.
sub-TLV of type TBD5. This sub-TLV MAY be present in each Tunnel TLV This Sub-TLV MAY be present in each Tunnel TLV contained in a tunnel
contained in a Tunnel Encapsulation attribute when the attribute is encapsulation attribute when the attribute is carried by an SFIR.
carried by an SFIR. The value field of this sub-TLV is a two octet The "Value" field of this Sub-TLV is a two-octet field of flags
field of flags numbered counting from the the most significant bit, numbered counting from the most significant bit, each of which
each of which describes how the originating SFF expects to see the describes how the originating SFF expects to see the SPI/SI
SPI/SI represented in the data plane for packets carried in the represented in the data plane for packets carried in the tunnels
tunnels described by the Tunnel TLV. described by the Tunnel TLV.
The following bits are defined by this document and are tracked in an The following bits are defined by this document and are tracked in an
IANA registry described in Section 10.10: IANA registry described in Section 10.10:
Bit TBD9: If this bit is set the NSH is to be used to carry the SPI/ Bit 0: If this bit is set, the NSH is to be used to carry the SPI/SI
SI in the data plane. in the data plane.
Bit TBD10: If this bit is set two labels in an MPLS label stack are Bit 1: If this bit is set, two labels in an MPLS label stack are to
to be used as described in Section 7.5.1. be used as described in Section 7.5.1.
If a given Tunnel TLV does not contain an SPI/SI Representation sub- If a given Tunnel TLV does not contain an SPI/SI Representation Sub-
TLV then it MUST be processed as if such a sub-TLV is present with TLV, then it MUST be processed as if such a Sub-TLV is present with
Bit TBD9 set and no other bits set. That is, the absence of the sub- Bit 0 set and no other bits set. That is, the absence of the Sub-TLV
TLV SHALL be interpreted to mean that the NSH is to be used. SHALL be interpreted to mean that the NSH is to be used.
If a given Tunnel TLV contains an SPI/SI Representation sub-TLV with If a given Tunnel TLV contains an SPI/SI Representation Sub-TLV with
value field that has no flag set then the tunnel indicated by the a "Value" field that has no flag set, then the tunnel indicated by
Tunnel TLV MUST NOT be used for forwarding SFC packets. If a given the Tunnel TLV MUST NOT be used for forwarding SFC packets. If a
Tunnel TLV contains an SPI/SI Representation sub-TLV with both bit given Tunnel TLV contains an SPI/SI Representation Sub-TLV with both
TBD9 and bit TBD10 set then the tunnel indicated by the Tunnel TLV bit 0 and bit 1 set, then the tunnel indicated by the Tunnel TLV MUST
MUST NOT be used for forwarding SFC packets. The meaning and rules NOT be used for forwarding SFC packets. The meaning and rules for
for presence of other bits is to be defined in future documents, but the presence of other bits is to be defined in future documents, but
implementations of this specification MUST set other bits to zero and implementations of this specification MUST set other bits to zero and
ignore them on receipt. ignore them on receipt.
If a given Tunnel TLV contains more than one SPI/SI Representation If a given Tunnel TLV contains more than one SPI/SI Representation
sub-TLV then the first one MUST be considered and subsequent Sub-TLV, then the first one MUST be considered and subsequent
instances MUST be ignored. instances MUST be ignored.
Note that the MPLS representation of the logical NSH may be used even Note that the MPLS representation of the logical NSH may be used even
if the tunnel is not an MPLS tunnel. Conversely, MPLS tunnels may be if the tunnel is not an MPLS tunnel. Conversely, MPLS tunnels may be
used to carry other encodings of the logical NSH (specifically, the used to carry other encodings of the logical NSH (specifically, the
NSH itself). It is a requirement that both ends of a tunnel over the NSH itself). It is a requirement that both ends of a tunnel over the
underlay network know that the tunnel is used for SFC and know what underlay network know that the tunnel is used for service function
form of NSH representation is used. The signaling mechanism chaining and know what form of NSH representation is used. The
described here allows coordination of this information. signaling mechanism described here allows coordination of this
information.
7.5.1. MPLS Representation of the SPI/SI 7.5.1. MPLS Representation of the SPI/SI
If bit TBD10 is set in the in the SPI/SI Representation sub-TLV then If bit 1 is set in the SPI/SI Representation Sub-TLV, then labels in
labels in the MPLS label stack are used to indicate SFC forwarding the MPLS label stack are used to indicate SFC forwarding and
and processing instructions to achieve the semantics of a logical processing instructions to achieve the semantics of a logical NSH.
NSH. The label stack is encoded as shown in [RFC8595]. The label stack is encoded as shown in [RFC8595].
7.6. MPLS Label Swapping/Stacking Operation 7.6. MPLS Label Swapping/Stacking Operation
When a Classifier constructs an MPLS label stack for an SFP it starts When a classifier constructs an MPLS label stack for an SFP, it
with that SFP's last hop. If the last hop requires an {SPI, SI} starts with that SFP's last hop. If the last hop requires an {SPI,
label pair for label swapping, it pushes the SI (set to the SI value SI} label pair for label swapping, it pushes the SI (set to the SI
of the last hop) and the SFP's SPI onto the MPLS label stack. If the value of the last hop) and the SFP's SPI onto the MPLS label stack.
last hop requires a {context label, SFI label} label pair for label If the last hop requires a {context label, SFI label} label pair for
stacking it selects a specific SFIR and pushes that SFIR's SFI label label stacking, it selects a specific SFIR and pushes that SFIR's SFI
and context label onto the MPLS label stack. label and context label onto the MPLS label stack.
The Classifier then moves sequentially back through the SFP one hop The classifier then moves sequentially back through the SFP one hop
at a time. For each hop, if the hop requires an {SPI, SI]} and there at a time. For each hop, if the hop requires an {SPI, SI} and there
is an {SPI, SI} at the top of the MPLS label stack, the SI is set to is an {SPI, SI} at the top of the MPLS label stack, the SI is set to
the SI value of the current hop. If there is not an {SPI, SI} at the the SI value of the current hop. If there is not an {SPI, SI} at the
top of the MPLS label stack, it pushes the SI (set to the SI value of top of the MPLS label stack, it pushes the SI (set to the SI value of
the current hop) and the SFP's SPI onto the MPLS label stack. the current hop) and the SFP's SPI onto the MPLS label stack.
If the hop requires a {context label, SFI label}, it selects a If the hop requires a {context label, SFI label}, it selects a
specific SFIR and pushes that SFIR's SFI label and context label onto specific SFIR and pushes that SFIR's SFI label and context label onto
the MPLS label stack. the MPLS label stack.
7.7. Support for MPLS-Encapsulated NSH Packets 7.7. Support for MPLS-Encapsulated NSH Packets
[RFC8596] describes how to transport SFC packets using the NSH over [RFC8596] describes how to transport SFC packets using the NSH over
an MPLS transport network. Signaling MPLS encapsulation of SFC an MPLS transport network. Signaling that this approach is in use is
packets using the NSH is also supported by this document by using the supported by this document as follows:
"BGP Tunnel Encapsulation Attribute Sub-TLV" with the codepoint 10
(representing "MPLS Label Stack") from the "BGP Tunnel Encapsulation
Attribute Sub-TLVs" registry defined in [I-D.ietf-idr-tunnel-encaps],
and also using the "SFP Traversal With MPLS Label Stack TLV" and the
"SPI/SI Representation sub-TLV" with bit TBD9 set and bit TBD10
cleared.
In this case the MPLS label stack constructed by the SFF to forward a * A "BGP Tunnel Encapsulation Attribute" Sub-TLV is included with
packet to the next SFF on the SFP will consist of the labels needed the codepoint 10 (representing "MPLS Label Stack") from the "BGP
to reach that SFF, and if label stacking is used it will also include Tunnel Encapsulation Attribute Sub-TLVs" registry defined in
the labels advertised in the MPLS Label Stack sub-TLV and the labels [RFC9012].
remaining in the stack needed to traverse the remainder of the SFP.
* An "SFP Traversal With MPLS Label Stack" TLV is included
containing an "SPI/SI Representation" Sub-TLV with bit 0 set and
bit 1 cleared.
In this case, the MPLS label stack constructed by the SFF to forward
a packet to the next SFF on the SFP will consist of the labels needed
to reach that SFF, and if label stacking is used, it will also
include the labels advertised in the MPLS Label Stack Sub-TLV and the
labels remaining in the stack needed to traverse the remainder of the
SFP.
8. Examples 8. Examples
Most of the examples in this section use IPv4 addressing. But there Most of the examples in this section use IPv4 addressing. But there
is nothing special about IPv4 in the mechanisms described in this is nothing special about IPv4 in the mechanisms described in this
document, and they are equally applicable to IPv6. A few examples document, and they are equally applicable to IPv6. A few examples
using IPv6 addressing are provided in Section 8.10. using IPv6 addressing are provided in Section 8.10.
Assume we have a service function overlay network with four SFFs Assume we have a service function overlay network with four SFFs
(SFF1, SFF3, SFF3, and SFF4). The SFFs have addresses in the (SFF1, SFF2, SFF3, and SFF4). The SFFs have addresses in the
underlay network as follows: underlay network as follows:
SFF1 192.0.2.1 SFF1 192.0.2.1
SFF2 192.0.2.2 SFF2 192.0.2.2
SFF3 192.0.2.3 SFF3 192.0.2.3
SFF4 192.0.2.4 SFF4 192.0.2.4
Each SFF provides access to some SFIs from the four Service Function Each SFF provides access to some SFIs from the four SFTs, SFT=41,
Types SFT=41, SFT=42, SFT=43, and SFT=44 as follows: SFT=42, SFT=43, and SFT=44, as follows:
SFF1 SFT=41 and SFT=42 SFF1 SFT=41 and SFT=42
SFF2 SFT=41 and SFT=43 SFF2 SFT=41 and SFT=43
SFF3 SFT=42 and SFT=44 SFF3 SFT=42 and SFT=44
SFF4 SFT=43 and SFT=44 SFF4 SFT=43 and SFT=44
The service function network also contains a Controller with address The service function network also contains a controller with address
198.51.100.1. 198.51.100.1.
This example service function overlay network is shown in Figure 11. This example service function overlay network is shown in Figure 11.
-------------- --------------
| Controller | | Controller |
| 198.51.100.1 | ------ ------ ------ ------ | 198.51.100.1 | ------ ------ ------ ------
-------------- | SFI | | SFI | | SFI | | SFI | -------------- | SFI | | SFI | | SFI | | SFI |
|SFT=41| |SFT=42| |SFT=41| |SFT=43| |SFT=41| |SFT=42| |SFT=41| |SFT=43|
------ ------ ------ ------ ------ ------ ------ ------
skipping to change at page 41, line 30 skipping to change at line 1871
--------- --------- --------- ---------
/ \ / \ / \ / \
------ ------ ------ ------ ------ ------ ------ ------
| SFI | | SFI | | SFI | | SFI | | SFI | | SFI | | SFI | | SFI |
|SFT=42| |SFT=44| |SFT=43| |SFT=44| |SFT=42| |SFT=44| |SFT=43| |SFT=44|
------ ------ ------ ------ ------ ------ ------ ------
Figure 11: Example Service Function Overlay Network Figure 11: Example Service Function Overlay Network
The SFFs advertise routes to the SFIs they support. These The SFFs advertise routes to the SFIs they support. These
advertisements contain Route Distinguishers that are set according to advertisements contain RDs that are set according to the network
the network operator's configuration model. In all of these IPv4 operator's configuration model. In all of these IPv4 examples, we
examples we use RDs of type 1 such that the available six octets are use RDs of Type 1 such that the available six octets are partitioned
partitioned as four octets for the IPv4 address of the advertising as four octets for the IPv4 address of the advertising SFF, and two
SFF, and two octets that are a local index of the SFI. This scheme octets that are a local index of the SFI. This scheme is chosen
is chosen purely for convenience of documentation, and an operator is purely for convenience of documentation, and an operator is totally
totally free to use any other scheme so long as it conforms to the free to use any other scheme so long as it conforms to the
definitions of SFIR and SFPR in Section 3.1 and Section 3.2. definitions of SFIR and SFPR in Sections 3.1 and 3.2.
Thus we see the following SFIRs advertised: Thus, we see the following SFIRs advertised:
RD = 192.0.2.1/1, SFT = 41 RD = 192.0.2.1/1, SFT = 41
RD = 192.0.2.1/2, SFT = 42 RD = 192.0.2.1/2, SFT = 42
RD = 192.0.2.2/1, SFT = 41 RD = 192.0.2.2/1, SFT = 41
RD = 192.0.2.2/2, SFT = 43 RD = 192.0.2.2/2, SFT = 43
RD = 192.0.2.3/7, SFT = 42 RD = 192.0.2.3/7, SFT = 42
RD = 192.0.2.3/8, SFT = 44 RD = 192.0.2.3/8, SFT = 44
RD = 192.0.2.4/5, SFT = 43 RD = 192.0.2.4/5, SFT = 43
RD = 192.0.2.4/6, SFT = 44 RD = 192.0.2.4/6, SFT = 44
Note that the addressing used for communicating between SFFs is taken Note that the addressing used for communicating between SFFs is taken
from the Tunnel Encapsulation attribute of the SFIR and not from the from the tunnel encapsulation attribute of the SFIR and not from the
SFIR-RD. SFIR-RD.
8.1. Example Explicit SFP With No Choices 8.1. Example Explicit SFP with No Choices
Consider the following SFPR. Consider the following SFPR.
SFP1: RD = 198.51.100.1/101, SPI = 15, SFP1: RD = 198.51.100.1/101, SPI = 15,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, SFT = 43, RD = 192.0.2.2/2] [SI = 250, SFT = 43, RD = 192.0.2.2/2]
The Service Function Path consists of an SF of type 41 located at The SFP consists of an SF of Type 41 located at SFF1, followed by an
SFF1 followed by an SF of type 43 located at SFF2. This path is SF of Type 43 located at SFF2. This path is fully explicit, and each
fully explicit and each SFF is offered no choice in forwarding SFF is offered no choice in forwarding packets along the path.
packets along the path.
SFF1 will receive packets on the path from the Classifier and will SFF1 will receive packets on the path from the classifier and will
identify the path from the SPI (15). The initial SI will be 255 and identify the path from the SPI (15). The initial SI will be 255, and
so SFF1 will deliver the packets to the SFI for SFT 41. so SFF1 will deliver the packets to the SFI for SFT 41.
When the packets are returned to SFF1 by the SFI the SI will be When the packets are returned to SFF1 by the SFI, the SI will be
decreased to 250 for the next hop. SFF1 has no flexibility in the decreased to 250 for the next hop. SFF1 has no flexibility in the
choice of SFF to support the next hop SFI and will forward the packet choice of SFF to support the next-hop SFI and will forward the packet
to SFF2 which will send the packets to the SFI that supports SFT 43 to SFF2, which will send the packets to the SFI that supports SFT 43
before forwarding the packets to their destinations. before forwarding the packets to their destinations.
8.2. Example SFP With Choice of SFIs 8.2. Example SFP with Choice of SFIs
SFP2: RD = 198.51.100.1/102, SPI = 16, SFP2: RD = 198.51.100.1/102, SPI = 16,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, SFT = 43, {RD = 192.0.2.2/2, [SI = 250, SFT = 43, {RD = 192.0.2.2/2,
RD = 192.0.2.4/5 } ] RD = 192.0.2.4/5 } ]
In this example the path also consists of an SF of type 41 located at In this example, the path also consists of an SF of Type 41 located
SFF1 and this is followed by an SF of type 43, but in this case the at SFF1, and this is followed by an SF of Type 43. However, in this
SI = 250 contains a choice between the SFI located at SFF2 and the case, the SI = 250 contains a choice between the SFI located at SFF2
SFI located at SFF4. and the SFI located at SFF4.
SFF1 will receive packets on the path from the Classifier and will SFF1 will receive packets on the path from the classifier and will
identify the path from the SPI (16). The initial SI will be 255 and identify the path from the SPI (16). The initial SI will be 255, and
so SFF1 will deliver the packets to the SFI for SFT 41. so SFF1 will deliver the packets to the SFI for SFT 41.
When the packets are returned to SFF1 by the SFI the SI will be When the packets are returned to SFF1 by the SFI, the SI will be
decreased to 250 for the next hop. SFF1 now has a choice of next hop decreased to 250 for the next hop. SFF1 now has a choice of next-hop
SFF to execute the next hop in the path. It can either forward SFFs to execute the next hop in the path. It can either forward
packets to SFF2 or SFF4 to execute a function of type 43. It uses packets to SFF2 or SFF4 to execute a function of Type 43. It uses
its local load balancing algorithm to make this choice. The chosen its local load-balancing algorithm to make this choice. The chosen
SFF will send the packets to the SFI that supports SFT 43 before SFF will send the packets to the SFI that supports SFT 43 before
forwarding the packets to their destinations. forwarding the packets to their destinations.
8.3. Example SFP With Open Choice of SFIs 8.3. Example SFP with Open Choice of SFIs
SFP3: RD = 198.51.100.1/103, SPI = 17, SFP3: RD = 198.51.100.1/103, SPI = 17,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, SFT = 44, RD = 0] [SI = 250, SFT = 44, RD = 0]
In this example the path also consists of an SF of type 41 located at In this example, the path also consists of an SF of Type 41 located
SFF1 and this is followed by an SI with an RD of zero and SF of type at SFF1, and this is followed by an SI with an RD of zero and SF of
44. This means that a choice can be made between any SFF that Type 44. This means that a choice can be made between any SFF that
supports an SFI of type 44. supports an SFI of Type 44.
SFF1 will receive packets on the path from the Classifier and will SFF1 will receive packets on the path from the classifier and will
identify the path from the SPI (17). The initial SI will be 255 and identify the path from the SPI (17). The initial SI will be 255, and
so SFF1 will deliver the packets to the SFI for SFT 41. so SFF1 will deliver the packets to the SFI for SFT 41.
When the packets are returned to SFF1 by the SFI the SI will be When the packets are returned to SFF1 by the SFI, the SI will be
decreased to 250 for the next hop. SFF1 now has a free choice of decreased to 250 for the next hop. SFF1 now has a free choice of
next hop SFF to execute the next hop in the path selecting between next-hop SFFs to execute the next hop in the path, selecting between
all SFFs that support SFs of type 44. Looking at the SFIRs it has all SFFs that support SFs of Type 44. Looking at the SFIRs it has
received, SFF1 knows that SF type 44 is supported by SFF3 and SFF4. received, SFF1 knows that SF Type 44 is supported by SFF3 and SFF4.
SFF1 uses its local load balancing algorithm to make this choice. SFF1 uses its local load-balancing algorithm to make this choice.
The chosen SFF will send the packets to the SFI that supports SFT 44 The chosen SFF will send the packets to the SFI that supports SFT 44
before forwarding the packets to their destinations. before forwarding the packets to their destinations.
8.4. Example SFP With Choice of SFTs 8.4. Example SFP with Choice of SFTs
SFP4: RD = 198.51.100.1/104, SPI = 18, SFP4: RD = 198.51.100.1/104, SPI = 18,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, {SFT = 43, RD = 192.0.2.2/2, [SI = 250, {SFT = 43, RD = 192.0.2.2/2,
SFT = 44, RD = 192.0.2.3/8 } ] SFT = 44, RD = 192.0.2.3/8 } ]
This example provides a choice of SF type in the second hop in the This example provides a choice of SF type in the second hop in the
path. The SI of 250 indicates a choice between SF type 43 located at path. The SI of 250 indicates a choice between SF Type 43 located at
SF2 and SF type 44 located at SF3. SF2 and SF Type 44 located at SF3.
SFF1 will receive packets on the path from the Classifier and will SFF1 will receive packets on the path from the classifier and will
identify the path from the SPI (18). The initial SI will be 255 and identify the path from the SPI (18). The initial SI will be 255, and
so SFF1 will deliver the packets to the SFI for SFT 41. so SFF1 will deliver the packets to the SFI for SFT 41.
When the packets are returned to SFF1 by the SFI the SI will be When the packets are returned to SFF1 by the SFI, the SI will be
decreased to 250 for the next hop. SFF1 now has a free choice of decreased to 250 for the next hop. SFF1 now has a free choice of
next hop SFF to execute the next hop in the path selecting between next-hop SFFs to execute the next hop in the path, selecting between
all SFFs that support an SF of type 43 and SFF3 that supports an SF all SFFs that support an SF of Type 43 and SFF3, which supports an SF
of type 44. These may be completely different functions that are to of Type 44. These may be completely different functions that are to
be executed dependent on specific conditions, or may be similar be executed dependent on specific conditions, or they may be similar
functions identified with different type identifiers (such as functions identified with different type identifiers (such as
firewalls from different vendors). SFF1 uses its local policy and firewalls from different vendors). SFF1 uses its local policy and
load balancing algorithm to make this choice, and may use additional load-balancing algorithm to make this choice and may use additional
information passed back from the local SFI to help inform its information passed back from the local SFI to help inform its
selection. The chosen SFF will send the packets to the SFI that selection. The chosen SFF will send the packets to the SFI that
supports the chose SFT before forwarding the packets to their supports the chosen SFT before forwarding the packets to their
destinations. destinations.
8.5. Example Correlated Bidirectional SFPs 8.5. Example Correlated Bidirectional SFPs
SFP5: RD = 198.51.100.1/105, SPI = 19, SFP5: RD = 198.51.100.1/105, SPI = 19,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/106, Assoc-SPI = 20, Assoc-Type = 1, Assoc-RD = 198.51.100.1/106, Assoc-SPI = 20,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, SFT = 43, RD = 192.0.2.2/2] [SI = 250, SFT = 43, RD = 192.0.2.2/2]
SFP6: RD = 198.51.100.1/106, SPI = 20, SFP6: RD = 198.51.100.1/106, SPI = 20,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/105, Assoc-SPI = 19, Assoc-Type = 1, Assoc-RD = 198.51.100.1/105, Assoc-SPI = 19,
[SI = 254, SFT = 43, RD = 192.0.2.2/2], [SI = 254, SFT = 43, RD = 192.0.2.2/2],
[SI = 249, SFT = 41, RD = 192.0.2.1/1] [SI = 249, SFT = 41, RD = 192.0.2.1/1]
This example demonstrates correlation of two SFPs to form a This example demonstrates correlation of two SFPs to form a
bidirectional SFP as described in Section 7.1. bidirectional SFP, as described in Section 7.1.
Two SFPRs are advertised by the Controller. They have different SPIs Two SFPRs are advertised by the controller. They have different SPIs
(19 and 20) so they are known to be separate SFPs, but they both have (19 and 20), so they are known to be separate SFPs, but they both
Association TLVs with Association Type set to 1 indicating have Association TLVs with Association Type set to 1, indicating
bidirectional SFPs. Each has an Associated SFPR-RD field containing bidirectional SFPs. Each has an "Associated SFPR-RD" field
the value of the other SFPR-RD to correlated the two SFPs as a containing the value of the other SFPR-RD to correlate the two SFPs
bidirectional pair. as a bidirectional pair.
As can be seen from the SFPRs in this example, the paths are As can be seen from the SFPRs in this example, the paths are
symmetric: the hops in SFP5 appear in the reverse order in SFP6. symmetric: the hops in SFP5 appear in the reverse order in SFP6.
8.6. Example Correlated Asymmetrical Bidirectional SFPs 8.6. Example Correlated Asymmetrical Bidirectional SFPs
SFP7: RD = 198.51.100.1/107, SPI = 21, SFP7: RD = 198.51.100.1/107, SPI = 21,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/108, Assoc-SPI = 22, Assoc-Type = 1, Assoc-RD = 198.51.100.1/108, Assoc-SPI = 22,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, SFT = 43, RD = 192.0.2.2/2] [SI = 250, SFT = 43, RD = 192.0.2.2/2]
skipping to change at page 45, line 22 skipping to change at line 2036
SFP8: RD = 198.51.100.1/108, SPI = 22, SFP8: RD = 198.51.100.1/108, SPI = 22,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/107, Assoc-SPI = 21, Assoc-Type = 1, Assoc-RD = 198.51.100.1/107, Assoc-SPI = 21,
[SI = 254, SFT = 44, RD = 192.0.2.4/6], [SI = 254, SFT = 44, RD = 192.0.2.4/6],
[SI = 249, SFT = 41, RD = 192.0.2.1/1] [SI = 249, SFT = 41, RD = 192.0.2.1/1]
Asymmetric bidirectional SFPs can also be created. This example Asymmetric bidirectional SFPs can also be created. This example
shows a pair of SFPs with distinct SPIs (21 and 22) that are shows a pair of SFPs with distinct SPIs (21 and 22) that are
correlated in the same way as in the example in Section 8.5. correlated in the same way as in the example in Section 8.5.
However, unlike in that example, the SFPs are different in each However, unlike in that example, the SFPs are different in each
direction. Both paths include a hop of SF type 41, but SFP7 includes direction. Both paths include a hop of SF Type 41, but SFP7 includes
a hop of SF type 43 supported at SFF2 while SFP8 includes a hop of SF a hop of SF Type 43 supported at SFF2, while SFP8 includes a hop of
type 44 supported at SFF4. SF Type 44 supported at SFF4.
8.7. Example Looping in an SFP 8.7. Example Looping in an SFP
SFP9: RD = 198.51.100.1/109, SPI = 23, SFP9: RD = 198.51.100.1/109, SPI = 23,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, SFT = 44, RD = 192.0.2.4/5], [SI = 250, SFT = 44, RD = 192.0.2.4/5],
[SI = 245, {SFT = 1, RD = {SPI=23, SI=255, Rsv=0}, [SI = 245, {SFT = 1, RD = {SPI=23, SI=255, Rsv=0},
SFT = 42, RD = 192.0.2.3/7 } ] SFT = 42, RD = 192.0.2.3/7 } ]
Looping and jumping are described in Section 6. This example shows Looping and jumping are described in Section 6. This example shows
an SFP that contains an explicit loop-back instruction that is an SFP that contains an explicit loop-back instruction that is
presented as a choice within an SFP hop. presented as a choice within an SFP hop.
The first two hops in the path (SI = 255 and SI = 250) are normal. The first two hops in the path (SI = 255 and SI = 250) are normal.
That is, the packets will be delivered to SFF1 and SFF4 in turn for That is, the packets will be delivered to SFF1 and SFF4 in turn for
execution of SFs of type 41 and 44 respectively. execution of SFs of Type 41 and 44, respectively.
The third hop (SI = 245) presents SFF4 with a choice of next hop. It The third hop (SI = 245) presents SFF4 with a choice of next hop. It
can either forward the packets to SFF3 for an SF of type 42 (the can either forward the packets to SFF3 for an SF of Type 42 (the
second choice), or it can loop back. second choice) or it can loop back.
The loop-back entry in the SFPR for SI = 245 is indicated by the The loop-back entry in the SFPR for SI = 245 is indicated by the
special purpose SFT value 1 ("Change Sequence"). Within this hop, special-purpose SFT value 1 ("Change Sequence"). Within this hop,
the RD is interpreted as encoding the SPI and SI of the next hop (see the RD is interpreted as encoding the SPI and SI of the next hop (see
Section 6.1. In this case the SPI is 23 which indicates that this is Section 6.1). In this case, the SPI is 23, which indicates that this
loop or branch: i.e., the next hop is on the same SFP. The SI is set is a loop or branch, i.e., the next hop is on the same SFP. The SI
to 255: this is a higher number than the current SI (245) indicating is set to 255; this is a higher number than the current SI (245),
a loop. indicating a loop.
SFF4 must make a choice between these two next hops. Either the SFF4 must make a choice between these two next hops. The packet will
packets will be forwarded to SFF3 with the NSH SI decreased to 245 or be either forwarded to SFF3 with the NSH SI decreased to 245 or
looped back to SFF1 with the NSH SI reset to 255. This choice will looped back to SFF1 with the NSH SI reset to 255. This choice will
be made according to local policy, information passed back by the be made according to local policy, information passed back by the
local SFI, and details in the packets' metadata that are used to local SFI, and details in the packets' metadata that are used to
prevent infinite looping. prevent infinite looping.
8.8. Example Branching in an SFP 8.8. Example Branching in an SFP
SFP10: RD = 198.51.100.1/110, SPI = 24, SFP10: RD = 198.51.100.1/110, SPI = 24,
[SI = 254, SFT = 42, RD = 192.0.2.3/7], [SI = 254, SFT = 42, RD = 192.0.2.3/7],
[SI = 249, SFT = 43, RD = 192.0.2.2/2] [SI = 249, SFT = 43, RD = 192.0.2.2/2]
SFP11: RD = 198.51.100.1/111, SPI = 25, SFP11: RD = 198.51.100.1/111, SPI = 25,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, SFT = 1, RD = {SPI=24, SI=254, Rsv=0}] [SI = 250, SFT = 1, RD = {SPI=24, SI=254, Rsv=0}]
Branching follows a similar procedure to that for looping (and Branching follows a similar procedure to that for looping (and
jumping) as shown in Section 8.7 however there are two SFPs involved. jumping), as shown in Section 8.7. However, there are two SFPs
involved.
SFP10 shows a normal path with packets forwarded to SFF3 and SFF2 for SFP10 shows a normal path with packets forwarded to SFF3 and SFF2 for
execution of service functions of type 42 and 43 respectively. execution of service functions of Type 42 and 43, respectively.
SFP11 starts as normal (SFF1 for an SF of type 41), but then SFF1 SFP11 starts as normal (SFF1 for an SF of Type 41), but then SFF1
processes the next hop in the path and finds a "Change Sequence" processes the next hop in the path and finds a "Change Sequence"
Special Purpose SFT. The SFIR-RD field includes an SPI of 24 which special-purpose SFT. The "SFIR-RD" field includes an SPI of 24,
indicates SFP10, not the current SFP. The SI in the SFIR-RD is 254, which indicates SFP10, not the current SFP. The SI in the SFIR-RD is
so SFF1 knows that it must set the SPI/SI in the NSH to 24/254 and 254, so SFF1 knows that it must set the SPI/SI in the NSH to 24/254
send the packets to the appropriate SFF as advertised in the SFPR for and send the packets to the appropriate SFF, as advertised in the
SFP10 (that is, SFF3). SFPR for SFP10 (that is, SFF3).
8.9. Examples of SFPs with Stateful Service Functions 8.9. Examples of SFPs with Stateful Service Functions
This section provides some examples to demonstrate establishing SFPs This section provides some examples to demonstrate establishing SFPs
when there is a choice of service functions at a particular hop, and when there is a choice of service functions at a particular hop, and
where consistency of choice is required in both directions. The where consistency of choice is required in both directions. The
scenarios that give rise to this requirement are discussed in scenarios that give rise to this requirement are discussed in
Section 7.2. Section 7.2.
8.9.1. Forward and Reverse Choice Made at the SFF 8.9.1. Forward and Reverse Choice Made at the SFF
skipping to change at page 47, line 24 skipping to change at line 2127
|SFT=41| |SFT=42| |SFT=42| |SFT=42| |SFT=43| |SFT=41| |SFT=42| |SFT=42| |SFT=42| |SFT=43|
------ ------\ ------ /------ ------ ------ ------\ ------ /------ ------
\ \ | / / \ \ | / /
--------- --------- --------- --------- --------- ---------
---------- | SFF1 | | SFF2 | | SFF3 | ---------- | SFF1 | | SFF2 | | SFF3 |
--> | |..|192.0.2.1|...|192.0.2.2|...|192.0.2.3|--> --> | |..|192.0.2.1|...|192.0.2.2|...|192.0.2.3|-->
--> |Classifier| --------- --------- --------- --> |Classifier| --------- --------- ---------
| | | |
---------- ----------
Figure 12: Example Where Choice is Made at the SFF Figure 12: Example Where Choice Is Made at the SFF
This leads to the following SFIRs being advertised. This leads to the following SFIRs being advertised.
RD = 192.0.2.1/11, SFT = 41 RD = 192.0.2.1/11, SFT = 41
RD = 192.0.2.2/11, SFT = 42 (for SFIa) RD = 192.0.2.2/11, SFT = 42 (for SFIa)
RD = 192.0.2.2/12, SFT = 42 (for SFIb) RD = 192.0.2.2/12, SFT = 42 (for SFIb)
RD = 192.0.2.2/13, SFT = 42 (for SFIc) RD = 192.0.2.2/13, SFT = 42 (for SFIc)
RD = 192.0.2.3/11, SFT = 43 RD = 192.0.2.3/11, SFT = 43
The controller can create a single forward SFP (SFP12) giving SFF2 The controller can create a single forward SFP (SFP12), giving SFF2
the choice of which SFI to use to provide function of SFT 42 as the choice of which SFI to use to provide a function of SFT 42, as
follows. The load-balancing choice between the three available SFIs follows. The load-balancing choice between the three available SFIs
is assumed to be within the capabilities of the SFF and if the SFs is assumed to be within the capabilities of the SFF, and if the SFs
are stateful it is assumed that the SFF knows this and arranges load are stateful, it is assumed that the SFF knows this and arranges load
balancing in a stable, flow-dependent way. balancing in a stable, flow-dependent way.
SFP12: RD = 198.51.100.1/112, SPI = 26, SFP12: RD = 198.51.100.1/112, SPI = 26,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/113, Assoc-SPI = 27, Assoc-Type = 1, Assoc-RD = 198.51.100.1/113, Assoc-SPI = 27,
[SI = 255, SFT = 41, RD = 192.0.2.1/11], [SI = 255, SFT = 41, RD = 192.0.2.1/11],
[SI = 254, SFT = 42, {RD = 192.0.2.2/11, [SI = 254, SFT = 42, {RD = 192.0.2.2/11,
192.0.2.2/12, 192.0.2.2/12,
192.0.2.2/13 }], 192.0.2.2/13 }],
[SI = 253, SFT = 43, RD = 192.0.2.3/11] [SI = 253, SFT = 43, RD = 192.0.2.3/11]
The reverse SFP (SFP13) in this case may also be created as shown The reverse SFP (SFP13) in this case may also be created as shown
below using association with the forward SFP and giving the load- below, using association with the forward SFP and giving the load-
balancing choice to SFF2. This is safe, even in the case that the balancing choice to SFF2. This is safe, even in the case that the
SFs of type 42 are stateful because SFF2 is doing the load balancing SFs of Type 42 are stateful, because SFF2 is doing the load balancing
in both directions and can apply the same algorithm to ensure that in both directions and can apply the same algorithm to ensure that
packets associated with the same flow use the same SFI regardless of packets associated with the same flow use the same SFI regardless of
the direction of travel. the direction of travel.
SFP13: RD = 198.51.100.1/113, SPI = 27, SFP13: RD = 198.51.100.1/113, SPI = 27,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/112, Assoc-SPI = 26, Assoc-Type = 1, Assoc-RD = 198.51.100.1/112, Assoc-SPI = 26,
[SI = 255, SFT = 43, RD = 192.0.2.3/11], [SI = 255, SFT = 43, RD = 192.0.2.3/11],
[SI = 254, SFT = 42, {RD = 192.0.2.2/11, [SI = 254, SFT = 42, {RD = 192.0.2.2/11,
192.0.2.2/12, 192.0.2.2/12,
192.0.2.2/13 }], 192.0.2.2/13 }],
[SI = 253, SFT = 41, RD = 192.0.2.1/11] [SI = 253, SFT = 41, RD = 192.0.2.1/11]
How an SFF knows that an attached SFI is stateful is out of scope of How an SFF knows that an attached SFI is stateful is out of the scope
this document. It is assumed that this will form part of the process of this document. It is assumed that this will form part of the
by which SFIs are registered as local to SFFs. Section 7.2 provides process by which SFIs are registered as local to SFFs. Section 7.2
additional observations about the coordination of the use of stateful provides additional observations about the coordination of the use of
SFIs in the case of bidirectional SFPs. stateful SFIs in the case of bidirectional SFPs.
In general, the problems of load balancing and the selection of the In general, the problems of load balancing and the selection of the
same SFIs in both directions of a bidirectional SFP can be addressed same SFIs in both directions of a bidirectional SFP can be addressed
by using sufficiently precisely specified SFPs (specifying the exact by using sufficiently precisely specified SFPs (specifying the exact
SFIs to use) and suitable programming of the Classifiers at each end SFIs to use) and suitable programming of the classifiers at each end
of the SFPs to make sure that the matching pair of SFPs are used. of the SFPs to make sure that the matching pair of SFPs are used.
8.9.2. Parallel End-to-End SFPs with Shared SFF 8.9.2. Parallel End-to-End SFPs with Shared SFF
The mechanism described in Section 8.9.1 might not be desirable The mechanism described in Section 8.9.1 might not be desirable
because of the functional assumptions it places on SFF2 to be able to because of the functional assumptions it places on SFF2 to be able to
load balance with suitable flow identification, stability, and load balance with suitable flow identification, stability, and
equality in both directions. Instead, it may be desirable to place equality in both directions. Instead, it may be desirable to place
the responsibility for flow classification in the Classifier and let the responsibility for flow classification in the classifier and let
it determine load balancing with the implied choice of SFIs. it determine load balancing with the implied choice of SFIs.
Consider the network graph as shown in Figure 12 and with the same Consider the network graph as shown in Figure 12 and with the same
set of SFIRs as listed in Section 8.9.1. In this case the controller set of SFIRs as listed in Section 8.9.1. In this case, the
could specify three forward SFPs with their corresponding associated controller could specify three forward SFPs with their corresponding
reverse SFPs. Each bidirectional pair of SFPs uses a different SFI associated reverse SFPs. Each bidirectional pair of SFPs uses a
for the SF of type 42. The controller can instruct the Classifier different SFI for the SF of Type 42. The controller can instruct the
how to place traffic on the three bidirectional SFPs, or can treat classifier how to place traffic on the three bidirectional SFPs, or
them as a group leaving the Classifier responsible for balancing the it can treat them as a group, leaving the classifier responsible for
load. balancing the load.
SFP14: RD = 198.51.100.1/114, SPI = 28, SFP14: RD = 198.51.100.1/114, SPI = 28,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/117, Assoc-SPI = 31, Assoc-Type = 1, Assoc-RD = 198.51.100.1/117, Assoc-SPI = 31,
[SI = 255, SFT = 41, RD = 192.0.2.1/11], [SI = 255, SFT = 41, RD = 192.0.2.1/11],
[SI = 254, SFT = 42, RD = 192.0.2.2/11], [SI = 254, SFT = 42, RD = 192.0.2.2/11],
[SI = 253, SFT = 43, RD = 192.0.2.3/11] [SI = 253, SFT = 43, RD = 192.0.2.3/11]
SFP15: RD = 198.51.100.1/115, SPI = 29, SFP15: RD = 198.51.100.1/115, SPI = 29,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/118, Assoc-SPI = 32, Assoc-Type = 1, Assoc-RD = 198.51.100.1/118, Assoc-SPI = 32,
[SI = 255, SFT = 41, RD = 192.0.2.1/11], [SI = 255, SFT = 41, RD = 192.0.2.1/11],
skipping to change at page 50, line 7 skipping to change at line 2236
[SI = 253, SFT = 41, RD = 192.0.2.1/11] [SI = 253, SFT = 41, RD = 192.0.2.1/11]
SFP19: RD = 198.51.100.1/119, SPI = 33, SFP19: RD = 198.51.100.1/119, SPI = 33,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/116, Assoc-SPI = 30, Assoc-Type = 1, Assoc-RD = 198.51.100.1/116, Assoc-SPI = 30,
[SI = 255, SFT = 43, RD = 192.0.2.3/11], [SI = 255, SFT = 43, RD = 192.0.2.3/11],
[SI = 254, SFT = 42, RD = 192.0.2.2/13], [SI = 254, SFT = 42, RD = 192.0.2.2/13],
[SI = 253, SFT = 41, RD = 192.0.2.1/11] [SI = 253, SFT = 41, RD = 192.0.2.1/11]
8.9.3. Parallel End-to-End SFPs with Separate SFFs 8.9.3. Parallel End-to-End SFPs with Separate SFFs
While the examples in Section 8.9.1 and Section 8.9.2 place the While the examples in Sections 8.9.1 and 8.9.2 place the choice of
choice of SFI as subtended from the same SFF, it is also possible SFI as subtended from the same SFF, it is also possible that the SFIs
that the SFIs are each subtended from a different SFF as shown in are each subtended from a different SFF, as shown in Figure 13. In
Figure 13. In this case it is harder to coordinate the choices for this case, it is harder to coordinate the choices for forward and
forward and reverse paths without some form of coordination between reverse paths without some form of coordination between SFF1 and
SFF1 and SFF3. Therefore it would be normal to consider end-to-end SFF3. Therefore, it would be normal to consider end-to-end parallel
parallel SFPs as described in Section 8.9.2. SFPs, as described in Section 8.9.2.
------ ------
| SFIa | | SFIa |
|SFT=42| |SFT=42|
------ ------
------ | ------ |
| SFI | --------- | SFI | ---------
|SFT=41| | SFF5 | |SFT=41| | SFF5 |
------ ..|192.0.2.5|.. ------ ..|192.0.2.5|..
| ..: --------- :.. | ..: --------- :..
skipping to change at page 50, line 44 skipping to change at line 2273
:.---------.: :.---------.:
| SFF7 | | SFF7 |
|192.0.2.7| |192.0.2.7|
--------- ---------
| |
------ ------
| SFIc | | SFIc |
|SFT=42| |SFT=42|
------ ------
Figure 13: Second Example With Parallel End-to-End SFPs Figure 13: Second Example with Parallel End-to-End SFPs
In this case, five SFIRs are advertised as follows: In this case, five SFIRs are advertised as follows:
RD = 192.0.2.1/11, SFT = 41 RD = 192.0.2.1/11, SFT = 41
RD = 192.0.2.5/11, SFT = 42 (for SFIa) RD = 192.0.2.5/11, SFT = 42 (for SFIa)
RD = 192.0.2.6/11, SFT = 42 (for SFIb) RD = 192.0.2.6/11, SFT = 42 (for SFIb)
RD = 192.0.2.7/11, SFT = 42 (for SFIc) RD = 192.0.2.7/11, SFT = 42 (for SFIc)
RD = 192.0.2.3/11, SFT = 43 RD = 192.0.2.3/11, SFT = 43
In this case the controller could specify three forward SFPs with In this case, the controller could specify three forward SFPs with
their corresponding associated reverse SFPs. Each bidirectional pair their corresponding associated reverse SFPs. Each bidirectional pair
of SFPs uses a different SFF and SFI for middle hop (for an SF of of SFPs uses a different SFF and SFI for the middle hop (for an SF of
type 42). The controller can instruct the Classifier how to place Type 42). The controller can instruct the classifier how to place
traffic on the three bidirectional SFPs, or can treat them as a group traffic on the three bidirectional SFPs, or it can treat them as a
leaving the Classifier responsible for balancing the load. group, leaving the classifier responsible for balancing the load.
SFP20: RD = 198.51.100.1/120, SPI = 34, SFP20: RD = 198.51.100.1/120, SPI = 34,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/123, Assoc-SPI = 37, Assoc-Type = 1, Assoc-RD = 198.51.100.1/123, Assoc-SPI = 37,
[SI = 255, SFT = 41, RD = 192.0.2.1/11], [SI = 255, SFT = 41, RD = 192.0.2.1/11],
[SI = 254, SFT = 42, RD = 192.0.2.5/11], [SI = 254, SFT = 42, RD = 192.0.2.5/11],
[SI = 253, SFT = 43, RD = 192.0.2.3/11] [SI = 253, SFT = 43, RD = 192.0.2.3/11]
SFP21: RD = 198.51.100.1/121, SPI = 35, SFP21: RD = 198.51.100.1/121, SPI = 35,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/124, Assoc-SPI = 38, Assoc-Type = 1, Assoc-RD = 198.51.100.1/124, Assoc-SPI = 38,
[SI = 255, SFT = 41, RD = 192.0.2.1/11], [SI = 255, SFT = 41, RD = 192.0.2.1/11],
skipping to change at page 52, line 46 skipping to change at line 2331
Assoc-Type = 1, Assoc-RD = 198.51.100.1/122, Assoc-SPI = 36, Assoc-Type = 1, Assoc-RD = 198.51.100.1/122, Assoc-SPI = 36,
[SI = 255, SFT = 43, RD = 192.0.2.3/11], [SI = 255, SFT = 43, RD = 192.0.2.3/11],
[SI = 254, SFT = 42, RD = 192.0.2.7/11], [SI = 254, SFT = 42, RD = 192.0.2.7/11],
[SI = 253, SFT = 41, RD = 192.0.2.1/11] [SI = 253, SFT = 41, RD = 192.0.2.1/11]
8.9.4. Parallel SFPs Downstream of the Choice 8.9.4. Parallel SFPs Downstream of the Choice
The mechanism of parallel SFPs demonstrated in Section 8.9.3 is The mechanism of parallel SFPs demonstrated in Section 8.9.3 is
perfectly functional and may be practical in many environments. perfectly functional and may be practical in many environments.
However, there may be scaling concerns because of the large amount of However, there may be scaling concerns because of the large amount of
state (knowledge of SFPs, i.e., SFPR advertisements retained) if state (knowledge of SFPs -- i.e., SFPR advertisements retained) if
there is a very large amount of choice of SFIs (for example, tens of there is a very large number of possible SFIs (for example, tens of
instances of the same stateful SF), or if there are multiple choices instances of the same stateful SF) or if there are multiple choices
of stateful SF along a path. This situation may be mitigated using of stateful SF along a path. This situation may be mitigated using
SFP fragments that are combined to form the end to end SFPs. SFP fragments that are combined to form the end-to-end SFPs.
The example presented here is necessarily simplistic, but should The example presented here is necessarily simplistic but should
convey the basic principle. The example presented in Figure 14 is convey the basic principle. The example presented in Figure 14 is
similar to that in Section 8.9.3 but with an additional first hop. similar to that in Section 8.9.3 but with an additional first hop.
------ ------
| SFIa | | SFIa |
|SFT=43| |SFT=43|
------ ------
------ ------ | ------ ------ |
| SFI | | SFI | --------- | SFI | | SFI | ---------
|SFT=41| |SFT=42| | SFF5 | |SFT=41| |SFT=42| | SFF5 |
skipping to change at page 53, line 38 skipping to change at line 2370
:.---------.: :.---------.:
| SFF7 | | SFF7 |
|192.0.2.7| |192.0.2.7|
--------- ---------
| |
------ ------
| SFIc | | SFIc |
|SFT=43| |SFT=43|
------ ------
Figure 14: Example With Parallel SFPs Downstream of Choice Figure 14: Example with Parallel SFPs Downstream of Choice
The six SFIs are advertised as follows: The six SFIs are advertised as follows:
RD = 192.0.2.1/11, SFT = 41 RD = 192.0.2.1/11, SFT = 41
RD = 192.0.2.2/11, SFT = 42 RD = 192.0.2.2/11, SFT = 42
RD = 192.0.2.5/11, SFT = 43 (for SFIa) RD = 192.0.2.5/11, SFT = 43 (for SFIa)
RD = 192.0.2.6/11, SFT = 43 (for SFIb) RD = 192.0.2.6/11, SFT = 43 (for SFIb)
RD = 192.0.2.7/11, SFT = 43 (for SFIc) RD = 192.0.2.7/11, SFT = 43 (for SFIc)
RD = 192.0.2.3/11, SFT = 44 RD = 192.0.2.3/11, SFT = 44
SFF2 is the point at which a load balancing choice must be made. So SFF2 is the point at which a load-balancing choice must be made. So
"tail-end" SFPs are constructed as follows. Each takes in a "tail-end" SFPs are constructed as follows. Each takes in a
different SFF that provides access to an SF of type 43. different SFF that provides access to an SF of Type 43.
SFP26: RD = 198.51.100.1/126, SPI = 40, SFP26: RD = 198.51.100.1/126, SPI = 40,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/130, Assoc-SPI = 44, Assoc-Type = 1, Assoc-RD = 198.51.100.1/130, Assoc-SPI = 44,
[SI = 255, SFT = 43, RD = 192.0.2.5/11], [SI = 255, SFT = 43, RD = 192.0.2.5/11],
[SI = 254, SFT = 44, RD = 192.0.2.3/11] [SI = 254, SFT = 44, RD = 192.0.2.3/11]
SFP27: RD = 198.51.100.1/127, SPI = 41, SFP27: RD = 198.51.100.1/127, SPI = 41,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/131, Assoc-SPI = 45, Assoc-Type = 1, Assoc-RD = 198.51.100.1/131, Assoc-SPI = 45,
[SI = 255, SFT = 43, RD = 192.0.2.6/11], [SI = 255, SFT = 43, RD = 192.0.2.6/11],
[SI = 254, SFT = 44, RD = 192.0.2.3/11] [SI = 254, SFT = 44, RD = 192.0.2.3/11]
SFP28: RD = 198.51.100.1/128, SPI = 42, SFP28: RD = 198.51.100.1/128, SPI = 42,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/132, Assoc-SPI = 46, Assoc-Type = 1, Assoc-RD = 198.51.100.1/132, Assoc-SPI = 46,
[SI = 255, SFT = 43, RD = 192.0.2.7/11], [SI = 255, SFT = 43, RD = 192.0.2.7/11],
[SI = 254, SFT = 44, RD = 192.0.2.3/11] [SI = 254, SFT = 44, RD = 192.0.2.3/11]
Now an end-to-end SFP with load balancing choice can be constructed Now an end-to-end SFP with load-balancing choice can be constructed
as follows. The choice made by SFF2 is expressed in terms of as follows. The choice made by SFF2 is expressed in terms of
entering one of the three "tail end" SFPs. entering one of the three "tail-end" SFPs.
SFP29: RD = 198.51.100.1/129, SPI = 43, SFP29: RD = 198.51.100.1/129, SPI = 43,
[SI = 255, SFT = 41, RD = 192.0.2.1/11], [SI = 255, SFT = 41, RD = 192.0.2.1/11],
[SI = 254, SFT = 42, RD = 192.0.2.2/11], [SI = 254, SFT = 42, RD = 192.0.2.2/11],
[SI = 253, {SFT = 1, RD = {SPI=40, SI=255, Rsv=0}, [SI = 253, {SFT = 1, RD = {SPI=40, SI=255, Rsv=0},
RD = {SPI=41, SI=255, Rsv=0}, RD = {SPI=41, SI=255, Rsv=0},
RD = {SPI=42, SI=255, Rsv=0} } ] RD = {SPI=42, SI=255, Rsv=0} } ]
Now, despite the load balancing choice being made other than at the Now, despite the load-balancing choice being made elsewhere than at
initial Classifier, it is possible for the reverse SFPs to be well- the initial classifier, it is possible for the reverse SFPs to be
constructed without any ambiguity. The three reverse paths appear as well constructed without any ambiguity. The three reverse paths
follows. appear as follows.
SFP30: RD = 198.51.100.1/130, SPI = 44, SFP30: RD = 198.51.100.1/130, SPI = 44,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/126, Assoc-SPI = 40, Assoc-Type = 1, Assoc-RD = 198.51.100.1/126, Assoc-SPI = 40,
[SI = 255, SFT = 44, RD = 192.0.2.4/11], [SI = 255, SFT = 44, RD = 192.0.2.4/11],
[SI = 254, SFT = 43, RD = 192.0.2.5/11], [SI = 254, SFT = 43, RD = 192.0.2.5/11],
[SI = 253, SFT = 42, RD = 192.0.2.2/11], [SI = 253, SFT = 42, RD = 192.0.2.2/11],
[SI = 252, SFT = 41, RD = 192.0.2.1/11] [SI = 252, SFT = 41, RD = 192.0.2.1/11]
SFP31: RD = 198.51.100.1/131, SPI = 45, SFP31: RD = 198.51.100.1/131, SPI = 45,
Assoc-Type = 1, Assoc-RD = 198.51.100.1/127, Assoc-SPI = 41, Assoc-Type = 1, Assoc-RD = 198.51.100.1/127, Assoc-SPI = 41,
skipping to change at page 55, line 44 skipping to change at line 2455
Assume we have a service function overlay network with four SFFs Assume we have a service function overlay network with four SFFs
(SFF1, SFF3, SFF3, and SFF4). The SFFs have addresses in the (SFF1, SFF3, SFF3, and SFF4). The SFFs have addresses in the
underlay network as follows: underlay network as follows:
SFF1 2001:db8::192:0:2:1 SFF1 2001:db8::192:0:2:1
SFF2 2001:db8::192:0:2:2 SFF2 2001:db8::192:0:2:2
SFF3 2001:db8::192:0:2:3 SFF3 2001:db8::192:0:2:3
SFF4 2001:db8::192:0:2:4 SFF4 2001:db8::192:0:2:4
Each SFF provides access to some SFIs from the four Service Function Each SFF provides access to some SFIs from the four service function
Types SFT=41, SFT=42, SFT=43, and SFT=44 just as before: types SFT=41, SFT=42, SFT=43, and SFT=44, just as before:
SFF1 SFT=41 and SFT=42 SFF1 SFT=41 and SFT=42
SFF2 SFT=41 and SFT=43 SFF2 SFT=41 and SFT=43
SFF3 SFT=42 and SFT=44 SFF3 SFT=42 and SFT=44
SFF4 SFT=43 and SFT=44 SFF4 SFT=43 and SFT=44
The service function network also contains a Controller with address The service function network also contains a controller with address
2001:db8::198:51:100:1. 2001:db8::198:51:100:1.
This example service function overlay network is shown in Figure 15. This example service function overlay network is shown in Figure 15.
------------------------ ------------------------
| Controller | | Controller |
| 2001:db8::198:51:100:1 | | 2001:db8::198:51:100:1 |
------------------------ ------------------------
------ ------ ------ ------ ------ ------ ------ ------
| SFI | | SFI | | SFI | | SFI | | SFI | | SFI | | SFI | | SFI |
skipping to change at page 56, line 46 skipping to change at line 2499
------------------- ------------------- ------------------- -------------------
/ \ / \ / \ / \
------ ------ ------ ------ ------ ------ ------ ------
| SFI | | SFI | | SFI | | SFI | | SFI | | SFI | | SFI | | SFI |
|SFT=42| |SFT=44| |SFT=43| |SFT=44| |SFT=42| |SFT=44| |SFT=43| |SFT=44|
------ ------ ------ ------ ------ ------ ------ ------
Figure 15: Example Service Function Overlay Network Figure 15: Example Service Function Overlay Network
The SFFs advertise routes to the SFIs they support. These The SFFs advertise routes to the SFIs they support. These
advertisements contain Route Distinguishers that are set according to advertisements contain RDs that are set according to the network
the network operator's configuration model. Note that in an IPv6 operator's configuration model. Note that in an IPv6 network, the RD
network, the RD is not large enough to contain the full IPv6 address is not large enough to contain the full IPv6 address, as only six
as only six octets are available so, in all of these IPv6 examples, octets are available. So, in all of these IPv6 examples, we use RDs
we use RDs of type 1 such that the available six octets are of Type 1 such that the available six octets are partitioned as four
partitioned as four octets for an IPv4 address of the advertising octets for an IPv4 address of the advertising SFF, and two octets
SFF, and two octets that are a local index of the SFI. Furthermore, that are a local index of the SFI. Furthermore, we have chosen an
we have chosen an IPv6 addressing scheme so that the low order four IPv6 addressing scheme so that the low-order four octets of the IPv6
octets of the IPv6 address match an IPv4 address of the advertising address match an IPv4 address of the advertising node. This scheme
node. This scheme is chosen purely for convenience of documentation, is chosen purely for convenience of documentation, and an operator is
and an operator is totally free to use any other scheme so long as it totally free to use any other scheme so long as it conforms to the
conforms to the definitions of SFIR and SFPR in Section 3.1 and definitions of SFIR and SFPR in Sections 3.1 and 3.2.
Section 3.2.
Observant readers will notice that this makes the BGP advertisements Observant readers will notice that this makes the BGP advertisements
shown in these examples exactly the same as in the previous examples. shown in these examples exactly the same as in the previous examples.
All that is different is that the advertising SFFs and Controller All that is different is that the advertising SFFs and controller
have IPv6 addresses. have IPv6 addresses.
Thus we see the following SFIRs advertised: Thus, we see the following SFIRs advertised.
The SFFs advertise routes to the SFIs they support. So we see the The SFFs advertise routes to the SFIs they support. So we see the
following SFIRs: following SFIRs:
RD = 192.0.2.1/1, SFT = 41 RD = 192.0.2.1/1, SFT = 41
RD = 192.0.2.1/2, SFT = 42 RD = 192.0.2.1/2, SFT = 42
RD = 192.0.2.2/1, SFT = 41 RD = 192.0.2.2/1, SFT = 41
RD = 192.0.2.2/2, SFT = 43 RD = 192.0.2.2/2, SFT = 43
RD = 192.0.2.3/7, SFT = 42 RD = 192.0.2.3/7, SFT = 42
RD = 192.0.2.3/8, SFT = 44 RD = 192.0.2.3/8, SFT = 44
RD = 192.0.2.4/5, SFT = 43 RD = 192.0.2.4/5, SFT = 43
RD = 192.0.2.4/6, SFT = 44 RD = 192.0.2.4/6, SFT = 44
Note that the addressing used for communicating between SFFs is taken Note that the addressing used for communicating between SFFs is taken
from the Tunnel Encapsulation attribute of the SFIR and not from the from the tunnel encapsulation attribute of the SFIR and not from the
SFIR-RD. SFIR-RD.
8.10.1. Example Explicit SFP With No Choices 8.10.1. Example Explicit SFP with No Choices
Consider the following SFPR similar to that in Section 8.1. Consider the following SFPR similar to that in Section 8.1.
SFP1: RD = 198.51.100.1/101, SPI = 15, SFP1: RD = 198.51.100.1/101, SPI = 15,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, SFT = 43, RD = 192.0.2.2/2] [SI = 250, SFT = 43, RD = 192.0.2.2/2]
The Service Function Path consists of an SF of type 41 located at The SFP consists of an SF of Type 41 located at SFF1, followed by an
SFF1 followed by an SF of type 43 located at SFF2. This path is SF of Type 43 located at SFF2. This path is fully explicit, and each
fully explicit and each SFF is offered no choice in forwarding packet SFF is offered no choice in forwarding a packet along the path.
along the path.
SFF1 will receive packets on the path from the Classifier and will SFF1 will receive packets on the path from the classifier and will
identify the path from the SPI (15). The initial SI will be 255 and identify the path from the SPI (15). The initial SI will be 255, and
so SFF1 will deliver the packets to the SFI for SFT 41. so SFF1 will deliver the packets to the SFI for SFT 41.
When the packets are returned to SFF1 by the SFI the SI will be When the packets are returned to SFF1 by the SFI, the SI will be
decreased to 250 for the next hop. SFF1 has no flexibility in the decreased to 250 for the next hop. SFF1 has no flexibility in the
choice of SFF to support the next hop SFI and will forward the packet choice of SFF to support the next-hop SFI and will forward the packet
to SFF2 which will send the packets to the SFI that supports SFT 43 to SFF2, which will send the packets to the SFI that supports SFT 43
before forwarding the packets to their destinations. before forwarding the packets to their destinations.
8.10.2. Example SFP With Choice of SFIs 8.10.2. Example SFP with Choice of SFIs
SFP2: RD = 198.51.100.1/102, SPI = 16, SFP2: RD = 198.51.100.1/102, SPI = 16,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, SFT = 43, {RD = 192.0.2.2/2, [SI = 250, SFT = 43, {RD = 192.0.2.2/2,
RD = 192.0.2.4/5 } ] RD = 192.0.2.4/5 } ]
In this example, like that in Section 8.2, the path also consists of In this example, like that in Section 8.2, the path also consists of
an SF of type 41 located at SFF1 and this is followed by an SF of an SF of Type 41 located at SFF1, and this is followed by an SF of
type 43, but in this case the SI = 250 contains a choice between the Type 43; but in this case, the SI = 250 contains a choice between the
SFI located at SFF2 and the SFI located at SFF4. SFI located at SFF2 and the SFI located at SFF4.
SFF1 will receive packets on the path from the Classifier and will SFF1 will receive packets on the path from the classifier and will
identify the path from the SPI (16). The initial SI will be 255 and identify the path from the SPI (16). The initial SI will be 255, and
so SFF1 will deliver the packets to the SFI for SFT 41. so SFF1 will deliver the packets to the SFI for SFT 41.
When the packets are returned to SFF1 by the SFI the SI will be When the packets are returned to SFF1 by the SFI, the SI will be
decreased to 250 for the next hop. SFF1 now has a choice of next hop decreased to 250 for the next hop. SFF1 now has a choice of next-hop
SFF to execute the next hop in the path. It can either forward SFFs to execute the next hop in the path. It can either forward
packets to SFF2 or SFF4 to execute a function of type 43. It uses packets to SFF2 or SFF4 to execute a function of Type 43. It uses
its local load balancing algorithm to make this choice. The chosen its local load-balancing algorithm to make this choice. The chosen
SFF will send the packets to the SFI that supports SFT 43 before SFF will send the packets to the SFI that supports SFT 43 before
forwarding the packets to their destinations. forwarding the packets to their destinations.
8.10.3. Example SFP With Open Choice of SFIs 8.10.3. Example SFP with Open Choice of SFIs
SFP3: RD = 198.51.100.1/103, SPI = 17, SFP3: RD = 198.51.100.1/103, SPI = 17,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, SFT = 44, RD = 0] [SI = 250, SFT = 44, RD = 0]
In this example, like that in Section 8.3 the path also consists of In this example, like that in Section 8.3, the path also consists of
an SF of type 41 located at SFF1 and this is followed by an SI with an SF of Type 41 located at SFF1, and this is followed by an SI with
an RD of zero and SF of type 44. This means that a choice can be an RD of zero and SF of Type 44. This means that a choice can be
made between any SFF that supports an SFI of type 44. made between any SFF that supports an SFI of Type 44.
SFF1 will receive packets on the path from the Classifier and will SFF1 will receive packets on the path from the classifier and will
identify the path from the SPI (17). The initial SI will be 255 and identify the path from the SPI (17). The initial SI will be 255, and
so SFF1 will deliver the packets to the SFI for SFT 41. so SFF1 will deliver the packets to the SFI for SFT 41.
When the packets are returned to SFF1 by the SFI the SI will be When the packets are returned to SFF1 by the SFI, the SI will be
decreased to 250 for the next hop. SFF1 now has a free choice of decreased to 250 for the next hop. SFF1 now has a free choice of
next hop SFF to execute the next hop in the path selecting between next-hop SFFs to execute the next hop in the path, selecting between
all SFFs that support SFs of type 44. Looking at the SFIRs it has all SFFs that support SFs of Type 44. Looking at the SFIRs it has
received, SFF1 knows that SF type 44 is supported by SFF3 and SFF4. received, SFF1 knows that SF Type 44 is supported by SFF3 and SFF4.
SFF1 uses its local load balancing algorithm to make this choice. SFF1 uses its local load-balancing algorithm to make this choice.
The chosen SFF will send the packets to the SFI that supports SFT 44 The chosen SFF will send the packets to the SFI that supports SFT 44
before forwarding the packets to their destinations. before forwarding the packets to their destinations.
8.10.4. Example SFP With Choice of SFTs 8.10.4. Example SFP with Choice of SFTs
SFP4: RD = 198.51.100.1/104, SPI = 18, SFP4: RD = 198.51.100.1/104, SPI = 18,
[SI = 255, SFT = 41, RD = 192.0.2.1/1], [SI = 255, SFT = 41, RD = 192.0.2.1/1],
[SI = 250, {SFT = 43, RD = 192.0.2.2/2, [SI = 250, {SFT = 43, RD = 192.0.2.2/2,
SFT = 44, RD = 192.0.2.3/8 } ] SFT = 44, RD = 192.0.2.3/8 } ]
This example, similar to that in Section 8.4 provides a choice of SF This example, similar to that in Section 8.4, provides a choice of SF
type in the second hop in the path. The SI of 250 indicates a choice type in the second hop in the path. The SI of 250 indicates a choice
between SF type 43 located through SF2 and SF type 44 located at SF3. between SF Type 43 located through SF2 and SF Type 44 located at SF3.
SFF1 will receive packets on the path from the Classifier and will SFF1 will receive packets on the path from the classifier and will
identify the path from the SPI (18). The initial SI will be 255 and identify the path from the SPI (18). The initial SI will be 255, and
so SFF1 will deliver the packets to the SFI for SFT 41. so SFF1 will deliver the packets to the SFI for SFT 41.
When the packets are returned to SFF1 by the SFI the SI will be When the packets are returned to SFF1 by the SFI, the SI will be
decreased to 250 for the next hop. SFF1 now has a free choice of decreased to 250 for the next hop. SFF1 now has a free choice of
next hop SFF to execute the next hop in the path selecting between next-hop SFFs to execute the next hop in the path, selecting between
all SFFs that support an SF of type 43 and SFF3 that supports an SF all SFFs that support an SF of Type 43 and SFF3, which supports an SF
of type 44. These may be completely different functions that are to of Type 44. These may be completely different functions that are to
be executed dependent on specific conditions, or may be similar be executed dependent on specific conditions, or they may be similar
functions identified with different type identifiers (such as functions identified with different type identifiers (such as
firewalls from different vendors). SFF1 uses its local policy and firewalls from different vendors). SFF1 uses its local policy and
load balancing algorithm to make this choice, and may use additional load-balancing algorithm to make this choice, and it may use
information passed back from the local SFI to help inform its additional information passed back from the local SFI to help inform
selection. The chosen SFF will send the packets to the SFI that its selection. The chosen SFF will send the packets to the SFI that
supports the chose SFT before forwarding the packets to their supports the chosen SFT before forwarding the packets to their
destinations. destinations.
9. Security Considerations 9. Security Considerations
The mechanisms in this document use BGP for the control plane. The mechanisms in this document use BGP for the control plane.
Hence, techniques such as those discussed in [RFC5925]] can be used Hence, techniques such as those discussed in [RFC5925] can be used to
to help authenticate BGP sessions and thus the messages between BGP help authenticate BGP sessions and, thus, the messages between BGP
peers, making it harder to spoof updates (which could be used to peers, making it harder to spoof updates (which could be used to
install bogus SFPs or to advertise false SIs) or withdrawals. install bogus SFPs or advertise false SIs) or withdrawals.
Further discussion of security considerations for BGP may be found in Further discussion of security considerations for BGP may be found in
the BGP specification itself [RFC4271] and in the security analysis the BGP specification itself [RFC4271] and the security analysis for
for BGP [RFC4272]. The original discussion of the use of the TCP MD5 BGP [RFC4272]. [RFC5925] contains a discussion of the
signature option to protect BGP sessions is found in [RFC5925], while inappropriateness of the TCP MD5 signature option for protecting BGP
[RFC6952] includes an analysis of BGP keying and authentication sessions. [RFC6952] includes an analysis of BGP keying and
issues. authentication issues.
Additionally, this document depends on other documents that specify Additionally, this document depends on other documents that specify
BGP Multiprotocol Extensions and the documents that define the BGP Multiprotocol Extensions and the documents that define the
attributes that are carried by BGP UPDATEs of the SFC AFI/SAFI. attributes that are carried by BGP UPDATEs of the SFC AFI/SAFI.
[RFC4760] observes that the use of AFI/SAFI does not change the [RFC4760] observes that the use of AFI/SAFI does not change the
underlying security issues inherent in the existing BGP. Relevant underlying security issues inherent in the existing BGP. Relevant
additional security measures are considered in additional security measures are considered in [RFC9012].
[I-D.ietf-idr-tunnel-encaps].
This document does not fundamentally change the security behavior of This document does not fundamentally change the security behavior of
BGP deployments, which depend considerably on the network operator's BGP deployments, which depend considerably on the network operator's
perception of risk in their network. It may be observed that the perception of risk in their network. It may be observed that the
application of the mechanisms described in this document are scoped application of the mechanisms described in this document is scoped to
to a single domain as implied by [RFC8300] noted in Section 2.1 of a single domain, as implied by [RFC8300] and noted in Section 2.1 of
this document. Applicability of BGP within a single domain may this document. Applicability of BGP within a single domain may
enable a network operator to make easier and more consistent enable a network operator to make easier and more consistent
decisions about what security measures to apply, and the domain decisions about what security measures to apply, and the domain
boundary, which BGP enforces by definition, provides a safeguard that boundary, which BGP enforces by definition, provides a safeguard that
prevents leakage of SFC programming in either direction at the prevents leakage of SFC programming in either direction at the
boundary. boundary.
Service Function Chaining provides a significant attack opportunity: Service function chaining provides a significant attack opportunity;
packets can be diverted from their normal paths through the network, packets can be diverted from their normal paths through the network,
packets can be made to execute unexpected functions, and the packets can be made to execute unexpected functions, and the
functions that are instantiated in software can be subverted. functions that are instantiated in software can be subverted.
However, this specification does not change the existence of Service However, this specification does not change the existence of service
Function Chaining and security issues specific to Service Function function chaining, and security issues specific to service function
Chaining are covered in [RFC7665] and [RFC8300]. chaining are covered in [RFC7665] and [RFC8300].
This document defines a control plane for Service Function Chaining. This document defines a control plane for service function chaining.
Clearly, this provides an attack vector for a Service Function Clearly, this provides an attack vector for a service function
Chaining system as an attack on this control plane could be used to chaining system, as an attack on this control plane could be used to
make the system misbehave. Thus, the security of the BGP system is make the system misbehave. Thus, the security of the BGP system is
critically important to the security of the whole Service Function critically important to the security of the whole service function
Chaining system. The control plane mechanisms are very similar to chaining system. The control plane mechanisms are very similar to
those used for BGP/MPLS IP VPNs as described in [RFC4364], and so the those used for BGP/MPLS IP VPNs as described in [RFC4364], and so the
security considerations in that document (Section 13) provide good security considerations in that document (Section 13) provide good
guidance for securing SFC systems reliant on this specification. Of guidance for securing service function chaining systems reliant on
particular relevance is the need to securely distinguish between this specification. Of particular relevance is the need to securely
messages intended for the control of different SFC overlays which is distinguish between messages intended for the control of different
similar to the need to distinguish between different VPNs. SFC overlays, which is similar to the need to distinguish between
Section 19 of [RFC7432] also provides useful guidance on the use of different VPNs. Section 19 of [RFC7432] also provides useful
BGP in a similar environment. guidance on the use of BGP in a similar environment.
Note that a component of an SFC system that uses the procedures Note that a component of a service function chaining system that uses
described in this document also requires communications between a the procedures described in this document also requires
Controller and the SFC network elements (specifically the SFFs and communications between a controller and the service function chaining
Classifiers). This communication covers instructing the Classifiers network elements (specifically the SFFs and classifiers). This
using BGP mechanisms (see Section 7.4), thus the use of BGP security communication covers instructing the classifiers using BGP mechanisms
is strongly recommended. But it also covers other mechanisms for (see Section 7.4); therefore, the use of BGP security is strongly
programming the Classifier and instructing the SFFs and SFs (for recommended. But it also covers other mechanisms for programming the
example, to bind SFs to an SFF, and to cause the establishment of classifier and instructing the SFFs and SFs (for example, to bind SFs
tunnels between SFFs). This document does not cover these latter to an SFF, and to cause the establishment of tunnels between SFFs).
mechanisms and so their security is out of scope, but it should be This document does not cover these latter mechanisms, and so their
noted that these communications provide an attack vector on the SFC security is out of scope, but it should be noted that these
system and so attention must be paid to ensuring that they are communications provide an attack vector on the service function
secure. chaining system, and so attention must be paid to ensuring that they
are secure.
There is an intrinsic assumption in SFC systems that nodes that There is an intrinsic assumption in service function chaining systems
announce support for specific SFs actually offer those functions, and that nodes that announce support for specific SFs actually offer
that SFs are not, themselves, attacked or subverted. This is those functions and that SFs are not, themselves, attacked or
particularly important when the SFs are implemented as software that subverted. This is particularly important when the SFs are
can be updated. Protection against this sort of concern forms part implemented as software that can be updated. Protection against this
of the security of any SFC system and so is outside the scope of the sort of concern forms part of the security of any service function
control plane mechanisms described in this document. chaining system and so is outside the scope of the control plane
mechanisms described in this document.
Similarly, there is a vulnerability if a rogue or subverted Similarly, there is a vulnerability if a rogue or subverted
Controller announces SFPs especially if that controller "takes over" controller announces SFPs, especially if that controller "takes over"
an existing SFP and changes its contents. This is corresponds to a an existing SFP and changes its contents. This corresponds to a
rogue BGP speaker entering a routing system, or even to a Route rogue BGP speaker entering a routing system, or even a Route
Reflector becoming subverted. Protection mechanisms, as above, Reflector becoming subverted. Protection mechanisms, as above,
include securing BGP sessions and protecting software loads on the include securing BGP sessions and protecting software loads on the
controllers. controllers.
In an environment where there is concern that rogue Controllers might In an environment where there is concern that rogue controllers might
be introduced to the network and inject false SFPRs or take over and be introduced to the network and inject false SFPRs or take over and
change existing SFPRs, it is RECOMMENDED that each SFF and Classifier change existing SFPRs, it is RECOMMENDED that each SFF and classifier
be configured with the identities of authorized Controllers. Thus, be configured with the identities of authorized controllers. Thus,
the announcement of an SFPR by any other BGP peer would be rejected. the announcement of an SFPR by any other BGP peer would be rejected.
Lastly, note that Section 3.2.2 makes two operational suggestions Lastly, note that Section 3.2.2 makes two operational suggestions
that have implications for the stability and security of the that have implications for the stability and security of the
mechanisms described in this document: mechanisms described in this document:
o That modifications to active SFPs not be made. * That modifications to active SFPs not be made.
o That SPIs not be immediately re-used. * That SPIs not be immediately reused.
10. IANA Considerations 10. IANA Considerations
10.1. New BGP AF/SAFI 10.1. New BGP AF/SAFI
IANA maintains a registry of "Address Family Numbers". IANA is IANA maintains the "Address Family Numbers" registry. IANA has
requested to assign a new Address Family Number from the "Standards assigned a new Address Family Number from the "Standards Action"
Action" range called "BGP SFC" (TBD1 in this document) with this range called "BGP SFC" (31), with this document as a reference.
document as a reference.
IANA maintains a registry of "Subsequent Address Family Identifiers IANA maintains the "Subsequent Address Family Identifiers (SAFI)
(SAFI) Parameters". IANA is requested to assign a new SAFI value Parameters" registry. IANA has assigned a new SAFI value from the
from the "Standards Action" range called "BGP SFC" (TBD2 in this "Standards Action" range called "BGP SFC" (9), with this document as
document) with this document as a reference. a reference.
10.2. New BGP Path Attribute 10.2. "SFP attribute" BGP Path Attribute
IANA maintains a registry of "Border Gateway Protocol (BGP) IANA maintains a registry of "Border Gateway Protocol (BGP)
Parameters" with a subregistry of "BGP Path Attributes". IANA is Parameters" with a subregistry of "BGP Path Attributes". IANA has
requested to assign a new Path attribute called "SFP attribute" (TBD3 assigned a new Path attribute called "SFP attribute" with a value of
in this document) with this document as a reference. 37 and with this document as a reference.
10.3. New SFP Attribute TLVs Type Registry 10.3. "SFP Attribute TLVs" Registry
IANA maintains a registry of "Border Gateway Protocol (BGP) IANA maintains a registry of "Border Gateway Protocol (BGP)
Parameters". IANA is request to create a new subregistry called the Parameters". IANA has created a new subregistry called the "SFP
"SFP Attribute TLVs" registry. Attribute TLVs" registry.
Valid values are in the range 0 to 65535. Valid values are in the range 0 to 65535.
o Values 0 and 65535 are to be marked "Reserved, not to be * Values 0 and 65535 are marked "Reserved".
allocated".
o Values 1 through 65534 are to be assigned according to the "First * Values 1 through 65534 are to be assigned according to the "First
Come First Served" policy [RFC8126]. Come First Served" policy [RFC8126].
This document should be given as a reference for this registry. This document is a reference for this registry.
The new registry should track: The registry tracks:
o Type * Type
o Name
o Reference Document or Contact * Name
o Registration Date * Reference
The registry should initially be populated as follows: * Registration Date
Type | Name | Reference | Date The registry is initially populated as follows:
------+-------------------------+---------------+---------------
1 | Association TLV | [This.I-D] | Date-to-be-set
2 | Hop TLV | [This.I-D] | Date-to-be-set
3 | SFT TLV | [This.I-D] | Date-to-be-set
4 | MPLS Swapping/Stacking | [This.I-D] | Date-to-be-set
5 | SFP Traversal With MPLS | [This.I-D] | Date-to-be-set
10.4. New SFP Association Type Registry +======+=========================+===========+===================+
| Type | Name | Reference | Registration Date |
+======+=========================+===========+===================+
| 1 | Association TLV | RFC 9015 | 2020-09-02 |
+------+-------------------------+-----------+-------------------+
| 2 | Hop TLV | RFC 9015 | 2020-09-02 |
+------+-------------------------+-----------+-------------------+
| 3 | SFT TLV | RFC 9015 | 2020-09-02 |
+------+-------------------------+-----------+-------------------+
| 4 | MPLS Swapping/Stacking | RFC 9015 | 2020-09-02 |
+------+-------------------------+-----------+-------------------+
| 5 | SFP Traversal With MPLS | RFC 9015 | 2020-09-02 |
+------+-------------------------+-----------+-------------------+
Table 1: SFP Attribute TLVs Subregistry Initial Contents
10.4. "SFP Association Type" Registry
IANA maintains a registry of "Border Gateway Protocol (BGP) IANA maintains a registry of "Border Gateway Protocol (BGP)
Parameters". IANA is request to create a new subregistry called the Parameters". IANA has created a new subregistry called the "SFP
"SFP Association Type" registry. Association Type" registry.
Valid values are in the range 0 to 65535. Valid values are in the range 0 to 65535.
o Values 0 and 65535 are to be marked "Reserved, not to be * Values 0 and 65535 are marked "Reserved".
allocated".
o Values 1 through 65534 are to be assigned according to the "First * Values 1 through 65534 are assigned according to the "First Come
Come First Served" policy [RFC8126]. First Served" policy [RFC8126].
This document should be given as a reference for this registry. This document is given as a reference for this registry.
The new registry should track: The new registry tracks:
o Association Type * Association Type
o Name * Name
o Reference Document or Contact * Reference
o Registration Date * Registration Date
The registry should initially be populated as follows: The registry should initially be populated as follows:
Association Type | Name | Reference | Date +==================+===================+===========+============+
-----------------+--------------------+------------+--------------- | Association Type | Name | Reference | Date |
1 | Bidirectional SFP | [This.I-D] | Date-to-be-set +==================+===================+===========+============+
| 1 | Bidirectional SFP | RFC 9015 | 2020-09-02 |
+------------------+-------------------+-----------+------------+
10.5. New Service Function Type Registry Table 2: SFP Association Type Subregistry Initial Contents
IANA is request to create a new top-level registry called "Service 10.5. "Service Function Chaining Service Function Types" Registry
Function Chaining Service Function Types".
IANA has created a new top-level registry called "Service Function
Chaining Service Function Types".
Valid values are in the range 0 to 65535. Valid values are in the range 0 to 65535.
o Values 0 and 65535 are to be marked "Reserved, not to be * Values 0 and 65535 are marked "Reserved".
allocated".
o Values 1 through 31 are to be assigned by "Standards Action" * Values 1 through 31 are to be assigned by "Standards Action"
[RFC8126] and are referred to as the Special Purpose SFT values. [RFC8126] and are referred to as the "special-purpose SFT values".
o Values 32 through 64495 are to be assigned according to the "First * Values 32 through 64495 are to be assigned according to the "First
Come First Served" policy [RFC8126]. Come First Served" policy [RFC8126].
o Values 64496 through 65534 are for Private Use and are not to be * Values 64496 through 65534 are for Private Use and are not to be
recorded by IANA. recorded by IANA.
This document should be given as a reference for this registry. This document is given as a reference for this registry.
The new registry should track: The registry tracks:
o Value * Value
o Name * Name
o Reference Document or Contact * Reference
o Registration Date * Registration Date
The registry should initially be populated as follows where The registry is initially populated as follows.
[I-D.darwa] should be expanded to
[I-D.dawra-idr-bgp-ls-sr-service-segments].
Value | Name | Reference | Date +=============+===================+=============+============+
------+-------------------------+------------+--------------- | Value | Name | Reference | Date |
0 | Reserved, not to be | [This.I-D] | Date-to-be-set +=============+===================+=============+============+
| allocated | | | 0 | Reserved | RFC 9015 | 2020-09-02 |
1 | Change Sequence | [This.I-D] | Date-to-be-set +-------------+-------------------+-------------+------------+
2-31 | Unassigned | | | 1 | Change Sequence | RFC 9015 | 2020-09-02 |
32 | Classifier | [This.I-D] | Date-to-be-set +-------------+-------------------+-------------+------------+
| | [I-D.dawra]| | 2-31 | Unassigned | | |
33 | Firewall | [This.I-D] | Date-to-be-set +-------------+-------------------+-------------+------------+
| | [I-D.dawra]| | 32 | Classifier | RFC 9015, | 2020-09-02 |
34 | Load balancer | [This.I-D] | Date-to-be-set | | | [BGP-LS-SR] | |
| | [I-D.dawra]| +-------------+-------------------+-------------+------------+
35 | Deep packet inspection | [This.I-D] | Date-to-be-set | 33 | Firewall | RFC 9015, | 2020-09-02 |
| engine | [I-D.dawra]| | | | [BGP-LS-SR] | |
36 | Penalty box | [This.I-D] | Date-to-be-set +-------------+-------------------+-------------+------------+
| | [RFC8300] | | 34 | Load balancer | RFC 9015, | 2020-09-02 |
37 | WAN accelerator | [This.I-D] | Date-to-be-set | | | [BGP-LS-SR] | |
| | [RFC7665] | +-------------+-------------------+-------------+------------+
| | [RFC8300] | | 35 | Deep packet | RFC 9015, | 2020-09-02 |
38 | Application accelerator | [This.I-D] | Date-to-be-set | | inspection engine | [BGP-LS-SR] | |
| | [RFC7665] | +-------------+-------------------+-------------+------------+
39 | TCP optimizer | [This.I-D] | Date-to-be-set | 36 | Penalty box | RFC 9015, | 2020-09-02 |
| | [RFC7665] | | | | [RFC8300] | |
40 | Network Address | [This.I-D] | Date-to-be-set +-------------+-------------------+-------------+------------+
| Translator | [RFC7665] | | 37 | WAN accelerator | RFC 9015, | 2020-09-02 |
41 | NAT44 | [This.I-D] | Date-to-be-set | | | [RFC7665], | |
| | [RFC7665] | | | | [RFC8300] | |
| | [RFC3022] | +-------------+-------------------+-------------+------------+
42 | NAT64 | [This.I-D] | Date-to-be-set | 38 | Application | RFC 9015, | 2020-09-02 |
| | [RFC7665] | | | accelerator | [RFC7665] | |
| | [RFC6146] | +-------------+-------------------+-------------+------------+
43 | NPTv6 | [This.I-D] | Date-to-be-set | 39 | TCP optimizer | RFC 9015, | 2020-09-02 |
| | [RFC7665] | | | | [RFC7665] | |
| | [RFC6296] | +-------------+-------------------+-------------+------------+
44 | Lawful intercept | [This.I-D] | Date-to-be-set | 40 | Network Address | RFC 9015, | 2020-09-02 |
| | [RFC7665] | | | Translator | [RFC7665] | |
45 | HOST_ID injection | [This.I-D] | Date-to-be-set +-------------+-------------------+-------------+------------+
| | [RFC7665] | | 41 | NAT44 | RFC 9015, | 2020-09-02 |
46 | HTTP header enrichment | [This.I-D] | Date-to-be-set | | | [RFC7665], | |
| | [RFC7665] | | | | [RFC3022] | |
47 | Caching engine | [This.I-D] | Date-to-be-set +-------------+-------------------+-------------+------------+
| | [RFC7665] | | 42 | NAT64 | RFC 9015, | 2020-09-02 |
48- | | | | | | [RFC7665], | |
-65534|Unassigned | | | | | [RFC6146] | |
65535 | Reserved, not to be | | +-------------+-------------------+-------------+------------+
| allocated | [This.I-D] | Date-to-be-set | 43 | NPTv6 | RFC 9015, | 2020-09-02 |
| | | [RFC7665], | |
| | | [RFC6296] | |
+-------------+-------------------+-------------+------------+
| 44 | Lawful intercept | RFC 9015, | 2020-09-02 |
| | | [RFC7665] | |
+-------------+-------------------+-------------+------------+
| 45 | HOST_ID injection | RFC 9015, | 2020-09-02 |
| | | [RFC7665] | |
+-------------+-------------------+-------------+------------+
| 46 | HTTP header | RFC 9015, | 2020-09-02 |
| | enrichment | [RFC7665] | |
+-------------+-------------------+-------------+------------+
| 47 | Caching engine | RFC 9015, | 2020-09-02 |
| | | [RFC7665] | |
+-------------+-------------------+-------------+------------+
| 48-64495 | Unassigned | | |
+-------------+-------------------+-------------+------------+
| 64496-65534 | Reserved for | | |
| | Private Use | | |
+-------------+-------------------+-------------+------------+
| 65535 | Reserved, not to | RFC 9015 | 2020-09-02 |
| | be allocated | | |
+-------------+-------------------+-------------+------------+
10.6. New Generic Transitive Experimental Use Extended Community Sub- Table 3: Service Function Chaining Service Function Types
Types Registry Initial Contents
IANA maintains a registry of "Border Gateway Protocol (BGP) 10.6. Flow Specification for SFC Classifiers
Parameters" with a subregistry of "Generic Transitive Experimental
Use Extended Community Sub-Type". IANA is requested to assign a new
sub-type as follows:
"Flow Specification for SFC Classifiers" (TBD4 in this document) IANA maintains a registry of "Border Gateway Protocol (BGP) Extended
Communities" with a subregistry of "Generic Transitive Experimental
Use Extended Community Sub-Types". IANA has assigned a new subtype
as follows:
"Flow Specification for SFC Classifiers" with a value of 0x0d and
with this document as the reference. with this document as the reference.
10.7. New BGP Transitive Extended Community Type 10.7. New BGP Transitive Extended Community Type
IANA maintains a registry of "Border Gateway Protocol (BGP) IANA maintains a registry of "Border Gateway Protocol (BGP) Extended
Parameters" with a subregistry of "BGP Transitive Extended Community Communities" with a subregistry of "BGP Transitive Extended Community
Types". IANA is requested to assign a new type as follows: Types". IANA has assigned a new type as follows:
o SFC (Sub-Types are defined in the "SFC Extended Community Sub- SFC (Sub-Types are defined in the "SFC Extended Community Sub-
Types" registry) (TBD6 in this document) with this document as the Types" registry) with a value of 0x0b and with this document as
reference. the reference.
10.8. New SFC Extended Community Sub-Types Registry 10.8. "SFC Extended Community Sub-Types" Registry
IANA maintains a registry of "Border Gateway Protocol (BGP) IANA maintains a registry of "Border Gateway Protocol (BGP)
Parameters". IANA is requested to create a new sub-registry called Parameters". IANA has created a new subregistry called the "SFC
the "SFC Extended Community Sub-Types Registry". Extended Community Sub-Types" registry.
IANA should include the following note replacing the string "TBD6" IANA has included the following note:
with the value assigned for Section 10.7:
This registry contains values of the second octet (the "Sub-Type" | This registry contains values of the second octet (the "Sub-
field) of an extended community when the value of the first octet | Type" field) of an extended community when the value of the
(the "Type" field) is set to TBD6. | first octet (the "Type" field) is set to 0x0b.
The allocation policy for this registry should be First Come First The allocation policy for this registry is First Come First Served.
Served.
Valid values are 0 to 255. The value 0 is reserved and should not be Valid values are 0 to 255. The value 0 is reserved and should not be
allocated. allocated.
IANA is requested to populate this registry with the following IANA has populated this registry with the following entries:
entries:
Sub-Type | | | +==========+==========================+===========+============+
Value | Name | Reference | Date | Sub-Type | Name | Reference | Date |
---------+----------------------+-------------+--------------- | Value | | | |
0 | Reserved, not to be | | +==========+==========================+===========+============+
| allocated | | | 0 | Reserved | RFC 9015 | |
1 | SFIR Pool Identifier | [This.I-D] | Date-to-be-set +----------+--------------------------+-----------+------------+
2 | MPLS Label Stack | [This.I-D] | Date-to-be-set | 1 | SFIR pool identifier | RFC 9015 | 2020-09-02 |
| Mixed Swapping/ | | +----------+--------------------------+-----------+------------+
| Stacking Labels | | | 2 | MPLS Label Stack Mixed | RFC 9015 | 2020-09-02 |
3-255 | Unassigned | | | | Swapping/Stacking Labels | | |
+----------+--------------------------+-----------+------------+
| 3-255 | Unassigned | | |
+----------+--------------------------+-----------+------------+
All other values should be marked "Unassigned". Table 4: SFC Extended Community Sub-Types Subregistry
Initial Contents
10.9. SPI/SI Representation 10.9. New SPI/SI Representation Sub-TLV
IANA is requested to assign a codepoint from the "BGP Tunnel IANA has assigned a codepoint from the "BGP Tunnel Encapsulation
Encapsulation Attribute Sub-TLVs" registry for the "SPI/SI Attribute Sub-TLVs" registry for the "SPI/SI Representation Sub-TLV"
Representation Sub-TLV" (TBD5 in this document) with this document with a value of 16 and with this document as the reference.
being the reference.
10.10. SFC SPI/SI Representation Flags Registry 10.10. "SFC SPI/SI Representation Flags" Registry
IANA maintains the "BGP Tunnel Encapsulation Attribute Sub-TLVs" IANA maintains the "BGP Tunnel Encapsulation Attribute Sub-TLVs"
registry and is requested to create an associated registry called the registry and has created an associated registry called the "SFC SPI/
"SFC SPI/SI Representation Flags" registry. SI Representation Flags" registry.
Bits are to be assigned by Standards Action. The field is 16 bits Bits are to be assigned by Standards Action. The field is 16 bits
long, and bits are counted from the the most significant bit as bit long, and bits are counted from the most significant bit as bit zero.
zero.
IANA is requested to populate the registry as follows:
Bit number | Name | Reference
-----------+----------------------+-----------
TBD9 | NSH data plane | [This.I-D]
TBD10 | MPLS data plane | [This.I-D]
11. Contributors
Stuart Mackie
Juniper Networks
Email: wsmackie@juinper.net
Keyur Patel
Arrcus, Inc.
Email: keyur@arrcus.com
Avinash Lingala
AT&T
Email: ar977m@att.com
12. Acknowledgements
Thanks to Tony Przygienda, Jeff Haas, and Andy Malis for helpful
comments, and to Joel Halpern for discussions that improved this
document. Yuanlong Jiang provided a useful review and caught some
important issues. Stephane Litkowski did an exceptionally good and
detailed document shepherd review.
Andy Malis contributed text that formed the basis of Section 7.7.
Brian Carpenter and Martin Vigoureux provided useful reviews during IANA has populated the registry as follows:
IETF last call. Thanks also to Sheng Jiang, Med Boucadair, Ravi
Singh, Benjamin Kaduk, Roman Danyliw, Adam Roach, Alvaro Retana,
Barry Leiba, and Murray Kucherawy for review comments. Ketan
Talaulikar provided helpful discussion of the SFT code point
registry. Ron Bonica kept us honest on the difference between an RD
and RT; Benjamin Kaduk kept us on message about the differnce between
an RD and an extended community.
13. References +=======+=================+===========+
| Value | Name | Reference |
+=======+=================+===========+
| 0 | NSH data plane | RFC 9015 |
+-------+-----------------+-----------+
| 1 | MPLS data plane | RFC 9015 |
+-------+-----------------+-----------+
13.1. Normative References Table 5: SFC SPI/SI Representation
Flags Registry Initial Contents
[I-D.ietf-idr-rfc5575bis] 11. References
Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M.
Bacher, "Dissemination of Flow Specification Rules",
draft-ietf-idr-rfc5575bis-26 (work in progress), August
2020.
[I-D.ietf-idr-tunnel-encaps] 11.1. Normative References
Patel, K., Velde, G., Sangli, S., and J. Scudder, "The BGP
Tunnel Encapsulation Attribute", draft-ietf-idr-tunnel-
encaps-17 (work in progress), July 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271, Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006, DOI 10.17487/RFC4271, January 2006,
<https://www.rfc-editor.org/info/rfc4271>. <https://www.rfc-editor.org/info/rfc4271>.
skipping to change at page 70, line 25 skipping to change at line 3091
Forwarding Plane for Service Function Chaining", RFC 8595, Forwarding Plane for Service Function Chaining", RFC 8595,
DOI 10.17487/RFC8595, June 2019, DOI 10.17487/RFC8595, June 2019,
<https://www.rfc-editor.org/info/rfc8595>. <https://www.rfc-editor.org/info/rfc8595>.
[RFC8596] Malis, A., Bryant, S., Halpern, J., and W. Henderickx, [RFC8596] Malis, A., Bryant, S., Halpern, J., and W. Henderickx,
"MPLS Transport Encapsulation for the Service Function "MPLS Transport Encapsulation for the Service Function
Chaining (SFC) Network Service Header (NSH)", RFC 8596, Chaining (SFC) Network Service Header (NSH)", RFC 8596,
DOI 10.17487/RFC8596, June 2019, DOI 10.17487/RFC8596, June 2019,
<https://www.rfc-editor.org/info/rfc8596>. <https://www.rfc-editor.org/info/rfc8596>.
13.2. Informative References [RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M.
Bacher, "Dissemination of Flow Specification Rules",
RFC 8955, DOI 10.17487/RFC8955, December 2020,
<https://www.rfc-editor.org/info/rfc8955>.
[I-D.dawra-idr-bgp-ls-sr-service-segments] [RFC9012] Patel, K., Van de Velde, G., Sangli, S., and J. Scudder,
"The BGP Tunnel Encapsulation Attribute", RFC 9012,
DOI 10.17487/RFC9012, April 2021,
<https://www.rfc-editor.org/info/rfc9012>.
11.2. Informative References
[BGP-LS-SR]
Dawra, G., Filsfils, C., Talaulikar, K., Clad, F., Dawra, G., Filsfils, C., Talaulikar, K., Clad, F.,
daniel.bernier@bell.ca, d., Uttaro, J., Decraene, B., Bernier, D., Uttaro, J., Decraene, B., Elmalky, H., Xu,
Elmalky, H., Xu, X., Guichard, J., and C. Li, "BGP-LS X., Guichard, J., and C. Li, "BGP-LS Advertisement of
Advertisement of Segment Routing Service Segments", draft- Segment Routing Service Segments", Work in Progress,
dawra-idr-bgp-ls-sr-service-segments-04 (work in Internet-Draft, draft-dawra-idr-bgp-ls-sr-service-
progress), August 2020. segments-05, 15 February 2021,
<https://tools.ietf.org/html/draft-dawra-idr-bgp-ls-sr-
service-segments-05>.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, Address Translator (Traditional NAT)", RFC 3022,
DOI 10.17487/RFC3022, January 2001, DOI 10.17487/RFC3022, January 2001,
<https://www.rfc-editor.org/info/rfc3022>. <https://www.rfc-editor.org/info/rfc3022>.
[RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis",
RFC 4272, DOI 10.17487/RFC4272, January 2006, RFC 4272, DOI 10.17487/RFC4272, January 2006,
<https://www.rfc-editor.org/info/rfc4272>. <https://www.rfc-editor.org/info/rfc4272>.
skipping to change at page 71, line 20 skipping to change at line 3146
BGP, LDP, PCEP, and MSDP Issues According to the Keying BGP, LDP, PCEP, and MSDP Issues According to the Keying
and Authentication for Routing Protocols (KARP) Design and Authentication for Routing Protocols (KARP) Design
Guide", RFC 6952, DOI 10.17487/RFC6952, May 2013, Guide", RFC 6952, DOI 10.17487/RFC6952, May 2013,
<https://www.rfc-editor.org/info/rfc6952>. <https://www.rfc-editor.org/info/rfc6952>.
[RFC7498] Quinn, P., Ed. and T. Nadeau, Ed., "Problem Statement for [RFC7498] Quinn, P., Ed. and T. Nadeau, Ed., "Problem Statement for
Service Function Chaining", RFC 7498, Service Function Chaining", RFC 7498,
DOI 10.17487/RFC7498, April 2015, DOI 10.17487/RFC7498, April 2015,
<https://www.rfc-editor.org/info/rfc7498>. <https://www.rfc-editor.org/info/rfc7498>.
Acknowledgements
Thanks to Tony Przygienda, Jeff Haas, and Andy Malis for helpful
comments, and to Joel Halpern for discussions that improved this
document. Yuanlong Jiang provided a useful review and caught some
important issues. Stephane Litkowski did an exceptionally good and
detailed Document Shepherd review.
Andy Malis contributed text that formed the basis of Section 7.7.
Brian Carpenter and Martin Vigoureux provided useful reviews during
IETF Last Call. Thanks also to Sheng Jiang, Med Boucadair, Ravi
Singh, Benjamin Kaduk, Roman Danyliw, Adam Roach, Alvaro Retana,
Barry Leiba, and Murray Kucherawy for review comments. Ketan
Talaulikar provided helpful discussion of the SFT codepoint registry.
Ron Bonica kept us honest on the difference between an RD and an RT;
Benjamin Kaduk kept us on message about the difference between an RD
and an Extended Community.
Contributors
Stuart Mackie
Juniper Networks
Email: wsmackie@juinper.net
Keyur Patel
Arrcus, Inc.
Email: keyur@arrcus.com
Avinash Lingala
AT&T
Email: ar977m@att.com
Authors' Addresses Authors' Addresses
Adrian Farrel Adrian Farrel
Old Dog Consulting Old Dog Consulting
Email: adrian@olddog.co.uk Email: adrian@olddog.co.uk
John Drake John Drake
Juniper Networks Juniper Networks
 End of changes. 469 change blocks. 
1251 lines changed or deleted 1293 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/