<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd" [ ]> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <?rfc toc="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc iprnotified="no"?> <?rfc strict="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>"rfc2629-xhtml.ent"> <rfccategory="std"xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-detnet-ip-over-mpls-09" number="9056" ipr="trust200902"submissionType="IETF">submissionType="IETF" category="std" consensus="true" obsoletes="" updates="" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3"> <front> <title abbrev="DetNet Data Plane: IP overDetNet MPLS Data Plane"> DetNetMPLS"> Deterministic Networking (DetNet) Data Plane: IP over MPLS</title> <seriesInfo name="RFC" value="9056"/> <author role="editor"fullname="Balázsfullname="Balázs Varga" initials="B." surname="Varga"> <organization>Ericsson</organization> <address> <postal> <street>Magyar Tudosok krt. 11.</street> <city>Budapest</city> <country>Hungary</country> <code>1117</code> </postal> <email>balazs.a.varga@ericsson.com</email> </address> </author><!-- <author fullname="János Farkas" initials="J." surname="Farkas"> <organization>Ericsson</organization> <address> <postal> <street>Magyar Tudosok krt. 11.</street> <city>Budapest</city> <country>Hungary</country> <code>1117</code> </postal> <email>janos.farkas@ericsson.com</email> </address> </author> --><author fullname="Lou Berger" initials="L." surname="Berger"> <organization>LabN Consulting, L.L.C.</organization> <address> <email>lberger@labn.net</email> </address> </author> <author fullname="Don Fedyk" initials="D." surname="Fedyk"> <organization>LabN Consulting, L.L.C.</organization> <address> <email>dfedyk@labn.net</email> </address> </author><!-- <author fullname="Andrew G. Malis" initials="A.G." surname="Malis"> <organization>Independent</organization> <address> <email>agmalis@gmail.com</email> </address> </author> --><author fullname="Stewart Bryant" initials="S." surname="Bryant"> <organization>Futurewei Technologies</organization> <address><email>stewart.bryant@gmail.com</email><email>sb@stewartbryant.com</email> </address> </author> <author fullname="Jouni Korhonen" initials="J." surname="Korhonen"><!--organization abbrev="Nordic">Nordic Semiconductor</organization--><address> <email>jouni.nospam@gmail.com</email> </address> </author><!--author fullname="Donald Fauntleroy Duck" initials="D. F." surname="Duck"> <organization abbrev="Royal Bros.">Royal Bros.</organization> <address> <postal> <street>13 Paradise Road</street> <city>Duckburg</city> <region>Calisota</region> <country>USA</country> </postal> </address> </author--><date year="2021" month="October" /> <workgroup>DetNet</workgroup> <keyword>sub-network</keyword> <abstract> <t> This document specifies the Deterministic Networking data plane when encapsulating IP over an MPLSpacket switchedpacket-switched network. </t> </abstract> </front> <middle> <sectiontitle="Introduction" anchor="sec_intro">anchor="sec_intro" numbered="true" toc="default"> <name>Introduction</name> <t> Deterministic Networking (DetNet) is a service that can be offered by a network to DetNet flows. DetNet provides a capability for the delivery of data flows with extremely low packet loss rates and bounded end-to-end delivery latency. General background and concepts of DetNet can be found in the DetNetArchitecture <xref target="RFC8655"/>. </t> <!-- <t> This document specifies the DetNet data plane operation for IP hosts and routers that provide DetNet service to IP encapsulated data. No DetNet specific encapsulation is defined to support IP flows, rather existing IP and higher layer protocol header information is used to support flow identification and DetNet service delivery. </t> <t> The DetNet Architecture decomposes the DetNet related data plane functions into two sub-layers: a service sub-layer and a forwarding sub-layer. The service sub-layer is used to provide DetNet service protection and reordering. The forwarding sub-layer is used to provides congestion protection (low loss, assured latency, and limited reordering). Since no DetNet specific headers are added to support DetNet IP flows, only the forwarding sub-layer functions are supported using the DetNet IP defined by this document. Service protection can be provided on a per sub-net basis using technologies such as MPLSarchitecture <xreftarget="I-D.ietf-detnet-mpls"/> and IEEE802.1 TSN.target="RFC8655" format="default"/>. </t>--><t> This document specifies use of the IP DetNet encapsulation over an MPLS network. It maps the IP data plane encapsulation described in <xreftarget="I-D.ietf-detnet-ip"/>target="RFC8939" format="default"/> to the DetNet MPLS data plane defined in <xreftarget="I-D.ietf-detnet-mpls"/>.target="RFC8964" format="default"/>. </t> </section> <sectiontitle="Terminology">numbered="true" toc="default"> <name>Terminology</name> <sectiontitle="Termsnumbered="true" toc="default"> <name>Terms UsedInin ThisDocument">Document</name> <t> This document uses the terminology and concepts established in the DetNet architecture <xreftarget="RFC8655"/>target="RFC8655" format="default"/> and in <xreftarget="I-D.ietf-detnet-data-plane-framework"/>, thetarget="RFC8938" format="default"/>. The reader is assumed to be familiar with these documents and their terminology. </t> </section> <sectiontitle="Abbreviations">numbered="true" toc="default"> <name>Abbreviations</name> <t> This document uses the abbreviations defined in the DetNet architecture <xreftarget="RFC8655"/>target="RFC8655" format="default"/> and in <xreftarget="I-D.ietf-detnet-data-plane-framework"/>.target="RFC8938" format="default"/>. This document uses the following abbreviations:<list style="hanging" hangIndent="14"> <t hangText="CE">Customer</t> <dl newline="false" spacing="normal" indent="14"> <dt>CE</dt> <dd>Customer Edgeequipment.</t> <t hangText="d-CW">DetNet(equipment)</dd> <dt>d-CW</dt> <dd>DetNet ControlWord.</t> <t hangText="DetNet">Deterministic Networking.</t> <t hangText="DF">DetNet Flow.</t> <t hangText="DN">DetNet.</t> <t hangText="L2">Layer-2.</t> <t hangText="LSP">Label-switched path.</t> <t hangText="MPLS">MultiprotocolWord</dd> <dt>DetNet</dt> <dd>Deterministic Networking</dd> <dt>DF</dt> <dd>DetNet Flow</dd> <dt>DN</dt> <dd>DetNet</dd> <dt>L2</dt> <dd>Layer 2</dd> <dt>LSP</dt> <dd>Label-Switched Path</dd> <dt>MPLS</dt> <dd>Multiprotocol LabelSwitching.</t> <t hangText="PEF">PacketSwitching</dd> <dt>PEF</dt> <dd>Packet EliminationFunction.</t> <t hangText="PRF">PacketFunction</dd> <dt>PRF</dt> <dd>Packet ReplicationFunction.</t> <t hangText="PREOF">PacketFunction</dd> <dt>PREOF</dt> <dd>Packet Replication,EliminationElimination, and OrderingFunctions.</t> <t hangText="POF">PacketFunctions</dd> <dt>POF</dt> <dd>Packet OrderingFunction.</t> <t hangText="PW">Pseudowire.</t> <t hangText="S-Label">DetNetFunction</dd> <dt>PW</dt> <dd>Pseudowire</dd> <dt>S-Label</dt> <dd>DetNet "service"label.</t> <t hangText="S-PE">SwitchingLabel</dd> <dt>S-PE</dt> <dd>Switching ProviderEdge.</t> <t hangText="T-PE">TerminatingEdge</dd> <dt>T-PE</dt> <dd>Terminating ProviderEdge.</t> <t hangText="TE">Traffic Engineering.</t> <t hangText="TSN">Time-Sensitive Networking,Edge</dd> <dt>TE</dt> <dd>Traffic Engineering</dd> <dt>TSN</dt> <dd>Time-Sensitive Networking; TSN is a Task Group of the IEEE 802.1 WorkingGroup.</t> </list> </t>Group</dd> </dl> </section> <sectiontitle="Requirements Language">numbered="true" toc="default"> <name>Requirements Language</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xreftarget="RFC2119"/>target="RFC2119" format="default"/> <xreftarget="RFC8174"/>target="RFC8174" format="default"/> when, and only when, they appear in all capitals, as shown here. </t> </section> </section> <sectiontitle="DetNetanchor="sec_dt_dp" numbered="true" toc="default"> <name>DetNet IP Data PlaneOverview" anchor="sec_dt_dp">Overview</name> <t> <xreftarget="fig_ip_detnet"/>target="fig_ip_detnet" format="default"/> illustrates an IPDetNet,DetNet with anMPLS basedMPLS-based DetNet network as a sub-network between the relay nodes. An IP flow is mapped to one or more PWs and MPLS (TE) LSPs. The end systems still originateIP encapsulatedIP-encapsulated traffic, identified as DetNet flows. The relay nodes follow procedures defined in <xreftarget="ip-over-mpls"/>target="ip-over-mpls" format="default"/> to map each DetNet flow to MPLS LSPs. While not shown, relay nodes can provide service sub-layer functions such as PREOF using DetNet over MPLS, and this is indicated by the solid line for theMPLS facingMPLS-facing portion of the Service component. Note that the Transit node is MPLS (TE) LSP aware and performs switching based on MPLSlabels, andlabels; it need not have any specific knowledge of the DetNet service or the corresponding DetNet flow identification. See <xreftarget="ip-over-mpls"/>target="ip-over-mpls" format="default"/> for details on the mapping of IP flows to MPLS, and <xreftarget="I-D.ietf-detnet-mpls"/>target="RFC8964" format="default"/> for general support of DetNet services using MPLS. </t> <figurealign="center" anchor="fig_ip_detnet" title="Architecture:anchor="fig_ip_detnet"> <name>Architecture: DetNet IPOverover DetNet MPLSNetwork"> <artwork><![CDATA[Network</name> <artwork name="" type="" align="left" alt=""><![CDATA[ DetNet IP Relay Transit Relay DetNet IP End System Node Node Node End System +----------+ +----------+ | Appl. |<------------- End to End Service ---------->| Appl. | +----------+ .....-----+ +-----..... +----------+ | Service |<--: Service |--DetNet flow ---| Service :-->| Service | | | : |<-DN MPLS flow ->| : | | +----------+ +---------+ +----------+ +---------+ +----------+ |Forwarding| |Fwd| |Fwd| |Forwarding| |Fwd| |Fwd| |Forwarding| +-------.--+ +-.-+ +-.-+ +----.---.-+ +-.-+ +-.-+ +---.------+ : Link : / ,-----. \ : Link : / ,-----. \ +........+ +-[ Sub ]-+ +......+ +-[ Sub ]-+ [Network] [Network] `-----' `-----' |<---- DetNet MPLS ---->| |<--------------------- DetNet IP ------------------>| ]]></artwork> </figure> </section><!-- ===================================================================== --><section anchor="ip-over-mpls"title="IPnumbered="true" toc="default"> <name>DetNet IP over DetNetMPLS">MPLS</name> <t> This section defines howIP encapsulatedIP-encapsulated flows are carried over a DetNet MPLS data plane as defined in <xreftarget="I-D.ietf-detnet-mpls"/>.target="RFC8964" format="default"/>. Since bothNon-DetNetnon-DetNet and DetNet IPpacketpackets are identical on the wire, this section is applicable to any node that supports IP over DetNet MPLS, and this section refers to both cases as DetNet IP over DetNet MPLS. </t> <sectiontitle="IP Overanchor="sec_ip_mpls_dt_dp_scen" numbered="true" toc="default"> <name>DetNet IP over DetNet MPLS Data PlaneScenarios" anchor="sec_ip_mpls_dt_dp_scen">Scenarios</name> <t> An example use of DetNet IP over DetNet MPLS is presented here. </t> <t> <xreftarget="fig_ip_detnet"/>target="fig_ip_detnet" format="default"/> illustrates IPDetNet enabledDetNet-enabled End Systems (hosts) connected toDetNet (DN) enabledDetNet-enabled IPnetworks,networks (DN IP), operating over aDetNet awareDetNet-aware MPLS network. In thisFigurefigure, we have a case where theRelayrelay nodes act as T-PEs and sit at the boundary of the MPLS domain since the non-MPLS domain is DetNet aware. This case is very similar to the DetNet MPLS NetworkFigure(Figure 2 in <xreftarget="I-D.ietf-detnet-mpls"/>.target="RFC8964" format="default"/>). However, in<xref target="I-D.ietf-detnet-mpls"/>Figure2,2 of <xref target="RFC8964" format="default"/>, the T-PEs are located at the end system and MPLS spans the whole DetNet service. The primary difference in this document is that theRelayrelay nodes are at the edges of the MPLS domain and therefore function as T-PEs, and that MPLS service sub-layer functions are not provided over the DetNet IP network. The transit node functions shown above are identical to those described in <xreftarget="I-D.ietf-detnet-mpls"/>.target="RFC8964" format="default"/>. </t> <t> <xreftarget="fig_ip_pw_detnet"/>target="fig_ip_pw_detnet" format="default"/> illustrates how relay nodes can provide service protection over an MPLS domain. In this case, CE1 and CE2 are IP DetNet end systemswhichthat are interconnected viaaan MPLS domain such as that described in <xreftarget="I-D.ietf-detnet-mpls"/>.target="RFC8964" format="default"/>. Note that R1 and R3 sit at the edges of an MPLS domain and therefore are similar to T-PEs, while R2 sits in the middle of the domain and is therefore similar to an S-PE. </t> <figurealign="center" anchor="fig_ip_pw_detnet" title="Serviceanchor="fig_ip_pw_detnet"> <name>Service ProtectionOverover DetNet MPLS Network for DetNetIP"> <artwork><![CDATA[IP</name> <artwork name="" type="" align="left" alt=""><![CDATA[ DetNet DetNet IP Service Transit Transit Service IP DetNet |<-Tnl->| |<-Tnl->| DetNet End | V 1 V V 2 V | End System | +--------+ +--------+ +--------+ | System +---+ | | R1 |=======| R2 |=======| R3 | | +---+ | |-------|._X_....|..DF1..|.__ ___.|..DF3..|...._X_.|-------| | |CE1| | | \ | | X | | / | | |CE2| | | | | \_.|..DF2..|._/ \__.|..DF4..|._/ | | | | +---+ | |=======| |=======| | +---+ ^ +--------+ +--------+ +--------+ ^ | Relay Node Relay Node Relay Node | | (T-PE) (S-PE) (T-PE) | | | |<-DN IP-> <-------- DetNet MPLS ---------------> <-DN IP->| | | |<-------------- End to End DetNet Service --------------->| -------------------------- Data Flow -------------------------> X = Service protection (PRF, PREOF, PEF/POF) DFx = DetNet member flow x over a TE LSP ]]></artwork> </figure> <t> <xreftarget="fig_ip_detnet"/>target="fig_ip_detnet" format="default"/> illustratesDetNet enabled End SystemsDetNet-enabled end systems connected toDetNetDetNet-enabled (DN)enabledMPLSnetwork.networks. A similar situation occurs when end systems are not DetNet aware. In this case, edge nodes sit at the boundary of the MPLS domain since it is also a DetNet domain boundary. The edge nodes provide DetNet service proxies for the end applications by initiating and terminating DetNet service for the application's IP flows. While the node types differ, there is essentially no difference in data plane processing betweenrelayrelays and edges. There are likely to be differences incontroller planeController Plane operation, particularly when distributed control plane protocols are used. </t> <t> It is still possible to provide DetNet service protection fornon-DetNet awarenon-DetNet-aware end systems. This case is basically the same as <xreftarget="fig_ip_pw_detnet"/>,target="fig_ip_pw_detnet" format="default"/>, with the exception that CE1 and CE2 arenon-DetNet awarenon-DetNet-aware end systems and R1 and R3 become edge nodes. </t> </section> <section anchor="iom-overview"title="DetNetnumbered="true" toc="default"> <name>DetNet IP over DetNet MPLSEncapsulation">Encapsulation</name> <t> The basic encapsulation approach is to treat a DetNet IP flow as anapp-flowApp-flow from the DetNet MPLS perspective. The corresponding example DetNetSub-NetworkSub-network format is shown in <xreftarget="fig_dn_ip_mpls_sn_ex"/>.target="fig_dn_ip_mpls_sn_ex" format="default"/>. </t><!-- <t> [Editor's note: several proposed changes on the figure. Intention is to clarify relationship of the various flows.] </t> --><figuretitle="Exampleanchor="fig_dn_ip_mpls_sn_ex"> <name>Example DetNet IP over MPLSSub-Network Formats" anchor="fig_dn_ip_mpls_sn_ex">Sub-network Formats</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ /-> +------+ +------+ +------+ ^ ^ | | X | | X | | X |<-App-FlowApp-flow : : | +------+ +------+ +------+ : :App-FlowApp-flow <-+ |NProto| |NProto| |NProto| : :(1) for MPLS | +------+ +------+ +------+ : : | | IP | | IP | | IP | : v \-> +---+======+--+======+--+======+-----+ : DetNet-MPLS | d-CW | | d-CW | | d-CW | : +------+ +------+ +------+ :(2) |Labels| |Labels| |Labels| v +---+======+--+======+--+======+-----+Link/Sub-NetworkLink/Sub-network | L2 | | TSN | | UDP | +------+ +------+ +------+ | IP | +------+ | L2 | +------+ (1) DetNet IP Flow (or simply IP flow) (2) DetNet MPLS Flow]]> </artwork>]]></artwork> </figure> <t> In <xreftarget="fig_dn_ip_mpls_sn_ex"/> "App-Flow"target="fig_dn_ip_mpls_sn_ex" format="default"/>, "App-flow" indicates the payload carried by the DetNet IP data plane. "IP" and "NProto" indicate the fields described inSection 5.1.1.Sections <xref target="RFC8939" sectionFormat="bare" section="5.1.1"/> (IP Header Information) andSection 5.1.2.<xref target="RFC8939" sectionFormat="bare" section="5.1.2"/> (Other Protocol Header Information) of <xreftarget="I-D.ietf-detnet-ip"/>,target="RFC8939" format="default"/>, respectively."App-Flow"App-flow for MPLS" indicates that an individual DetNet IP flow is the payload from the perspective of the DetNet MPLS data plane defined in <xreftarget="I-D.ietf-detnet-mpls"/>.target="RFC8964" format="default"/>. </t> <t> PerSection 5.1 of<xreftarget="I-D.ietf-detnet-mpls"/>,target="RFC8964" sectionFormat="of" section="5.1" format="default"/>, the DetNet MPLS data plane uses a single S-Label to support a singleapp flow.App-flow. DetNet IP Flow Identification Procedures inSection 4.4 of<xreftarget="I-D.ietf-detnet-ip"/>target="RFC8939" sectionFormat="of" section="5.1" format="default"/> states that a single DetNet flow is identified based onIP,IP- andnext level protocol,next-level protocol header information.Section 4.4. (Aggregation Considerations) of<xreftarget="I-D.ietf-detnet-ip"/>target="RFC8939" sectionFormat="of" section="4.4" format="default"/> (DetNet Flow Aggregation) defines the ways in which aggregation is supported through the use of prefixes, wildcards, lists, and port ranges. Collectively, this results in the fairly straightforward procedures defined in the next section. </t> <t> As shown in <xreftarget="fig_ip_pw_detnet"/>,target="fig_ip_pw_detnet" format="default"/>, DetNet relay nodes are responsible for the mapping of a DetNet flow, at the service sub-layer, from the IP to MPLS DetNet data planes and back again. Their related DetNet IP over DetNet MPLS data plane operation is comprised of two sets of procedures: the mapping of flowidentifiers,identifiers and ensuring proper traffic treatment. </t> <t> Mapping of IP to DetNet MPLS is similar for DetNet IP flows and IP flows. The six-tuple of IP is mapped to the S-Label in both cases. The various fields may be mapped or ignored when going from IP to MPLS. </t> </section> </section> <section anchor="iom-proc"title="IPnumbered="true" toc="default"> <name>DetNet IP over DetNet MPLSProcedures">Procedures</name> <t> The main differences of mapping IP to DetNet MPLS (compared to plain MPLS) are that (1) there is a mandatory flow identification to make the forwarding decision (i.e., forwarding is not based on FEC), (2) the d-CW (DetNet Control Word) is mandatory for the MPLSencapsulationencapsulation, and (3) during forwarding over the DetNet MPLSnetwork DetNet flow specificnetwork, treatment specific to DetNet flows is needed. </t> <section anchor="iom-ids"title="DetNetnumbered="true" toc="default"> <name>DetNet IP over DetNet MPLS Flow Identification and AggregationProcedures"> <!-- <t> [Editor's note: several proposed changes to clarify referred components. Confusing usage of app-flow terminology.] </t> -->Procedures</name> <t> A DetNet relay node (ingress T-PE) that sends a DetNet IP flow over a DetNet MPLS networkMUST<bcp14>MUST</bcp14> map a DetNet IP flow, as identified in <xreftarget="I-D.ietf-detnet-ip"/>target="RFC8939" format="default"/>, into a single MPLS DetNet flow andMUST<bcp14>MUST</bcp14> process it in accordance to the procedures defined in <xreftarget="I-D.ietf-detnet-mpls"/>.target="RFC8964" format="default"/>. PRFMAY<bcp14>MAY</bcp14> be supported at the MPLS level for DetNet IP flows sent overana DetNet MPLS network. AggregationMAY<bcp14>MAY</bcp14> be supported as defined in <xreftarget="I-D.ietf-detnet-mpls"/> Section 4.4.sectionFormat="of" section="4.4" target="RFC8964" format="default"/>. Aggregation considerations in <xreftarget="I-D.ietf-detnet-ip"/> MAYtarget="RFC8939" format="default"/> <bcp14>MAY</bcp14> be used to identify an individual DetNet IP flow. The provisioning of the mapping of DetNet IP flows to DetNet MPLS flowsMUST<bcp14>MUST</bcp14> be supported via configuration, e.g., via thecontroller plane.Controller Plane. </t> <t> A DetNet relay node (egress T-PE)MAY<bcp14>MAY</bcp14> be provisioned to handle packets received via the DetNet MPLS data plane as DetNet IP flows. A single incoming DetNet MPLS flowMAY<bcp14>MAY</bcp14> be treated as a single DetNet IP flow, without examination of IP headers. Alternatively, packets received via the DetNet MPLS data planeMAY<bcp14>MAY</bcp14> follow the normal DetNet IP flow identification procedures defined in <xreftarget="I-D.ietf-detnet-ip"/> Section 5.1.target="RFC8939" sectionFormat="of" section="5.1" format="default"/>. </t> <t> An implementationMUST<bcp14>MUST</bcp14> support the provisioning for handling any packet flows received via the DetNet MPLS data plane as DetNet IP flows via configuration. Note that such configurationMAY<bcp14>MAY</bcp14> include support from PREOF on the incoming DetNet MPLS flow. </t> <aside> <t> Note:using Layer-4Using Layer 4 (L4) transport protocolse.g.,(e.g., formultipathmultipath) are out of scope of this document both for a single flow and aggregate flows. </t> </aside> </section> <section anchor="iom-svc"title="DetNetnumbered="true" toc="default"> <name>DetNet IP over DetNet MPLS Traffic TreatmentProcedures">Procedures</name> <t> The traffic treatment required for a particular DetNet IP flow is provisioned via configuration or thecontroller plane.Controller Plane. When a DetNet IP flow is sent over DetNet MPLS, a DetNet relay nodeMUST<bcp14>MUST</bcp14> ensure that the provisioned DetNet IP traffic treatment is provided at the forwarding sub-layer as described in <xreftarget="I-D.ietf-detnet-mpls"/> Section 5.2.target="RFC8964" sectionFormat="of" section="5.2" format="default"/>. Note thatthePRFfunction MAY<bcp14>MAY</bcp14> be utilized when sending IP over MPLS. </t> <t> Traffic treatment for DetNet IP flows received over the DetNet MPLS data planeMUST<bcp14>MUST</bcp14> followSection 5.3 DetNet<xref target="RFC8939" sectionFormat="of" section="5.3" format="default"/> (DetNet IP Traffic TreatmentProcedures in <xref target="I-D.ietf-detnet-ip"/>.Procedures). </t> </section> </section><!-- ===================================================================== --><section anchor="mc_summary"title="Managementnumbered="true" toc="default"> <name>Management and Control InformationSummary">Summary</name> <t> The following summarizes the set of information that is needed to support DetNet IP over DetNet MPLS at the MPLS ingress node:<list style="symbols"> <t></t> <ul spacing="normal"> <li> Each MPLS App-Flow isidentifiedselected from the incoming IP traffic using the IP flow identification informationasdefined in <xreftarget="I-D.ietf-detnet-ip"/>. Thetarget="RFC8939" format="default"/>. This information is summarized in Section5.1<xref target="RFC8939" sectionFormat="bare" section="5.1"/> of thatdocument,document and includes all wildcards, portrangesranges, and the ability to ignore specific IP fields.</t> <t></li> <li> The DetNet MPLS service that is to be used to send the matching IP traffic. This matching information is provided in <xreftarget="I-D.ietf-detnet-mpls"/> Section 5.1,target="RFC8964" sectionFormat="of" section="5.1" format="default"/> and includes both service and traffic delivery information.</t> </list> </t></li> </ul> <t> The following summarizes the set of information that is needed to support DetNet IP over DetNet MPLS at the MPLS egress node:<list style="symbols"> <t></t> <ul spacing="normal"> <li> The S-Labelvaluesvalue thatare carrying MPLS over IPidentifies the encapsulated App-flow traffic.</t> <t></li> <li> For each S-Label, how the received traffic is to be handled. The traffic may be processedaccordingas any other DetNet IP traffic as defined in this document or in <xreftarget="I-D.ietf-detnet-ip"/>,target="RFC8939" format="default"/>, or the traffic may be directly treated as an MPLS App-flow for additional processing according to <xreftarget="I-D.ietf-detnet-mpls"/>. </t> </list> </t>target="RFC8964" format="default"/>. </li> </ul> <t> It is the responsibility of the DetNetcontroller planeController Plane to properly provision both flow identification information and the flow-specific resources needed to provide the traffic treatment to meet each flow's service requirements. This applies for aggregated and individual flows. </t> </section> <sectiontitle="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t> General security considerations for DetNet are described in detail in <xreftarget="I-D.ietf-detnet-security"/>.target="RFC9055" format="default"/>. DetNet MPLS and DetNet IP security considerations equally apply to this document and are described in <xreftarget="I-D.ietf-detnet-mpls"/>target="RFC8964" format="default"/> and <xreftarget="I-D.ietf-detnet-ip"/>.target="RFC8939" format="default"/>. </t> <t> Security aspectswhichthat are unique to DetNet are those whose aim is to protect the support of specificquality of servicequality-of-service aspects of DetNet, which are primarily to deliver data flows with extremely low packet loss rates and bounded end-to-end delivery latency. </t> <t> The primary considerations for the data plane are to maintain integrity of data and delivery of the associated DetNet service traversing the DetNet network. Application flows can be protected through whatever means is provided by the underlying technology. For example, encryption may be used, such as that provided byIPSecIPsec <xreftarget="RFC4301"/>target="RFC4301" format="default"/> for IP flows and/or by an underlying sub-net usingMACSecMACsec <xreftarget="IEEE802.1AE-2018"/>target="IEEE802.1AE-2018" format="default"/> forIP over Ethernet (Layer-2)IP-over-Ethernet (Layer 2) flows. </t> <t> From a data planeperspectiveperspective, this document does not add or modify any header information. </t> <t> At the management and controllevellevel, DetNet flows are identified on a per-flow basis, which may providecontroller planeController Plane attackers with additional information about the data flows (when compared tocontroller planesController Planes that do not include per-flow identification). This is an inherent property ofDetNetDetNet, which has security implications that should be considered when determining if DetNet is a suitable technology for any given use case. </t> <t> To provide uninterrupted availability of the DetNet service, provisions can be made againstDOSDoS attacks and delay attacks. To protect againstDOSDoS attacks, excess traffic due to malicious or malfunctioning devices can be prevented or mitigated, forexampleexample, through the use of existingmechanismmechanisms such as policing and shaping applied at the input of a DetNet domain. To prevent DetNet packets from being delayed by an entity external to a DetNet domain, DetNet technologydefinitiondefinitions can allow for the mitigation ofMan-In-The-Middle attacks, for exampleman-in-the-middle attacks (for example, through use of authentication and authorization of devices within the DetNetdomain.domain). </t> </section> <section anchor="iana"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t> This documentmakeshas no IANArequests.actions. </t> </section> </middle> <back> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8655.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8939.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8938.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8964.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9055.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4301.xml"/> <reference anchor="IEEE802.1AE-2018" target="https://ieeexplore.ieee.org/document/8585421"> <front> <title>IEEE Standard for Local and metropolitan area networks-Media Access Control (MAC) Security</title> <author> <organization>IEEE</organization> </author> <date month="December" year="2018"/> </front> <seriesInfo name="DOI" value="10.1109/IEEESTD.2018.8585421"/> <refcontent>IEEE 802.1AE-2018</refcontent> </reference> </references> </references> <section anchor="acks"title="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgements</name> <t> The authors wish to thankPat Thaler, Norman Finn, Loa Anderson, David Black, Rodney Cummings, Ethan Grossman, Tal Mizrahi, David Mozes, Craig Gunther, George Swallow, Yuanlong Jiang<contact fullname="Pat Thaler"/>, <contact fullname="Norman Finn"/>, <contact fullname="Loa Andersson"/>, <contact fullname="David Black"/>, <contact fullname="Rodney Cummings"/>, <contact fullname="Ethan Grossman"/>, <contact fullname="Tal Mizrahi"/>, <contact fullname="David Mozes"/>, <contact fullname="Craig Gunther"/>, <contact fullname="George Swallow"/>, <contact fullname="Yuanlong Jiang"/>, andCarlos<contact fullname="Carlos J.BernardosBernardos"/> for their various contributions to this work. </t> </section> <section anchor="contrib"title="Contributors">numbered="false" toc="default"> <name>Contributors</name> <t>RFC7322RFC 7322 limits the number of authors listed on the front pageof a draftto a maximum of 5. The editor wishes to thank and acknowledge thefollowfollowing authors for contributing text to thisdraft.document. </t><figure> <artwork><![CDATA[ Janos Farkas Ericsson Email: janos.farkas@ericsson.com Andrew<author fullname="János Farkas" initials="J." surname="Farkas"> <organization>Ericsson</organization> <address> <email>janos.farkas@ericsson.com</email> </address> </author> <author fullname="Andrew G.Malis Malis Consulting Email: agmalis@gmail.com ]]></artwork> </figure> <!-- </section> -->Malis" initials="A. G." surname="Malis"> <organization>Malis Consulting</organization> <address> <email>agmalis@gmail.com</email> </address> </author> <t>Janos Farkas<contact fullname="János Farkas"/> contributed substantially to the content of this document. </t> </section></middle> <back> <references title="Normative references"> <?rfc include="reference.RFC.2119"?> <?rfc include="reference.RFC.8174"?> <?rfc include="reference.RFC.8655"?> <?rfc include="reference.I-D.ietf-detnet-data-plane-framework"?> <?rfc include="reference.I-D.ietf-detnet-mpls'?> <?rfc include="reference.I-D.ietf-detnet-ip'?> <?rfc include="reference.I-D.ietf-detnet-security"?> </references> <references title="Informative references"> <?rfc include="reference.RFC.4301"?> <reference anchor="IEEE802.1AE-2018" target="https://ieeexplore.ieee.org/document/8585421"> <front> <title>IEEE Std 802.1AE-2018 MAC Security (MACsec)</title> <author> <organization>IEEE Standards Association</organization> </author> <date year="2018" /> </front> </reference> </references></back> </rfc>