--- 1/draft-ietf-6man-spring-srv6-oam-12.txt 2022-01-23 23:13:18.070700911 -0800 +++ 2/draft-ietf-6man-spring-srv6-oam-13.txt 2022-01-23 23:13:18.122702212 -0800 @@ -1,25 +1,25 @@ 6man Z. Ali Internet-Draft C. Filsfils Intended status: Standards Track Cisco Systems -Expires: June 1, 2022 S. Matsushima +Expires: July 27, 2022 S. Matsushima Softbank D. Voyer Bell Canada M. Chen Huawei - November 28, 2021 + January 23, 2022 Operations, Administration, and Maintenance (OAM) in Segment Routing Networks with IPv6 Data plane (SRv6) - draft-ietf-6man-spring-srv6-oam-12 + draft-ietf-6man-spring-srv6-oam-13 Abstract This document describes how the existing IPv6 mechanisms for ping and traceroute can be used in an SRv6 network. The document also specifies the OAM flag in the Segment Routing Header (SRH) for performing controllable and predictable flow sampling from segment endpoints. In addition, the document describes how a centralized monitoring system performs a path continuity check between any nodes within an SRv6 domain. @@ -32,25 +32,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on June 1, 2022. + This Internet-Draft will expire on July 27, 2022. Copyright Notice - Copyright (c) 2021 IETF Trust and the persons identified as the + Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as @@ -59,38 +59,38 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.2. Abbreviations . . . . . . . . . . . . . . . . . . . . . . 3 1.3. Terminology and Reference Topology . . . . . . . . . . . 4 2. OAM Mechanisms . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. O-flag in Segment Routing Header . . . . . . . . . . . . 5 2.1.1. O-flag Processing . . . . . . . . . . . . . . . . . . 6 2.2. OAM Operations . . . . . . . . . . . . . . . . . . . . . 8 - 3. Illustrations . . . . . . . . . . . . . . . . . . . . . . . . 8 - 3.1. Ping in SRv6 Networks . . . . . . . . . . . . . . . . . . 9 - 3.1.1. Pinging an IPv6 Address via a Segment-list . . . . . 9 - 3.1.2. Pinging a SID . . . . . . . . . . . . . . . . . . . . 10 - 3.2. Traceroute . . . . . . . . . . . . . . . . . . . . . . . 11 - 3.2.1. Traceroute to an IPv6 Address via a Segment-list . . 11 - 3.2.2. Traceroute to a SID . . . . . . . . . . . . . . . . . 13 - 3.3. A Hybrid OAM Using O-flag . . . . . . . . . . . . . . . . 15 - 3.4. Monitoring of SRv6 Paths . . . . . . . . . . . . . . . . 17 - 4. Implementation Status . . . . . . . . . . . . . . . . . . . . 18 - 5. Security Considerations . . . . . . . . . . . . . . . . . . . 18 - 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 19 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 - 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 - 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 20 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 - 10.1. Normative References . . . . . . . . . . . . . . . . . . 21 - 10.2. Informative References . . . . . . . . . . . . . . . . . 22 + 3. Implementation Status . . . . . . . . . . . . . . . . . . . . 8 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 9 + 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 10 + 7.2. Informative References . . . . . . . . . . . . . . . . . 10 + Appendix A. Illustrations . . . . . . . . . . . . . . . . . . . 12 + A.1. Ping in SRv6 Networks . . . . . . . . . . . . . . . . . . 12 + A.1.1. Pinging an IPv6 Address via a Segment-list . . . . . 13 + A.1.2. Pinging a SID . . . . . . . . . . . . . . . . . . . . 14 + A.2. Traceroute . . . . . . . . . . . . . . . . . . . . . . . 15 + A.2.1. Traceroute to an IPv6 Address via a Segment-list . . 15 + A.2.2. Traceroute to a SID . . . . . . . . . . . . . . . . . 17 + A.3. A Hybrid OAM Using O-flag . . . . . . . . . . . . . . . . 18 + A.4. Monitoring of SRv6 Paths . . . . . . . . . . . . . . . . 21 + Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 22 + Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction As Segment Routing with IPv6 data plane (SRv6) [RFC8402] simply adds a new type of Routing Extension Header, existing IPv6 OAM mechanisms can be used in an SRv6 network. This document describes how the existing IPv6 mechanisms for ping and traceroute can be used in an SRv6 network. This includes illustrations of pinging an SRv6 SID to verify that the SID is reachable and is locally programmed at the @@ -306,47 +306,47 @@ If the penultimate segment of a segment-list is a Penultimate Segment Pop (PSP) SID, telemetry data from the ultimate segment cannot be requested. This is because, when the penultimate segment is a PSP SID, the SRH is removed at the penultimate segment and the O-flag is not processed at the ultimate segment. The processing node MUST rate-limit the number of packets punted to the OAM process to a configurable rate. This is to avoid hitting any performance impact on the OAM and the telemetry collection processes. Failure in implementing the rate limit can lead to a denial-of- - service attack, as detailed in Section 5. + service attack, as detailed in section 4. The OAM process MUST NOT process the copy of the packet or respond to any upper-layer header (like ICMP, UDP, etc.) payload to prevent multiple evaluations of the datagram. The OAM process is expected to be located on the routing node processing the packet. Although the specification of the OAM process or the external controller operations are beyond the scope of this document, the OAM process SHOULD NOT be topologically distant from the routing node, as this is likely to create significant security and congestion issues. How to correlate the data collected from different nodes at an external controller is also outside the scope - of the document. Section 3 illustrates use of the O-flag for + of the document. Appendix A illustrates use of the O-flag for implementing a hybrid OAM mechanism, where the "hybrid" classification is based on RFC7799 [RFC7799]. 2.2. OAM Operations IPv6 OAM operations can be performed for any SRv6 SID whose behavior allows Upper Layer Header processing for an applicable OAM payload (e.g., ICMP, UDP). Ping to an SRv6 SID is used to verify that the SID is reachable and is locally programmed at the target node. Traceroute to a SID is used for hop-by-hop fault localization as well as path tracing to a - SID. Section 3 illustrates the ICMPv6 based ping and the UDP based + SID. Appendix A illustrates the ICMPv6 based ping and the UDP based traceroute mechanisms for ping and traceroute to an SRv6 SID. Although this document only illustrates ICMPv6 ping and UDP based traceroute to an SRv6 SID, the procedures are equally applicable to other IPv6 OAM probing to an SRv6 SID (e.g., Bidirectional Forwarding Detection (BFD) [RFC5880], Seamless BFD (SBFD) [RFC7880], STAMP probe message processing [I-D.gandhi-spring-stamp-srpm], etc.). Specifically, as long as local configuration allows the Upper-layer Header processing of the applicable OAM payload for SRv6 SIDs, the existing IPv6 OAM techniques can be used to target a probe to a (remote) SID. @@ -357,39 +357,212 @@ exercise all of its processing depending on its behavior definition. For example, ping to an End.X SID [RFC8986] only validates the SID is locally programmed at the target node and does not validate switching to the correct outgoing interface. To exercise the behavior of a target SID, the OAM operation should construct the probe in a manner similar to a data packet that exercises the SID behavior, i.e. to include that SID as a transit SID in either an SRH or IPv6 DA of an outer IPv6 header or as appropriate based on the definition of the SID behavior. -3. Illustrations +3. Implementation Status - This section shows how some of the existing IPv6 OAM mechanisms can + This section is to be removed prior to publishing as an RFC. + + See [I-D.matsushima-spring-srv6-deployment-status] for updated + deployment and interoperability reports. + +4. Security Considerations + + [RFC8754] defines the notion of an SR domain and use of SRH within + the SR domain. The use of OAM procedures described in this document + is restricted to an SR domain. For example, similar to the SID + manipulation, O-flag manipulation is not considered as a threat + within the SR domain. Procedures for securing an SR domain are + defined the section 5.1 and section 7 of [RFC8754]. + + As noted in section 7.1 of [RFC8754], compromised nodes within the SR + domain may mount attacks. The O-flag may be set by an attacking node + attempting a denial-of-service attack on the OAM process at the + segment endpoint node. An implementation correctly implementing the + rate limiting in section 2.1.1 is not susceptible to that denial-of- + service attack. Additionally, SRH Flags are protected by the HMAC + TLV, as described in section 2.1.2.1 of [RFC8754]. Once an HMAC is + generated for a segment list with the O-flag set, it can be used for + an arbitrary amount of traffic using that segment list with O-flag + set. + + The security properties of the channel used to send exported packets + marked by the O-flag will depend on the specific OAM processes used. + An on-path attacker able to observe this OAM channel could conduct + traffic analysis, or potentially eavesdropping (depending on the OAM + configuration), of this telemetry for the entire SR domain from such + a vantage point. + + This document does not impose any additional security challenges to + be considered beyond security threats described in [RFC4884], + [RFC4443], [RFC0792], [RFC8754] and [RFC8986]. + +5. Privacy Considerations + + The per-packet marking capabilities of the O-flag provides a granular + mechanism to collect telemetry. When this collection is deployed by + an operator with knowledge and consent of the users, it will enable a + variety of diagnostics and monitoring to support the OAM and security + operations use cases needed for resilient network operations. + However, this collection mechanism will also provide an explicit + protocol mechanism to operators for surveillance and pervasive + monitoring use cases done contrary to the user's consent. + +6. IANA Considerations + + This document requests that IANA allocate the following registration + in the "Segment Routing Header Flags" sub-registry for the "Internet + Protocol Version 6 (IPv6) Parameters" registry maintained by IANA: + + +-------+------------------------------+---------------+ + | Bit | Description | Reference | + +=======+==============================+===============+ + | 2 | O-flag | This document | + +-------+------------------------------+---------------+ + +7. References + +7.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + . + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . + + [RFC8754] Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J., + Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header + (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020, + . + + [RFC8986] Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer, + D., Matsushima, S., and Z. Li, "Segment Routing over IPv6 + (SRv6) Network Programming", RFC 8986, + DOI 10.17487/RFC8986, February 2021, + . + +7.2. Informative References + + [I-D.gandhi-spring-stamp-srpm] + Gandhi, R., Filsfils, C., Voyer, D., Chen, M., Janssens, + B., and R. Foote, "Performance Measurement Using Simple + TWAMP (STAMP) for Segment Routing Networks", draft-gandhi- + spring-stamp-srpm-07 (work in progress), July 2021. + + [I-D.ietf-ippm-ioam-data] + Brockners, F., Bhandari, S., and T. Mizrahi, "Data Fields + for In-situ OAM", draft-ietf-ippm-ioam-data-11 (work in + progress), November 2020. + + [I-D.matsushima-spring-srv6-deployment-status] + Matsushima, S., Filsfils, C., Ali, Z., Li, Z., and K. + Rajaraman, "SRv6 Implementation and Deployment Status", + draft-matsushima-spring-srv6-deployment-status-11 (work in + progress), February 2021. + + [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, + RFC 792, DOI 10.17487/RFC0792, September 1981, + . + + [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, + DOI 10.17487/RFC2328, April 1998, + . + + [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet + Control Message Protocol (ICMPv6) for the Internet + Protocol Version 6 (IPv6) Specification", STD 89, + RFC 4443, DOI 10.17487/RFC4443, March 2006, + . + + [RFC4884] Bonica, R., Gan, D., Tappan, D., and C. Pignataro, + "Extended ICMP to Support Multi-Part Messages", RFC 4884, + DOI 10.17487/RFC4884, April 2007, + . + + [RFC5476] Claise, B., Ed., Johnson, A., and J. Quittek, "Packet + Sampling (PSAMP) Protocol Specifications", RFC 5476, + DOI 10.17487/RFC5476, March 2009, + . + + [RFC5837] Atlas, A., Ed., Bonica, R., Ed., Pignataro, C., Ed., Shen, + N., and JR. Rivers, "Extending ICMP for Interface and + Next-Hop Identification", RFC 5837, DOI 10.17487/RFC5837, + April 2010, . + + [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection + (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, + . + + [RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken, + "Specification of the IP Flow Information Export (IPFIX) + Protocol for the Exchange of Flow Information", STD 77, + RFC 7011, DOI 10.17487/RFC7011, September 2013, + . + + [RFC7012] Claise, B., Ed. and B. Trammell, Ed., "Information Model + for IP Flow Information Export (IPFIX)", RFC 7012, + DOI 10.17487/RFC7012, September 2013, + . + + [RFC7799] Morton, A., "Active and Passive Metrics and Methods (with + Hybrid Types In-Between)", RFC 7799, DOI 10.17487/RFC7799, + May 2016, . + + [RFC7880] Pignataro, C., Ward, D., Akiya, N., Bhatia, M., and S. + Pallagatti, "Seamless Bidirectional Forwarding Detection + (S-BFD)", RFC 7880, DOI 10.17487/RFC7880, July 2016, + . + + [RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L., + Decraene, B., Litkowski, S., and R. Shakir, "Segment + Routing Architecture", RFC 8402, DOI 10.17487/RFC8402, + July 2018, . + + [RFC8403] Geib, R., Ed., Filsfils, C., Pignataro, C., Ed., and N. + Kumar, "A Scalable and Topology-Aware MPLS Data-Plane + Monitoring System", RFC 8403, DOI 10.17487/RFC8403, July + 2018, . + + [RFC8571] Ginsberg, L., Ed., Previdi, S., Wu, Q., Tantsura, J., and + C. Filsfils, "BGP - Link State (BGP-LS) Advertisement of + IGP Traffic Engineering Performance Metric Extensions", + RFC 8571, DOI 10.17487/RFC8571, March 2019, + . + +Appendix A. Illustrations + + This appendix shows how some of the existing IPv6 OAM mechanisms can be used in an SRv6 network. It also illustrates an OAM mechanism for performing controllable and predictable flow sampling from segment endpoints. How centralized OAM technique in [RFC8403] can be - extended for SRv6 is also described in this Section. + extended for SRv6 is also described in this appendix. -3.1. Ping in SRv6 Networks +A.1. Ping in SRv6 Networks The existing mechanism to perform the reachability checks, along the shortest path, continues to work without any modification. Any IPv6 node (SRv6 capable or a non-SRv6 capable) can initiate, transit, and egress a ping packet. The following subsections outline some additional use cases of the ICMPv6 ping in the SRv6 networks. -3.1.1. Pinging an IPv6 Address via a Segment-list +A.1.1. Pinging an IPv6 Address via a Segment-list If an SRv6-capable ingress node wants to ping an IPv6 address via an arbitrary segment list , it needs to initiate an ICMPv6 ping with an SR header containing the SID list . This is illustrated using the topology in Figure 1. User issues a ping from node N1 to a loopback of node N5, via segment list <2001:db8:K:2:X31::, 2001:db8:K:4:X52::>. The SID behavior used in the example is End.X SID, as described in [RFC8986], but the procedure is equally applicable to any other (transit) SID type. @@ -434,21 +607,21 @@ packets and OAM probes. Specifically, if 2001:db8:K:4:X52:: is a PSP SID, node N4 executes the SID like any other data packet with DA = 2001:db8:K:4:X52:: and removes the SRH. o The echo request packet at N5 arrives as an IPv6 packet with or without an SRH. If N5 receives the packet with SRH, it skips SRH processing (SL=0). In either case, Node N5 performs the standard ICMPv6 processing on the echo request and responds with the echo reply message to N1. The echo reply message is IP routed. -3.1.2. Pinging a SID +A.1.2. Pinging a SID The ping mechanism described above applies equally to perform SID reachability check and to validate the SID is locally programmed at the target node. This is explained using an example in the following. The example uses ping to an END SID, as described in [RFC8986], but the procedure is equally applicable to ping any other SID behaviors. Consider the example where the user wants to ping a remote SID 2001:db8:K:4::, via 2001:db8:K:2:X31::, from node N1. The ICMPv6 @@ -475,31 +648,31 @@ o If the target SID (2001:db8:K:4::) is not locally instantiated and does not represent a local interface, the packet is discarded o If the target SID (2001:db8:K:4::) is locally instantiated or represents a local interface, the node processes the upper layer header. As part of the upper layer header processing node N4 respond to the ICMPv6 echo request message and responds with the echo reply message. The echo reply message is IP routed. -3.2. Traceroute +A.2. Traceroute The existing traceroute mechanisms, along the shortest path, continues to work without any modification. Any IPv6 node (SRv6 capable or a non-SRv6 capable) can initiate, transit, and egress a traceroute probe. The following subsections outline some additional use cases of the traceroute in the SRv6 networks. -3.2.1. Traceroute to an IPv6 Address via a Segment-list +A.2.1. Traceroute to an IPv6 Address via a Segment-list If an SRv6-capable ingress node wants to traceroute to IPv6 address via an arbitrary segment list , it needs to initiate a traceroute probe with an SR header containing the SID list . User issues a traceroute from node N1 to a loopback of node N5, via segment list <2001:db8:K:2:X31::, 2001:db8:K:4:X52::>. The SID behavior used in the example is End.X SID, as described in [RFC8986], but the procedure is equally applicable to any other (transit) SID type. Figure 3 contains sample output for the traceroute request. @@ -522,64 +695,65 @@ Figure 3 A sample traceroute output at an SRv6-capable node In the sample traceroute output, the information displayed at each hop is obtained using the contents of the "Time Exceeded" or "Destination Unreachable" ICMPv6 responses. These ICMPv6 responses are IP routed. In the sample traceroute output, the information for link3 is returned by N3, which is a non-SRv6 capable node. Nonetheless, the ingress node is able to display SR header contents as the packet - travels through the IPv6 classic node. This is because the "Time + travels through the non-SRv6 capable node. This is because the "Time Exceeded Message" ICMPv6 message can contain as much of the invoking packet as possible without the ICMPv6 packet exceeding the minimum IPv6 MTU [RFC4443]. The SR header is included in these ICMPv6 messages initiated by the non-SRv6 capable transit nodes that are not running SRv6 software. Specifically, a node generating ICMPv6 message containing a copy of the invoking packet does not need to understand the extension header(s) in the invoking packet. The segment list information returned for the first hop is returned by N2, which is an SRv6-capable node. Just like for the second hop, the ingress node is able to display SR header contents for the first hop. There is no difference in processing of the traceroute probe at an - IPv6 classic node and an SRv6-capable node. Similarly, both IPv6 - classic and SRv6-capable nodes may use the address of the interface - on which probe was received as the source address in the ICMPv6 - response. ICMPv6 extensions defined in [RFC5837] can be used to - display information about the IP interface through which the datagram - would have been forwarded had it been forwardable, and the IP next - hop to which the datagram would have been forwarded, the IP interface - upon which a datagram arrived, the sub-IP component of an IP - interface upon which a datagram arrived. + SRv6-capable and a non-SRv6 capable node. Similarly, both + SRv6-capable and non-SRv6 capable nodes may use the address of the + interface on which probe was received as the source address in the + ICMPv6 response. ICMPv6 extensions defined in [RFC5837] can be used + to display information about the IP interface through which the + datagram would have been forwarded had it been forwardable, and the + IP next hop to which the datagram would have been forwarded, the IP + interface upon which a datagram arrived, the sub-IP component of an + IP interface upon which a datagram arrived. The IP address of the interface on which the traceroute probe was received is useful. This information can also be used to verify if SIDs 2001:db8:K:2:X31:: and 2001:db8:K:4:X52:: are executed correctly by N2 and N4, respectively. Specifically, the information displayed for the second hop contains the incoming interface address 2001:db8:2:3:31:: at N3. This matches with the expected interface bound to End.X behavior 2001:db8:K:2:X31:: (link3). Similarly, the information displayed for the fourth hop contains the incoming interface address 2001:db8:4:5::52:: at N5. This matches with the expected interface bound to the End.X behavior 2001:db8:K:4:X52:: (link10). -3.2.2. Traceroute to a SID +A.2.2. Traceroute to a SID - The classic traceroute described in the previous section applies - equally to traceroute a remote SID behavior, as explained using an - example in the following. The example uses traceroute to an END SID, - as described in [RFC8986], but the procedure is equally applicable to - tracerouting any other SID behaviors. + The mechanism to traceroute an IPv6 Address via a Segment-list + described in the previous section applies equally to traceroute a + remote SID behavior, as explained using an example in the following. + The example uses traceroute to an END SID, as described in [RFC8986], + but the procedure is equally applicable to tracerouting any other SID + behaviors. Please note that traceroute to a SID is exemplified using UDP probes. However, the procedure is equally applicable to other implementations of traceroute mechanism. The UDP encoded message to traceroute a SID would use the UDP ports assigned by IANA for "traceroute use". Consider the example where the user wants to traceroute a remote SID 2001:db8:K:4::, via 2001:db8:K:2:X31::, from node N1. The traceroute probe is processed at the individual nodes along the path as follows: @@ -635,21 +809,21 @@ SRH:(2001:db8:K:4:X52::, 2001:db8:K:2:X31::; SL=1) 2 2001:db8:3:2:21:: 0.721 msec 0.810 msec 0.795 msec DA: 2001:db8:K:4:X52::, SRH:(2001:db8:K:4:X52::, 2001:db8:K:2:X31::; SL=0) 3 2001:db8:4:3:41:: 0.921 msec 0.816 msec 0.759 msec DA: 2001:db8:K:4:X52::, SRH:(2001:db8:K:4:X52::, 2001:db8:K:2:X31::; SL=0) Figure 4 A sample output for hop-by-hop traceroute to a SID -3.3. A Hybrid OAM Using O-flag +A.3. A Hybrid OAM Using O-flag This section illustrates a hybrid OAM mechanism using the the O-flag. Without loss of the generality, the illustration assumes N100 is a centralized controller. The illustration is different than the In-situ OAM defined in [I.D- draft-ietf-ippm-ioam-data]. This is because In-situ OAM records operational and telemetry information in the packet as the packet traverses a path between two points in the network [I.D-draft-ietf- ippm-ioam-data]. The illustration in this subsection does not @@ -745,21 +920,21 @@ 2. o The controller N100 processes and correlates the copy of the packets sent from nodes N1, N4 and N7 to find segment-by-segment delays and provide other hybrid OAM information related to packet P1. For segment-by-segment delay computation, it is assumed that clock are synchronized time across the SR domain. o The process continues for any other sampled packets. -3.4. Monitoring of SRv6 Paths +A.4. Monitoring of SRv6 Paths In the recent past, network operators demonstrated interest in performing network OAM functions in a centralized manner. [RFC8403] describes such a centralized OAM mechanism. Specifically, the document describes a procedure that can be used to perform path continuity check between any nodes within an SR domain from a centralized monitoring system. However, the document focuses on SR networks with MPLS data plane. This document describes how the concept can be used to perform path monitoring in an SRv6 network from a centralized controller. @@ -808,88 +983,27 @@ o Node N100 executes the standard SRv6 END behavior. It decapsulates the header and consume the probe for OAM processing. The information in the OAM payload is used to detect any missing probes, round trip delay, etc. The OAM payload type or the information carried in the OAM probe is a local implementation decision at the controller and is outside the scope of this document. -4. Implementation Status - - This section is to be removed prior to publishing as an RFC. - - See [I-D.matsushima-spring-srv6-deployment-status] for updated - deployment and interoperability reports. - -5. Security Considerations - - [RFC8754] defines the notion of an SR domain and use of SRH within - the SR domain. The use of OAM procedures described in this document - is restricted to an SR domain. For example, similar to the SID - manipulation, O-flag manipulation is not considered as a threat - within the SR domain. Procedures for securing an SR domain are - defined the section 5.1 and section 7 of [RFC8754]. - - As noted in section 7.1 of [RFC8754], compromised nodes within the SR - domain may mount attacks. The O-flag may be set by an attacking node - attempting a denial-of-service attack on the OAM process at the - segment endpoint node. An implementation correctly implementing the - rate limiting in section 2.1.1 is not susceptible to that denial-of- - service attack. Additionally, SRH Flags are protected by the HMAC - TLV, as described in Section 2.1.2.1 of [RFC8754]. Once an HMAC is - generated for a segment list with the O-flag set, it can be used for - an arbitrary amount of traffic using that segment list with O-flag - set. - - The security properties of the channel used to send exported packets - marked by the O-flag will depend on the specific OAM processes used. - An on-path attacker able to observe this OAM channel could conduct - traffic analysis, or potentially eavesdropping (depending on the OAM - configuration), of this telemetry for the entire SR domain from such - a vantage point. - - This document does not impose any additional security challenges to - be considered beyond security threats described in [RFC4884], - [RFC4443], [RFC0792], [RFC8754] and [RFC8986]. - -6. Privacy Considerations - - The per-packet marking capabilities of the O-flag provides a granular - mechanism to collect telemetry. When this collection is deployed by - an operator with knowledge and consent of the users, it will enable a - variety of diagnostics and monitoring to support the OAM and security - operations use cases needed for resilient network operations. - However, this collection mechanism will also provide an explicit - protocol mechanism to operators for surveillance and pervasive - monitoring use cases done contrary to the user's consent. - -7. IANA Considerations - - This document requests that IANA allocate the following registration - in the "Segment Routing Header Flags" sub-registry for the "Internet - Protocol Version 6 (IPv6) Parameters" registry maintained by IANA: - - +-------+------------------------------+---------------+ - | Bit | Description | Reference | - +=======+==============================+===============+ - | 2 | O-flag | This document | - +-------+------------------------------+---------------+ - -8. Acknowledgements +Appendix B. Acknowledgements The authors would like to thank Joel M. Halpern, Greg Mirsky, Bob Hinden, Loa Andersson, Gaurav Naik, Ketan Talaulikar and Haoyu Song for their review comments. -9. Contributors +Appendix C. Contributors The following people have contributed to this document: Robert Raszuk Bloomberg LP Email: robert@raszuk.net John Leddy Individual Email: john@leddy.net @@ -924,132 +1038,20 @@ Email: ddukes@cisco.com Cheng Li Huawei Email: chengli13@huawei.com Faisal Iqbal Individual Email: faisal.ietf@gmail.com -10. References - -10.1. Normative References - - [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, - DOI 10.17487/RFC2119, March 1997, - . - - [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC - 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, - May 2017, . - - [RFC8754] Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J., - Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header - (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020, - . - - [RFC8986] Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer, - D., Matsushima, S., and Z. Li, "Segment Routing over IPv6 - (SRv6) Network Programming", RFC 8986, - DOI 10.17487/RFC8986, February 2021, - . - -10.2. Informative References - - [I-D.gandhi-spring-stamp-srpm] - Gandhi, R., Filsfils, C., Voyer, D., Chen, M., Janssens, - B., and R. Foote, "Performance Measurement Using Simple - TWAMP (STAMP) for Segment Routing Networks", draft-gandhi- - spring-stamp-srpm-07 (work in progress), July 2021. - - [I-D.ietf-ippm-ioam-data] - Brockners, F., Bhandari, S., and T. Mizrahi, "Data Fields - for In-situ OAM", draft-ietf-ippm-ioam-data-11 (work in - progress), November 2020. - - [I-D.matsushima-spring-srv6-deployment-status] - Matsushima, S., Filsfils, C., Ali, Z., Li, Z., and K. - Rajaraman, "SRv6 Implementation and Deployment Status", - draft-matsushima-spring-srv6-deployment-status-11 (work in - progress), February 2021. - - [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, - RFC 792, DOI 10.17487/RFC0792, September 1981, - . - - [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, - DOI 10.17487/RFC2328, April 1998, - . - - [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet - Control Message Protocol (ICMPv6) for the Internet - Protocol Version 6 (IPv6) Specification", STD 89, - RFC 4443, DOI 10.17487/RFC4443, March 2006, - . - - [RFC4884] Bonica, R., Gan, D., Tappan, D., and C. Pignataro, - "Extended ICMP to Support Multi-Part Messages", RFC 4884, - DOI 10.17487/RFC4884, April 2007, - . - - [RFC5476] Claise, B., Ed., Johnson, A., and J. Quittek, "Packet - Sampling (PSAMP) Protocol Specifications", RFC 5476, - DOI 10.17487/RFC5476, March 2009, - . - - [RFC5837] Atlas, A., Ed., Bonica, R., Ed., Pignataro, C., Ed., Shen, - N., and JR. Rivers, "Extending ICMP for Interface and - Next-Hop Identification", RFC 5837, DOI 10.17487/RFC5837, - April 2010, . - - [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection - (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, - . - - [RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken, - "Specification of the IP Flow Information Export (IPFIX) - Protocol for the Exchange of Flow Information", STD 77, - RFC 7011, DOI 10.17487/RFC7011, September 2013, - . - - [RFC7012] Claise, B., Ed. and B. Trammell, Ed., "Information Model - for IP Flow Information Export (IPFIX)", RFC 7012, - DOI 10.17487/RFC7012, September 2013, - . - - [RFC7799] Morton, A., "Active and Passive Metrics and Methods (with - Hybrid Types In-Between)", RFC 7799, DOI 10.17487/RFC7799, - May 2016, . - - [RFC7880] Pignataro, C., Ward, D., Akiya, N., Bhatia, M., and S. - Pallagatti, "Seamless Bidirectional Forwarding Detection - (S-BFD)", RFC 7880, DOI 10.17487/RFC7880, July 2016, - . - - [RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L., - Decraene, B., Litkowski, S., and R. Shakir, "Segment - Routing Architecture", RFC 8402, DOI 10.17487/RFC8402, - July 2018, . - - [RFC8403] Geib, R., Ed., Filsfils, C., Pignataro, C., Ed., and N. - Kumar, "A Scalable and Topology-Aware MPLS Data-Plane - Monitoring System", RFC 8403, DOI 10.17487/RFC8403, July - 2018, . - - [RFC8571] Ginsberg, L., Ed., Previdi, S., Wu, Q., Tantsura, J., and - C. Filsfils, "BGP - Link State (BGP-LS) Advertisement of - IGP Traffic Engineering Performance Metric Extensions", - RFC 8571, DOI 10.17487/RFC8571, March 2019, - . - Authors' Addresses Zafar Ali Cisco Systems Email: zali@cisco.com Clarence Filsfils Cisco Systems Email: cfilsfil@cisco.com