From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc8300.txt | 2243 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2243 insertions(+) create mode 100644 doc/rfc/rfc8300.txt (limited to 'doc/rfc/rfc8300.txt') diff --git a/doc/rfc/rfc8300.txt b/doc/rfc/rfc8300.txt new file mode 100644 index 0000000..481b72b --- /dev/null +++ b/doc/rfc/rfc8300.txt @@ -0,0 +1,2243 @@ + + + + + + +Internet Engineering Task Force (IETF) P. Quinn, Ed. +Request for Comments: 8300 Cisco +Category: Standards Track U. Elzur, Ed. +ISSN: 2070-1721 Intel + C. Pignataro, Ed. + Cisco + January 2018 + + + Network Service Header (NSH) + +Abstract + + This document describes a Network Service Header (NSH) imposed on + packets or frames to realize Service Function Paths (SFPs). The NSH + also provides a mechanism for metadata exchange along the + instantiated service paths. The NSH is the Service Function Chaining + (SFC) encapsulation required to support the SFC architecture (defined + in RFC 7665). + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc8300. + +Copyright Notice + + Copyright (c) 2018 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + +Quinn, et al. Standards Track [Page 1] + +RFC 8300 Network Service Header (NSH) January 2018 + + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Applicability ..............................................4 + 1.2. Requirements Language ......................................4 + 1.3. Definition of Terms ........................................4 + 1.4. Problem Space ..............................................6 + 1.5. NSH-Based Service Chaining .................................6 + 2. Network Service Header ..........................................7 + 2.1. Network Service Header Format ..............................7 + 2.2. NSH Base Header ............................................8 + 2.3. Service Path Header .......................................11 + 2.4. NSH MD Type 1 .............................................12 + 2.5. NSH MD Type 2 .............................................13 + 2.5.1. Optional Variable-Length Metadata ..................13 + 3. NSH Actions ....................................................15 + 4. NSH Transport Encapsulation ....................................16 + 5. Fragmentation Considerations ...................................17 + 6. Service Path Forwarding with NSH ...............................18 + 6.1. SFFs and Overlay Selection ................................18 + 6.2. Mapping the NSH to Network Topology .......................21 + 6.3. Service Plane Visibility ..................................21 + 6.4. Service Graphs ............................................22 + 7. Policy Enforcement with NSH ....................................22 + 7.1. NSH Metadata and Policy Enforcement .......................22 + 7.2. Updating/Augmenting Metadata ..............................24 + 7.3. Service Path Identifier and Metadata ......................25 + 8. Security Considerations ........................................26 + 8.1. NSH Security Considerations from Operators' Environments ..27 + 8.2. NSH Security Considerations from the SFC Architecture .....28 + 8.2.1. Integrity ..........................................29 + 8.2.2. Confidentiality ....................................31 + 9. IANA Considerations ............................................32 + 9.1. NSH Parameters ............................................32 + 9.1.1. NSH Base Header Bits ...............................32 + 9.1.2. NSH Version ........................................32 + 9.1.3. NSH MD Types .......................................33 + 9.1.4. NSH MD Class .......................................33 + 9.1.5. NSH IETF-Assigned Optional Variable-Length + Metadata Types .....................................34 + 9.1.6. NSH Next Protocol ..................................35 + 10. NSH-Related Codepoints ........................................35 + 10.1. NSH Ethertype ............................................35 + 11. References ....................................................36 + Acknowledgments ...................................................38 + Contributors ......................................................39 + Authors' Addresses ................................................40 + + + + +Quinn, et al. Standards Track [Page 2] + +RFC 8300 Network Service Header (NSH) January 2018 + + +1. Introduction + + Service Functions are widely deployed and essential in many networks. + These Service Functions provide a range of features such as security, + WAN acceleration, and server load balancing. Service Functions may + be instantiated at different points in the network infrastructure + such as the WAN, data center, and so forth. + + Prior to development of the SFC architecture [RFC7665] and the + protocol specified in this document, current Service Function + deployment models have been relatively static and bound to topology + for insertion and policy selection. Furthermore, they do not adapt + well to elastic service environments enabled by virtualization. + + New data-center network and cloud architectures require more flexible + Service Function deployment models. Additionally, the transition to + virtual platforms demands an agile service insertion model that + supports dynamic and elastic service delivery. Specifically, the + following functions are necessary: + + 1. The movement of Service Functions and application workloads in + the network. + + 2. The ability to easily bind service policy to granular + information, such as per-subscriber state. + + 3. The capability to steer traffic to the requisite Service + Function(s). + + This document, the Network Service Header (NSH) specification, + defines a new data-plane protocol, which is an encapsulation for + SFCs. The NSH is designed to encapsulate an original packet or frame + and, in turn, be encapsulated by an outer transport encapsulation + (which is used to deliver the NSH to NSH-aware network elements), as + shown in Figure 1: + + +------------------------------+ + | Transport Encapsulation | + +------------------------------+ + | Network Service Header (NSH) | + +------------------------------+ + | Original Packet / Frame | + +------------------------------+ + + Figure 1: Network Service Header Encapsulation + + + + + + +Quinn, et al. Standards Track [Page 3] + +RFC 8300 Network Service Header (NSH) January 2018 + + + The NSH is composed of the following elements: + + 1. Service Function Path identification. + + 2. Indication of location within a Service Function Path. + + 3. Optional, per-packet metadata (fixed-length or variable). + + [RFC7665] provides an overview of a service chaining architecture + that clearly defines the roles of the various elements and the scope + of a SFC encapsulation. Figure 3 of [RFC7665] depicts the SFC + architectural components after classification. The NSH is the SFC + encapsulation referenced in [RFC7665]. + +1.1. Applicability + + The NSH is designed to be easy to implement across a range of + devices, both physical and virtual, including hardware platforms. + + The intended scope of the NSH is for use within a single provider's + operational domain. This deployment scope is deliberately + constrained, as explained also in [RFC7665], and limited to a single + network administrative domain. In this context, a "domain" is a set + of network entities within a single administration. For example, a + network administrative domain can include a single data center, or an + overlay domain using virtual connections and tunnels. A corollary is + that a network administrative domain has a well-defined perimeter. + + An NSH-aware control plane is outside the scope of this document. + +1.2. Requirements Language + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +1.3. Definition of Terms + + Byte: All references to "bytes" in this document refer to 8-bit + bytes, or octets. + + Classification: Defined in [RFC7665]. + + Classifier: Defined in [RFC7665]. + + + + + +Quinn, et al. Standards Track [Page 4] + +RFC 8300 Network Service Header (NSH) January 2018 + + + Metadata (MD): Defined in [RFC7665]. The metadata, or context + information shared between Classifiers and SFs, and among SFs, is + carried on the NSH's Context Headers. It allows summarizing a + classification result in the packet itself, avoiding subsequent + re-classifications. Examples of metadata include classification + information used for policy enforcement and network context for + forwarding after service delivery. + + Network Locator: Data-plane address, typically IPv4 or IPv6, used to + send and receive network traffic. + + Network Node/Element: Device that forwards packets or frames based + on an outer header (i.e., transport encapsulation) information. + + Network Overlay: Logical network built on top of an existing network + (the underlay). Packets are encapsulated or tunneled to create + the overlay network topology. + + NSH-aware: NSH-aware means SFC-encapsulation-aware, where the NSH + provides the SFC encapsulation. This specification uses NSH-aware + as a more specific term from the more generic term "SFC-aware" + [RFC7665]. + + Service Classifier: Logical entity providing classification + function. Since they are logical, Classifiers may be co-resident + with SFC elements such as SFs or SFFs. Service Classifiers + perform classification and impose the NSH. The initial Classifier + imposes the initial NSH and sends the NSH packet to the first SFF + in the path. Non-initial (i.e., subsequent) classification can + occur as needed and can alter, or create a new service path. + + Service Function (SF): Defined in [RFC7665]. + + Service Function Chain (SFC): Defined in [RFC7665]. + + Service Function Forwarder (SFF): Defined in [RFC7665]. + + Service Function Path (SFP): Defined in [RFC7665]. + + Service Plane: The collection of SFFs and associated SFs creates a + service-plane overlay in which all SFs and SFC Proxies reside + [RFC7665]. + + SFC Proxy: Defined in [RFC7665]. + + + + + + + +Quinn, et al. Standards Track [Page 5] + +RFC 8300 Network Service Header (NSH) January 2018 + + +1.4. Problem Space + + The NSH addresses several limitations associated with Service + Function deployments. [RFC7498] provides a comprehensive review of + those issues. + +1.5. NSH-Based Service Chaining + + The NSH creates a dedicated service plane; more specifically, the NSH + enables: + + 1. Topological Independence: Service forwarding occurs within the + service plane, so the underlying network topology does not + require modification. The NSH provides an identifier used to + select the network overlay for network forwarding. + + 2. Service Chaining: The NSH enables service chaining per [RFC7665]. + The NSH contains path identification information needed to + realize a service path. Furthermore, the NSH provides the + ability to monitor and troubleshoot a service chain, end-to-end + via service-specific Operations, Administration, and Maintenance + (OAM) messages. The NSH fields can be used by administrators + (for example, via a traffic analyzer) to verify the path + specifics (e.g., accounting, ensuring correct chaining, providing + reports, etc.) of packets being forwarded along a service path. + + 3. The NSH provides a mechanism to carry shared metadata between + participating entities and Service Functions. The semantics of + the shared metadata are communicated via a control plane (which + is outside the scope of this document) to participating nodes. + Section 3.3 of [SFC-CONTROL-PLANE] provides an example of this. + Examples of metadata include classification information used for + policy enforcement and network context for forwarding post + service delivery. Sharing the metadata allows Service Functions + to share initial and intermediate classification results with + downstream Service Functions saving re-classification, where + enough information was enclosed. + + 4. The NSH offers a common and standards-based header for service + chaining to all network and service nodes. + + 5. Transport Encapsulation Agnostic: The NSH is transport + encapsulation independent: meaning it can be transported by a + variety of encapsulation protocols. An appropriate (for a given + deployment) encapsulation protocol can be used to carry NSH- + encapsulated traffic. This transport encapsulation may form an + + + + + +Quinn, et al. Standards Track [Page 6] + +RFC 8300 Network Service Header (NSH) January 2018 + + + overlay network; and if an existing overlay topology provides the + required service path connectivity, that existing overlay may be + used. + +2. Network Service Header + + An NSH is imposed on the original packet/frame. This NSH contains + service path information and, optionally, metadata that are added to + a packet or frame and used to create a service plane. Subsequently, + an outer transport encapsulation is imposed on the NSH, which is used + for network forwarding. + + A Service Classifier adds the NSH. The NSH is removed by the last + SFF in the service chain or by an SF that consumes the packet. + +2.1. Network Service Header Format + + The NSH is composed of a 4-byte Base Header, a 4-byte Service Path + Header, and optional Context Headers, as shown in Figure 2. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Base Header | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Service Path Header | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + ~ Context Header(s) ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 2: Network Service Header + + Base Header: Provides information about the service header and the + payload protocol. + + Service Path Header: Provides path identification and location + within a service path. + + Context Header: Carries metadata (i.e., context data) along a + service path. + + + + + + + + + +Quinn, et al. Standards Track [Page 7] + +RFC 8300 Network Service Header (NSH) January 2018 + + +2.2. NSH Base Header + + Figure 3 depicts the NSH Base Header: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Ver|O|U| TTL | Length |U|U|U|U|MD Type| Next Protocol | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 3: NSH Base Header + + The field descriptions are as follows: + + Version: The Version field is used to ensure backward compatibility + going forward with future NSH specification updates. It MUST be + set to 0x0 by the sender, in this first revision of the NSH. If a + packet presumed to carry an NSH header is received at an SFF, and + the SFF does not understand the version of the protocol as + indicated in the base header, the packet MUST be discarded, and + the event SHOULD be logged. Given the widespread implementation + of existing hardware that uses the first nibble after an MPLS + label stack for Equal-Cost Multipath (ECMP) decision processing, + this document reserves version 01b. This value MUST NOT be used + in future versions of the protocol. Please see [RFC7325] for + further discussion of MPLS-related forwarding requirements. + + O bit: Setting this bit indicates an OAM packet (see [RFC6291]). + The actual format and processing of SFC OAM packets is outside the + scope of this specification (for example, see [SFC-OAM-FRAMEWORK] + for one approach). + + The O bit MUST be set for OAM packets and MUST NOT be set for + non-OAM packets. The O bit MUST NOT be modified along the SFP. + + SF/SFF/SFC Proxy/Classifier implementations that do not support + SFC OAM procedures SHOULD discard packets with O bit set, but MAY + support a configurable parameter to enable forwarding received SFC + OAM packets unmodified to the next element in the chain. + Forwarding OAM packets unmodified by SFC elements that do not + support SFC OAM procedures may be acceptable for a subset of OAM + functions, but it can result in unexpected outcomes for others; + thus, it is recommended to analyze the impact of forwarding an OAM + packet for all OAM functions prior to enabling this behavior. The + configurable parameter MUST be disabled by default. + + + + + + +Quinn, et al. Standards Track [Page 8] + +RFC 8300 Network Service Header (NSH) January 2018 + + + TTL: Indicates the maximum SFF hops for an SFP. This field is used + for service-plane loop detection. The initial TTL value SHOULD be + configurable via the control plane; the configured initial value + can be specific to one or more SFPs. If no initial value is + explicitly provided, the default initial TTL value of 63 MUST be + used. Each SFF involved in forwarding an NSH packet MUST + decrement the TTL value by 1 prior to NSH forwarding lookup. + Decrementing by 1 from an incoming value of 0 shall result in a + TTL value of 63. The packet MUST NOT be forwarded if TTL is, + after decrement, 0. + + This TTL field is the primary loop-prevention mechanism. This TTL + mechanism represents a robust complement to the Service Index (see + Section 2.3), as the TTL is decremented by each SFF. The handling + of an incoming 0 TTL allows for better, although not perfect, + interoperation with pre-standard implementations that do not + support this TTL field. + + Length: The total length, in 4-byte words, of the NSH including the + Base Header, the Service Path Header, the Fixed-Length Context + Header, or Variable-Length Context Header(s). The length MUST be + 0x6 for MD Type 0x1, and it MUST be 0x2 or greater for MD Type + 0x2. The length of the Network Service Header MUST be an integer + multiple of 4 bytes; thus, variable-length metadata is always + padded out to a multiple of 4 bytes. + + Unassigned bits: All other flag fields, marked U, are unassigned and + available for future use; see Section 9.1.1. Unassigned bits MUST + be set to zero upon origination, and they MUST be ignored and + preserved unmodified by other NSH supporting elements. At + reception, all elements MUST NOT modify their actions based on + these unknown bits. + + Metadata (MD) Type: Indicates the format of the NSH beyond the + mandatory NSH Base Header and the Service Path Header. MD Type + defines the format of the metadata being carried. Please see the + IANA Considerations in Section 9.1.3. + + This document specifies the following four MD Type values: + + 0x0: This is a reserved value. Implementations SHOULD silently + discard packets with MD Type 0x0. + + 0x1: This indicates that the format of the header includes a + Fixed-Length Context Header (see Figure 5 below). + + + + + + +Quinn, et al. Standards Track [Page 9] + +RFC 8300 Network Service Header (NSH) January 2018 + + + 0x2: This does not mandate any headers beyond the Base Header and + Service Path Header, but may contain optional Variable- + Length Context Header(s). With MD Type 0x2, a length of 0x2 + implies there are no Context Headers. The semantics of the + Variable-Length Context Header(s) are not defined in this + document. The format of the optional Variable-Length + Context Headers is provided in Section 2.5.1. + + 0xF: This value is reserved for experimentation and testing, as + per [RFC3692]. Implementations not explicitly configured to + be part of an experiment SHOULD silently discard packets + with MD Type 0xF. + + The format of the Base Header and the Service Path Header is + invariant and not affected by MD Type. + + The NSH MD Type 1 and MD Type 2 are described in detail in + Sections 2.4 and 2.5, respectively. NSH implementations MUST + support MD Types 0x1 and 0x2 (where the length is 0x2). NSH + implementations SHOULD support MD Type 0x2 with length greater + than 0x2. Devices that do not support MD Type 0x2 with a length + greater than 0x2 MUST ignore any optional Context Headers and + process the packet without them; the Base Header Length field can + be used to determine the original payload offset if access to the + original packet/frame is required. This specification does not + disallow the MD Type value from changing along an SFP; however, + the specification of the necessary mechanism to allow the MD Type + to change along an SFP are outside the scope of this document and + would need to be defined for that functionality to be available. + Packets with MD Type values not supported by an implementation + MUST be silently dropped. + + Next Protocol: Indicates the protocol type of the encapsulated data. + The NSH does not alter the inner payload, and the semantics on the + inner protocol remain unchanged due to NSH SFC. Please see the + IANA Considerations in Section 9.1.6. + + This document defines the following Next Protocol values: + + 0x1: IPv4 + 0x2: IPv6 + 0x3: Ethernet + 0x4: NSH + 0x5: MPLS + 0xFE: Experiment 1 + 0xFF: Experiment 2 + + + + + +Quinn, et al. Standards Track [Page 10] + +RFC 8300 Network Service Header (NSH) January 2018 + + + The functionality of hierarchical NSH using a Next Protocol value + of 0x4 (NSH) is outside the scope of this specification. Packets + with Next Protocol values not supported SHOULD be silently dropped + by default, although an implementation MAY provide a configuration + parameter to forward them. Additionally, an implementation not + explicitly configured for a specific experiment [RFC3692] SHOULD + silently drop packets with Next Protocol values 0xFE and 0xFF. + +2.3. Service Path Header + + Figure 4 shows the format of the Service Path Header: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Service Path Identifier (SPI) | Service Index | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Service Path Identifier (SPI): 24 bits + Service Index (SI): 8 bits + + Figure 4: NSH Service Path Header + + The meaning of these fields is as follows: + + Service Path Identifier (SPI): Uniquely identifies a Service Function + Path (SFP). Participating nodes MUST use this identifier for SFP + selection. The initial Classifier MUST set the appropriate SPI for a + given classification result. + + Service Index (SI): Provides location within the SFP. The initial + Classifier for a given SFP SHOULD set the SI to 255; however, the + control plane MAY configure the initial value of the SI as + appropriate (i.e., taking into account the length of the SFP). The + Service Index MUST be decremented by a value of 1 by Service + Functions or by SFC Proxy nodes after performing required services; + the new decremented SI value MUST be used in the egress packet's NSH. + The initial Classifier MUST send the packet to the first SFF in the + identified SFP for forwarding along an SFP. If re-classification + occurs, and that re-classification results in a new SPI, the + (re-)Classifier is, in effect, the initial Classifier for the + resultant SPI. + + The SI is used in conjunction with the Service Path Identifier for + SFP selection and for determining the next SFF/SF in the path. The + SI is also valuable when troubleshooting or reporting service paths. + While the TTL provides the primary SFF-based loop prevention for this + mechanism, SI decrement by SF serves as a limited loop-prevention + + + +Quinn, et al. Standards Track [Page 11] + +RFC 8300 Network Service Header (NSH) January 2018 + + + mechanism. NSH packets, as described above, are discarded when an + SFF decrements the TTL to 0. In addition, an SFF that is not the + terminal SFF for an SFP will discard any NSH packet with an SI of 0, + as there will be no valid next SF information. + +2.4. NSH MD Type 1 + + When the Base Header specifies MD Type 0x1, a Fixed-Length Context + Header (16-bytes) MUST be present immediately following the Service + Path Header, as per Figure 5. The value of a Fixed-Length Context + Header that carries no metadata MUST be set to zero. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Ver|O|U| TTL | Length |U|U|U|U|MD Type| Next Protocol | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Service Path Identifier | Service Index | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | Fixed-Length Context Header | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 5: NSH MD Type 0x1 + + This specification does not make any assumptions about the content of + the 16-byte Context Header that must be present when the MD Type + field is set to 1, and it does not describe the structure or meaning + of the included metadata. + + An SFC-aware SF or SFC Proxy needs to receive the data structure and + semantics first in order to process the data placed in the mandatory + context field. The data structure and semantics include both the + allocation schema and order as well as the meaning of the included + data. How an SFC-aware SF or SFC Proxy gets the data structure and + semantics is outside the scope of this specification. + + An SF or SFC Proxy that does not know the format or semantics of the + Context Header for an NSH with MD Type 1 MUST discard any packet with + such an NSH (i.e., MUST NOT ignore the metadata that it cannot + process), and MUST log the event at least once per the SPI for which + the event occurs (subject to thresholding). + + [NSH-DC-ALLOCATION] and [NSH-BROADBAND-ALLOCATION] provide specific + examples of how metadata can be allocated. + + + + + +Quinn, et al. Standards Track [Page 12] + +RFC 8300 Network Service Header (NSH) January 2018 + + +2.5. NSH MD Type 2 + + When the Base Header specifies MD Type 0x2, zero or more Variable- + Length Context Headers MAY be added, immediately following the + Service Path Header (see Figure 6). Therefore, Length = 0x2, + indicates that only the Base Header and Service Path Header are + present (and in that order). The optional Variable-Length Context + Headers MUST be of an integer number of 4-bytes. The Base Header + Length field MUST be used to determine the offset to locate the + original packet or frame for SFC nodes that require access to that + information. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Ver|O|U| TTL | Length |U|U|U|U|MD Type| Next Protocol | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Service Path Identifier | Service Index | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + ~ Variable-Length Context Headers (opt.) ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 6: NSH MD Type 0x2 + +2.5.1. Optional Variable-Length Metadata + + The format of the optional Variable-Length Context Headers, is as + depicted in Figure 7. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Metadata Class | Type |U| Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Variable-Length Metadata | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 7: Variable-Length Context Headers + + Metadata Class (MD Class): Defines the scope of the Type field to + provide a hierarchical namespace. Section 9.1.4 defines how the + MD Class values can be allocated to standards bodies, vendors, and + others. + + + + + + +Quinn, et al. Standards Track [Page 13] + +RFC 8300 Network Service Header (NSH) January 2018 + + + Type: Indicates the explicit type of metadata being carried. The + definition of the Type is the responsibility of the MD Class + owner. + + Unassigned bit: One unassigned bit is available for future use. + This bit MUST NOT be set, and it MUST be ignored on receipt. + + Length: Indicates the length of the variable-length metadata, in + bytes. In case the metadata length is not an integer number of + 4-byte words, the sender MUST add pad bytes immediately following + the last metadata byte to extend the metadata to an integer number + of 4-byte words. The receiver MUST round the Length field up to + the nearest 4-byte-word boundary, to locate and process the next + field in the packet. The receiver MUST access only those bytes in + the metadata indicated by the Length field (i.e., actual number of + bytes) and MUST ignore the remaining bytes up to the nearest + 4-byte-word boundary. The length may be 0 or greater. + + A value of 0 denotes a Context Header without a Variable-Length + Metadata field. + + This specification does not make any assumption about Context Headers + that are mandatory to implement or those that are mandatory to + process. These considerations are deployment specific. However, the + control plane is entitled to instruct SFC-aware SFs with the data + structure of the Context Header together with its scoping (see e.g., + Section 3.3.3 of [SFC-CONTROL-PLANE]). + + Upon receipt of a packet that belongs to a given SFP, if a mandatory- + to-process Context Header is missing in that packet, the SFC-aware SF + MUST NOT process the packet and MUST log an error at least once per + the SPI for which the mandatory metadata is missing. + + If multiple mandatory-to-process Context Headers are required for a + given SFP, the control plane MAY instruct the SFC-aware SF with the + order to consume these Context Headers. If no instructions are + provided and the SFC-aware SF will make use of or modify the specific + Context Header, then the SFC-aware SF MUST process these Context + Headers in the order they appear in an NSH packet. + + If multiple instances of the same metadata are included in an NSH + packet, but the definition of that Context Header does not allow for + it, the SFC-aware SF MUST process the first instance and ignore + subsequent instances. The SFC-aware SF MAY log or increase a counter + for this event. + + + + + + +Quinn, et al. Standards Track [Page 14] + +RFC 8300 Network Service Header (NSH) January 2018 + + +3. NSH Actions + + NSH-aware nodes (which include Service Classifiers, SFFs, SFs, and + SFC Proxies) may alter the contents of the NSH headers. These nodes + have several possible NSH-related actions: + + 1. Insert or remove the NSH: These actions can occur respectively at + the start and end of a service path. Packets are classified, and + if determined to require servicing, an NSH will be imposed. A + + Service Classifier MUST insert an NSH at the start of an SFP. An + imposed NSH MUST contain both a valid Base Header and Service + Path Header. At the end of an SFP, an SFF MUST remove the NSH + before forwarding or delivering the un-encapsulated packet. + Therefore, it is the last node operating on the service header. + + Multiple logical Classifiers may exist within a given service + path. Non-initial Classifiers may re-classify data, and that + re-classification MAY result in the selection of a different SFP. + When the logical Classifier performs re-classification that + results in a change of service path, it MUST replace the existing + NSH with a new NSH with the Base Header and Service Path Header + reflecting the new service path information and MUST set the + initial SI. The O bit, the TTL field, and unassigned flags MUST + be copied transparently from the old NSH to a new NSH. Metadata + MAY be preserved in the new NSH. + + 2. Select service path: The Service Path Header provides service + path information and is used by SFFs to determine correct service + path selection. SFFs MUST use the Service Path Header for + selecting the next SF or SFF in the service path. + + 3. Update the NSH: SFs MUST decrement the service index by one. If + an SFF receives a packet with an SPI and SI that do not + correspond to a valid next hop in a valid SFP, that packet MUST + be dropped by the SFF. + + Classifiers MAY update Context Headers if new/updated context is + available. + + If an SFC proxy is in use (acting on behalf of an NSH-unaware + Service Function for NSH actions), then the proxy MUST update the + Service Index and MAY update contexts. When an SFC Proxy + receives an NSH-encapsulated packet, it MUST remove the NSH + before forwarding it to an NSH-unaware SF. When the SFC Proxy + receives a packet back from an NSH-unaware SF, it MUST + re-encapsulate it with the correct NSH, and it MUST decrement the + Service Index by one. + + + +Quinn, et al. Standards Track [Page 15] + +RFC 8300 Network Service Header (NSH) January 2018 + + + 4. Service policy selection: Service Functions derive policy (i.e., + service actions such as permit or deny) selection and enforcement + from the NSH. Metadata shared in the NSH can provide a range of + service-relevant information such as traffic classification. + + Figure 8 maps each of the four actions above to the components in the + SFC architecture that can perform it. + + +-----------+-----------------------+-------+---------------+-------+ + | | Insert, remove, or |Forward| Update |Service| + | | replace the NSH |the NSH| the NSH |policy | + | | |packets| |sel. | + |Component +-------+-------+-------+ +-------+-------+ | + | | | | | |Dec. |Update | | + | |Insert |Remove |Replace| |Service|Context| | + | | | | | |Index |Header | | + +-----------+-------+-------+-------+-------+-------+-------+-------+ + | | + | | + | | | + | | + |Classifier | | | | | | | | + +-----------+-------+-------+-------+-------+-------+-------+-------+ + |Service | | + | | + | | | | + |Function | | | | | | | | + |Forwarder | | | | | | | | + |(SFF) | | | | | | | | + +-----------+-------+-------+-------+-------+-------+-------+-------+ + |Service | | | | | + | + | + | + |Function | | | | | | | | + |(SF) | | | | | | | | + +-----------+-------+-------+-------+-------+-------+-------+-------+ + | | + | + | | | + | + | | + |SFC Proxy | | | | | | | | + +-----------+-------+-------+-------+-------+-------+-------+-------+ + + Figure 8: NSH Action and Role Mapping + +4. NSH Transport Encapsulation + + Once the NSH is added to a packet, an outer transport encapsulation + is used to forward the original packet and the associated metadata to + the start of a service chain. The encapsulation serves two purposes: + + 1. Creates a topologically independent services plane. Packets are + forwarded to the required services without changing the + underlying network topology. + + + + + + + +Quinn, et al. Standards Track [Page 16] + +RFC 8300 Network Service Header (NSH) January 2018 + + + 2. Transit network nodes simply forward the encapsulated packets + without modification. + + The service header is independent of the transport encapsulation + used. Existing transport encapsulations can be used. The presence + of an NSH is indicated via a protocol type or another indicator in + the outer transport encapsulation. + +5. Fragmentation Considerations + + The NSH and the associated transport encapsulation header are "added" + to the encapsulated packet/frame. This additional information + increases the size of the packet. + + Within a managed administrative domain, an operator can ensure that + the underlay MTU is sufficient to carry SFC traffic without requiring + fragmentation. Given that the intended scope of the NSH is within a + single provider's operational domain, that approach is sufficient. + + However, although explicitly outside the scope of this specification, + there might be cases where the underlay MTU is not large enough to + carry the NSH traffic. Since the NSH does not provide fragmentation + support at the service plane, the transport encapsulation protocol + ought to provide the requisite fragmentation handling. For instance, + Section 9 of [RTG-ENCAP] provides exemplary approaches and guidance + for those scenarios. + + When the transport encapsulation protocol supports fragmentation, and + fragmentation procedures needs to be used, such fragmentation is part + of the transport encapsulation logic. If, as it is common, + fragmentation is performed by the endpoints of the transport + encapsulation, then fragmentation procedures are performed at the + sending NSH entity as part of the transport encapsulation, and + reassembly procedures are performed at the receiving NSH entity + during transport de-encapsulation handling logic. In no case would + such fragmentation result in duplication of the NSH header. + + For example, when the NSH is encapsulated in IP, IP-level + fragmentation coupled with Path MTU Discovery (PMTUD) (e.g., + [RFC8201]) is used. Since PMTUD relies on ICMP messages, an operator + should ensure ICMP packets are not blocked. When, on the other hand, + the underlay does not support fragmentation procedures, an error + message SHOULD be logged when dropping a packet too big. Lastly, + NSH-specific fragmentation and reassembly methods may be defined as + well, but these methods are outside the scope of this document and + subject for future work. + + + + + +Quinn, et al. Standards Track [Page 17] + +RFC 8300 Network Service Header (NSH) January 2018 + + +6. Service Path Forwarding with NSH + +6.1. SFFs and Overlay Selection + + As described above, the NSH contains a Service Path Identifier (SPI) + and a Service Index (SI). The SPI is, as per its name, an + identifier. The SPI alone cannot be used to forward packets along a + service path. Rather, the SPI provides a level of indirection + between the service path / topology and the network transport + encapsulation. Furthermore, there is no requirement for, or + expectation of, an SPI being bound to a predetermined or static + network path. + + The Service Index provides an indication of location within a service + path. The combination of SPI and SI provides the identification of a + logical SF and its order within the service plane. This combination + is used to select the appropriate network locator(s) for overlay + forwarding. The logical SF may be a single SF or a set of eligible + SFs that are equivalent. In the latter case, the SFF provides load + distribution amongst the collection of SFs as needed. + + SI serves as a mechanism for detecting invalid SFPs. In particular, + an SI value of zero indicates that forwarding is incorrect and the + packet must be discarded. + + This indirection -- SPI to overlay -- creates a true service plane. + That is, the SFF/SF topology is constructed without impacting the + network topology, but, more importantly, service-plane-only + participants (i.e., most SFs) need not be part of the network overlay + topology and its associated infrastructure (e.g., control plane, + routing tables, etc.). SFs need to be able to return a packet to an + appropriate SFF (i.e., has the requisite NSH information) when + service processing is complete. This can be via the overlay or + underlay and, in some cases, can require additional configuration on + the SF. As mentioned above, an existing overlay topology may be + used, provided it offers the requisite connectivity. + + The mapping of SPI to transport encapsulation occurs on an SFF (as + discussed above, the first SFF in the path gets an NSH encapsulated + packet from the Classifier). The SFF consults the SPI/ID values to + determine the appropriate overlay transport encapsulation protocol + (several may be used within a given network) and next hop for the + requisite SF. Table 1 depicts an example of a single next-hop SPI/ + SI-to-network overlay network locator mapping. + + + + + + + +Quinn, et al. Standards Track [Page 18] + +RFC 8300 Network Service Header (NSH) January 2018 + + + +------+------+---------------------+-------------------------+ + | SPI | SI | Next Hop(s) | Transport Encapsulation | + +------+------+---------------------+-------------------------+ + | 10 | 255 | 192.0.2.1 | VXLAN-gpe | + | | | | | + | 10 | 254 | 198.51.100.10 | GRE | + | | | | | + | 10 | 251 | 198.51.100.15 | GRE | + | | | | | + | 40 | 251 | 198.51.100.15 | GRE | + | | | | | + | 50 | 200 | 01:23:45:67:89:ab | Ethernet | + | | | | | + | 15 | 212 | Null (end of path) | None | + +------+------+---------------------+-------------------------+ + + Table 1: SFF NSH Mapping Example + + Additionally, further indirection is possible: the resolution of the + required SF network locator may be a localized resolution on an SFF, + rather than an SFC control plane responsibility, as per Tables 2 and + 3. + + Please note: VXLAN-gpe and GRE in the above table refer to + [VXLAN-GPE] and [RFC2784] [RFC7676], respectively. + + +------+-----+----------------+ + | SPI | SI | Next Hop(s) | + +------+-----+----------------+ + | 10 | 3 | SF2 | + | | | | + | 245 | 12 | SF34 | + | | | | + | 40 | 9 | SF9 | + +------+-----+----------------+ + + Table 2: NSH-to-SF Mapping Example + + + + + + + + + + + + + + +Quinn, et al. Standards Track [Page 19] + +RFC 8300 Network Service Header (NSH) January 2018 + + + +------+-------------------+-------------------------+ + | SF | Next Hop(s) | Transport Encapsulation | + +------+-------------------+-------------------------+ + | SF2 | 192.0.2.2 | VXLAN-gpe | + | | | | + | SF34 | 198.51.100.34 | UDP | + | | | | + | SF9 | 2001:db8::1 | GRE | + +------+-------------------+-------------------------+ + + Table 3: SF Locator Mapping Example + + Since the SPI is a representation of the service path, the lookup may + return more than one possible next hop within a service path for a + given SF, essentially a series of weighted (equally or otherwise) + paths to be used (for load distribution, redundancy, or policy); see + Table 4. The metric depicted in Table 4 is an example to help + illustrate weighing SFs. In a real network, the metric will range + from a simple preference (similar to routing next-hop) to a true + dynamic composite metric based on the state of a Service Function + (including load, session state, capacity, etc.). + + +------+-----+--------------+---------+ + | SPI | SI | NH | Metric | + +------+-----+--------------+---------+ + | 10 | 3 | 203.0.113.1 | 1 | + | | | | | + | | | 203.0.113.2 | 1 | + | | | | | + | 20 | 12 | 192.0.2.1 | 1 | + | | | | | + | | | 203.0.113.4 | 1 | + | | | | | + | 30 | 7 | 192.0.2.10 | 10 | + | | | | | + | | | 198.51.100.1 | 5 | + +------+-----+--------------+---------+ + + (encapsulation type omitted for formatting) + + Table 4: NSH Weighted Service Path + + The information contained in Tables 1-4 may be received from the + control plane, but the exact mechanism is outside the scope of this + document. + + + + + + +Quinn, et al. Standards Track [Page 20] + +RFC 8300 Network Service Header (NSH) January 2018 + + +6.2. Mapping the NSH to Network Topology + + As described above, the mapping of the SPI to network topology may + result in a single path, or it might result in a more complex + topology. Furthermore, the SPI-to-overlay mapping occurs at each SFF + independently. Any combination of topology selection is possible. + Please note, there is no requirement to create a new overlay topology + if a suitable one already exists. NSH packets can use any (new or + existing) overlay, provided the requisite connectivity requirements + are satisfied. + + Examples of mapping for a topology: + + 1. Next SF is located at SFFb with locator 2001:db8::1 + SFFa mapping: SPI=10 --> VXLAN-gpe, dst-ip: 2001:db8::1 + + 2. Next SF is located at SFFc with multiple network locators for + load-distribution purposes: + SFFb mapping: SPI=10 --> VXLAN-gpe, dst_ip:203.0.113.1, + 203.0.113.2, 203.0.113.3, equal cost + + 3. Next SF is located at SFFd with two paths from SFFc, one for + redundancy: + SFFc mapping: SPI=10 --> VXLAN-gpe, dst_ip:192.0.2.10 cost=10, + 203.0.113.10, cost=20 + + In the above example, each SFF makes an independent decision about + the network overlay path and policy for that path. In other words, + there is no a priori mandate about how to forward packets in the + network (only the order of services that must be traversed). + + The network operator retains the ability to engineer the network + paths as required. For example, the overlay path between SFFs may + utilize traffic engineering, QoS marking, or ECMP, without requiring + complex configuration and network protocol support to be extended to + the service path explicitly. In other words, the network operates as + expected, and evolves as required, as does the service plane. + +6.3. Service Plane Visibility + + The SPI and SI serve an important function for visibility into the + service topology. An operator can determine what service path a + packet is "on" and its location within that path simply by viewing + NSH information (packet capture, IP Flow Information Export (IPFIX), + etc.). The information can be used for service scheduling and + placement decisions, troubleshooting, and compliance verification. + + + + + +Quinn, et al. Standards Track [Page 21] + +RFC 8300 Network Service Header (NSH) January 2018 + + +6.4. Service Graphs + + While a given realized SFP is a specific sequence of Service + Functions, the service, as seen by a user, can actually be a + collection of SFPs, with the interconnection provided by Classifiers + (in-service path, non-initial re-classification). These internal re- + Classifiers examine the packet at relevant points in the network, + and, if needed, SPI and SI are updated (whether this update is a re- + write, or the imposition of a new NSH with new values is + implementation specific) to reflect the "result" of the + classification. These Classifiers may, of course, also modify the + metadata associated with the packet. + Section 2.1 of [RFC7665] describes Service Graphs in detail. + +7. Policy Enforcement with NSH + +7.1. NSH Metadata and Policy Enforcement + + As described in Section 2, NSH provides the ability to carry metadata + along a service path. This metadata may be derived from several + sources. Common examples include: + + Network nodes/devices: Information provided by network nodes can + indicate network-centric information (such as VPN Routing and + Forwarding (VRF) or tenant) that may be used by Service Functions + or conveyed to another network node post service path egress. + + External (to the network) systems: External systems, such as + orchestration systems, often contain information that is valuable + for Service Function policy decisions. In most cases, this + information cannot be deduced by network nodes. For example, a + cloud orchestration platform placing workloads "knows" what + application is being instantiated and can communicate this + information to all NSH nodes via metadata carried in the Context + Header(s). + + Service Functions: A Classifier co-resident with Service Functions + often performs very detailed and valuable classification. + + Regardless of the source, metadata reflects the "result" of + classification. The granularity of classification may vary. For + example, a network switch, acting as a Classifier, might only be able + to classify based on a 2-tuple, or based on a 5-tuple, while a + Service Function may be able to inspect application information. + Regardless of granularity, the classification information can be + represented in the NSH. + + + + + +Quinn, et al. Standards Track [Page 22] + +RFC 8300 Network Service Header (NSH) January 2018 + + + Once the data is added to the NSH, it is carried along the service + path. NSH-aware SFs receive the metadata, and can use that metadata + for local decisions and policy enforcement. Figures 9 and 10 + highlight the relationship between metadata and policy. + + +-------+ +-------+ +-------+ + | SFF )------->( SFF |------->| SFF | + +---+---+ +---+---+ +---+---+ + ^ | | + ,-|-. ,-|-. ,-|-. + / \ / \ / \ + ( Class ) ( SF1 ) ( SF2 ) + \ ify / \ / \ / + `---' `---' `---' + 5-tuple: Permit Inspect + Tenant A Tenant A AppY + AppY + + Figure 9: Metadata and Policy + + +-----+ +-----+ +-----+ + | SFF |---------> | SFF |----------> | SFF | + +--+--+ +--+--+ +--+--+ + ^ | | + ,-+-. ,-+-. ,-+-. + / \ / \ / \ + ( Class ) ( SF1 ) ( SF2 ) + \ ify / \ / \ / + `-+-' `---' `---' + | Permit Deny AppZ + +---+---+ employees + | | + +-------+ + External + system: + Employee + AppZ + + Figure 10: External Metadata and Policy + + In both of the examples above, the Service Functions perform policy + decisions based on the result of the initial classification: the SFs + did not need to perform re-classification; instead, they rely on an + antecedent classification for local policy enforcement. + + Depending on the information carried in the metadata, data privacy + impact needs to be considered. For example, if the metadata conveys + tenant information, that information may need to be authenticated + + + +Quinn, et al. Standards Track [Page 23] + +RFC 8300 Network Service Header (NSH) January 2018 + + + and/or encrypted between the originator and the intended recipients + (which may include intended SFs only); one approach to an optional + capability to do this is explored in [NSH-ENCRYPT]. The NSH itself + does not provide privacy functions, rather it relies on the transport + encapsulation/overlay. An operator can select the appropriate set of + transport encapsulation protocols to ensure confidentiality (and + other security) considerations are met. Metadata privacy and + security considerations are a matter for the documents that define + metadata format. + +7.2. Updating/Augmenting Metadata + + Post-initial metadata imposition (typically, performed during initial + service path determination), the metadata may be augmented or + updated: + + 1. Metadata Augmentation: Information may be added to the NSH's + existing metadata, as depicted in Figure 11. For example, if the + initial classification returns the tenant information, a + secondary classification (perhaps co-resident with deep packet + inspection (DPI) or server load balancing (SLB)) may augment the + tenant classification with application information, and impose + that new information in NSH metadata. The tenant classification + is still valid and present, but additional information has been + added to it. + + 2. Metadata Update: Subsequent Classifiers may update the initial + classification if it is determined to be incorrect or not + descriptive enough. For example, the initial Classifier adds + metadata that describes the traffic as "Internet", but a security + Service Function determines that the traffic is really "attack". + Figure 12 illustrates an example of updating metadata. + + + + + + + + + + + + + + + + + + + +Quinn, et al. Standards Track [Page 24] + +RFC 8300 Network Service Header (NSH) January 2018 + + + +-----+ +-----+ +-----+ + | SFF |---------> | SFF |----------> | SFF | + +--+--+ +--+--+ +--+--+ + ^ | | + ,---. ,---. ,---. + / \ / \ / \ + ( Class ) ( SF1 ) ( SF2 ) + \ / \ / \ / + `-+-' `---' `---' + | Inspect Deny + +---+---+ employees employee+ + | | Class=AppZ appZ + +-------+ + External + system: + Employee + + Figure 11: Metadata Augmentation + + +-----+ +-----+ +-----+ + | SFF |---------> | SFF |----------> | SFF | + +--+--+ +--+--+ +--+--+ + ^ | | + ,---. ,---. ,---. + / \ / \ / \ + ( Class ) ( SF1 ) ( SF2 ) + \ / \ / \ / + `---' `---' `---' + 5-tuple: Inspect Deny + Tenant A Tenant A attack + --> attack + + Figure 12: Metadata Update + +7.3. Service Path Identifier and Metadata + + Metadata information may influence the service path selection since + the Service Path Identifier values can represent the result of + classification. A given SPI can be defined based on classification + results (including metadata classification). The imposition of the + SPI and SI results in the packet being placed on the newly specified + SFP at the position indicated by the imposed SPI and SI. + + This relationship provides the ability to create a dynamic service + plane based on complex classification, without requiring each node to + be capable of such classification or requiring a coupling to the + network topology. This yields Service Graph functionality as + + + + +Quinn, et al. Standards Track [Page 25] + +RFC 8300 Network Service Header (NSH) January 2018 + + + described in Section 6.4. Figure 13 illustrates an example of this + behavior. + + +-----+ +-----+ +-----+ + | SFF |---------> | SFF |------+---> | SFF | + +--+--+ +--+--+ | +--+--+ + | | | | + ,---. ,---. | ,---. + / \ / SF1 \ | / \ + ( SCL ) ( + ) | ( SF2 ) + \ / \SCL2 / | \ / + `---' `---' +-----+ `---' + 5-tuple: Inspect | SFF | Original + Tenant A Tenant A +--+--+ next SF + --> DoS | + V + ,-+-. + / \ + ( SF10 ) + \ / + `---' + DoS + "Scrubber" + + Legend: + SCL = Service Classifier + + Figure 13: Path ID and Metadata + + Specific algorithms for mapping metadata to an SPI are outside the + scope of this document. + +8. Security Considerations + + NSH security must be considered in the contexts of the SFC + architecture and operators' environments. One important + characteristic of NSH is that it is not an end-to-end protocol. As + opposed to a protocol that "starts" on a host and "ends" on a server + or another host, NSH is typically imposed by a network device on + ingress to the SFC domain and removed at the egress of the SFC + domain. As such, and as with any other network-centric protocols + (e.g., IP Tunneling, Traffic Engineering, MPLS, or Provider- + Provisioned Virtual Private Networks), there is an underlying trust + in the network devices responsible for imposing, removing, and acting + on NSH information. + + The following sections detail an analysis and present a set of + requirements and recommendations in those two areas. + + + +Quinn, et al. Standards Track [Page 26] + +RFC 8300 Network Service Header (NSH) January 2018 + + +8.1. NSH Security Considerations from Operators' Environments + + Trusted Devices + + All Classifiers, SFFs and SFs (hereinafter referred to as "SFC + devices") within an operator's environment are assumed to have + been selected, vetted, and actively maintained; therefore, they + are trusted by that operator. This assumption differs from the + oft held view that devices are untrusted, often referred to as the + "zero-trust model". Operators SHOULD regularly monitor (i.e., + continuously audit) these devices to help ensure compliant + behavior. This trust, therefore, extends into NSH operations: SFC + devices are not, themselves, considered to be attack vectors. + This assumption, and the resultant conclusion is reasonable since + this is the very basis of an operator posture; the operator + depends on this reality to function. If these devices are not + trusted, and indeed are compromised, almost the entirety of the + operator's standard-based IP and MPLS protocol suites are + vulnerable; therefore, the operation of the entire network is + compromised. Although there are well-documented monitoring-based + methods for detecting compromise (such as included continuous + monitoring and audit and log review), these may not be sufficient + to contain damage by a completely compromised element. + + Methods and best practices to secure devices are also widely + documented and outside the scope of this document. + + Single Domain Boundary + + As per [RFC7665], NSH is designed for use within a single + administrative domain. This scoping provides two important + characteristics: + + i) Clear NSH boundaries + + NSH egress devices MUST strip the NSH headers before they send the + users' packets or frames out of the NSH domain. + + Means to prevent leaking privacy-related information outside an + administrative domain are natively supported by the NSH given that + the last SFF of a service path will systematically remove the NSH + encapsulation before forwarding a packet exiting the service path. + + The second step in such prevention is to filter the transport + encapsulation protocol used by NSH at the domain edge. The + transport encapsulation protocol MUST be filtered and MUST NOT + leave the domain edge. + + + + +Quinn, et al. Standards Track [Page 27] + +RFC 8300 Network Service Header (NSH) January 2018 + + + Depending upon the transport encapsulation protocol used for NSH, + this can be done either by completely blocking the transport + encapsulation (e.g., if MPLS is the chosen NSH transport + encapsulation protocol, it is therefore never allowed to leave the + domain) or by examining the carried protocol with the transport + encapsulation (e.g., if VXLAN-gpe is used as the NSH transport + encapsulation protocol, all domain edges need to filter based on + the carried protocol in the VXLAN-gpe.) + + The other consequence of this bounding is that ingress packets + MUST also be filtered to prevent attackers from sending in NSH + packets with service path identification and metadata of their own + selection. The same filters as described above for both the NSH + at SFC devices and for the transport encapsulation protocol as + general edge protections MUST be applied on ingress. + + In summary, packets originating outside the SFC-enabled domain + MUST be dropped if they contain an NSH. Similarly, packets + exiting the SFC-enabled domain MUST be dropped if they contain an + NSH. + + ii) Mitigation of external threats + + As per the trusted SFC device points raised above, given that NSH + is scoped within an operator's domain, that operator can ensure + that the environment and its transitive properties comply with + that operator's required security posture. Continuous audits for + assurance are recommended with this reliance on a fully trusted + environment. The term "continuous audits" describes a method + (automated or manual) of checking security-control compliance on a + regular basis, at some set period of time. + +8.2. NSH Security Considerations from the SFC Architecture + + The SFC architecture defines functional roles (e.g., SFF), as well as + protocol elements (e.g., Metadata). This section considers each role + and element in the context of threats posed in the areas of integrity + and confidentiality. As with routing, the distributed computation + model assumes a distributed trust model. + + An important consideration is that NSH contains mandatory-to-mute + fields, and further, the SFC architecture describes cases where other + fields in NSH change, all on a possible SFP hop-by-hop basis. This + means that any cryptographic solution requires complex key + distribution and life-cycle operations. + + + + + + +Quinn, et al. Standards Track [Page 28] + +RFC 8300 Network Service Header (NSH) January 2018 + + +8.2.1. Integrity + + SFC devices + + SFC devices MAY perform various forms of verification on received + NSH packets such as only accepting NSH packets from expected + devices, checking that NSH SPI and SI values received from + expected devices conform to expected values and so on. + Implementation of these additional checks are a local matter and, + thus, out of scope of this document. + + NSH Base and Service Path Headers + + Attackers who can modify packets within the operator's network may + be able to modify the SFP, path position, and/or the metadata + associated with a packet. + + One specific concern is an attack in which a malicious + modification of the SPI/SI results in an alteration of the path to + avoid security devices. The options discussed in this section + help thwart that attack, and so does the use of the optional + "Proof of Transit" method [PROOF-OF-TRANSIT]. + + As stated above, SFC devices are trusted; in the case where an SFC + device is compromised, NSH integrity protection would be subject + to forging (in many cases) as well. + + NSH itself does not mandate protocol-specific integrity + protection. However, if an operator deems protection is required, + several options are viable: + + 1. SFF/SF NSH verification + + Although, strictly speaking, not integrity protection, some of + the techniques mentioned above, such as checking expected NSH + values are received from expected SFC device(s), can provide a + form of verification without incurring the burden of a full- + fledged integrity-protection deployment. + + 2. Transport Security + + NSH is always encapsulated by an outer transport encapsulation + as detailed in Section 4 of this specification, and as + depicted in Figure 1. If an operator deems cryptographic + integrity protection necessary due to their risk analysis, + then an outer transport encapsulation that provides such + protection [RFC6071], such as IPsec, MUST be used. + + + + +Quinn, et al. Standards Track [Page 29] + +RFC 8300 Network Service Header (NSH) January 2018 + + + Although the threat model and recommendations of Section 5 of + BCP 72 [RFC3552] would normally require cryptographic data + origin authentication for the header, this document does not + mandate such mechanisms in order to reflect the operational + and technical realities of deployment. + + Given that NSH is transport independent, as mentioned above, a + secure transport, such as IPsec can be used for carry NSH. + IPsec can be used either alone or in conjunction with other + transport encapsulation protocols, in turn, encapsulating NSH. + + Operators MUST ensure the selected transport encapsulation + protocol can be supported by the transport encapsulation/ + underlay of all relevant network segments as well as SFFs, + SFs, and SFC Proxies in the service path. + + If connectivity between SFC-enabled devices traverses the + public Internet, then such connectivity MUST be secured at the + transport encapsulation layer. IPsec is an example of such a + transport. + + 3. NSH Variable Header-Based Integrity + + Lastly, NSH MD Type 2 provides, via variable-length headers, + the ability to append cryptographic integrity protection to + the NSH packet. The implementation of such a scheme is + outside the scope of this document. + + NSH metadata + + As with the Base and Service Path Headers, if an operator deems + cryptographic integrity protection needed, then an existing, + standard transport protocol MUST be used since the integrity + protection applies to entire encapsulated NSH packets. As + mentioned above, a risk assessment that deems data-plane traffic + subject to tampering will apply not only to NSH but to the + transport information; therefore, the use of a secure transport is + likely needed already to protect the entire stack. + + If an MD Type 2 variable header integrity scheme is in place, then + the integrity of the metadata can be ensured via that mechanism as + well. + + + + + + + + + +Quinn, et al. Standards Track [Page 30] + +RFC 8300 Network Service Header (NSH) January 2018 + + +8.2.2. Confidentiality + + SFC devices + + SFC devices can "see" (and need to use) NSH information. + + NSH Base and Service Path Headers + + SPI and other base / service path information does not typically + require confidentiality; however, if an operator does deem + confidentiality to be required, then, as with integrity, an + existing transport encapsulation that provides encryption MUST be + utilized. + + NSH metadata + + An attacker with access to the traffic in an operator's network + can potentially observe the metadata NSH carries with packets, + potentially discovering privacy-sensitive information. + + Much of the metadata carried by NSH is not sensitive. It often + reflects information that can be derived from the underlying + packet or frame. Direct protection of such information is not + necessary, as the risks are simply those of carrying the + underlying packet or frame. + + Implementers and operators MUST be aware that metadata can have + privacy implications, and those implications are sometimes hard to + predict. Therefore, attached metadata should be limited to that + necessary for correct operation of the SFP. Further, [RFC8165] + defines metadata considerations that operators can take into + account when using NSH. + + Protecting NSH metadata information between SFC components can be + done using transport encapsulation protocols with suitable + security capabilities, along the lines discussed above. If a + security analysis deems these protections necessary, then security + features in the transport encapsulation protocol (such as IPsec) + MUST be used. + + One useful element of providing privacy protection for sensitive + metadata is described under the "SFC Encapsulation" area of the + Security Considerations of [RFC7665]. Operators can and should + use indirect identification for metadata deemed to be sensitive + (such as personally identifying information), significantly + mitigating the risk of a privacy violation. In particular, + subscriber-identifying information should be handled carefully, + and, in general, SHOULD be obfuscated. + + + +Quinn, et al. Standards Track [Page 31] + +RFC 8300 Network Service Header (NSH) January 2018 + + + For those situations where obfuscation is either inapplicable or + judged to be insufficient, an operator can also encrypt the + metadata. An approach to an optional capability to do this was + explored in [NSH-ENCRYPT]. For other situations where greater + assurance is desired, optional mechanisms such as + [PROOF-OF-TRANSIT] can be used. + +9. IANA Considerations + +9.1. NSH Parameters + + IANA has created a new "Network Service Header (NSH) Parameters" + registry. The following subsections detail new registries within the + "Network Service Header (NSH) Parameters" registry. + +9.1.1. NSH Base Header Bits + + There are five unassigned bits (U bits) in the NSH Base Header, and + one assigned bit (O bit). New bits are assigned via Standards Action + [RFC8126]. + + Bit 2 - O (OAM) bit + Bit 3 - Unassigned + Bits 16-19 - Unassigned + +9.1.2. NSH Version + + IANA has set up the "NSH Version" registry. New values are assigned + via Standards Action [RFC8126]. + + +-------------+---------------------------------+-----------+ + | Version | Description | Reference | + +-------------+---------------------------------+-----------+ + | Version 00b | Protocol as defined by RFC 8300 | RFC 8300 | + | Version 01b | Reserved | RFC 8300 | + | Version 10b | Unassigned | | + | Version 11b | Unassigned | | + +-------------+---------------------------------+-----------+ + + Table 5: NSH Version + + + + + + + + + + + +Quinn, et al. Standards Track [Page 32] + +RFC 8300 Network Service Header (NSH) January 2018 + + +9.1.3. NSH MD Types + + IANA has set up the "NSH MD Types" registry, which contains 4-bit + values. MD Type values 0x0, 0x1, 0x2, and 0xF are specified in this + document; see Table 6. Registry entries are assigned via the "IETF + Review" policy defined in RFC 8126 [RFC8126]. + + +-----------+-----------------+-----------+ + | MD Type | Description | Reference | + +-----------+-----------------+-----------+ + | 0x0 | Reserved | RFC 8300 | + | | | | + | 0x1 | NSH MD Type 1 | RFC 8300 | + | | | | + | 0x2 | NSH MD Type 2 | RFC 8300 | + | | | | + | 0x3 - 0xE | Unassigned | | + | | | | + | 0xF | Experimentation | RFC 8300 | + +-----------+-----------------+-----------+ + + Table 6: MD Type Values + +9.1.4. NSH MD Class + + IANA has set up the "NSH MD Class" registry, which contains 16-bit + values. New allocations are to be made according to the following + policies: + + 0x0000 to 0x01ff: IETF Review + 0x0200 to 0xfff5: Expert Review + + IANA has assigned the values as follows: + + +------------------+------------------------+------------+ + | Value | Meaning | Reference | + +------------------+------------------------+------------+ + | 0x0000 | IETF Base NSH MD Class | RFC 8300 | + | | | | + | 0xfff6 to 0xfffe | Experimental | RFC 8300 | + | | | | + | 0xffff | Reserved | RFC 8300 | + +------------------+------------------------+------------+ + + Table 7: NSH MD Class + + A registry for Types for the MD Class of 0x0000 is defined in + Section 9.1.5. + + + +Quinn, et al. Standards Track [Page 33] + +RFC 8300 Network Service Header (NSH) January 2018 + + + Designated Experts evaluating new allocation requests from the + "Expert Review" range should principally consider whether a new MD + class is needed compared to adding MD Types to an existing class. + The Designated Experts should also encourage the existence of an + associated and publicly visible registry of MD Types although this + registry need not be maintained by IANA. + + When evaluating a request for an allocation, the Expert should verify + that the allocation plan includes considerations to handle privacy + and security issues associated with the anticipated individual MD + Types allocated within this class. These plans should consider, when + appropriate, alternatives such as indirection, encryption, and + limited-deployment scenarios. Information that can't be directly + derived from viewing the packet contents should be examined for + privacy and security implications. + +9.1.5. NSH IETF-Assigned Optional Variable-Length Metadata Types + + The Type values within the IETF Base NSH MD Class, i.e., when the MD + Class is set to 0x0000 (see Section 9.1.4), are the Types owned by + the IETF. Per this document, IANA has created a registry for the + Type values for the IETF Base NSH MD Class called the "NSH IETF- + Assigned Optional Variable-Length Metadata Types" registry, as + specified in Section 2.5.1. + + The type values are assigned via Standards Action [RFC8126]. + + No initial values are assigned at the creation of the registry. + + + + + + + + + + + + + + + + + + + + + + + +Quinn, et al. Standards Track [Page 34] + +RFC 8300 Network Service Header (NSH) January 2018 + + +9.1.6. NSH Next Protocol + + IANA has set up the "NSH Next Protocol" registry, which contains + 8-bit values. Next Protocol values 0, 1, 2, 3, 4, and 5 are defined + in this document (see Table 8). New values are assigned via "Expert + Review" as per [RFC8126]. + + +---------------+--------------+-----------+ + | Next Protocol | Description | Reference | + +---------------+--------------+-----------+ + | 0x00 | Unassigned | | + | | | | + | 0x01 | IPv4 | RFC 8300 | + | | | | + | 0x02 | IPv6 | RFC 8300 | + | | | | + | 0x03 | Ethernet | RFC 8300 | + | | | | + | 0x04 | NSH | RFC 8300 | + | | | | + | 0x05 | MPLS | RFC 8300 | + | | | | + | 0x06 - 0xFD | Unassigned | | + | | | | + | 0xFE | Experiment 1 | RFC 8300 | + | | | | + | 0xFF | Experiment 2 | RFC 8300 | + +---------------+--------------+-----------+ + + Table 8: NSH Base Header Next Protocol Values + + Expert Review requests MUST include a single codepoint per request. + Designated Experts evaluating new allocation requests from this + registry should consider the potential scarcity of codepoints for an + 8-bit value, and check both for duplications and availability of + documentation. If the actual assignment of the Next Protocol field + allocation reaches half of the range (that is, when there are 128 + unassigned values), IANA needs to alert the IESG. At that point, a + new more strict allocation policy SHOULD be considered. + +10. NSH-Related Codepoints + +10.1. NSH Ethertype + + An IEEE Ethertype, 0x894F, has been allocated for NSH. + + + + + + +Quinn, et al. Standards Track [Page 35] + +RFC 8300 Network Service Header (NSH) January 2018 + + +11. References + +11.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + . + + [RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function + Chaining (SFC) Architecture", RFC 7665, + DOI 10.17487/RFC7665, October 2015, + . + + [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for + Writing an IANA Considerations Section in RFCs", BCP 26, + RFC 8126, DOI 10.17487/RFC8126, June 2017, + . + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . + +11.2. Informative References + + [NSH-BROADBAND-ALLOCATION] + Napper, J., Kumar, S., Muley, P., Henderickx, W., and M. + Boucadair, "NSH Context Header Allocation -- Broadband", + Work in Progress, draft-napper-sfc-nsh-broadband- + allocation-04, November 2017. + + [NSH-DC-ALLOCATION] + Guichard, J., Smith, M., Kumar, S., Majee, S., Agarwal, + P., Glavin, K., Laribi, Y., and T. Mizrahi, "Network + Service Header (NSH) MD Type 1: Context Header Allocation + (Data Center)", Work in Progress, + draft-guichard-sfc-nsh-dc-allocation-07, August 2017. + + [NSH-ENCRYPT] + Reddy, T., Patil, P., Fluhrer, S., and P. Quinn, + "Authenticated and encrypted NSH service chains", Work in + Progress, draft-reddy-sfc-nsh-encrypt-00, April 2015. + + + + + + + + + +Quinn, et al. Standards Track [Page 36] + +RFC 8300 Network Service Header (NSH) January 2018 + + + [PROOF-OF-TRANSIT] + Brockners, F., Bhandari, S., Dara, S., Pignataro, C., + Leddy, J., Youell, S., Mozes, D., and T. Mizrahi, "Proof + of Transit", Work in Progress, draft-brockners-proof- + of-transit-04, October 2017. + + [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. + Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, + DOI 10.17487/RFC2784, March 2000, + . + + [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC + Text on Security Considerations", BCP 72, RFC 3552, + DOI 10.17487/RFC3552, July 2003, + . + + [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers + Considered Useful", BCP 82, RFC 3692, + DOI 10.17487/RFC3692, January 2004, + . + + [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and + Internet Key Exchange (IKE) Document Roadmap", RFC 6071, + DOI 10.17487/RFC6071, February 2011, + . + + [RFC6291] Andersson, L., van Helvoort, H., Bonica, R., Romascanu, + D., and S. Mansfield, "Guidelines for the Use of the "OAM" + Acronym in the IETF", BCP 161, RFC 6291, + DOI 10.17487/RFC6291, June 2011, + . + + [RFC7325] Villamizar, C., Ed., Kompella, K., Amante, S., Malis, A., + and C. Pignataro, "MPLS Forwarding Compliance and + Performance Requirements", RFC 7325, DOI 10.17487/RFC7325, + August 2014, . + + [RFC7498] Quinn, P., Ed. and T. Nadeau, Ed., "Problem Statement for + Service Function Chaining", RFC 7498, + DOI 10.17487/RFC7498, April 2015, + . + + [RFC7676] Pignataro, C., Bonica, R., and S. Krishnan, "IPv6 Support + for Generic Routing Encapsulation (GRE)", RFC 7676, + DOI 10.17487/RFC7676, October 2015, + . + + + + + +Quinn, et al. Standards Track [Page 37] + +RFC 8300 Network Service Header (NSH) January 2018 + + + [RFC8165] Hardie, T., "Design Considerations for Metadata + Insertion", RFC 8165, DOI 10.17487/RFC8165, May 2017, + . + + [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., + "Path MTU Discovery for IP version 6", STD 87, RFC 8201, + DOI 10.17487/RFC8201, July 2017, + . + + [RTG-ENCAP] + Nordmark, E., Tian, A., Gross, J., Hudson, J., Kreeger, + L., Garg, P., Thaler, P., and T. Herbert, "Encapsulation + Considerations", Work in Progress, + draft-ietf-rtgwg-dt-encap-02, October 2016. + + [SFC-CONTROL-PLANE] + Boucadair, M., "Service Function Chaining (SFC) Control + Plane Components & Requirements", Work in Progress, + draft-ietf-sfc-control-plane-08, October 2016. + + [SFC-OAM-FRAMEWORK] + Aldrin, S., Pignataro, C., Kumar, N., Akiya, N., Krishnan, + R., and A. Ghanwani, "Service Function Chaining (SFC) + Operation, Administration and Maintenance (OAM) + Framework", Work in Progress, + draft-ietf-sfc-oam-framework-03, September 2017. + + [VXLAN-GPE] + Maino, F., Kreeger, L., and U. Elzur, "Generic Protocol + Extension for VXLAN", Work in Progress, + draft-ietf-nvo3-vxlan-gpe-05, October 2017. + +Acknowledgments + + The authors would like to thank Sunil Vallamkonda, Nagaraj Bagepalli, + Abhijit Patra, Peter Bosch, Darrel Lewis, Pritesh Kothari, Tal + Mizrahi, and Ken Gray for their detailed reviews, comments, and + contributions. + + A special thank you goes to David Ward and Tom Edsall for their + guidance and feedback. + + Additionally, the authors would like to thank Larry Kreeger for his + invaluable ideas and contributions, which are reflected throughout + this document. + + Loa Andersson provided a thorough review and valuable comments; we + thank him for that. + + + +Quinn, et al. Standards Track [Page 38] + +RFC 8300 Network Service Header (NSH) January 2018 + + + Reinaldo Penno deserves a particular thank you for his architecture + and implementation work that helped guide the protocol concepts and + design. + + The editors also acknowledge comprehensive reviews and respective + useful suggestions by Med Boucadair, Adrian Farrel, Juergen + Schoenwaelder, Acee Lindem, and Kathleen Moriarty. + + Lastly, David Dolson has provided significant review, feedback, and + suggestions throughout the evolution of this document. His + contributions are very much appreciated. + +Contributors + + This WG document originated as draft-quinn-sfc-nsh; the following are + its coauthors and contributors along with their respective + affiliations at the time of WG adoption. The editors of this + document would like to thank and recognize them and their + contributions. These coauthors and contributors provided invaluable + concepts and content for this document's creation. + + o Jim Guichard, Cisco Systems, Inc. + o Surendra Kumar, Cisco Systems, Inc. + o Michael Smith, Cisco Systems, Inc. + o Wim Henderickx, Alcatel-Lucent + o Tom Nadeau, Brocade + o Puneet Agarwal + o Rajeev Manur, Broadcom + o Abhishek Chauhan, Citrix + o Joel Halpern, Ericsson + o Sumandra Majee, F5 + o David Melman, Marvell + o Pankaj Garg, Microsoft + o Brad McConnell, Rackspace + o Chris Wright, Red Hat, Inc. + o Kevin Glavin, Riverbed + o Hong (Cathy) Zhang, Huawei US R&D + o Louis Fourie, Huawei US R&D + o Ron Parker, Affirmed Networks + o Myo Zarny, Goldman Sachs + o Andrew Dolganow, Alcatel-Lucent + o Rex Fernando, Cisco Systems, Inc. + o Praveen Muley, Alcatel-Lucent + o Navindra Yadav, Cisco Systems, Inc. + + + + + + + +Quinn, et al. Standards Track [Page 39] + +RFC 8300 Network Service Header (NSH) January 2018 + + +Authors' Addresses + + Paul Quinn (editor) + Cisco Systems, Inc. + + Email: paulq@cisco.com + + + Uri Elzur (editor) + Intel + + Email: uri.elzur@intel.com + + + Carlos Pignataro (editor) + Cisco Systems, Inc. + + Email: cpignata@cisco.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Quinn, et al. Standards Track [Page 40] + -- cgit v1.2.3