1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
|
Internet Engineering Task Force (IETF) H. Chen, Ed.
Request for Comments: 8424 Huawei Technologies
Category: Experimental R. Torvi, Ed.
ISSN: 2070-1721 Juniper Networks
August 2018
Extensions to RSVP-TE for Label Switched Path (LSP)
Ingress Fast Reroute (FRR) Protection
Abstract
This document describes extensions to Resource Reservation Protocol -
Traffic Engineering (RSVP-TE) for locally protecting the ingress node
of a Point-to-Point (P2P) or Point-to-Multipoint (P2MP) Traffic
Engineered (TE) Label Switched Path (LSP). It extends the Fast
Reroute (FRR) protection for transit nodes of an LSP to the ingress
node of the LSP. The procedures described in this document are
experimental.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are candidates for any level of
Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8424.
Chen & Torvi Experimental [Page 1]
^L
RFC 8424 LSP Ingress Protection August 2018
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Chen & Torvi Experimental [Page 2]
^L
RFC 8424 LSP Ingress Protection August 2018
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Ingress Local Protection Example . . . . . . . . . . . . 5
1.2. Ingress Local Protection Overview . . . . . . . . . . . . 6
2. Conventions Used in This Document . . . . . . . . . . . . . . 7
3. Ingress Failure Detection . . . . . . . . . . . . . . . . . . 7
3.1. Source Detects Failure . . . . . . . . . . . . . . . . . 7
3.2. Backup and Source Detect Failure . . . . . . . . . . . . 8
4. Backup Forwarding State . . . . . . . . . . . . . . . . . . . 9
4.1. Forwarding State for Backup LSP . . . . . . . . . . . . . 9
5. Protocol Extensions . . . . . . . . . . . . . . . . . . . . . 9
5.1. INGRESS_PROTECTION Object . . . . . . . . . . . . . . . . 10
5.1.1. Class Number and Class Type . . . . . . . . . . . . . 10
5.1.2. Object Format . . . . . . . . . . . . . . . . . . . . 11
5.1.3. Subobject: Backup Ingress IPv4 Address . . . . . . . 12
5.1.4. Subobject: Backup Ingress IPv6 Address . . . . . . . 13
5.1.5. Subobject: Ingress IPv4 Address . . . . . . . . . . . 13
5.1.6. Subobject: Ingress IPv6 Address . . . . . . . . . . . 13
5.1.7. Subobject: TRAFFIC_DESCRIPTOR . . . . . . . . . . . . 14
5.1.8. Subobject: Label-Routes . . . . . . . . . . . . . . . 15
6. Behavior of Ingress Protection . . . . . . . . . . . . . . . 15
6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 15
6.1.1. Relay-Message Method . . . . . . . . . . . . . . . . 15
6.1.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . 16
6.2. Ingress Behavior . . . . . . . . . . . . . . . . . . . . 17
6.2.1. Relay-Message Method . . . . . . . . . . . . . . . . 17
6.2.2. Proxy-Ingress Method . . . . . . . . . . . . . . . . 18
6.3. Backup Ingress Behavior . . . . . . . . . . . . . . . . . 19
6.3.1. Backup Ingress Behavior in the Off-Path Case . . . . 20
6.3.2. Backup Ingress Behavior in the On-Path Case . . . . . 22
6.3.3. Failure Detection and Refresh PATH Messages . . . . . 23
6.4. Revertive Behavior . . . . . . . . . . . . . . . . . . . 23
6.4.1. Revert to Primary Ingress . . . . . . . . . . . . . . 24
6.4.2. Global Repair by Backup Ingress . . . . . . . . . . . 24
7. Security Considerations . . . . . . . . . . . . . . . . . . . 24
8. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 24
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 25
10.1. Normative References . . . . . . . . . . . . . . . . . . 25
10.2. Informative References . . . . . . . . . . . . . . . . . 26
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 26
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
Chen & Torvi Experimental [Page 3]
^L
RFC 8424 LSP Ingress Protection August 2018
1. Introduction
For an MPLS Traffic Engineered (TE) Label Switched Path (LSP),
protecting the failures of its transit nodes using Fast Reroute (FRR)
is covered in [RFC4090] for Point-to-Point (P2P) LSPs and [RFC4875]
for Point-to-Multipoint (P2MP) LSPs. However, protecting the failure
of its ingress node using FRR is not covered in either [RFC4090] or
[RFC4875]. The MPLS Transport Profile (MPLS-TP) Linear Protection
described in [RFC6378] can provide a protection against the failure
of any transit node of an LSP between the ingress node and the egress
node of the LSP, but it cannot protect against the failure of the
ingress node.
To protect against the failure of the (primary) ingress node of a
primary end-to-end P2MP (or P2P) TE LSP, a typical existing solution
is to set up a secondary backup end-to-end P2MP (or P2P) TE LSP. The
backup LSP is from a backup ingress node to backup egress nodes (or
node). The backup ingress node is different from the primary ingress
node. The backup egress nodes (or node) are (or is) different from
the primary egress nodes (or node) of the primary LSP. For a P2MP TE
LSP, on each of the primary (and backup) egress nodes, a P2P LSP is
created from the egress node to its primary (backup) ingress node and
configured with Bidirectional Forwarding Detection (BFD). This is
used to detect the failure of the primary (backup) ingress node for
the receiver to switch to the backup (or primary) egress node to
receive the traffic after the primary (or backup) ingress node fails
when both the primary LSP and the secondary LSP carry the traffic.
In addition, FRR may be used to provide protections against the
failures of the transit nodes and the links of the primary and
secondary end-to-end TE LSPs.
There are a number of issues in this solution:
o It consumes lots of network resources. Double states need to be
maintained in the network since two end-to-end TE LSPs are
created. Double link bandwidth is reserved and used when both the
primary and the secondary end-to-end TE LSPs carry the traffic at
the same time.
o More operations are needed, which include the configuration of two
end-to-end TE LSPs and BFDs from each of the egress nodes to its
corresponding ingress node.
o The detection of the failure of the ingress node may not be
reliable. Any failure on the path of the BFD from an egress node
to an ingress node may cause the BFD to indicate the failure of
the ingress node.
Chen & Torvi Experimental [Page 4]
^L
RFC 8424 LSP Ingress Protection August 2018
o The speed of protection against the failure of the ingress node
may be slow.
This specification defines a simple extension to RSVP-TE for local
protection (FRR) of the ingress node of a P2MP or P2P LSP to resolve
these issues. Ingress local protection and ingress FRR protection
will be used interchangeably.
Note that this document is an Experimental RFC. Two different
approaches are proposed to transfer the information for ingress
protection. They both use the same new INGRESS_PROTECTION object,
which is sent in both PATH and RESV messages between a primary
ingress and a backup ingress. One approach is the Relay-Message
Method (refer to Sections 6.1.1 and 6.2.1), the other is the Proxy-
Ingress Method (refer to Sections 6.1.2 and 6.2.2). Each of them has
advantages and disadvantages. It is hard to decide which one is used
as a standard approach now. It is expected that the experiment on
the ingress local protection with these two approaches will provide
quantities to help choose one. The quantities include the numbers on
control traffic, states, codes, and operations. After one approach
is selected, the document will be revised to reflect that selection
and any other items learned from the experiment. The revised
document is expected to be submitted for publication on the standards
track.
1.1. Ingress Local Protection Example
Figure 1 shows an example of using a backup P2MP LSP to locally
protect the ingress of a primary P2MP LSP, which is from ingress Ia
to three egresses: L1, L2, and L3. The backup LSP is from backup
ingress Ib to the next hops of ingress Ia: R2 and R4.
Chen & Torvi Experimental [Page 5]
^L
RFC 8424 LSP Ingress Protection August 2018
******* ******* S Source
[R2]-----[R3]-----[L1] Ix Ingress
*/ & Rx Transit
*/ & Lx Egress
*/ & *** Primary LSP
*/ & &&& Backup LSP across
*/ & Logical Hop
*/ &
*/ ******** ******** *******
[S]---[Ia]--------[R4]------[R5]-----[L2]
\ | & & *\
\ | & & *\
\ | & & *\
\ | & & *\
\ | & & *\
\ |& & *\
[Ib]&&& [L3]
Figure 1: Ingress Local Protection
In normal operations, source S sends the traffic to primary ingress
Ia. Ia imports the traffic into the primary LSP.
When source S detects the failure of Ia, it switches the traffic to
backup ingress Ib, which imports the traffic from S into the backup
LSP to Ia's next hops, R2 and R4, where the traffic is merged into
the primary LSP and then sent to egresses L1, L2, and L3.
Note that the backup ingress is one logical hop away from the
ingress. A logical hop is a direct link or a tunnel (such as a GRE
tunnel) over which RSVP-TE messages may be exchanged.
1.2. Ingress Local Protection Overview
There are four parts in ingress local protection:
o setting up the necessary backup LSP forwarding state based on the
information received for ingress local protection;
o detecting the primary ingress failure and providing the fast
repair (as discussed in Sections 3 and 4);
o maintaining the RSVP-TE control-plane state until a global repair
is done; and,
o performing the global repair (see Section 6.4.2).
Chen & Torvi Experimental [Page 6]
^L
RFC 8424 LSP Ingress Protection August 2018
The primary ingress of a primary LSP sends the backup ingress the
information for ingress protection in a PATH message with a new
INGRESS_PROTECTION object. The backup ingress sets up the backup
LSP(s) and forwarding state after receiving the necessary information
for ingress protection. Then, it sends the primary ingress the
status of ingress protection in a RESV message with a new
INGRESS_PROTECTION object.
When the primary ingress fails, the backup ingress sends or refreshes
the next hops of the primary ingress the PATH messages without any
INGRESS_PROTECTION object after verifying the failure. Thus, the
RSVP-TE control-plane state of the primary LSP is maintained.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Ingress Failure Detection
Exactly how to detect the failure of the ingress is out of scope.
However, it is necessary to discuss different modes for detecting the
failure because they determine what is the required behavior for the
source and backup ingress.
3.1. Source Detects Failure
Source Detects Failure, or Source-Detect for short, means that the
source is responsible for "fast detecting" the failure of the primary
ingress of an LSP. Fast detecting the failure means detecting the
failure in a few or tens of milliseconds. The backup ingress is
ready to import the traffic from the source into the backup LSP(s)
after the backup LSP(s) is up.
In normal operations, the source sends the traffic to the primary
ingress. When the source detects the failure of the primary ingress,
it switches the traffic to the backup ingress, which delivers the
traffic to the next hops of the primary ingress through the backup
LSP(s), where the traffic is merged into the primary LSP.
For an LSP, after the primary ingress fails, the backup ingress MUST
use a method to verify the failure of the primary ingress before the
PATH message for the LSP expires at the next hop of the primary
ingress. After verifying the failure, the backup ingress sends/
Chen & Torvi Experimental [Page 7]
^L
RFC 8424 LSP Ingress Protection August 2018
refreshes the PATH message to the next hop through the backup LSP as
needed. The method may verify the failure of the primary ingress
slowly, such as in seconds.
After the primary ingress fails, it will not be reachable after
routing convergence. Thus, checking whether the primary ingress
(address) is reachable is a possible method.
When the previously failed primary ingress of a primary LSP becomes
available again and the primary LSP has recovered from its primary
ingress, the source may switch the traffic to the primary ingress
from the backup ingress. An operator may control the traffic switch
through using a command on the source node after seeing that the
primary LSP has recovered.
3.2. Backup and Source Detect Failure
Backup and Source Detect Failure, or Backup-Source-Detect for short,
means that both the backup ingress and the source are concurrently
responsible for fast detecting the failure of the primary ingress.
Note that one of the differences between Source-Detect and Backup-
Source-Detect is the following: in the former, the backup ingress
verifies the failure of the primary ingress slowly, such as in
seconds; in the latter, the backup ingress detects the failure fast,
such as in a few or tens of milliseconds.
In normal operations, the source sends the traffic to the primary
ingress. It switches the traffic to the backup ingress when it
detects the failure of the primary ingress.
The backup ingress does not import any traffic from the source into
the backup LSP in normal operations. When it detects the failure of
the primary ingress, it imports the traffic from the source into the
backup LSP to the next hops of the primary ingress, where the traffic
is merged into the primary LSP.
The Source-Detect is preferred. It is simpler than the Backup-
Source-Detect, which needs both the source and the backup ingress to
detect the ingress failure quickly.
Chen & Torvi Experimental [Page 8]
^L
RFC 8424 LSP Ingress Protection August 2018
4. Backup Forwarding State
Before the primary ingress fails, the backup ingress is responsible
for creating the necessary backup LSPs. These LSPs might be multiple
bypass P2P LSPs that avoid the ingress. Alternately, the backup
ingress could choose to use a single backup P2MP LSP as a bypass or
detour to protect the primary ingress of a primary P2MP LSP.
The backup ingress may be "off path" or "on path" of an LSP. If a
backup ingress is not any node of the LSP, it is off path. If a
backup ingress is a next hop of the primary ingress of the LSP, it is
on path. When a backup ingress for protecting the primary ingress is
configured, the backup ingress MUST not be on the LSP except for if
it is the next hop of the primary ingress. If it is on path, the
primary forwarding state associated with the primary LSP SHOULD be
clearly separated from the backup LSP(s) state.
4.1. Forwarding State for Backup LSP
A forwarding entry for a backup LSP is created on the backup ingress
after the LSP is set up. Depending on the failure-detection mode
(e.g., Source-Detect), it may be used to forward received traffic or
simply be inactive (e.g., Backup-Source-Detect) until required. In
either case, when the primary ingress fails, this entry is used to
import the traffic into the backup LSP to the next hops of the
primary ingress, where the traffic is merged into the primary LSP.
The forwarding entry for a backup LSP is a local implementation
issue. In one device, it may have an inactive flag. This inactive
forwarding entry is not used to forward any traffic normally. When
the primary ingress fails, it is changed to active; thus, the traffic
from the source is imported into the backup LSP.
5. Protocol Extensions
A new object, INGRESS_PROTECTION, is defined for signaling ingress
local protection. The primary ingress of a primary LSP sends the
backup ingress this object in a PATH message. In this case, the
object contains the information needed to set up ingress protection.
The information includes:
o the Backup Ingress IP Address, which indicates the backup ingress;
o the TRAFFIC_DESCRIPTOR, which describes the traffic that the
primary LSP transports (this traffic is imported into the backup
LSP(s) on the backup ingress when the primary ingress fails);
Chen & Torvi Experimental [Page 9]
^L
RFC 8424 LSP Ingress Protection August 2018
o the Labels and Routes, which indicate the first hops of the
primary LSP, each of which is paired with its label; and,
o the Desire options on ingress protection, such as a P2MP option,
which indicates a desire to use a backup P2MP LSP to protect the
primary ingress of a primary P2MP LSP.
The backup ingress sends the primary ingress this object in a RESV
message. In this case, the object contains the information about the
status on the ingress protection.
5.1. INGRESS_PROTECTION Object
5.1.1. Class Number and Class Type
The Class Number for the INGRESS_PROTECTION object MUST be of the
form 0bbbbbbb to enable implementations that do not recognize the
object to reject the entire message and return an "Unknown Object
Class" error [RFC2205]. It is suggested that a Class Number value
from the Private Use range (124-127) [RFC3936] specified for the
0bbbbbbb octet be chosen for this experiment. It is also suggested
that a Class Type value of 1 be used for this object in this
experiment.
The INGRESS_PROTECTION object with the FAST_REROUTE object in a PATH
message is used to control the backup for protecting the primary
ingress of a primary LSP. The primary ingress MUST insert this
object into the PATH message to be sent to the backup ingress for
protecting the primary ingress.
Chen & Torvi Experimental [Page 10]
^L
RFC 8424 LSP Ingress Protection August 2018
5.1.2. Object Format
The INGRESS_PROTECTION object has the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length (bytes) | Class-Num | C-Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved (zero) | NUB | Flags | Options |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ (Subobjects) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Flags
0x01 Ingress local protection available
0x02 Ingress local protection in use
0x04 Bandwidth protection
Options
0x01 Revert to Ingress
0x02 P2MP Backup
For protecting the ingress of a P2MP LSP, if the backup ingress
doesn't have a backup LSP to each of the next hops of the primary
ingress, it SHOULD clear "Ingress local protection available" and set
the Number of Unprotected Branches (NUB) to the number of the next
hops to which there is no backup LSP.
The flags are used to communicate status information from the backup
ingress to the primary ingress.
o Ingress local protection available: The backup ingress MUST set
this flag after backup LSPs are up and ready for locally protecting
the primary ingress. The backup ingress sends this to the primary
ingress to indicate that the primary ingress is locally protected.
o Ingress local protection in use: The backup ingress MUST set this
flag when it detects a failure in the primary ingress and actively
redirects the traffic into the backup LSPs. The backup ingress
records this flag and does not send any RESV messages with this
flag to the primary ingress since the primary ingress is down.
o Bandwidth protection: The backup ingress MUST set this flag if the
backup LSPs guarantee to provide the desired bandwidth for the
protected LSP against the primary ingress failure.
Chen & Torvi Experimental [Page 11]
^L
RFC 8424 LSP Ingress Protection August 2018
The options are used by the primary ingress to specify the desired
behavior to the backup ingress.
o Revert to Ingress: The primary ingress sets this option, which
indicates that the traffic for the primary LSP, if successfully
resignaled, will be switched back to the primary ingress from the
backup ingress when the primary ingress is restored.
o P2MP Backup: This option is set to ask for the backup ingress to
use backup P2MP LSP to protect the primary ingress.
The INGRESS_PROTECTION object may contain some subobjects of
following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |Reserved (zero)|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Contents / Body of Subobject |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
where Type is the type of a subobject and Length is the total size of
the subobject in bytes, including Type, Length, and Contents fields.
5.1.3. Subobject: Backup Ingress IPv4 Address
When the primary ingress of a protected LSP sends a PATH message with
an INGRESS_PROTECTION object to the backup ingress, the object MUST
have a Backup Ingress IPv4 Address subobject containing an IPv4
address belonging to the backup ingress if IPv4 is used. The Type of
the subobject is 1, and the body of the subobject is given below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Backup Ingress IPv4 Address (4 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Backup Ingress IPv4 Address: An IPv4 host address of backup ingress
Chen & Torvi Experimental [Page 12]
^L
RFC 8424 LSP Ingress Protection August 2018
5.1.4. Subobject: Backup Ingress IPv6 Address
When the primary ingress of a protected LSP sends a PATH message with
an INGRESS_PROTECTION object to the backup ingress, the object MUST
have a Backup Ingress IPv6 Address subobject containing an IPv6
address belonging to the backup ingress if IPv6 is used. The Type of
the subobject is 2, the body of the subobject is given below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Backup Ingress IPv6 Address (16 bytes) |
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Backup Ingress IPv6 Address: An IPv6 host address of backup ingress
5.1.5. Subobject: Ingress IPv4 Address
The INGRESS_PROTECTION object may have an Ingress IPv4 Address
subobject containing an IPv4 address belonging to the primary ingress
if IPv4 is used. The Type of the subobject is 3. The subobject has
the following body:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ingress IPv4 Address (4 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Ingress IPv4 Address: An IPv4 host address of ingress
5.1.6. Subobject: Ingress IPv6 Address
The INGRESS_PROTECTION object may have an Ingress IPv6 Address
subobject containing an IPv6 address belonging to the primary ingress
if IPv6 is used. The Type of the subobject is 4. The subobject has
the following body:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ingress IPv6 Address (16 bytes) |
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Ingress IPv6 Address: An IPv6 host address of ingress
Chen & Torvi Experimental [Page 13]
^L
RFC 8424 LSP Ingress Protection August 2018
5.1.7. Subobject: TRAFFIC_DESCRIPTOR
The INGRESS_PROTECTION object may have a TRAFFIC_DESCRIPTOR subobject
describing the traffic to be mapped to the backup LSP on the backup
ingress for locally protecting the primary ingress. The subobject
types for Interface, IPv4 Prefix, IPv6 Prefix, and Application
Identifier are 5, 6, 7, and 8, respectively. The subobject has the
following body:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Traffic Element 1 |
~ ~
| Traffic Element n |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The TRAFFIC_DESCRIPTOR subobject may contain multiple Traffic
Elements of the same type as follows:
o Interface Traffic: Each of the Traffic Elements is a 32-bit index
of an interface from which the traffic is imported into the backup
LSP.
o IPv4 Prefix Traffic: Each of the Traffic Elements is an IPv4
prefix that contains an 8-bit prefix length followed by an IPv4
address prefix (whose length, in bits, is specified by the prefix
length) that is padded to a byte boundary.
o IPv6 Prefix Traffic Each of the Traffic Elements is an IPv6
prefix, containing an 8-bit prefix length followed by an IPv6
address prefix (whose length, in bits, is specified by the prefix
length) that is padded to a byte boundary.
o Application Traffic: Each of the Traffic Elements is a 32-bit
identifier of an application from which the traffic is imported
into the backup LSP.
Chen & Torvi Experimental [Page 14]
^L
RFC 8424 LSP Ingress Protection August 2018
5.1.8. Subobject: Label-Routes
The INGRESS_PROTECTION object in a PATH message from the primary
ingress to the backup ingress may have a Label-Routes subobject
containing the labels and routes that the next hops of the ingress
use. The Type of the subobject is 9. The subobject has the
following body:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Subobjects ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Subobjects in Label-Routes are copied from those in the
RECORD_ROUTE objects in the RESV messages that the primary ingress
receives from its next hops for the primary LSP. They MUST contain
the first hops of the LSP, each of which is paired with its label.
6. Behavior of Ingress Protection
6.1. Overview
There are two different proposed signaling approaches to transfer the
information for ingress protection. They both use the same new
INGRESS_PROTECTION object. The object is sent in both PATH and RESV
messages.
6.1.1. Relay-Message Method
The primary ingress relays the information for ingress protection of
an LSP to the backup ingress via PATH messages. Once the LSP is
created, the ingress of the LSP sends the backup ingress a PATH
message with an INGRESS_PROTECTION object with a Label-Routes
subobject, which is populated with the next hops and labels. This
provides sufficient information for the backup ingress to create the
appropriate forwarding state and backup LSP(s).
The ingress also sends the backup ingress all the other PATH messages
for the LSP with an empty INGRESS_PROTECTION object. An
INGRESS_PROTECTION object without any TRAFFIC_DESCRIPTOR subobject is
called an empty INGRESS_PROTECTION object. Thus, the backup ingress
has access to all the PATH messages needed for modification to
refresh the control-plane state after a failure.
The empty INGRESS_PROTECTION object is for efficient processing of
ingress protection for a P2MP LSP. A P2MP LSP's primary ingress may
have more than one PATH message, each of which is sent to a next hop
Chen & Torvi Experimental [Page 15]
^L
RFC 8424 LSP Ingress Protection August 2018
along a branch of the P2MP LSP. The PATH message along a branch will
be selected and sent to the backup ingress with an INGRESS_PROTECTION
object containing the TRAFFIC_DESCRIPTOR subobject; all the PATH
messages along the other branches will be sent to the backup ingress
containing an INGRESS_PROTECTION object without any
TRAFFIC_DESCRIPTOR subobject (empty INGRESS_PROTECTION object). For
a P2MP LSP, the backup ingress only needs one TRAFFIC_DESCRIPTOR.
6.1.2. Proxy-Ingress Method
Conceptually, a proxy ingress is created that starts the RSVP
signaling. The explicit path of the LSP goes from the proxy ingress
to the backup ingress and then to the real ingress. The behavior and
signaling for the proxy ingress is done by the real ingress; the use
of a proxy-ingress address avoids problems with loop detection. Note
that the proxy ingress MUST reside within the same router as the real
ingress.
[ Traffic Source ] *** Primary LSP
$ $ --- Backup LSP
$ $ $$ Link
$ $
[ Proxy Ingress ] [ Backup ]
[ & Ingress ] |
* |
*****[ MP ]----|
Figure 2: Example of a Protected LSP with a Proxy-Ingress Node
The backup ingress MUST know the merge points or next hops and their
associated labels. This is accomplished by having the RSVP PATH and
RESV messages go through the backup ingress, although the forwarding
path need not go through the backup ingress. If the backup ingress
fails, the ingress simply removes the INGRESS_PROTECTION object and
forwards the PATH messages to the LSP's next hop(s). If the ingress
has its LSP configured for ingress protection, then the ingress can
add the backup ingress and itself to the Explicit Route Object (ERO)
and start forwarding the PATH messages to the backup ingress.
Slightly different behavior can apply for the on-path and off-path
cases. In the on-path case, the backup ingress is a next-hop node
after the ingress for the LSP. In the off-path case, the backup
ingress is not any next-hop node after the ingress for all associated
sub-LSPs.
The key advantage of this approach is that it minimizes the special
handling code required. Because the backup ingress is on the
signaling path, it can receive various notifications. It easily has
Chen & Torvi Experimental [Page 16]
^L
RFC 8424 LSP Ingress Protection August 2018
access to all the PATH messages needed for a modification to be sent
to refresh the control-plane state after a failure.
6.2. Ingress Behavior
The primary ingress MUST be configured with a couple of pieces of
information for ingress protection.
o Backup Ingress Address: The primary ingress MUST know the IP
address of the backup ingress it wants to be used before it can use
the INGRESS_PROTECTION object.
o Proxy-Ingress-Id (only needed for Proxy-Ingress Method): The
Proxy-Ingress-Id is only used in the RECORD_ROUTE object for
recording the proxy ingress. If no Proxy-Ingress-Id is specified,
then a local interface address that will not otherwise be included
in the RECORD_ROUTE object can be used. A similar technique is
used in Section 6.1.1. of [RFC4090].
o Application Traffic Identifier: The primary ingress and backup
ingress MUST both know what application traffic should be directed
into the LSP. If a list of prefixes in the TRAFFIC_DESCRIPTOR
subobject will not suffice, then a commonly understood Application
Traffic Identifier can be sent between the primary ingress and
backup ingress. The exact meaning of the identifier should be
configured similarly at both the primary ingress and backup
ingress. The Application Traffic Identifier is understood within
the unique context of the primary ingress and backup ingress.
o A Connection between Backup Ingress and Primary Ingress: If there
is not any direct link between the primary ingress and the backup
ingress, a tunnel MUST be configured between them.
With this additional information, the primary ingress can create and
signal the necessary RSVP extensions to support ingress protection.
6.2.1. Relay-Message Method
To protect the primary ingress of an LSP, the primary ingress MUST do
the following after the LSP is up.
1. Select a PATH message P0 for the LSP.
2. If the backup ingress is off path (the backup ingress is not the
next hop of the primary ingress for P0), then send it a PATH
message P0' with the content from P0 and an INGRESS_PROTECTION
object; else (the backup ingress is a next hop, i.e., on-path
case) add an INGRESS_PROTECTION object into the existing PATH
Chen & Torvi Experimental [Page 17]
^L
RFC 8424 LSP Ingress Protection August 2018
message to the backup ingress (i.e., the next hop). The object
contains the TRAFFIC_DESCRIPTOR subobject, the Backup Ingress
Address subobject and the Label-Routes subobject. The options
field is set to indicate whether a backup P2MP LSP is desired.
The Label-Routes subobject contains the next hops of the primary
ingress and their labels. Note that for the on-path case, there
is an existing PATH message to the backup ingress (i.e., the next
hop), and we just add an INGRESS_PROTECTION object into the
existing PATH message to be sent to the backup ingress. We do
not send a separate PATH message to the backup ingress for this
existing PATH message.
3. For each Pi of the other PATH messages for the LSP, send the
backup ingress a PATH message Pi' with the content copied from Pi
and an empty INGRESS_PROTECTION object.
For every PATH message Pj' (i.e., P0'/Pi') to be sent to the backup
ingress, it has the same SESSION as Pj (i.e., P0/Pi). If the backup
ingress is off path, the primary ingress updates Pj' according to the
backup ingress as its next hop before sending it. It adds the backup
ingress to the beginning of the ERO and sets RSVP_HOP based on the
interface to the backup ingress. The primary ingress MUST NOT set up
any forwarding state to the backup ingress if the backup ingress is
off path.
6.2.2. Proxy-Ingress Method
The primary ingress is responsible for starting the RSVP signaling
for the proxy-ingress node. To do this, the following MUST be done
for the RSVP PATH message.
1. Compute the EROs for the LSP as normal for the ingress.
2. If the selected backup ingress node is not the first node on the
path (for all sub-LSPs), then insert it at the beginning of the
ERO first, then the backup ingress node, and then the ingress
node.
3. In the PATH RECORD_ROUTE Object (RRO), instead of recording the
ingress node's address, replace it with the Proxy-Ingress-Id.
4. Leave the hop (HOP) object populated as usual with information
for the ingress node.
5. Add the INGRESS_PROTECTION object to the PATH message. Include
the Backup Ingress Address (IPv4 or IPv6) subobject and the
TRAFFIC_DESCRIPTOR subobject. Set or clear the options
indicating that a backup P2MP LSP is desired.
Chen & Torvi Experimental [Page 18]
^L
RFC 8424 LSP Ingress Protection August 2018
6. Optionally, add the FAST-REROUTE object [RFC4090] to the Path
message. Indicate whether one-to-one backup is desired.
Indicate whether facility backup is desired.
7. The RSVP PATH message is sent to the backup node as normal.
If the ingress detects that it can't communicate with the backup
ingress, then the ingress SHOULD instead send the PATH message to the
next hop indicated in the ERO computed in step 1. Once the ingress
detects that it can communicate with the backup ingress, the ingress
SHOULD follow steps 1-7 to obtain ingress failure protection.
When the ingress node receives an RSVP PATH message with an
INGRESS_PROTECTION object and the object specifies that node as the
ingress node and the Previous Hop (PHOP) as the backup ingress node,
the ingress node SHOULD remove the INGRESS_PROTECTION object from the
PATH message before sending it out. Additionally, the ingress node
MUST store that it will install ingress forwarding state for the LSP
rather than midpoint forwarding.
When an RSVP RESV message is received by the ingress, it uses the
Next Hop (NHOP) to determine whether the message is received from the
backup ingress or from a different node. The stored associated PATH
message contains an INGRESS_PROTECTION object that identifies the
backup ingress node. If the RESV message is not from the backup
node, then the ingress forwarding state SHOULD be set up, and the
INGRESS_PROTECTION object MUST be added to the RESV before it is sent
to the NHOP, which SHOULD be the backup node. If the RESV message is
from the backup node, then the LSP SHOULD be considered available for
use.
If the backup ingress node is on the forwarding path, then a RESV is
received with an INGRESS_PROTECTION object and an NHOP that matches
the backup ingress. In this case, the ingress node's address will
not appear after the backup ingress in the RRO. The ingress node
SHOULD set up the ingress forwarding state, just as is done if the
ingress node of the LSP weren't protected.
6.3. Backup Ingress Behavior
A Label Edge Router (LER) determines that the ingress local
protection is requested for an LSP if the INGRESS_PROTECTION object
is included in the PATH message it receives for the LSP. The LER can
further determine that it is the backup ingress if one of its
addresses is in the Backup Ingress Address subobject of the
INGRESS_PROTECTION object. The LER as the backup ingress will assume
full responsibility of the ingress after the primary ingress fails.
In addition, the LER determines that it is off path if it is not any
Chen & Torvi Experimental [Page 19]
^L
RFC 8424 LSP Ingress Protection August 2018
node of the LSP. The LER determines whether it uses the Relay-
Message Method or the Proxy-Ingress Method according to
configurations.
6.3.1. Backup Ingress Behavior in the Off-Path Case
The backup ingress considers itself a Point of Local Repair (PLR) and
the primary ingress its next hop, and it provides a local protection
for the primary ingress. It behaves very similarly to a PLR
providing fast reroute where the primary ingress is considered to be
the failure point to protect. Where not otherwise specified, the
behavior given in [RFC4090] for a PLR applies.
The backup ingress MUST follow the control options specified in the
INGRESS_PROTECTION object and the flags and specifications in the
FAST-REROUTE object. This applies to providing a P2MP backup if the
"P2MP backup" is set, a one-to-one backup if "one-to-one desired" is
set, a facility backup if the "facility backup desired" is set, and
backup paths that support both the desired bandwidth and
administrative groups that are requested.
If multiple non-empty INGRESS_PROTECTION objects have been received
via multiple PATH messages for the same LSP, then the most recent one
MUST be the one used.
The backup ingress creates the appropriate forwarding state for the
backup LSP tunnel(s) to the merge point(s).
When the backup ingress sends a RESV message to the primary ingress,
it MUST add an INGRESS_PROTECTION object into the message. It MUST
set or clear the flags in the object to report "Ingress local
protection available", "Ingress local protection in use", and
"bandwidth protection".
If the backup ingress doesn't have a backup LSP tunnel to each of the
merge points, it SHOULD clear "Ingress local protection available"
and set NUB to the number of the merge points to which there is no
backup LSP.
When the primary ingress fails, the backup ingress redirects the
traffic from a source into the backup P2P LSPs or the backup P2MP LSP
transmitting the traffic to the next hops of the primary ingress,
where the traffic is merged into the protected LSP.
In this case, the backup ingress MUST keep the PATH message with the
INGRESS_PROTECTION object received from the primary ingress and the
RESV message with the INGRESS_PROTECTION object to be sent to the
primary ingress. The backup ingress MUST set the "local protection
Chen & Torvi Experimental [Page 20]
^L
RFC 8424 LSP Ingress Protection August 2018
in use" flag in the RESV message, which indicates that the backup
ingress is actively redirecting the traffic into the backup P2P LSPs
or the backup P2MP LSP for locally protecting the primary ingress
failure.
Note that the RESV message with this piece of information will not be
sent to the primary ingress because the primary ingress has failed.
If the backup ingress has not received any PATH messages from the
primary ingress for an extended period of time (e.g., a cleanup
timeout interval) and a confirmed primary ingress failure did not
occur, then the standard RSVP soft-state removal SHOULD occur. The
backup ingress SHALL remove the state for the PATH message from the
primary ingress and either tear down the one-to-one backup LSPs for
protecting the primary ingress if one-to-one backup is used or unbind
the facility backup LSPs if facility backup is used.
When the backup ingress receives a PATH message from the primary
ingress for locally protecting the primary ingress of a protected
LSP, it MUST check to see if any critical information has been
changed. If the next hops of the primary ingress are changed, the
backup ingress SHALL update its backup LSP(s) accordingly.
6.3.1.1. Relay-Message Method
When the backup ingress receives a PATH message with a non-empty
INGRESS_PROTECTION object, it examines the object to learn what
traffic associated with the LSP. It determines the next hops to be
merged to by examining the Label-Routes subobject in the object.
The backup ingress MUST store the PATH message received from the
primary ingress but NOT forward it.
The backup ingress responds with a RESV message to the PATH message
received from the primary ingress. If the backup ingress is off
path, the LABEL object in the RESV message contains IMPLICIT-NULL.
If the INGRESS_PROTECTION object is not "empty", the backup ingress
SHALL send the RESV message with the state indicating protection is
available after the backup LSP(s) are successfully established.
6.3.1.2. Proxy-Ingress Method
When receiving a RESV message for an LSP from a router that is not
primary ingress, the backup ingress collects the pair of (IPv4/IPv6
subobject, Label subobject) in the second place to the top pair in
the RECORD_ROUTE object of the message. It determines the next hops
to be merged according to the set of the pairs collected. If a
Label-Routes subobject is included in the INGRESS_PROTECTION object,
Chen & Torvi Experimental [Page 21]
^L
RFC 8424 LSP Ingress Protection August 2018
the included IPv4/IPv6 subobjects are used to filter the set down to
the specific next hops where protection is desired. An RESV message
MUST have been received before the backup ingress can create or
select the appropriate backup LSP.
When the backup ingress receives a PATH message with the
INGRESS_PROTECTION object, the backup ingress examines the object to
learn what traffic associated with the LSP. The backup ingress
forwards the PATH message to the ingress node with the normal RSVP
changes.
When the backup ingress receives a RESV message with the
INGRESS_PROTECTION object, the backup ingress records an IMPLICIT-
NULL label in the RRO. Then, the backup ingress forwards the RESV
message to the ingress node, which is acting for the proxy ingress.
6.3.2. Backup Ingress Behavior in the On-Path Case
An LER as the backup ingress determines that it is on path if one of
its addresses is a next hop of the primary ingress; for the Proxy-
Ingress Method, the primary ingress is determined as not its next hop
by checking the PATH message with the INGRESS_PROTECTION object
received from the primary ingress. The LER on path MUST send the
corresponding PATH messages without any INGRESS_PROTECTION object to
its next hops. It creates a number of backup P2P LSPs or a backup
P2MP LSP from itself to the other next hops (i.e., the next hops
other than the backup ingress) of the primary ingress. The other
next hops are from the Label-Routes subobject.
It also creates a forwarding entry, which sends/multicasts the
traffic from the source to the next hops of the backup ingress along
the protected LSP when the primary ingress fails. The traffic is
described by the TRAFFIC_DESCRIPTOR.
After setting up all the backup P2P LSPs or the backup P2MP LSP, the
backup ingress creates forwarding entry(s) for importing the traffic
into the backup LSP(s) from the source when the primary ingress
fails. Then, it MUST send the primary ingress a RESV message with an
INGRESS_PROTECTION object. The object contains the state of the
local protection, such as having the "local protection available"
flag set to one, which indicates that the primary ingress is locally
protected.
When the primary ingress fails, the backup ingress sends/multicasts
the traffic from the source to its next hops along the protected LSP
and imports the traffic into each of the backup P2P LSPs or to the
Chen & Torvi Experimental [Page 22]
^L
RFC 8424 LSP Ingress Protection August 2018
backup P2MP LSP transmitting the traffic to the other next hops of
the primary ingress, where the traffic is merged into a protected
LSP.
During the local repair, the backup ingress MUST continue to send the
PATH messages to its next hops as before and keep the PATH message
with the INGRESS_PROTECTION object received from the primary ingress
and the RESV message with the INGRESS_PROTECTION object to be sent to
the primary ingress. It MUST set the "local protection in use" flag
in the RESV message.
6.3.3. Failure Detection and Refresh PATH Messages
As described in [RFC4090], it is necessary to refresh the PATH
messages via the backup LSP(s). The backup ingress MUST wait to
refresh the PATH messages until it can accurately detect that the
ingress node has failed. An example of such an accurate detection
would be that the IGP has no bidirectional links to the ingress node,
or a BFD session to the primary ingress' loopback address has failed
and stayed failed after the network has reconverged.
As described in Section 6.4.3 of [RFC4090], the backup ingress,
acting as PLR, MUST modify and send any saved PATH messages
associated with the primary LSP to the corresponding next hops
through backup LSP(s). Any PATH message sent will not contain any
INGRESS_PROTECTION objects. The RSVP_HOP object in the message
contains an IP source address belonging to the backup ingress. The
SENDER_TEMPLATE object has the Backup Ingress Address as its tunnel
sender address.
6.4. Revertive Behavior
Upon a failure event in the (primary) ingress of a protected LSP, the
protected LSP is locally repaired by the backup ingress. There are a
couple of basic strategies for restoring the LSP to a full working
path.
o Revert to Primary Ingress: When the primary ingress is restored,
it resignals each of the LSPs that start from the primary ingress.
The traffic for every LSP successfully resignaled is switched back
to the primary ingress from the backup ingress.
o Global Repair by Backup Ingress: After determining that the
primary ingress of an LSP has failed, the backup ingress computes a
new optimal path, signals a new LSP along the new path, and
switches the traffic to the new LSP.
Chen & Torvi Experimental [Page 23]
^L
RFC 8424 LSP Ingress Protection August 2018
6.4.1. Revert to Primary Ingress
If "Revert to Primary Ingress" is desired for a protected LSP, the
(primary) ingress of the LSP SHOULD resignal the LSP that starts from
the primary ingress after the primary ingress restores. After the
LSP is resignaled successfully, the traffic SHOULD be switched back
to the primary ingress from the backup ingress on the source node and
redirected into the LSP starting from the primary ingress.
The primary ingress can specify the "Revert to Ingress" control
option in the INGRESS_PROTECTION object in the PATH messages to the
backup ingress. After receiving the "Revert to Ingress" control
option, the backup ingress MUST stop sending/refreshing PATH messages
for the protected LSP.
6.4.2. Global Repair by Backup Ingress
When the backup ingress has determined that the primary ingress of
the protected LSP has failed (e.g., via the IGP), it can compute a
new path and signal a new LSP along the new path so that it no longer
relies upon local repair. To do this, the backup ingress MUST use
the same tunnel sender address in the SENDER_TEMPLATE object and
allocate an LSP ID different from the one of the old LSP as the LSP
ID of the new LSP. This allows the new LSP to share resources with
the old LSP. Alternately, the backup ingress can create a new LSP
with no bandwidth reservation that duplicates the path(s) of the
protected LSP, move traffic to the new LSP, delete the protected LSP,
and then resignal the new LSP with bandwidth.
7. Security Considerations
In principle, this document does not introduce new security issues.
The security considerations pertaining to [RFC4090], [RFC4875],
[RFC2205], and [RFC3209] remain relevant.
8. Compatibility
This extension reuses and extends semantics and procedures defined in
[RFC2205], [RFC3209], [RFC4090], and [RFC4875] to support ingress
protection. The new object defined to indicate ingress protection
has a Class Number of the form 0bbbbbbb. Per [RFC2205], a node not
supporting this extension will not recognize the new Class Number and
should respond with an "Unknown Object Class" error. The error
message will propagate to the ingress, which can then take action to
avoid the incompatible node as a backup ingress or may simply
terminate the session.
Chen & Torvi Experimental [Page 24]
^L
RFC 8424 LSP Ingress Protection August 2018
9. IANA Considerations
This document has no IANA actions.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification", RFC 2205, DOI 10.17487/RFC2205,
September 1997, <https://www.rfc-editor.org/info/rfc2205>.
[RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V.,
and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP
Tunnels", RFC 3209, DOI 10.17487/RFC3209, December 2001,
<https://www.rfc-editor.org/info/rfc3209>.
[RFC3936] Kompella, K. and J. Lang, "Procedures for Modifying the
Resource reSerVation Protocol (RSVP)", BCP 96, RFC 3936,
DOI 10.17487/RFC3936, October 2004,
<https://www.rfc-editor.org/info/rfc3936>.
[RFC4090] Pan, P., Ed., Swallow, G., Ed., and A. Atlas, Ed., "Fast
Reroute Extensions to RSVP-TE for LSP Tunnels", RFC 4090,
DOI 10.17487/RFC4090, May 2005,
<https://www.rfc-editor.org/info/rfc4090>.
[RFC4875] Aggarwal, R., Ed., Papadimitriou, D., Ed., and S.
Yasukawa, Ed., "Extensions to Resource Reservation
Protocol - Traffic Engineering (RSVP-TE) for Point-to-
Multipoint TE Label Switched Paths (LSPs)", RFC 4875,
DOI 10.17487/RFC4875, May 2007,
<https://www.rfc-editor.org/info/rfc4875>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Chen & Torvi Experimental [Page 25]
^L
RFC 8424 LSP Ingress Protection August 2018
10.2. Informative References
[RFC6378] Weingarten, Y., Ed., Bryant, S., Osborne, E., Sprecher,
N., and A. Fulignoli, Ed., "MPLS Transport Profile (MPLS-
TP) Linear Protection", RFC 6378, DOI 10.17487/RFC6378,
October 2011, <https://www.rfc-editor.org/info/rfc6378>.
Acknowledgements
The authors would like to thank Nobo Akiya, Rahul Aggarwal, Eric
Osborne, Ross Callon, Loa Andersson, Daniel King, Michael Yue, Alia
Atlas, Olufemi Komolafe, Rob Rennison, Neil Harrison, Kannan Sampath,
Gregory Mirsky, and Ronhazli Adam for their valuable comments and
suggestions on this document.
Contributors
The following people contributed significantly to the content of this
document and should be considered coauthors:
Autumn Liu
Ciena
United States of America
Email: hliu@ciena.com
Zhenbin Li
Huawei Technologies
Email: zhenbin.li@huawei.com
Yimin Shen
Juniper Networks
10 Technology Park Drive
Westford, MA 01886
United States of America
Email: yshen@juniper.net
Tarek Saad
Cisco Systems
Email: tsaad@cisco.com
Fengman Xu
Verizon
2400 N. Glenville Dr
Richardson, TX 75082
United States of America
Email: fengman.xu@verizon.com
Chen & Torvi Experimental [Page 26]
^L
RFC 8424 LSP Ingress Protection August 2018
The following people also contributed to the content of this
document:
Ning So
Tata Communications
2613 Fairbourne Cir.
Plano, TX 75082
United States of America
Email: ningso01@gmail.com
Mehmet Toy
Verizon
United States of America
Email: mehmet.toy@verizon.com
Lei Liu
United States of America
Email: liulei.kddi@gmail.com
Renwei Li
Huawei Technologies
2330 Central Expressway
Santa Clara, CA 95050
United States of America
Email: renwei.li@huawei.com
Quintin Zhao
Huawei Technologies
Boston, MA
United States of America
Email: quintin.zhao@huawei.com
Boris Zhang
Telus Communications
200 Consilium Pl Floor 15
Toronto, ON M1H 3J3
Canada
Email: Boris.Zhang@telus.com
Markus Jork
Juniper Networks
10 Technology Park Drive
Westford, MA 01886
United States of America
Email: mjork@juniper.net
Chen & Torvi Experimental [Page 27]
^L
RFC 8424 LSP Ingress Protection August 2018
Authors' Addresses
Huaimo Chen (editor)
Huawei Technologies
Boston, MA
United States of America
Email: huaimo.chen@huawei.com
Raveendra Torvi (editor)
Juniper Networks
10 Technology Park Drive
Westford, MA 01886
United States of America
Email: rtorvi@juniper.net
Chen & Torvi Experimental [Page 28]
^L
|