Synonymous Flow Label FrameworkFuturewei Technologies Inc.sb@stewartbryant.comHuaweimach.chen@huawei.comSouthend Technical Centerswallow.ietf@gmail.comCiena Corporationssivabal@ciena.comZTE Corp.gregimirsky@gmail.com
Routing
MPLSMPLSFlowLabelRFC 8372 ("MPLS Flow Identification Considerations") describes the
requirement for introducing flow identities within the MPLS
architecture. This document describes a method of accomplishing this by
using a technique called "Synonymous Flow Labels" in which labels that
mimic the behavior of other labels provide the identification service.
These identifiers can be used to trigger per-flow operations on the
packet at the receiving label switching router.Introduction ("MPLS Flow Identification
Considerations") describes the requirement for introducing
flow identities within the MPLS architecture.
This document describes a method of providing the required identification by using a
technique called "Synonymous Flow Labels (SFLs)" in
which labels that mimic the behavior of other MPLS labels provide the
identification service. These identifiers can be used to trigger
per-flow operations on the packet at the receiving label switching
router.Requirements Language
The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
Synonymous Flow LabelsAn SFL is defined to be a label that causes exactly the same
behavior at the egress Label Edge Router (LER) as the label it
replaces, except that it also causes one or more additional actions that have
been previously agreed between the peer LERs to be executed
on the packet. There are many possible additional actions, such as
measuring the number of received packets in a flow,
triggering an IP Flow Information Export (IPFIX) capture, triggering other types of deep packet
inspection, or identifying the packet source. For example, in
a Performance Monitoring (PM) application, the agreed action could be
recording the receipt of the packet by incrementing a packet
counter. This is a natural action in many MPLS implementations, and
where supported, this permits the implementation of high-quality
packet loss measurement without any change to the packet-forwarding
system.To illustrate the use of this technology, we start by considering
the case where there is an application label in the MPLS label stack.
As a first example, let us consider a
pseudowire (PW) on which it is desired to make
packet loss measurements. Two labels, synonymous with the PW labels, are obtained
from the egress terminating provider edge (T-PE). By alternating
between these SFLs and using them in place of the PW label, the PW
packets may be batched for counting without any impact on the PW
forwarding behavior (note that
strictly only one SFL is needed in
this application, but that is an optimization that is a matter for
the implementor). The method of obtaining these additional
labels is outside the scope of this text; however,
one control protocol that provides a method of obtaining SFLs is described in
.Next, consider an MPLS application that is multipoint to point, such as
a VPN. Here, it is necessary to identify a packet batch from a
specific source. This is achieved by making the SFLs source
specific, so that batches from one source are marked differently from
batches from another source. The sources all operate independently
and asynchronously from each other, independently coordinating with
the destination. Each ingress LER is thus able to establish its own SFL
to identify the subflow and thus enable PM per flow.Finally, we need to consider the case where there is no MPLS
application label such as occurs when sending IP over a Label Switched Path
(LSP), i.e., there is a single label in the MPLS label stack. In
this case, introducing an SFL that was synonymous with the LSP label
would introduce network-wide forwarding state. This would not be
acceptable for scaling reasons. Therefore, we have no choice but to
introduce an additional label. Where penultimate hop popping (PHP)
is in use, the semantics of this additional label can be similar to
the LSP label. Where PHP is not in use, the semantics are similar to
an MPLS Explicit NULL . In both of
these cases, the label has the additional semantics of the SFL.Note that to achieve the goals set out above, SFLs need to be
allocated from the platform label table.User Service Traffic in the Data PlaneAs noted in , it is necessary to
consider two cases:
Application label is present
Single-label stack
Application Label Present shows the case in which
both an LSP label and an application
label are present in the MPLS label stack. Traffic with no SFL
function present runs over the normal stack, and SFL-enabled flows
run over the SFL stack with the SFL used to indicate the packet
batch.At the egress LER, the LSP label is popped (if present). Then, the
SFL is processed executing both the synonymous function and the
corresponding application function.Setting TTL and the Traffic Class BitsThe TTL and the Traffic Class bits in the SFL label stack entry (LSE) would
normally be set to the same value as would have been set in the label
that the SFL is synonymous with. However, it is recognized that, if there
is an application need, these fields in the SFL LSE
MAY be set to some other value. An
example would be where it was desired to cause the SFL to trigger an
action in the TTL expiry exception path as part of the label action.Single-Label Stack shows the case in which
only an LSP label is present in the
MPLS label stack. Traffic with no SFL function present runs over the
"normal" stack, and SFL-enabled flows run over the SFL stack with the
SFL used to indicate the packet batch. However, in this case, it is
necessary for the ingress Label Edge Router (LER) to first push the SFL and
then to push the LSP label.At the receiving Label Switching Router (LSR), it is necessary to
consider two cases:
Where the LSP label is still present
Where the LSP label is penultimate hop popped
If the LSP label is present, it is processed exactly as it would
normally be processed, and then it is popped. This reveals the SFL,
which, in the case of the measurements defined in , is simply counted and then
discarded. In this respect, the processing of the SFL is synonymous
with an MPLS Explicit NULL. As the SFL is the bottom of stack, the IP
packet that follows is processed as normal.If the LSP label is not present due to PHP action in the upstream
LSR, two almost equivalent processing actions can take place.
The SFL can be treated either 1) as an LSP label that was not PHPed and the
additional associated SFL action is taken when the label is
processed or 2) as an MPLS Explicit NULL with
associated SFL actions. From the perspective of the measurement
system described in this document, the behavior of the two approaches is
indistinguishable; thus, either may be implemented.Setting TTL and the Traffic Class BitsThe TTL and the Traffic Class considerations described in apply.Aggregation of SFL ActionsThere are cases where it is desirable to aggregate an SFL action
against a number of labels, for example, where it is desirable to
have one counter record the number of packets received over a group
of application labels or where the number of labels used by a single
application is large and the resultant increase in the number of
allocated labels needed to support the SFL actions may
become too large to be viable. In these circumstances, it would be
necessary to introduce an additional label in the stack to act as an
aggregate instruction. This is not strictly a synonymous action in
that the SFL is not replacing an existing label but is somewhat
similar to the single-label case shown in , and the same
signaling, management, and configuration tools would be applicable.The aggregate SFL is shown in the label stack depicted in as
preceding the application label; however, the choice of position
before or after the application label will be application specific.
In the case described in , by definition, the SFL has the
full application context. In this case, the positioning will depend
on whether the SFL action needs the full context of the application
to perform its action and whether the complexity of the application
will be increased by finding an SFL following the application label.Equal-Cost Multipath ConsiderationsThe introduction of an SFL to an existing flow may cause that flow to take
a different path through the network under conditions of Equal-Cost
Multipath (ECMP). This, in turn, may invalidate certain uses of
the SFL, such as performance measurement applications. Where this is
a problem, there are two solutions worthy of consideration:
The operator MAY elect to always run with the SFL
in place in the MPLS label stack.
The operator can elect to use entropy labels in a network that fully supports
this type of ECMP. If this approach is adopted, the intervening MPLS
network MUST NOT load balance on any packet field other
than the entropy label. Note that this is stricter than the text in
.
Privacy ConsiderationsIETF concerns on pervasive monitoring are described in . The inclusion of originating
and/or flow information in a packet provides more identity information
and hence potentially degrades the privacy of the communication to an
attacker in a position to observe the added identifier. Whilst the
inclusion of the additional granularity does allow greater insight into
the flow characteristics, it does not specifically identify which node
originated the packet unless the attacker can inspect the network at the
point of ingress or inspect the control protocol packets. This privacy
threat may be mitigated by encrypting the control protocol packets by
regularly changing the synonymous labels or by concurrently using a
number of such labels, including the use of a combination of those
methods. Minimizing the scope of the identity indication can be useful
in minimizing the observability of the flow characteristics. Whenever
IPFIX or other deep packet inspection (DPI) technique is used, their
relevant privacy considerations apply.Security ConsiderationsThere are
no new security issues associated with the MPLS data plane. Any
control protocol used to request SFLs will need to ensure the
legitimacy of the request, i.e., that the requesting node is authorized
to make that SFL request by the network operator.IANA ConsiderationsThis document has no IANA actions.ReferencesNormative ReferencesInformative ReferencesContributorsHuaweilizhenbin@huawei.com