Segment Routing for IPv6 Networks (SRv6)

Stefano Previdi Distinguished Engineer

BRKRST-3123 Agenda

• Introduction to Segment Routing

• Segment Routing and the IPv6 Source Routing Model

• IPv6 Segment Routing Header (SRH)

• SRH Procedures

• SR-IPv6 Examples

• Use Cases

• Standardization

• Conclusion

Introduction to Segment Routing

What is Segment Routing?

• An architecture that seeks the right balance between distributed intelligence and centralized optimization and programming.
  • simplifies operation (lower opex)
  • enables application-based service creation (new revenue)
  • allows for better utilization of the installed infrastructure (lower capex)

• Applies to both IPv6 and MPLS dataplanes with wide application
  • (SP, OTT/Web, GET) across (WAN, Metro/Agg, DC)
  • SDN controller

• An architecture designed with SDN in mind

• Segment Routing technology is extensively explained in
  • http://www.segment-routing.net (includes all published IETF drafts)

Segment Routing

• Source Routing
  • the source chooses a path and encodes it in the packet header as an ordered list of segments
  • the rest of the network executes the encoded instructions without any further per-flow state
  • SR-IPv6: the list of segments is encoded into a new (and secure) Routing Header called the “Segment Routing Header”

• Segment: an identifier for any type of instruction
  • forwarding or service

• Segment Routing leverages the benefits of IPv6
  • Source routing capability through the use of extension headers
  • Full interoperability with non-source routing nodes (with no signaling)

Segment Routing – Scalability and Virtualization

• Each engineered application flow is mapped on a path
  • millions of paths

• A path is expressed as an ordered list of segments

• The network maintains segments
  • thousands of segments
  • completely independent of application size/frequency

• Excellent scaling and virtualization
  • the application state is no longer within the router but within the packet

[Figure labels: Millions of application flow paths. A path is mapped on a list of segments. The network only maintains segments. No per-flow application state.]

Segment Routing - Strong Operator Partnership

• Fundamental to the velocity and success

• Significant commitment
  • technical transparency
  • multi-vendor commitment

• Many more operators now involved
  • Segment Routing MPLS now standardized and (almost) deployed…
  • Segment Routing IPv6 is getting up to speed

• Open and standardized technology
  • More than 25 drafts under standardization process in IETF WGs:
    • SPRING, 6MAN, IS-IS, IDR, OSPF, PCE
  • For both MPLS and IPv6 dataplanes

Segment Routing and the IPv6 Source Routing model

Segment Routing and the Source Based Routing Model

• By combining types of segments (i.e.: instructions), Segment Routing can address a variety of use cases from edge to edge

[Figure: a Controller above an edge-to-edge path: App, SR DC (Fwrdr, TOR, Leaf, Spine, DCI), SR WAN core, border routers (BR), and AS W, AS X, AS Y, AS Z. Labels along the path: "Classify flow and push SR segment list"; "Top Segment provides ECMP-path to selected DCI"; "Next segments implement WAN Policy: Cost vs Latency, Disjointness, Select egress BR"; "Last segment selects egress peer".]

Segment Routing and the Source Based Routing Model: Wait a Moment !!

• There are two ways of using Segment Routing on v6 networks
  • IPv6 control plane with an MPLS dataplane
  • IPv6 control plane with an IPv6 dataplane

• This presentation covers Segment Routing for IPv6 control & data planes
  • i.e.: no MPLS dataplane is involved… but interop is granted

Segment Routing and the Source Based Routing Model

• SR-IPv6 allows IPv6 dataplane networks to benefit from all features deployed over the years on MPLS networks:
  • Traffic Engineering
  • VPNs
  • Fast Reroute
  • …

• As well as new features such as
  • Conduit
  • Service Chaining
  • BGP Traffic Engineering
  • BGP Peer Engineering
  • Application Engineered Routing

Segment Routing IPv6 and the Source Based Routing Model

• In the source based routing model the source chooses a path and encodes it in the packet header as an ordered list of segments

• A new type of the existing IPv6 Routing Extension Header is used for Segment Routing: SRH

• The Segment Routing Header (SRH) contains the list of segments
  • Path state in the packet, not in the network

• The segment identifier (SID) is a 128-bit IPv6 address
  • The Segment List expressing the source routed path is a list of IPv6 addresses

• A segment is an instruction applied to the packet:
  • IGP-based forwarding construct
  • BGP-based forwarding construct
  • local adjacency
  • service/application
  • location,
  • context, …

Segment Routing and the IPv6 Dataplane

• Segment Routing applies to both IPv6 and MPLS dataplanes

• Difference is in the bits encoded in the packet, not in the architecture

• Enabling SR-IPv6 means that ONLY the nodes that have to process the packet header must have SR-IPv6 dataplane support
  • All other nodes in the infrastructure are just plain IPv6 nodes

[Figure: topology with A on the left, H on the right, B, C, D on the upper row and E, F, G on the lower row; Segments: C,F,H. SR-IPv6 packet: IPv6 Hdr, SR Header, PAYLOAD. SR-MPLS packet: Label(C), Label(F), Label(H), IPv4 or IPv6 hdr, PAYLOAD.]

Example of Segments

[Figure: nodes A, B, C, D on the upper row and M, N, O, P on the lower row, service S1, peers 1 and 2, and Z. Labels: Service Segment to S1; Node segment to C; Peer Segment; Adj Segment; Node segment to Z.]

• Examples:
  • Go to this node using shortest path (Node-SID)
  • Go to this prefix using shortest path (Prefix-SID)
  • Go through this specific link (no matter what SPT says, Adj-SID)
  • Go through this egress interface / peering AS (Adj-SID, Peer-SID)
  • Etc.

• Simple protocol extensions allowing advertisement of segments
  • IGP, BGP, BGPLS, PCEP, …

Segment Routing and the Source Based Routing Model

• Segment Routing IPv6:
  • The notion of a “segment” is not new in IPv6
  • Routing Extension Header has been defined in RFC 2460 and defines the “segment”
  • In both RFC 2460 and Segment Routing a segment is identified by an IPv6 address
  • Segment Routing leverages RFC 2460 Routing Header by defining a new type
    • Improves Routing Header
    • Enhances the source routing model
    • Introduces security
  • Segment Routing does NOT require a forklift upgrade of the network
    • SR and non-SR nodes can co-exist
    • Gradual deployment
    • Full interoperability
    • Backward compatibility

The Segment Routing Header: Insertion Vs. Encapsulation

Segment Routing Header and encapsulation

• While not explicitly mentioned, RFC2460 assumes only the source is allowed to insert a routing header
  – Remember: the SRH is a type of routing header

• Segment Routing for IPv6 allows multiple operational modes
  – All compliant to base IPv6 specification

Insertion Vs. Encapsulation

• Header Insertion at the Source:
  – Source originates the packet with the SRH
  – SRH is kept and used along the path
  – Packet is delivered to destination with the SRH (plain IPv6 operations)
    > Optionally, the SRH may be removed prior to delivering the packet to destination
  – Use case: source is SRv6 capable

[Figure: SR domain with Source A, Ingress B, nodes C, D, E, F, Egress G and Destination Z. Packet labels: "IPv6 Hdr: SA=A, DA=B / SR Hdr: SL= B, D, G, Z / PAYLOAD"; "IPv6 Hdr: SA=A, DA=D / SR Hdr: SL= B, D, G, Z / PAYLOAD"; "IPv6 Hdr: SA=A, DA=G / SR Hdr: SL= B, D, G, Z / PAYLOAD"; "IPv6 Hdr: SA=A, DA=Z / SR Hdr: SL= B, D, G, Z / PAYLOAD".]

• Header Insertion at Ingress:
  – Source originates the packet without any SRH
  – SRH is inserted at ingress
  – SRH is removed prior to delivering the packet to the destination
  – Use case: source is not SRv6 capable

[Figure: SR domain with Source A, Ingress B, nodes C, D, E, F, Egress G and Destination Z. Packet labels: "IPv6 Hdr: SA=A, DA=Z / PAYLOAD"; "IPv6 Hdr: SA=A, DA=D / SR Hdr: SL= D, G, Z / PAYLOAD"; "IPv6 Hdr: SA=A, DA=G / SR Hdr: SL= D, G, Z / PAYLOAD"; "IPv6 Hdr: SA=A, DA=Z / PAYLOAD".]

• Encapsulation at Ingress:
  – Source originates the packet without any SRH
  – Ingress encapsulates the incoming packet into a new outer IPv6 header followed by the SRH
  – Packet is decapsulated at egress (both outer IPv6 header and SRH are removed)
  – Use Case:

[Figure: SR domain with Source A, Ingress B, nodes C, D, Egress E and Destination Z. Packet labels: "IPv6 Hdr: SA=A, DA=Z / PAYLOAD"; "IPv6 Hdr: SA=A, DA=C / SR Hdr: SL= C, E / IPv6 Hdr: SA=A, DA=Z / PAYLOAD"; "IPv6 Hdr: SA=A, DA=E / SR Hdr: SL= C, E / IPv6 Hdr: SA=A, DA=Z / PAYLOAD"; "IPv6 Hdr: SA=A, DA=Z / PAYLOAD".]

Segment Routing Example

Example of Explicit Path

• How to express an explicit (source routed) path knowing that:
  • Nodes may represent routers, hosts, servers, application instances, services, chains of services, etc.
  • A path is encoded into the packet by the originator (or ingress) node using a list of IPv6 addresses
  • The network may have a plurality of nodes, not all supporting Segment Routing
  • A path can be “loose” or “strict”
    • Likely to be loose…

• A single mechanism, a single placeholder where the “path” of the packet is expressed

SR-IPv6 Explicit Path Example

[Figure: topology with A on the left, H on the right, B, C, D on the upper row and E, F, G on the lower row]

• In following topology:
  – Q: How to best express path: [A, B, C, F, G, H]
  • Note well: node A has two shortest paths to C (ECMP)

• A: Source routed path with segments: [C,F,H]
  First segment: set of shortest paths from A to C (ECMP aware)
  Second segment: adjacency/link from C to F
  Third segment: shortest path from F to H

• Loose Source Routing

SR-IPv6 Explicit Path Example: Interoperability

[Figure: topology with A on the left, H on the right, B, C, D on the upper row and E, F, G on the lower row]

• Not all nodes need to be SR capable
• Example:
  – Traffic Engineering from A to H through path ABCFGH
  – Nodes A, C and F are SR capable
  – Nodes B, D, E, G and H are plain IPv6 forwarders

SR-IPv6 Explicit Path Example

[Figure: A sends towards B and C the packet "IPv6 Hdr: SA=A, DA=C / SR Hdr: SL= C, F, H / PAYLOAD"]

• At node A:
  – Path is computed, or received from a controller (e.g.: SDN Controller)
  – Path is instantiated through a list of segments
  – A SRH is created with the segment list representing the path
  – Packet is sent to the first segment
    > ECMP fully leveraged !

SR-IPv6 Explicit Path Example

[Figure: same topology; the packet leaving A is "IPv6 Hdr: SA=X, DA=C / SR Hdr: SL= C, F, H / PAYLOAD"]

• At A, the Segment Routing Header (SRH) contains
  – Segment List: C,F,H (the real destination of the packet is encoded as last segment)
  – Segments Left: points to the next segment of the path (F)
  – DA is set as the address of the first segment: C

• Packet is sent towards its DA (C, representing the first segment)
  – Packet can travel across non SR nodes which will just ignore the SRH (e.g.: node B)
  – RFC2460 mandates only the node in the DA must examine the SRH

[Figure: the packet leaving C is "IPv6 Hdr: SA=X, DA=F / SR Hdr: SL= C, F, H / PAYLOAD"]

• When packet reaches the segment endpoint C
  – Segments Left is inspected and used in order to update the DA with the next segment address: F
  – Segments Left pointer is decremented: now points to H (note: Segments Left is now set to 0)
  – Packet is sent towards its DA

[Figure: the packet leaving F is "IPv6 Hdr: SA=X, DA=H / SR Hdr: SL= C, F, H / PAYLOAD"]

• When packet reaches the segment endpoint F the same process is executed:
  – Segments Left is inspected and used in order to update the DA with the next segment address: H
  – Segments Left pointer being 0, it is left unchanged
  – Packet is sent towards its DA

• When packet reaches the segment endpoint H:
  – Segments Left == 0
  – RFC2460 mandates that the entire Routing Header is ignored
  – Therefore, H processes the packet without taking into account the Segment Routing Header
  – Node H is a RFC2460 (IPv6) capable node and does not need to support segment routing

Segment Routing Header (SRH)

Segment Identifiers: IPv6 addresses

• A segment is identified by an IPv6 address
  – SID is an IPv6 address
• Any IPv6 address may be used as segment identifier

SRH (RH Type 4)

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Next Header  |  Hdr Ext Len  | Routing Type  | Segments Left |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| First Segment |             Flags             |  HMAC Key ID  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|            Segment List[0] (128 bits ipv6 address)            |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
//                             ...                             //
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|            Segment List[n] (128 bits ipv6 address)            |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|       Policy List[0] (optional, 128 bits ipv6 address)        |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
//                             ...                             //
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|       Policy List[3] (optional, 128 bits ipv6 address)        |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
//                            HMAC                             //
|                     (optional, 256 bits)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

• Next Header: 8-bit selector. Identifies the type of header immediately following the SRH

• Hdr Ext Len: 8-bit unsigned integer. Defines the length of the SRH header in 8-octet units, not including the first 8 octets

• Type: 4

• Segments Left: index, in the Segment List, of the current active segment in the SRH. Decremented at each segment endpoint.

• First Segment: offset in the SRH, not including the first 8 octets and expressed in 16-octet units, pointing to the last element of the Segment List (i.e.: that contains the first segment of the path).

• Flags: 16 bits of flags. Following flags are defined:
  – bit-0: cleanup
  – bit-1: rerouted packet

• Segment List[n]: 128 bit IPv6 addresses representing each segment of the path. The segment list is encoded in the reverse order of the path: the last segment is in the first position of the list and the first segment is in the last position.

• HMAC: SRH authentication (optional)

Segment Routing IPv6

• SRH is a new type of the existing routing header. Therefore, it inherits routing header properties:
  – Can only appear once
  – If “Segments Left” is 0, the SRH is silently ignored and packet is NOT dropped

• SRH format is almost identical to RH0 that has been deprecated
  – Carries IPv6 addresses
  – Segments (SL and PL)
  – Security: HMAC

• Deprecation has been motivated by security concerns
  – SRH addresses them through HMAC and restricted domain of application

Segment Routing Security

• Routing Type 0 (RH0) extension header has been deprecated by RFC5095
  • Reason: vulnerability (amplification attack) of RH0

• SRH defines an HMAC field to be used at ingress of a SR domain in order to validate the SRH
  • Avoid malicious attempts to steer a packet out of its intended path
  • Amplification attack with RH-0
  • Addresses concerns of RFC5095

• When used within the boundaries of a controlled domain, the HMAC is not necessary
  • Similarly, IETF has standardized the Routing Extension Header type 3 (RPL) without any security mechanism
  • RH3 is assumed to be used within the boundaries of a private/controlled domain

SRH Procedures

SRH Processing: Source Node

[Figure: source A, next to nodes B and E, sends "IPv6 Hdr: SA=X, DA=C / SR Hdr: SL= C, F, H / PAYLOAD"]

• Source node may be a SR capable host

• At source:
  – SRH is created (or received from an SDN controller) with:
    > Segment List encoded in the reverse order of the path:
      • Segment List[0]: LAST segment
      • Segment List[n]: FIRST segment
    > “Segments Left” field set to n-1 where n is the number of segments in the SL
    > “First Segment” field is set to n-1
  – The DA of the packet is set as the first segment of the path
    > DA = Segment_List[Segments_Left]
  – The packet is sent out to the first segment

SRH Processing: Transit Node

• Different types of Transit Nodes
  – NON-SR Transit nodes
  – SR Intra-segment Transit nodes
  – SR Segment Endpoint nodes

SRH Processing: Non-SR Transit Node

• NON-SR Transit nodes
  – Plain IPv6 forwarding
  – Solely based on IPv6 DA
  – No SRH inspection or update
  – Transparent / interoperable

[Figure: topology A to H with the packet at each stage: "IPv6 Hdr: SA=X, DA=C", then "DA=F", then "DA=H", each followed by "SR Hdr: SL= C, F, H / PAYLOAD"]

SRH Processing: SR Segment Endpoint nodes

• SR Endpoints: SR Capable nodes whose address is in DA.

• Endpoints inspect the SRH and do:
  1. IF DA = myself (segment endpoint)
  2. IF Segments Left > 0 THEN
       decrement Segments Left
       update DA with Segment List[Segments Left]
  3. IF Segments Left == 0 THEN
       IF Clean-up bit is set THEN remove the SRH
  4. ELSE continue IPv6 processing of the packet
       End of processing.
  5. Forward the packet out

[Figure: topology A to H with the packet at each stage: "IPv6 Hdr: SA=X, DA=C", then "DA=F", then "DA=H", each followed by "SR Hdr: SL= C, F, H / PAYLOAD"]

Segment Routing Use Cases
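The source-node and segment-endpoint procedures from the SRH Procedures slides, together with the ingress HMAC check from the Segment Routing Security slides, as an added Python example (not code from the presentation or from any SR implementation). Assumptions: flag bit-0 is the most significant of the 16 flag bits, no Policy List is present, and the HMAC is HMAC-SHA-256 over the source address, First Segment, Flags, HMAC Key ID and Segment List (the slides name neither the algorithm nor the covered fields); the 2001:db8:: addresses and the key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ROUTING_TYPE_SRH = 4    # "Type: 4" on the SRH slide
FLAG_CLEANUP = 0x8000   # assumption: flag "bit-0" is the most significant of the 16 bits
HMAC_LEN = 32           # optional 256-bit HMAC field
FIXED = "!BBBBBHB"      # Next Header, Hdr Ext Len, Type, Segments Left, First Segment, Flags, Key ID


def _addr(a):
    return ipaddress.IPv6Address(a)


def _digest(key, src, first_seg, flags, key_id, seg_bytes):
    # Assumed coverage (not stated on the slides): source address, First Segment, Flags,
    # HMAC Key ID, Segment List. Segments Left and the DA change at every endpoint.
    msg = _addr(src).packed + struct.pack("!BHB", first_seg, flags, key_id) + seg_bytes
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_srh(path, src, flags=0, key_id=0, key=None, next_header=59):
    """Source node: return (DA, SRH bytes) for `path`, listed first segment first."""
    n = len(path)
    if not 1 <= n <= (255 * 8 - (HMAC_LEN if key else 0)) // 16:
        raise ValueError("segment list does not fit in one SRH")
    seg_bytes = b"".join(_addr(s).packed for s in reversed(path))  # List[0] = LAST segment
    tail = _digest(key, src, n - 1, flags, key_id, seg_bytes) if key else b""
    ext_len = (len(seg_bytes) + len(tail)) // 8    # 8-octet units after the first 8 octets
    fixed = struct.pack(FIXED, next_header, ext_len, ROUTING_TYPE_SRH, n - 1, n - 1, flags, key_id)
    return str(_addr(path[0])), fixed + seg_bytes + tail   # DA = Segment_List[Segments_Left]


def parse_srh(raw):
    """Parse and sanity-check an SRH; raises ValueError on any inconsistency."""
    if len(raw) < 8:
        raise ValueError("truncated SRH")
    nh, ext_len, rtype, seg_left, first_seg, flags, key_id = struct.unpack(FIXED, raw[:8])
    end_of_list = 8 + 16 * (first_seg + 1)
    extra = 8 + 8 * ext_len - end_of_list          # bytes that follow the Segment List
    if rtype != ROUTING_TYPE_SRH:
        raise ValueError("not an SRH")
    if len(raw) < 8 + 8 * ext_len or extra not in (0, HMAC_LEN):
        raise ValueError("Hdr Ext Len / First Segment mismatch")
    if seg_left > first_seg:
        raise ValueError("Segments Left points outside the Segment List")
    segs = [str(_addr(raw[8 + 16 * i:24 + 16 * i])) for i in range(first_seg + 1)]
    mac = raw[end_of_list:end_of_list + HMAC_LEN] if extra else None
    return {"next_header": nh, "segments_left": seg_left, "first_segment": first_seg,
            "flags": flags, "key_id": key_id, "segments": segs, "hmac": mac}


def verify_hmac(raw, src, keys):
    """Ingress check: True only if the SRH carries a valid HMAC for a known key ID."""
    h = parse_srh(raw)
    key = keys.get(h["key_id"])
    if key is None or h["hmac"] is None:
        return False
    seg_bytes = raw[8:8 + 16 * (h["first_segment"] + 1)]
    want = _digest(key, src, h["first_segment"], h["flags"], h["key_id"], seg_bytes)
    return hmac.compare_digest(want, h["hmac"])


def endpoint_process(da, raw, me):
    """Segment endpoint: return (new DA, SRH bytes or None if removed, action)."""
    if _addr(da) != _addr(me):
        return da, raw, "forward"          # not the DA: plain IPv6 forwarding, SRH untouched
    h = parse_srh(raw)
    if h["segments_left"] == 0:
        return da, raw, "deliver"          # continue normal IPv6 processing of the packet
    left = h["segments_left"] - 1
    new_da = h["segments"][left]           # update DA with Segment List[Segments Left]
    if left == 0 and h["flags"] & FLAG_CLEANUP:
        return new_da, None, "forward"     # SRH removed; IPv6 Next Header takes the SRH's value
    return new_da, raw[:3] + bytes([left]) + raw[4:], "forward"


def walk(path, src, flags=0):
    """Visit each segment endpoint in turn: [(node, DA after node, action, SRH present)]."""
    da, srh = build_srh(path, src, flags=flags)
    steps = []
    for node in path:
        action = "deliver"                 # no SRH left: the node is a plain IPv6 destination
        if srh is not None:
            da, srh, action = endpoint_process(da, srh, node)
        steps.append((node, da, action, srh is not None))
    return steps


if __name__ == "__main__":
    C, F, H, X = "2001:db8::c", "2001:db8::f", "2001:db8::8", "2001:db8::a"  # constructed
    for step in walk([C, F, H], X):
        print(step)
    keys = {1: b"constructed-demo-key"}
    _, signed = build_srh([C, F, H], X, key_id=1, key=keys[1])
    print("HMAC valid:", verify_hmac(signed, X, keys))
```

The parser rejects a Segments Left value that points past the Segment List before any destination rewrite happens, which is the bounds check an endpoint needs when the SRH arrives from outside a controlled domain.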

Disjoint TE Service – Example with encapsulation

• A to Z any plane
  • Set of IGP shortest paths to Z

• A to Z via blue plane
  • Traffic Engineering policy:
    • Set of shortest paths to BLUE (anycast IPv6 address/segment)
    • Set of shortest paths to Z

• Benefits
  • ECMP
  • Traffic Engineering with no signaling
  • Traffic Engineering with no midpoint state

[Figure, shown twice (any plane and blue plane): PE, A, 1, 2 and Z, with the blue-plane nodes labelled "IPv6: BLUE". Packet labels added across the animation: "IPv6 Hdr: SA=X, DA=Y / PAYLOAD"; "IPv6 Hdr: SA=X, DA=Z / IPv6 Hdr: SA=X, DA=Y / PAYLOAD"; "IPv6 Hdr: SA=X, DA=BLUE / SR Hdr: SL= BLUE, Z, Y / PAYLOAD"; "IPv6 Hdr: SA=X, DA=Z / SR Hdr: SL= BLUE, Z, Y / PAYLOAD".]

SRv6 Conduit – Service Routing

• Define a segment as a conduit service
  – Example: reach remote VPN site according to a given SLA
• The ingress node of the VPN provider acts as the conduit head-end
• The source VPN site (CE) sends traffic using a single segment identifier. Such segment identifiers point to a remote VPN site through a given SLA
• When reaching the operator network, the segment is “translated” into the segment list corresponding to the remote VPN site reachability and SLA
• Allows mixing IPv6 and MPLS transports

SRv6 Conduit – SRv6 as a Routing Service

[Figure, first animation: nodes 1, 3, 4, 5, 7, 8 and VPN Site 2 (10.3/16). Labels: "Overlay VPN: 10.3/16 via 1111::3001/128, RLOC 8888::8/128"; "INSERT SRH {1111::3001/128}"; "Remove SRH and PUSH {16003, 16005}"; "8888::8/128". Packet labels added across the animation: "DA: 10.3.0.1"; "DA: 1111::3001 / SRH {1111::3001, 8888::8} / DA: 10.3.0.1"; "16003 / 16005 / DA: 8888::8 / DA: 10.3.0.1"; "16005 / DA: 8888::8 / DA: 10.3.0.1"; "DA: 8888::8 / DA: 10.3.0.1"; "DA: 10.3.0.1".]

[Figure, second animation: same topology. Labels: "Overlay VPN: 10.3/16 via 1111::3001/128, RLOC 8888::8/128"; "INSERT SRH {1111::3001/128}"; "Insert segments {3333::3, 5555::5}"; "8888::8/128". Packet labels added across the animation: "DA: 10.3.0.1"; "DA: 1111::3001 / SRH {1111::3001, 8888::8} / DA: 10.3.0.1"; "DA: 3333::3 / SRH {1111::3001, 3333::3, 5555::5, 8888::8} / DA: 10.3.0.1"; "DA: 5555::5 / SRH {1111::3001, 3333::3, 5555::5, 8888::8} / DA: 10.3.0.1"; "DA: 8888::8 / DA: 10.3.0.1"; "DA: 10.3.0.1".]

TI-LFA: Automated 50-msec Protection for IGP Segments

• Guaranteed Link/Node FRR in any topology

• 50msec protection

• Simplicity
  • Entirely automated
  • No signaling
  • No intermediate state

• Incremental deployment
  • Applicable to all traffic

• Optimal backup path along post-convergence path
  • Prevents transient congestion and suboptimal routing

• Repair path expressed as a list of segments and pre-installed in FIB

Content producer engineers its WAN traffic to egress peers

[Figure, two animations: nodes A, B, C, D, E and Z across AS1, AS2, AS3 and AS4. Legend: "Best BGP and IGP Path"; "IGP SR-based Path"; "TE Policy installed by Controller". Packet labels added across the first animation: "IPv6 Hdr: SA:X, DA:Z / PAYLOAD"; "IPv6 Hdr: SA:X, DA:B / SR Hdr: SL= B,Z / PAYLOAD"; "IPv6 Hdr: SA:X, DA:CE / SR Hdr: SL= CE, Z / PAYLOAD". The second animation shows the same labels with "IPv6 Hdr: SA:X, DA:CD / SR Hdr: SL= CD, Z / PAYLOAD" in place of the CE packet.]

SR-IPv6 Peer Engineer

[Figure: three cases labelled Intra-AS EPE, Inter-AS EPE and Remote-AS EPE, with nodes A to G and Z across AS1 to AS6. Legend: "Best BGP and IGP Path"; "IGP SR-based Path"; "TE Policy installed by Controller". Packet labels added across the animation: "IPv6 Hdr: DA=Z / Payload"; "IPv6 Hdr: DA=BD / IPv6 Hdr: DA=Z / Payload"; "IPv6 Hdr: DA=CE / SRH: CE, EG, Z / Payload"; "IPv6 Hdr: DA=EG / SRH: CE, EG, Z / Payload"; "IPv6 Hdr: DA=Z / SRH: CE, EG, Z / Payload".]

SR-IPv6 Example of Service Chaining

86 Segment Routing Service Chaining

• Node connecting the service instance originates a Segment Identifier on behalf of the service • Node can be either virtual or physical (router or virtualized instance) • Segment Identifiers to be known in ingress node • Multiple APIs available: IGP/BGP protocols, NETCONF, REST, OF, SNMP, …

• No burden on application • No state per chain, one single state per service instance • Same model applies to MPLS and IPv6 dataplanes • Application remains SR unaware

[Figure: ingress node A, nodes C and D, service instances S1 and S2. Captions: "C and D advertise S1 and S2 as Segment Identifiers for their attached service instances"; "Ingress classifies the flow and applies the chain: S1, S2"]

87 Segment Routing Service Chaining NSH Integration

• Recently, IETF defined a proposal in order to carry Service Chains information within a newly defined header • Network Service Header, work in progress

• Segment Routing and NSH interoperate • SR to define the service path as a list of segments • NSH to identify the chain (path-id) and to carry metadata • Mapping Segments into path-ids is one option in the DC

88 SR-IPv6 Overlay

[Figure: source X, nodes A to H, service instances S1 and S2, destination Y. Packet headers shown along the path: (IPv6 Hdr: SA=X, DA=S1 | SR Hdr: SL= S1, S2, Y | PAYLOAD); (IPv6 Hdr: SA=X, DA=S2 | SR Hdr: SL= S1, S2, Y | PAYLOAD); (IPv6 Hdr: SA=X, DA=Y | SR Hdr: SL= S1, S2, Y | PAYLOAD); (IPv6 Hdr: DA=Y, SA=X | PAYLOAD)]

• With SR-capable service instances, service chaining leverages the SRH • Still interoperable with NSH • No need to support SR across the network • Transparent to network infrastructure

• Next Step: allow SR service chaining with non-SR applications… • Work in progress
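The destination-address progression on the SR-IPv6 Overlay slide (DA=S1, then S2, then Y, with the segment list unchanged), modelled as an added example that is not part of the original deck, together with a check that flags observed DAs that leave the segment list or step backwards along it. The names Packet, process, walk and audit, the node names and the ownership of each segment are assumptions; the segment list is kept in slide order and the on-wire SRH encoding is not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

A = ipaddress.IPv6Address

@dataclass(frozen=True)
class Packet:
    src: A
    dst: A
    segments: tuple   # path order as drawn on the slides (SL = S1, S2, Y)
    idx: int = 0      # position in segments that dst currently points at

def process(pkt, local_sids):
    """What one node does with pkt, given the segment IDs it owns."""
    if pkt.dst not in local_sids:
        return pkt, "forward"            # non-SR or transit node: route on DA only
    if pkt.idx == len(pkt.segments) - 1:
        return pkt, "deliver"            # last segment: final destination
    nxt = pkt.idx + 1                    # segment endpoint: activate the next segment
    return replace(pkt, dst=pkt.segments[nxt], idx=nxt), "rewrite"

def walk(pkt, nodes):
    """Pass pkt through nodes [(name, local_sids)]; return the DA seen on each link."""
    das = [pkt.dst]
    for _name, sids in nodes:
        pkt, action = process(pkt, sids)
        if action == "deliver":
            break
        das.append(pkt.dst)
    return das

def audit(segments, observed_das):
    """Flag DAs that are off the segment list or that step backwards along it."""
    findings, last = [], -1
    for hop, da in enumerate(observed_das):
        if da not in segments:
            findings.append((hop, str(da), "DA not in segment list"))
            continue
        pos = segments.index(da)
        if pos < last:
            findings.append((hop, str(da), "segment revisited out of order"))
        last = max(last, pos)
    return findings

# Addresses and segment list from the deck's lab topology slide.
SEGS = tuple(A(s) for s in ("db96::9", "db95::9", "db92::9"))
PKT = Packet(A("db91::9"), SEGS[0], SEGS)
# Constructed path: node names and segment ownership are assumptions.
PATH = [("transit-1", set()), ("svc-1", {SEGS[0]}), ("transit-2", set()),
        ("svc-2", {SEGS[1]}), ("dest", {SEGS[2]})]
```

Calling `audit(SEGS, walk(PKT, PATH))` returns an empty list for the intended chain; feeding it DAs captured at successive hops shows where a packet left the programmed path.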

89 SR-IPv6 Topology

[Figure: lab topology. Hosts and applications: Host VM1 (db91::9), Host VM2 (db92::9), SR-App (db95::9), NON-SR-App (db96::9). Routers: VPE1 (db91::1), VPE2 (db23::2), VPE3 (db13::3), VPE4 (db24::4). Packet headers shown: (IPv6 Hdr: SA=db91::9, DA=db96::9 | SR Hdr: db96::9, db95::9, db92::9 | PAYLOAD); (IPv6 Hdr: SA=db91::9, DA=db95::9 | SR Hdr: db96::9, db95::9, db92::9 | PAYLOAD); (IPv6 Hdr: SA=db91::9, DA=db92::9 | SR Hdr: db96::9, db95::9, db92::9 | PAYLOAD); (IPv6 Hdr: SA=db91::9, DA=db92::9 | PAYLOAD)]

90 Trace in VPE3 - incoming from NON-SR-app - outgoing to VPE2 (transit)

[Figure: the lab topology from the previous slide, with packet headers (IPv6 Hdr: SA=db91::9, DA=db92::9 | SR Hdr: db96::9, db95::9, db92::9 | PAYLOAD) and (IPv6 Hdr: SA=db91::9, DA=db95::9 | SR Hdr: db96::9, db95::9, db92::9 | PAYLOAD)]

00:01:11:983942: dpdk-input
  GigabitEthernet0/b/0 rx queue 0
  buffer 0x31180: current data 0, length 174, free-list 4, trace 0x12
00:01:11:983949: ip6-input
  IPV6_ROUTE: db91::9 -> db92::9
00:01:11:983950: ip6-local
  adjacency: local db96::3/64
  flow hash: 0x00000000
00:01:11:983952: sr-local
  SR-LOCAL: src db91::9 dst db95::9 len 160 next_index 1
  next proto 58, len 56, type 4
  next seg 1, last_seg 1, flags clean
  db95::9
  db92::9
  db96::9
00:01:11:983956: ip6-rewrite
  adjacency: GigabitEthernet0/4/0
  IPV6_ROUTE: db91::9 -> db95::9
00:01:11:983957: GigabitEthernet0/4/0-output
  GigabitEthernet0/4/0
  IPV6_ROUTE: db91::9 -> db95::9

Standardization

92 IETF and Segment Routing

• Segment Routing architecture (data plane agnostic), use cases and requirements are documented and discussed in SPRING WG – More than 30 drafts have been produced – Strong consensus on Segment Routing architecture and protocol extensions

• Segment Routing is endorsed by the industry – Multiple vendors have produced interoperable implementations of SR-MPLS already – Segment Routing IPv6 implementations are available

93 IETF and Segment Routing

• Protocol extensions (OSPF, ISIS, BGP, PCEP) are being standardized in their respective WGs

• SR-IPv6 draft is discussed in 6MAN working group

[Figure: front page of the Internet-Draft "IPv6 Segment Routing Header (SRH)", draft-ietf-6man-segment-routing-header-00. Network Working Group, Internet-Draft, Intended status: Standards Track, Expires: June 16, 2016, dated December 14, 2015. Authors: S. Previdi, Ed. and C. Filsfils (Cisco Systems, Inc.), B. Field (Comcast), I. Leung (Rogers Communications), J. Linkova (Google), E. Aries (Facebook), T. Kosugi (NTT), E. Vyncke (Cisco Systems, Inc.), D. Lebrun (Universite Catholique de Louvain)]

94 Segment Routing Header IETF Drafts

• Segment Routing Header (SRH) – draft-ietf-6man-segment-routing-header-06

• IPv6 SPRING Use Cases – aka: Segment Routing IPv6 Use Cases – draft-ietf-spring-ipv6-use-cases-05

95 Summary

96 Segment Routing and the Source Based Routing Model

• By combining types of segments (i.e., instructions), Segment Routing can address a variety of use cases from edge to edge

[Figure: end-to-end path with labels Controller, App, Fwrdr, TOR, Leaf, Spine, DCI, BR, core, SR DC, SR WAN, AS W, AS X, AS Y and AS Z. Captions: "Classify flow and push SR segment list"; "Top Segment provides ECMP-path to selected DCI"; "Next segments implement WAN Policy: Cost vs Latency, Disjointness, Select egress BR"; "Last segment selects egress peer"]

97 Summary

• IPv6/MPLS architecture that seeks the right balance between distributed intelligence and centralized optimization and programming. • simplifies operation (lower opex) • enables application-based service creation (new revenue) • allows for better utilization of the installed infrastructure (lower capex)

• An IPv6/MPLS architecture with wide application • (SP, OTT/Web, GET) across (WAN, Metro/Agg, DC) • MPLS and IPv6 dataplanes • SDN controller

• An architecture designed with SDN in mind

• Segment Routing technology is extensively explained in • http://www.segment-routing.net (includes all published IETF drafts)

98 Summary

• Segment Routing IPv6 implements the well-known IPv6 Source Routing model • IPv6 source routing model is already integrated in RFC 2460 and Segment Routing introduces minor changes through a new routing type header • Segment Routing Header (SRH)

• Segment Routing is very flexible and interoperable with non-SR nodes • An SR node can be a router, a server, any appliance, an application, …

• Segments are identified by IPv6 addresses
