]> Cisco Systems, Inc.

Belgium cf@cisco.com

Cisco Systems, Inc.

Italy ahabdels@cisco.com

Cisco Systems, Inc.

Spain pcamaril@cisco.com

Broadcom

Israel mark.yufit@broadcom.com

Swisscom

Switzerland thomas.graf@swisscom.com

Alibaba, Inc

China yitai.syc@alibaba-inc.com

SoftBank

Japan satoru.matsushima@g.softbank.co.jp

Goldman Sachs

USA michael.j.valentine@gs.com

Arrcus

India amitd@arrcus.com

General IPPM Internet-Draft Path Tracing provides a record of the packet path as a sequence of interface ids. In addition, it provides a record of end-to-end delay, per-hop delay, and load on each egress interface along the packet delivery path. Path Tracing allows to trace 14 hops with only a 40-bytes IPv6 Hop-by-Hop extension header. Path Tracing supports fine grained timestamp. It has been designed for linerate hardware implementation in the base pipeline.

Introduction Path Tracing provides a record of the packet path as a sequence of interface ids. In addition, it provides a record of end-to-end delay, per-hop delay, and load on each egress interface along the packet delivery path. Path Tracing allows to trace 14 hops with only a 40 bytes IPv6 Hop-by-Hop header. The overhead is lower than , , , and . Path Tracing supports fine-grained timestamps. It has been designed for linerate hardware implementation in the base pipeline. Path Tracing is applicable to both SR-MPLS , as well as SRv6 . This document defines the Path Tracing specification for the SRv6 dataplane. The SR-MPLS dataplane will be detailed in a separate document. The specification proposed in this document has been implemented successfully in different interoperable hardware platforms at linerate ().

Terminology The following terms used within this document are defined in , and : Segment Routing (SR), SR Domain, Segment ID (SID), SRv6, SRv6 SID, SR Policy, Segment Routing Header (SRH), SR source node, transit node, SR Endpoint, SA, DA. The following terms are used in this document as defined below: PT: Path Tracing MCD: Midpoint Compressed Data (MCD). Information that every transit router adds to the packet for PT purposes. Defined in of this document. HbH-PT: IPv6 Hop-by-Hop Option for Path Tracing. It contains a stack of MCDs. It is defined in of this document DOH-PT: IPv6 Destination Option for Path Tracing. It is defined in of this document. PT Source: A Source node that starts a PT Probing Instance (defined in ) and generates PT probes. PT Midpoint: A transit node that performs plain IPv6 forwarding (or SR Endpoint processing) and in addition records PT information in the HbH-PT. PT Sink: A node that receives PT probes sent from the SRC containing the information recorded by every PT Midpoint along the path, and forwards them to a regional collector after recording its PT information. RC: Regional collector that receives PT probes, parses, and stores them in TimeSeries Database. It uses the information in the HBH-PT and the DOH-PT to construct the packet delivery path as well as the timestamp at each node.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Midpoint Compressed Data Every PT Midpoint along the packet delivery path -from Source to Sink- records its PT information into the HbH-PT header. This information is known as Midpoint Compressed Data (MCD). It contains the following information: MCD.OIF (Outgoing Interface ID): An 8-bit or 12-bit interface ID associated with the egress physical interface of the router The interface ID is assigned by an operator. The Interface IDs are not globally unique across the entire network. Indeed the same Interface ID may be repeated multiple times in the network as long as the end-to-end path can be deterministically inferred based on the chain of Interface IDs. The programming of the Interface ID in the device may be done by CLI/NETCONF or any other means, and it is out of the scope of this document. The usage of an 8-bit or 12-bit Interface ID is an operator choice, but the Interface ID size MUST be consistent across the entire network. In case of Link Aggregation Groups (LAG/bundle) , each one of the members is configured with a different interface ID. MCD.OIL (Outgoing Interface Load): A 4-bit representation of the egress interface load (i.e., current throughout relative to the interface bandwidth). The load is represented using a 4-bit value in logarithmic scale. This allows more granular information as the load is higher. MCD.TTS (Truncated Timestamp): An 8-bit timestamp encoding the time at which the packet egress the router. Each egress interface in the device is configured with a TTS template. The TTS template defines the position of 8-bits to be selected from the egress timestamp. of this document discusses the timestamp format used in path tracing. A Path Tracing Midpoint implementation MAY support one or more TTS templates. Each TTS template provides a different time precision. An operator configures an egress interface with a single TTS template. The choice of the TTS template for a given interface is based on the type of the link connected to that interface. For example, an interface connected to DC link will have a different TTS Template from an interface connected to intercontinental or WAN link, as they have different precision requirements.

Timestamp requirements

Timestamp format Path Tracing uses a 64-bit timestamp format. recommends two 64-bit timestamp formats: 64-bit Truncated PTP timestamp format and NTP 64-bit timestamp format. Path Tracing can work with both formats indifferently.

Time synchronization All routers across the network MUST have time-synchronization. PTP and NTP are example protocols that can be used for time-synchronization.

PT Probing Instance The controller configures a PT Probing Instance at the source node. A PT Probing Instance is configured with the following parameters: SA: the source address of the PT probe. Typically, it is the loopback address of the PT SRC. Session ID: A 16-bit value. Probe-rate: Number of probes per second to generate as part of this PT Probing Instance. The probe-rate is the aggregate of the probes generated across all the sweeping ranges. SRv6 SID List: The SRv6 SID list associated with the packet. The last SID is the Sink node. DSCP value Hop-limit Value IPv6 Flow-Label sweeping range: If set, different Flow-Label values must be used in the probe packets. It may be specified as a range of specific Flow-Label values to enumerate, or it may be specified as the number of different random Flow-Label values to use in a round-robin. HbH-PT size MTU sweeping range: If set, payload must be included at the end of the packet to test different packet sizes.

PT Source Node Dataplane Behavior For each configured PT Probing Instance, according to the probe-rate, the PT SRC generates a PT probe packet as follows:

Notes: The pseudocode describes local processing at a node. An implementation of the pseudocode is compliant as long as the externally observable wire protocol is as described in the pseudocode.

PT Midpoint Node Dataplane Behavior When a midpoint node receives an IPv6 packet that contains an IPv6 HbH-PT option, the node processes the HbH-PT as follows:

Notes: The PT Midpoint behavior MUST be implemented in the normal pipeline to experience the regular datapath (i.e., linerate with full PPS and full BW). Offloading the processing of this option to either the slow-path or a co-processors is not acceptable and yields invalid results.

PT Sink Node Dataplane Behavior We define a new SRv6 Endpoint Behavior called "Endpoint Behavior bound to an SRv6 Policy with Timestamp, Encapsulation and Forward" ("End.B6.TEF" for short). It is a Binding SID instantiated, at Sink nodes, that encapsulates the packet with a new IPv6 header, an SRH that contains the SID list associated to End.B6.TEF SID, and an IPv6 Destinations Option header with DOH-PT that is used to carry Path Tracing information of Sink node. When N receives a packet whose IPv6 DA is S and S is a local End.B6.TEF SID, N does the following:

Notes: The pseudocode describes local processing at a node. An implementation of the pseudocode is compliant as long as the externally observable wire protocol is as described in the pseudocode.

PT Headers

IPv6 Hop-by-Hop Option for Path Tracing (HbH-PT) This document defines a new IPv6 Option for Path Tracing to be carried in the IPv6 Hop-by-Hop Header. The option has the following format:

Where: Option Type: TBA1-1 The 3 high-order bits of the option must be set to 001 00: Skip HbH for nodes that don't support the HbH-PT Option Type 1: update HbH-PT for nodes that support the HbH-PT Option Type Opt Data Len: the length of the MCD stack in bytes. MCD Stack: metadata scratchpad where PT Midpoints record their MCDs Note: The HbH-PT has a variable length. It is RECOMMENDED that implementations support a 38-octet HbH-PT Option. The operator, upon configuring the Source node behavior, MUST select an option length that is supported by all the routers in the network.

IPv6 Destination Option for Path Tracing (DOH-PT) This document defines a new IPv6 Option for Path Tracing to be carried in the IPv6 Destination Options Header. The option has the following format:

Where: Option Type: TBA1-2 The 3 high-order bits of the option must be set to 000 00: Skip the IPv6 Destination Options header for nodes that don't support the DOH-PT Option Type 0: DOH-PT cannot be changed enroute Opt Data Len: the length of the DOH-PT in bytes (12). T64: 64-bit Timestamp Session ID: Session identifier set by SRC node generating the probes. Used to co-relate probes of the same session. Value of zero means unset. IF_ID: 12-bit Interface ID IF_LD: 4-bit Interface Load Note: The DOH-PT is generated by both the PT SRC and the PT SNK. When used at the PT SNK node, the Session ID field MUST be set to zero.

Benefits Low overhead: A 40Byte Hop-By-Hop header allows for 14 hops path measurements: 1 at the PT SRC, 12 at PT Midpoint routers and 1 at the PT SNK PT has the lowest MTU overhead compared to alternative solutions such as , , , and . Linerate and HW friendliness: Implemented at linerate in current hardware, using the regular forwarding pipeline. No offloading to co-processors or slow-path whose databases might defer from forwarding pipeline. Leverages mature hardware capabilities (basic shift operation); no packet resizing at every node along the path High number of diverse linerate interoperable hardware Implementations (see ) Scalable Fine-grained Timestamp: 64bit at PT SRC and PT SNK 8bit at PT Midpoint leveraging flexible per-outgoing-link template allowing diverse link types in the same measurement (e.g., DC, metro, WAN) Scalable Load measurement

Implementation Status Editorial note: Please remove this section prior publication. The following routing platforms have participated in an interop testing: Cisco 8802 (based on Cisco Silicon One Q200) Cisco ASR9904 with Lightspeed linecard Cisco NCS5508 (based on Broadcom Jericho2 platform) Cisco Nexus N3K-C3464C (based on Barefoot Tofino) SONiC Whitebox (based on Cisco Silicon One Q200) Marvell Prestera Falcon Keysight IxNetwork The following open-source software networking stacks have also participated in the interop: FD.io VPP Linux Kernel The following opensource applications also have extensions to support Path Tracing: Wireshark Tcpdump P4 implementation for software switch

Security Considerations The security considerations for Segment Routing are discussed in . Section 5 of describes the SR Deployment Model and the requirements for securing the SR Domain. The security considerations of also cover topics such as attack vectors and their mitigation mechanisms that also apply to the behaviors introduced in this document. Together, they describe the required security mechanisms that allow establishment of an SR domain of trust. Having such a well-defined trust boundary is necessary in order to operate SRv6-based services for internal traffic while preventing any external traffic from accessing or exploiting the SRv6-based services. This document defines the Path Tracing architecture, which is deployed on a secured SRv6-domain. As such, all the security considerations defined in , , and are applicable. In addition, any border router in an SR Domain network where Path Tracing is enabled, MUST support the configuration of the following ACLs: If there is a packet coming from an external interface destined towards an internal interface that contains an IPv6 Hop-by-Hop header with a Path Tracing option, then such packet is silently dropped. If there is a packet coming from an internal interface destined towards an external interface that contains an IPv6 Hop-by-Hop header with a Path Tracing option, then such packet is silently dropped. These ACLs SHOULD be enabled by default. An operator MAY disable them individually based on local configuration. The processing of IPv6 Hop-by-Hop headers could sometimes be used as an attack vector to overload the CPU of the router. As defined in of this document, the HBH-PT option MUST be processed in the router's fast path. Therefore, there is no impact on the router's CPU.

IANA Considerations This document requests the following IPv6 Option Type assignments from the Destination Options and Hop-by-Hop Options sub-registry of Internet Protocol Version 6 (IPv6) Parameters.

Acknowledgements The authors of this document would like to thank the team that has collaborated on the design and implementation of the Path Tracing framework at Cisco, Broadcom, Marvel, Keysight, Swisscom, Alibaba, Softbank, University of Rome "Tor Vergata", and ETH Zurich. In particular: Eyal Dagan, Guy Caspary, Elad Naor, Aviran Kadosh, Eli Stein, Oren Yabo, Aviad Behar, Anand Sridharan, Anju Dey, John Bettink, Kamran Raza, Asif Islam, Yue Gao, Jakub Horn, Sam Kheirallah, Shelly Cadora, Kris Michielsen, Francois Clad, Stefano Salsano, Andrea Mayer, Paolo Lungaroni, Giulio Sidoretti, Leonardo Rodoni, Marco Tollini, Yuanwen Sun, Anirban Bhattacharya, Ajay Ramamurthy, Manomugdha Biswas, Kingshuk Mandal.

&RFC8200; &RFC8754; &RFC8986; &RFC2119; &RFC8174; &RFC5905; &RFC8402; &RFC8660; &RFC8877; &RFC9197; &I-D.kumar-ippm-ifa; &I-D.song-opsawg-ifit-framework;

Contributors Cisco Systems, Inc.

USA jisu@cisco.com

Cisco Systems, Inc.

Canada rgandhi@cisco.com

Cisco Systems, Inc.

Italy sbezverk@cisco.com

Cisco Systems, Inc.

France sbenayed@cisco.com

Broadcom

Israel israel.meilik@broadcom.com

Broadcom

Israel shay.zadok@broadcom.com

Bell Canada

Canada daniel.voyer@bell.ca

China Mobile

China chengweiqiang@chinamobile.com