]> University of Tuebingen

Tuebingen Germany moritz.fluechter@uni-tuebingen.de

University of Tuebingen

Tuebingen Germany michael.menth@uni-tuebingen.de

Futurewei USA

tte@cs.fau.de

Routing Bit Indexed Explicit Replication multicast resilience BIER-TE extends BIER with tree engineering capabilities and can be supported by almost the same hardware. However, a bitstring in BIER-TE hold bits for BFERs and links, which effects that the size of supportable topologies in terms of BFERs is smaller for BIER-TE than for BIER. While for BIER, subsets can be utilized to improve scaling to large multicast domains, this mechanism requires adaptation for BIER-TE. In this document, requirements for BIER-TE subsets are defined, a mechanism is described for how BIER-TE packets can reach their subsets using tunneling, and 1:1 protection for the entire BIER-TE multicast tree is explained. The concept utilizes egress protection for reaching a subset when the ingress BFIR of the subset fails. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Bit Indexed Explicit Replication Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Bit Index Explicit Replication with Traffic Engineering (BIER-TE) was introduced in as an extension to the BIER archtecture, offering enhanced capabilities through traffic engineering, or "tree engineering" in this context. In BIER-TE, the forwarding and replication of multicast traffic is guided by the BIER-TE header that includes bits representing Bit Forwarding Egress Routers (BFERs) and links. As a result, the entire multicast distribution tree is encoded directly within the packet header. This encoding leads to scalability challenges, particularly in large networks, which are similar as in BIER. However, BIER-TE encodes more information in the bistring and thus scales worse than BIER for large networks. BIER-TE inherits the concept of subsets from BIER where the network domain can be partitioned into smaller sub-topologies. A BIER-TE subset is a partition of the BIER-TE domain with a unique Set Identifier (SI). The SI containing the destination BFERs of a packet is indicated in the BIER-TE header as a bitstring. Further, the bitstring addresses only links and BFERs in that subset. In this document, requirements for BIER-TE subsets are defined, a mechanism is described for how BIER-TE packets can reach their subsets using tunneling. Further the application of 1:1 protection for the entire multicast tree is explained. With these extensions, BIER-TE can scale to large multicast domains. The extensions depend on well established technologies and do not require any changes to the BIER header or forwarding logic.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Abbreviations This document makes use of the terms defined in and in . Further abbreviations used in this document: Abbreviations.

Abbreviation	Meaning	Reference
S-BFIR	Subset Bit Forwarding Ingress Router	This document

BIER-TE Subsets BIER subsets can be constructed by selecting a number of arbitrary BFERs within the BIER domain. The number of BFERs of each subset must not exceed the bitstring length and the BFERs of all subsets should cover all BFERs of the entire domain. This rather unconstraint selection of BFERs works well because a packet sent by a BIER BFIR reaches any BFER over the routing underlay, no matter which subset the BFER belongs to. In contrast, with BIER-TE, a BFER can be reached over a path that is encoded in the bitstring. Therefore, also links need to be part of the subset. Moreover, within a very large ring or a line, a BFIR may be so far away from a BFER that the links of the subset do not suffice to define a path from the BFIR to that BFER. Therefore, a different approach is needed for subsets in BIER-TE. First, a subset also needs links in additions to BFERs which are encoded in the bitstring. The number of BFERs and links within the subset MUST NOT exceed the size of the bitstring. Moreover, links and BFERs need to be connected so that a BIER-TE packet at a source of any link in the subset can reach all BFERs within the subset. The BFRs belonging to the links are also part of the subset but are not represented by a bit in the bitstring unless they constitute BFERs. Thus, a subset needs to be one-connected. That is, the mentioned property is fulfilled unless one link or BFR fails. A BFIR may need to send a packet to a specific BFER, but it does not need to be part of the subset the BFER belongs to. It can however use unicast tunneling to direct packets to some BFR within the subset. That BFR is denoted as S-BFIR (subset BFIR). There may be one or many S-BFIRs for a subset. Subsets for BIER-TE with 1:1 protection have to be at least two-connected, i.e., the remaining subset is one-connected if a link or BFR fails. That is, in case of a failure, there is still a path from any BFR to any BFER within the subset. Further, for every S-BFIR in the subset, one or more backup S-BFIRs have to be assigned. When an S-BFIR fails, the backup S-BFIRs serve as alternative ingress to the subset and ensure that the packets reach the BFERs. A domain may be one- or two connected, but it may be difficult or even impossible to find a desired number of subsets with that property. Then, virtual links may be defined as tunnels whose paths extend over links outside the subset.

Subset Tunneling Any BFIR reaches each subset by tunneling packets to any S-BFIR in the subset. To that end, the BFIR forwarding logic has to be slightly modified from the one defined in . When a BFIR receives an IPMC packet, it determines the destination BFERs and their subsets as with standard BIER-TE. The BFIR clones the packet for each subset and adds the corresponding BIER-TE header to each packet. The BIER-TE bitstring contains the multicast tree from S-BFIR to the BFERs in the same subset. Then, the BFIR adds an outer tunneling header that reaches one of the S-BFIRs of the destination subset.

Example BIER-TE network with a one-connected BIER-TE subset, S-BFIR, and MPLS tunnel.

When an S-BFIR receives such a tunneled packet, it removes the tunnel header and applies BIER-TE forwarding. The tunneling protocols used SHOULD support path steering, e.g., MPLS TE or SRv6. Further, they SHOULD support FRR and egress protection mechanisms for 1:1 protection.

1:1 Protection The protection of BIER-TE with subsets is split into three sections: during tunneling, at the subset ingress, and within the subset.

Subset Tunneling Protection The tunnel between BFIR and S-BFIR may be protected using existing FRR 1:1 protection mechanisms. RSVP-TE with FRR can be used for MPLS and for FRR protection in SRv6.

Subset Ingress Protection When an S-BFIR fails, the packet has to be rerouted to a backup S-BFIR. To protect against this failure, the tunneling protocol must support an egress protection mechanism. If MPLS is used for the tunnel, then the MPLS Egress Protection Framework can be used. For SRv6 egress protection there is a similar draft . When the penultimate tunneling hop detects the failure of the S-BFIR, it becomes the PLR. On a detected failure, the PLR determines a backup S-BFIR of the same subset. If there are multiple backup S-BFIR, the PLR may select a backup S-BFIR based on different criteria, e.g., the closest backup S-BFIR. The PLR uses the egress protection mechanism of the tunneling protocol to reroute the packet to the backup S-BFIR.

MPLS example of a backup S-BFIR and a one-connected subset.

The backup S-BFIR recognizes its role as backup ingress based on the tunneling protocol header. It removes the tunneling header and applies BIER-TE FRR with node protection. This ensures that the packet is forwarded to the correct next hops of the failed S-BFIR. It also modifies the BIER-TE bitstring to prevent loops in the subset. After the backup S-BFIR processing, standard BIER-TE forwarding is applied.

Intra-Subset Protection Protection against failures inside a subset is achieved with existing BIER-TE FRR mechanisms. There are currently two drafts for BIER-TE FRR and . Both define mechanisms for link and node protection and propose BIER-TE-in-BIER-TE tunneling to reroute packets around a failure. Therefore, either of these drafts may be used for the FRR protection mechanisms.

Examples In this section, we present two exemplary scenarios. One for the subset tunneling and one for the ingress protection mechanism.

Subset Tunneling An example topology using BIER-TE subset tunneling is illustrated in . The BFIR determines that the packet needs to be delivered to BFERs 1 and 2. It recognizes that the two BFERs lie within two different subsets and clones the packet. The first packet receives a BIER-TE header with the bits set for link 0 and BFER 1 and is tunneled to the S-BFIR of subset 1. The second packet receives a BIER-TE header with the bits set for link 1 and BFER 2 and is tunneled to subset 2. When the packet arrives at each S-BFIR, the S-BFIR removes the MPLS tunnel header. For subset 1, it then matches the BIER bitstring and forwards the packet over link 0. The S-BFIR of subset to forwards the packet over link 1.

Example BIER-TE network with two subsets and S-BFIRs.

Ingress Protection with MPLS Tunneling illustrates the concept of ingress protection with MPLS. When the tunneled BIER-TE packet arrives at the LSR B, it detects that S-BFIR A failed. Using MPLS egress protection, the PLR (LSR B) switches the label to the context label C' which indicates the backup path to S-BFIR'. S-BFIR' recognizes its role as protector by matching the context label to the failed ingress node. Then, it applies the BIER-TE FRR node protection handling, unsets the bit for link 1 and sets the bit for link 0. This way, the packet reaches the BFR and can be forwarded with standard BIER-TE.

Example BIER-TE network with a single subset and two S-BFIRs.

Security Considerations The security issues discussed in , , and apply to this document.

IANA Considerations This document has no IANA actions.

References Normative References This memo describes per-packet stateless strict and loose path steered replication and forwarding for "Bit Index Explicit Replication" (BIER) packets (RFC 8279); it is called "Tree Engineering for Bit Index Explicit Replication" (BIER-TE) and is intended to be used as the path steering mechanism for Traffic Engineering with BIER. BIER-TE introduces a new semantic for "bit positions" (BPs). These BPs indicate adjacencies of the network topology, as opposed to (non-TE) BIER in which BPs indicate "Bit-Forwarding Egress Routers" (BFERs). A BIER-TE "packets BitString" therefore indicates the edges of the (loop-free) tree across which the packets are forwarded by BIER-TE. BIER-TE can leverage BIER forwarding engines with little changes. Co-existence of BIER and BIER-TE forwarding in the same domain is possible -- for example, by using separate BIER "subdomains" (SDs). Except for the optional routed adjacencies, BIER-TE does not require a BIER routing underlay and can therefore operate without depending on a routing protocol such as the "Interior Gateway Protocol" (IGP). In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document specifies a new architecture for the forwarding of multicast data packets. It provides optimal forwarding of multicast packets through a "multicast domain". However, it does not require a protocol for explicitly building multicast distribution trees, nor does it require intermediate nodes to maintain any per-flow state. This architecture is known as "Bit Index Explicit Replication" (BIER). When a multicast data packet enters the domain, the ingress router determines the set of egress routers to which the packet needs to be sent. The ingress router then encapsulates the packet in a BIER header. The BIER header contains a bit string in which each bit represents exactly one egress router in the domain; to forward the packet to a given set of egress routers, the bits corresponding to those routers are set in the BIER header. The procedures for forwarding a packet based on its BIER header are specified in this document. Elimination of the per-flow state and the explicit tree-building protocols results in a considerable simplification. Huawei USA - Futurewei Technologies Inc. Bouygues Telecom University of Tuebingen University of Tuebingen This document proposes protection methods for the BIER-TE architecture [I-D.ietf-bier-te-arch]. These include 1+1 (live-live) path/tree [RFC7431] redundancy, 1:1 path/tree protection, as well as fast reroute (FRR) methods. The latter may protect against link and/ or node failures and leverage infrastructure tunnels, BIER-in-BIER encapsulation, or header modification for implementation. In particular, this memo describes FRR for BIER-TE in detail. FRR for BIER-TE requires support from the BIER-TE controller and the BFRs that are attached to a link/adjacency for which FRR protection is desired. FRR relies on the BIER header described in [RFC8279] which is also used by BIER-TE. It does not require extensions or modifications to existing BIER-TE tables. However, the presented FRR procedures need some additional forwarding plane logic on the BFR. An additional table is needed that carries information about pre- computed backup paths. When a failure is detected, the information from this table is used to modify the bitstring in the BIER header before forwarding a packet over a backup path. To prevent undesired packet duplication, packets should be tunneled on the backup paths. Futurewei Futurewei China Mobile China Telecom Verizon Inc. Casa Systems Fujitsu Alef Edge This document describes a mechanism for fast re-route (FRR) protection against the failure of a transit node or link on an explicit point to multipoint (P2MP) multicast path/tree in a "Bit Index Explicit Replication" (BIER) Traffic Engineering (TE) domain. It does not have any per-path state in the core. For a multicast packet to traverse a transit node along an explicit P2MP path, when the node fails, its upstream hop node as a PLR reroutes the packet around the failed node along the P2MP path once it detects the failure. Informative References This document specifies a fast reroute framework for protecting IP/MPLS services and MPLS transport tunnels against egress node and egress link failures. For each type of egress failure, it defines the roles of Point of Local Repair (PLR), protector, and backup egress router and the procedures of establishing a bypass tunnel from a PLR to a protector. It describes the behaviors of these routers in handling an egress failure, including local repair on the PLR and context-based forwarding on the protector. The framework can be used to develop egress protection mechanisms to reduce traffic loss before global repair reacts to an egress failure and control-plane protocols converge on the topology changes due to the egress failure. This document updates RFC 4090 for the Resource Reservation Protocol (RSVP) Traffic Engineering (TE) procedures defined for facility backup protection. The updates include extensions that reduce the amount of signaling and processing that occurs during Fast Reroute (FRR); as a result, scalability when undergoing FRR convergence after a link or node failure is improved. These extensions allow the RSVP message exchange between the Point of Local Repair (PLR) and the Merge Point (MP) nodes to be independent of the number of protected Label Switched Paths (LSPs) traversing between them when facility bypass FRR protection is used. The signaling extensions are fully backwards compatible with nodes that do not support them. Cisco Systems Cisco Systems Cisco Systems INSA Lyon Orange Bell Canada This document presents Topology Independent Loop-free Alternate Fast Reroute (TI-LFA), aimed at providing protection of node and adjacency segments within the Segment Routing (SR) framework. This Fast Reroute (FRR) behavior builds on proven IP Fast Reroute concepts being LFAs, remote LFAs (RLFA), and remote LFAs with directed forwarding (DLFA). It extends these concepts to provide guaranteed coverage in any two-connected networks using a link-state IGP. A key aspect of TI-LFA is the FRR path selection approach establishing protection over the expected post-convergence paths from the point of local repair, reducing the operational need to control the tie-breaks among various FRR options. Huawei Futurewei Verizon China Unicom China Unicom TI-LFA specifies fast protections for transit nodes and links of an SR path. However, it does not present any fast protections for the egress node of the SR path. This document describes protocol extensions for fast protecting the egress node and link of a Segment Routing for IPv6 (SRv6) path.