China Mobile

China liuyisong@chinamobile.com

Futurewei Inc.

USA michael.mcbride@futurewei.com

ZTE Corporation

China zzhang_ietf@hotmail.com

Huawei Technologies

China xiejingrong@huawei.com

New H3C Technologies

China linchangwang.04414@h3c.com

PIM Working Group This document specifies the use of Topology Independent Loop-Free Alternate (TI-LFA) mechanisms with Multicast Only Fast ReRoute (MoFRR) for Protocol Independent Multicast (PIM). The TI-LFA mechanism is designed for standard link-state Interior Gateway Protocol (IGP) shortest path and Segment Routing (SR) scenarios. TI- LFA provides fast reroute protection for unicast traffic in IP networks by precomputing backup paths that avoid potential failures. By integrating TI-LFA with MoFRR, this document extends the benefits of fast reroute mechanisms to multicast traffic, enabling enhanced resilience and minimized packet loss in multicast networks. The document outlines the necessary protocol extensions and operational considerations to implement TI-LFA in conjunction with MoFRR for PIM, ensuring that multicast traffic is rapidly rerouted in the event of a failure. This document uses the backup path computed by TI-LFA through IGP as a secondary Upstream Multicast Hop (UMH) for PIM. By using the TI-LFA backup path to send PIM secondary join messages hop-by-hop, it achieves the generation of a fast reroute backup path for PIM multicast.

Introduction The increasing deployment of video services has heightened the importance for network operators to implement solutions that minimize service disruptions caused by faults in the IP networks carrying these services. Multicast-only Fast Reroute (MoFRR), as defined in , offers a mechanism to reduce multicast packet loss in the event of node or link failures by introducing simple enhancements to multicast routing protocols, such as Protocol Independent Multicast (PIM). However, the MoFRR mechanism, which selects the secondary multicast next hop based solely on the loop-free alternate fast reroute defined in , has limitations in certain multicast deployment scenarios. This document introduces a new mechanism for Multicast-only Fast Reroute using Topology Independent Loop-Free Alternate (TI-LFA) fast reroute. Unlike traditional methods, TI-LFA is independent of network topology, enabling broader coverage across diverse network environments. The applicability of this mechanism extends to PIM networks, including scenarios where PIM operates over native IP, as well as public network multicast trees established by PIM. Additionally, this document addresses scenarios involving Multicast Distribution Tree (MDT) SAFI for Multicast VPN (MVPN) in and , covering PIM-SSM Tree, PIM-SM Tree, and BIDIR-PIM Tree deployments. The TI-LFA mechanism is designed for standard link-state Interior Gateway Protocol (IGP) shortest path and Segment Routing (SR) scenarios. For each destination specified by the IGP in the network, TI-LFA pre-installs a backup forwarding entry for the protected destination, ready to be activated upon the detection of a link failure used to reach that destination. This document leverages the backup path computed by TI-LFA through the IGP as a secondary Upstream Multicast Hop (UMH) for PIM. By using the TI-LFA backup path to send PIM secondary join messages hop by hop, it enables the creation of a fast reroute backup path for PIM multicast. The protection techniques described in this document are limited to protecting links and nodes within a link-state IGP area. Protecting domain exit routers and/or links attached to other routing domains is beyond the scope of this document. All the Segment Identifiers (SIDs) required are contained within the Link State Database (LSDB) of the IGP.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology This document utilizes the terminology as defined in and incorporates the concepts established in . The definitions of individual terms are not reiterated within this document.

Problem Statement

LFA for MoFRR Section 3 of specifies that the secondary UMH in PIM for MoFRR is a Loop-Free Alternate (LFA). However, the traditional LFA mechanism requires that at least one neighbor's next hop to the destination node is an loop-free next hop. Due to existing limitations in network deployments, this mechanism only covers certain network topology environments. In specific network topologies, the corresponding secondary UMH cannot be computed, preventing PIM from establishing a standby multicast tree and thus from implementing MoFRR protection. Consequently, the MoFRR functionality in PIM is applicable only in network topologies where LFA is feasible. The limitations of the MoFRR applicability can be illustrated using the example network depicted in Figure 1. In this example, the metric of the R1-R4 link is 20, the metric of the R5-R6 link is 100, and the metrics of the other links are 10. For multicast source S1, the primary path of the PIM join packet is R3->R2->R1, and the secondary path is R3->R4->R1, which corresponds to the LFA path of unicast routing. In this scenario, the MoFRR operates effectively. For multicast source S2, the primary path of the PIM join packet is R3->R2. However, an LFA does not exist. If R3 sends the packet to R4, R4 will forward it back to R3 because the IGP shortest path from R4 to R1 is R4->R3->R2. In this case, the MoFRR cannot calculate a secondary UMH. Similarly, for multicast source S3, the MoFRR mechanism is ineffective.

Example Network Topology

RLFA for MoFRR The Remote Loop-Free Alternate (RLFA), as defined in , extends the traditional LFA mechanism, allowing it to accommodate a broader range of network deployment scenarios by utilizing a tunnel as an alternate path. The RLFA mechanism requires that there exists at least one node, denoted as node N, in the network where the fault node is neither on the path from the source node to node N nor on the path from node N to the destination node. introduces the RPF Vector attribute, which can be included in the PIM Join packet to ensure that the path is selected based on the unicast reachability of the RPF Vector. By combining the RLFA mechanism with the RPF Vector, the secondary multicast tree for MoFRR can be established, thereby supporting a wider range of network topologies compared to the MoFRR implementation with LFA. For instance, in the network illustrated in Figure 1, the secondary path for the PIM Join packet towards multicast source S2 cannot be computed by the MoFRR, as previously described. Utilizing the RLFA mechanism, R3 sends the packet to R4, including an RPF Vector containing the IP address of R1, which serves as the PQ node of R3 with respect to the protected R2-R3 link. Subsequently, R4 forwards the packet to R1 via the R1-R4 link, in accordance with the unicast route associated with the RPF Vector. R1 then continues to forward the packet to R2, thereby establishing the secondary path, R3->R4->R1->R2, using MoFRR with RLFA.

TI-LFA for MoFRR While RLFA provides enhanced capabilities over LFA, it remains dependent on the network topology. In the network depicted in Figure 1, the primary path of the PIM Join packet towards multicast source S3 is R3->R2->R5. However, an RLFA path does not exist because the PQ node of R3 with respect to the protected link R2-R3 is absent. If R3 sends the packet to R7 with an RPF Vector containing the IP address of R5, R7 will forward it back to R3, as the IGP shortest path from R7 to R5 is R7->R3->R2->R5. Similarly, if R3 sends the packet to R7 with an RPF Vector containing the IP address of R6, R7 will forward it to R6, but R6 will then forward it back to R7, as the IGP shortest path from R6 to R5 is R6->R7->R3->R2->R5. In this scenario, MoFRR with RLFA is unable to compute a secondary UMH. RLFA offers improvements over LFA but still has inherent limitations. defines a unicast FRR solution based on the TI-LFA mechanism. The TI-LFA mechanism allows the expression of a backup path using an explicit path and imposes no constraints on the network topology, thus providing a more robust FRR mechanism. Unicast traffic can be forwarded according to an explicit path list as an alternate path to protect unicast traffic, achieving full coverage across various network environments. The alternate path provided by the TI-LFA mechanism is represented as a Segment List, which includes the NodeSID of the P-space node and the Adjacency SIDs of the links between the P-space and Q-space nodes. PIM can look up the corresponding node IP address in the unicast route according to the NodeSID and the IP addresses of the endpoints of the corresponding link in the unicast route according to the Adjacency SIDs. However, multicast protocol packets cannot be directly forwarded along the path of the Segment List. To establish a standby multicast tree, PIM Join messages need to be transmitted hop-by-hop. However, not all nodes and links on the unicast alternate path are included in the Segment List. If PIM protocol packets are transmitted solely in unicast mode, they effectively traverse the unicast tunnel like unicast traffic and do not pass through the intermediate nodes of the tunnel. Consequently, the intermediate nodes on the alternate path cannot forward multicast traffic because they lack PIM state entries. PIM must create entries on each device hop-by-hop, generating an incoming interface and an outgoing interface list, to form a complete end-to- end multicast tree for forwarding multicast traffic. Therefore, simply sending PIM Join packets using the Segment List, as done with unicast traffic, is insufficient to establish a standby multicast tree.

Solution A secondary Upstream Multicast Hop (UMH) serves as a candidate next- hop that can be used to reach the root of the multicast tree. In this document, the secondary UMH is derived from unicast routing, utilizing the Segment List computed by TI-LFA. In essence, the path information from the Segment List is incorporated into the PIM packets to guide hop-by-hop Reverse Path Forwarding (RPF) selection. The IP address corresponding to the Node SID can be used as the segmented root node, while the IP addresses of the interfaces at both endpoints of the link associated with the Adjacency SID can be directly used as the local upstream interface and upstream neighbor. For the PIM protocol, defines the PIM RPF Vector attribute, which can carry the node IP address corresponding to the Node SID. Additionally, defines the explicit RPF Vector, which can carry the peer IP address corresponding to the Adjacency SID. This document leverages the existing RPF Vector standards, obviating the need for PIM protocol extensions. This approach allows the establishment of a standby multicast tree based on the Segment List calculated by TI-LFA, thereby providing comprehensive MoFRR protection for multicast services across diverse network environments. Consider a Segment List calculated by TI-LFA as (NodeSID(A), AdjSID(A-B)). Node A belongs to the P space, and node B belongs to the Q space. The IP address corresponding to NodeSID(A) can be retrieved from the local link-state database of the IGP protocol and assumed to be IP-a. Similarly, the IP addresses of the two endpoints of the link corresponding to AdjSID(A-B) can also be retrieved from the local link-state database and assumed to be IP-La and IP-Lb. Within the PIM process, IP-a is treated as the standard RPF Vector Attribute and added to the PIM Join packet. IP-La is considered the local address of the incoming interface, and IP-Lb is regarded as the address of the upstream neighbor. Consequently, IP-Lb can be included in the PIM Join packet as the explicit RPF Vector Attribute. The PIM protocol initially selects the RPF incoming interface and upstream neighbor towards IP-a and proceeds hop-by-hop to establish the PIM standby multicast tree until reaching node A. At node A, IP- Lb is treated as the PIM upstream neighbor. Node A identifies the incoming interface in the unicast routing table based on IP-Lb, and IP-Lb is used as the RPF upstream address for the PIM Join packet directed towards node B. Upon receiving the PIM Join packet at node B, the PIM protocol, finding no additional RPF Vector Attributes, selects the RPF incoming interface and upstream neighbor towards the multicast source directly. The protocol then continues hop-by-hop to establish the PIM standby multicast tree, extending to the router directly connected to the source.

Illustration This section provides an illustration of MoFRR based on TI-LFA. The example topology is depicted in Figure 2. The metric for the R3-R4 link is 100, while the metrics for the other links are 10. All link metrics are bidirectional.

Example Topology

The IP addresses and SIDs involved in the MoFRR calculation are configured as follows:

IPv4 Data Plane (MPLS-SR)

R4 IP4-R3-R4 Label-R3-R4 R4->R3 IP4-R4-R3 Label-R4-R3 IPv6 Data Plane (SRv6) Node IP Address Node SID (End) R4 IP6-R4 SID-R4 Link IP Address Adjacency SID (End.X) R3->R4 IP6-R3-R4 SID-R3-R4 R4->R3 IP6-R4-R3 SID-R4-R3 ]]> The primary path of the PIM Join packet is R6->R2->R1, and the secondary path is R6->R5->R4->R3->R2->R1. However, the traditional LFA does not function properly for the secondary path because the shortest path to R2 from R5 (or from R4) still traverses the R6-R2 link. In this scenario, R6 must calculate the secondary UMH using the proposed MoFRR method based on TI-LFA. According to the TI-LFA algorithm, the P-space and Q-space are illustrated in Figure 3. The TI-LFA repair path consists of the Node SID of R4 and the Adjacency SID of R4->R3. On the MPLS-SR data plane, the repair segment list is (Label-R4, Label-R4-R3). On the SRv6 data plane, the repair segment list is (SID-R4, SID-R4-R3).

P-Space and Q-Space

In the PIM process, the IP addresses associated with the repair segment list are retrieved from the IGP link-state database. On the IPv4 data plane, the Node SID Label-R4 corresponds to IP4-R4, which will be carried in the RPF Vector Attribute. The Adjacency SID Label-R4-R3 corresponds to the local address IP4-R4-R3 and the remote peer address IP4-R3-R4, with IP4-R3-R4 carried in the Explicit RPF Vector Attribute. On the IPv6 data plane, the End SID SID-R4 corresponds to IP6-R4, which will be carried in the RPF Vector Attribute. The End.X SID SID-R4-R3 corresponds to the local address IP6-R4-R3 and the remote peer address IP6-R3-R4, with IP6-R3-R4 carried in the Explicit RPF Vector Attribute.

Subsequently, R6 installs the secondary UMH using these RPF Vectors.

Forwarding PIM Join Packet along Secondary Path (IPv4) R5---->R4------------>R3----->R2---->R1 ]]>

On the IPv4 data plane, the forwarding of the PIM Join packet along the secondary path is shown in Figure 4. R6 inserts two RPF Vector Attributes in the PIM Join packet: IP4-R4 of Type 0 (RPF Vector Attribute) and IP4-R3-R4 of Type 4 (Explicit RPF Vector Attribute). R6 then forwards the packet along the secondary path. When R5 receives the packet, it performs a unicast route lookup of the first RPF Vector IP4-R4 and sends the packet to R4. R4, being the owner of IP4-R4, removes the first RPF Vector from the packet and forwards it according to the next RPF Vector. R4 sends the packet to R3 based on the next RPF Vector IP4-R3-R4, as its PIM neighbor R3 corresponds to IP4-R3-R4. When R3 receives the packet, as the owner of IP4-R3-R4, it removes the RPF Vector. The packet, now devoid of RPF Vectors, is forwarded to the source through R3->R2->R1 based on unicast routes. After the PIM Join packet reaches R1, a secondary multicast tree, R1->R2->R3->R4->R5->R6, is established hop-by-hop for (S, G) using MoFRR based on TI-LFA.

Forwarding PIM Join Packet along Secondary Path (IPv6) R5---->R4------------>R3----->R2---->R1 ]]>

On the IPv6 data plane, the forwarding of the PIM Join packet along the secondary path is illustrated in Figure 5. The procedure is analogous to that of the IPv4 data plane.

IANA Considerations This document has no IANA actions.

Security Considerations This document does not introduce additional security concerns. It does not change the security properties of PIM. For general PIM-SM protocol security considerations, see . The security considerations of LFA, R-LFA, and MoFRR described in , , and SHOULD apply to this document. When deploying TILFA, packets may be sent over nodes and links they were not transported through before, potentially raising the following security issues:

1. Spoofing and False Route Advertisements
   • Dependencies of LFA/R-LFA/TI-LFA on Routing Information
     • LFAs depend on accurate routing information to determine alternate paths. If an attacker can inject false routing information (e.g., by spoofing link-state advertisements), it could cause the network to select suboptimal or malicious paths for LFAs.
     • R-LFA and TI-LFA also depend on accurate routing information, particularly for determining the tunneling paths or explicit paths. False route advertisements could mislead the network into using insecure or compromised paths.
2. Man-in-the-Middle (MitM) Attacks
   • Use of Alternate Paths
     • By rerouting traffic through alternate paths, especially those that traverse multiple hops (as in R-LFA and TI-LFA), the risk of MitM attacks increases if any of the intermediate routers on the alternate path are compromised.
     • TI-LFA, which uses explicit paths, might expose traffic to routers that were not originally part of the primary path, potentially allowing for interception or alteration of the traffic.
3. Confidentiality and Integrity
   • Traffic Encapsulation
     • R-LFA and TI-LFA involve encapsulating traffic, which may expose it to vulnerabilities if the encapsulation mechanisms are not secure. For instance, if IPsec or another secure encapsulation method is not used, an attacker might be able to intercept or alter the traffic in transit.
   • Protection of Explicit Paths
     • TI-LFA relies on explicit paths that are typically defined using segment routing. If these paths are not properly protected, an attacker could manipulate the segment list to reroute traffic through malicious nodes.
4. Increased Attack Surface
   • Extended Topology
     • By introducing LFA, R-LFA, and TI-LFA, the network increases its reliance on additional routers and links, thereby expanding the potential attack surface. Compromise of any router in these alternate paths could expose traffic to unauthorized access or disruption.

To address security issues #1 and #2 mentioned above, control plane protocols need to provide security protection. To mitigate the risks associated with false route advertisements and MitM attacks, it is recommended to use secure routing protocols (e.g., OSPFv3 with IPsec, ISIS HMAC-SHA256, or PIM with IPsec) that provide authentication and integrity protection for routing updates. To address security issues #3 and #4 mentioned above, these mechanisms need to run within a trusted network. The security of LFA, R-LFA, and TI-LFA mechanisms heavily relies on the trustworthiness of the underlying routing infrastructure. As the solution described in the document is based on Segment Routing technology, readers should be aware of the security considerations related to this technology () and its data plane instantiations (, , and ).

References Normative References Cisco Systems Cisco Systems Cisco Systems INSA Lyon Orange Bell Canada This document presents Topology Independent Loop-free Alternate Fast Reroute (TI-LFA), aimed at providing protection of node and adjacency segments within the Segment Routing (SR) framework. This Fast Reroute (FRR) behavior builds on proven IP Fast Reroute concepts being LFAs, remote LFAs (RLFA), and remote LFAs with directed forwarding (DLFA). It extends these concepts to provide guaranteed coverage in any two-connected networks using a link-state IGP. A key aspect of TI-LFA is the FRR path selection approach establishing protection over the expected post-convergence paths from the point of local repair, reducing the operational need to control the tie-breaks among various FRR options. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document describes the use of loop-free alternates to provide local protection for unicast traffic in pure IP and MPLS/LDP networks in the event of a single failure, whether link, node, or shared risk link group (SRLG). The goal of this technology is to reduce the packet loss that happens while routers converge after a topology change due to a failure. Rapid failure repair is achieved through use of precalculated backup next-hops that are loop-free and safe to use until the distributed network convergence process completes. This simple approach does not require any support from other routers. The extent to which this goal can be met by this specification is dependent on the topology of the network. [STANDARDS-TRACK] This document describes a use of the Protocol Independent Multicast (PIM) Join Attribute as defined in RFC 5384, which enables PIM to build multicast trees through an MPLS-enabled network, even if that network's IGP does not have a route to the source of the tree. [STANDARDS-TRACK] As IPTV deployments grow in number and size, service providers are looking for solutions that minimize the service disruption due to faults in the IP network carrying the packets for these services. This document describes a mechanism for minimizing packet loss in a network when node or link failures occur. Multicast-only Fast Reroute (MoFRR) works by making simple enhancements to multicast routing protocols such as Protocol Independent Multicast (PIM) and Multipoint LDP (mLDP). This document describes an extension to the basic IP fast reroute mechanism, described in RFC 5286, that provides additional backup connectivity for point-to-point link failures when none can be provided by the basic mechanisms. This document specifies Protocol Independent Multicast - Sparse Mode (PIM-SM). PIM-SM is a multicast routing protocol that can use the underlying unicast routing information base or a separate multicast-capable routing information base. It builds unidirectional shared trees rooted at a Rendezvous Point (RP) per group, and it optionally creates shortest-path trees per source. This document obsoletes RFC 4601 by replacing it, addresses the errata filed against it, removes the optional (*,*,RP), PIM Multicast Border Router features and authentication using IPsec that lack sufficient deployment experience (see Appendix A), and moves the PIM specification to Internet Standard. The PIM Reverse Path Forwarding (RPF) Vector TLV defined in RFC 5496 can be included in a PIM Join Attribute such that the RPF neighbor is selected based on the unicast reachability of the RPF Vector instead of the source or Rendezvous Point associated with the multicast tree. This document defines a new RPF Vector Attribute type such that an explicit RPF neighbor list can be encoded in the PIM Join Attribute, thus bypassing the unicast route lookup. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document describes the MVPN (Multicast in BGP/MPLS IP VPNs) solution designed and deployed by Cisco Systems. The procedures specified in this document are largely a subset of the generalized MVPN framework recently standardized by the IETF. However, as the deployment of the procedures specified herein predates the publication of IETF standards (in some cases by over five years), an implementation based on these procedures differs in some respects from a fully standards-compliant implementation. These differences are pointed out in the document. This document defines a Historic Document for the Internet community. This document describes the BGP encodings and procedures for exchanging the information elements required by Multicast in MPLS/BGP IP VPNs, as specified in RFC 6513. [STANDARDS-TRACK] Segment Routing (SR) leverages the source routing paradigm. A node steers a packet through an ordered list of instructions, called "segments". A segment can represent any instruction, topological or service based. A segment can have a semantic local to an SR node or global within an SR domain. SR provides a mechanism that allows a flow to be restricted to a specific topological path, while maintaining per-flow state only at the ingress node(s) to the SR domain. SR can be directly applied to the MPLS architecture with no change to the forwarding plane. A segment is encoded as an MPLS label. An ordered list of segments is encoded as a stack of labels. The segment to process is on the top of the stack. Upon completion of a segment, the related label is popped from the stack. SR can be applied to the IPv6 architecture, with a new type of routing header. A segment is encoded as an IPv6 address. An ordered list of segments is encoded as an ordered list of IPv6 addresses in the routing header. The active segment is indicated by the Destination Address (DA) of the packet. The next active segment is indicated by a pointer in the new routing header. Segment Routing (SR) leverages the source-routing paradigm. A node steers a packet through a controlled set of instructions, called segments, by prepending the packet with an SR header. In the MPLS data plane, the SR header is instantiated through a label stack. This document specifies the forwarding behavior to allow instantiating SR over the MPLS data plane (SR-MPLS). Segment Routing can be applied to the IPv6 data plane using a new type of Routing Extension Header called the Segment Routing Header (SRH). This document describes the SRH and how it is used by nodes that are Segment Routing (SR) capable. The Segment Routing over IPv6 (SRv6) Network Programming framework enables a network operator or an application to specify a packet processing program by encoding a sequence of instructions in the IPv6 packet header. Each instruction is implemented on one or several nodes in the network and identified by an SRv6 Segment Identifier in the packet. This document defines the SRv6 Network Programming concept and specifies the base set of SRv6 behaviors that enables the creation of interoperable overlays with underlay optimization.

Contributors