Support MPLS Network Actions using Post-Stack Extension Headers

Some applications require adding sizable action instructions and/or ancillary data to packets within an MPLS network. Such examples include In-situ OAM (IOAM) and Service Function Chaining (SFC). New applications are emerging. It is possible that the instructions and/or ancillary data for multiple MNAs are stacked together in one packet to support a compound service. Such instructions and/or ancillary data would need to be encoded and encapsulated as new headers in packets. Such headers may require to be processed in fast path due to performance considerations. Moreover, such headers may require being attended at each hop on the forwarding path (i.e., hop-by-hop or HBH) or at designated end nodes (i.e., end-to-end or E2E). The need and requirements to support such applications in MPLS networks, i.e., MPLS Network Actions (MNA), are described in and . It is clear that some header should be located after the MPLS label stack. We call such a header Post-stack MNA Header (PAH). The encapsulation of PAH poses some challenges to MPLS networks, because the MPLS label stack contains no explicit indicator for the upper layer protocols by design. The mechanism to indicate the presence of the PAH is outside the scope of this document. The indication for the presence of the PAH can be achieved using several mechanisms, including carrying a Special Purpose Label (SPL) or signaling it with the label Forwarding Equivalence Class (FEC) as described in . In this document, we focus on the encoding and encapsulation of the PAH in an MPLS packet. The conventional header encoding and encapsulation methods face some challenges in the case of post-stack MNA: A solution may rely on either the built-in next-protocol indicator in the header or the knowledge of the format and size of the header to access the following packet headers. This method requires each node to be able to parse the new header, which is unrealistic in an incremental deployment environment. Some works provide only piecemeal solutions which assume the new header is the only extra header and its location in the packet is fixed by default (e.g., Encapsulation of SFC NSH in MPLS ). It is impossible or difficult to support multiple new headers in one packet due to the conflicting location assumption. Some previous work such as G-ACH was explicitly defined for control channel only, but we need the mechanism to also work for user packets. To solve the aforementioned problems, we introduce PAH as a general and extensible means to support new MNAs which involve instructions and/or ancillary data for each MNA. The concept is similar to IPv6 extension headers which offer a huge potential for extending IPv6's capability (e.g, network security, SRv6, network programming, SFC, etc.). Thanks to the mechanism of extension headers, it is straightforward to continue introducing new network services into IPv6 networks. Nevertheless, when applying the extension headers to MPLS, some issues of the IPv6 EH should be avoided: IPv6's extension headers are chained with the original upper layer protocol headers in a flat stack. One must scan all the extension headers to access the upper layer protocol headers and the payload. This is inconvenient and raises some performance concerns for some applications (e.g., Deep Packet Inspection (DPI) and Equal Cost Multi Path (ECMP)). The new PAH scheme for MPLS needs to improve this. enforces many constraints to IPv6 extension headers (e.g., EH can only be added or deleted by the end nodes specified by the IP addresses in the IPv6 header, and there is only one Hop-by-Hop EH that can be processed on the path nodes), which are not suitable for MPLS networks. For example, MPLS label stacks are added and changed in network, and there could be tunnel within tunnel, so the extension headers need more flexibility.

The concept and design of the PAH comply with the requirements laid out in . All the post-stack MNAs are encapsulated in a PAH. A PAH is composed of a common header plus a chain of extension headers; each extension header is a container for an MNA. Here we highlight some design objectives of PAH (Note: these should be covered by the MNA requirement document): Unnecessary full extension header chain scanning for all MNAs or the upper layer headers should be avoided. The extension headers should be ordered according to the access need. Each extension header should serve only one MNA to avoid the need of packing multiple TLV options in one extension header. New MNAs can be supported by introducing new extension headers. Multiple extension headers can be easily stacked together to support multiple services simultaneously. Legacy devices which do not recognize the PAH should still be able to forward the packets based on the top label as usual. If a PAH-aware device recognizes some of the MNAs but not the others in an extension header chain, it can process the known MNAs only while ignoring the others. A node (i.e., an LER or LSR) can be configured to process or not process any EH. Any tunnel end nodes in the MPLS domain can add new EH to the packets which shall be removed on the other end of the tunnel. We assume the MPLS label stack has included some indicator of the PAH. The actual PAH is inserted between the MPLS label stack and the original upper layer header. The format of the MPLS packets with PAH is shown in .

MPLS PAH ~ ... ... ~ | +--------+--------+--------+--------+ | | | | ~ Extension Header (EH) n ~ | | | / +--------+--------+--------+--------+ | Original | ~ Upper Layer Headers/Payload ~ | | +--------+--------+--------+--------+ ]]> Following the MPLS label stack is the 4-octet Common Header of PAH (CH), which indicates the total number of extension headers in this packet, the overall length of the PAH, the type of the original upper layer header, and the type of the next extension header. The format of the CH is shown in .

The meaning of the fields in a CH is as follows: reserved nibble. The nibble value means to avoid any potential conflicting with IP version numbers and other well-defined semantics . 4-bit unsigned integer for the Extension Header Counter. This field keeps the total number of extension headers included in this packet. It does not count the original upper layer headers. At most 15 EHs are allowed in one packet. 8-bit unsigned integer for the Extension Header Total Length in 4-octet units. This field keeps the total length of the EHs in this packet, not including the CH itself. 8-bit Original Upper Layer protocol number indicating the original upper layer protocol type. It can be set to "UNKNOWN" (value TBD) if unknown. Sometimes the MPLS FEC may indicate the type of payload. In this case either OUL is redundant or OUL can be used to replace the control plane mechanism. 8-bit indicator for the Next Header. This field identifies the type of the MNA in the extension header immediately following the CH. The value of the reserved nibble needs further consideration. The EHC field can be used to keep track of the number of extension headers when some headers are inserted or removed at some network nodes. The EHTL field can help to skip all the EHs in one step if the original upper layer headers or payload need to be accessed. The OUL field can help identify the type of the original upper layer protocol. The format of an Extension Header (EH) is shown in .

The meaning of the fields in an EH is as follows: 8-bit indicator for the Next Header type. This field identifies the type of the MNA in the EH immediately following this EH. 8-bit unsigned integer for the Extension Header Length in 4-octet units, not including the first 4 octets. 16-bit optional type extension. To save the Next Header numbers and extend the number space, it is possible to use one "Next Header" code to cover a set of sub-types. For example, IOAM has several different options, such as trace and DEX. It is too expensive to assign an EH type for each of it. In this case, it is better to have a single EH type value for IOAM, and use the EXT to specify the option types. This field is optional and only specified for some specific MNA types. This field can also be used to encode other information. A variable length field for the specification of an MNA. This field may need to be padded to make the EH 4-octet aligned. The extension headers as well as the first original upper layer protocol header are chained together through the NH field in CH and EHs. The encoding of NH can share the same value registry for IPv4/IPv6 protocol numbers. Values for new MNA types (i.e., NH number) shall be assigned by IANA from the same registry as for the ipv4 and ipv6 protocol numbers (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Specifically, the NH field of the last EH in a chain can have some special values, which shall be assigned by IANA as well: Indicates that there is no other header and payload after this EH. This can be used to transport packets with only extension header(s), for example, the control packets for control or the probe packets for measurements. Note that value 59 was reserved for "IPv6 No Next Header" indicator. It may be possible for MPLS EH to share this value (Note: need to work with 6MAN). Indicates that the type of the header after this header is unknown. This is intended to be compatible with the original MPLS design in which the upper layer protocol type is unknown from the MPLS header alone. Indicates that the next protocol header is still of MPLS type and another MPLS label stack follows. These NH values can only appear in the last EH in an PAH. Note that the original upper layer protocol can be of type "MPLS", which implies that a packet may contain multiple logically independent label stacks separated by PAH. Having more than one independent label stack is not new. For example, A Bier header could separate the transport/bier labels and the payload labels; An MPLS Pseudo Wire (PW) network could be implemented on the top of another infrastructure MPLS network. In such cases, we have the flexibility to apply different services to different label stacks.

Basically, MPLS EHs have two application scopes based on the nature of the contained MNA: HBH and E2E. E2E means that the EH is only supposed to be inserted/removed and processed at the MPLS tunnel end points where the MPLS header is inserted or removed. The EHs that need to be processed on path nodes within the MPLS tunnel are of the HBH type. However, any node in the tunnel can be configured to ignore an HBH EH, even if it is capable of processing it. If there are two types of EHs in a packet, the HBH EHs must take precedence over the E2E EHs. Making a distinction of the EH types and ordering the EHs in a packet help improve the forwarding performance. For example, if a node within an MPLS tunnel finds only E2E EHs in a packet, it can avoid scanning the EH list. The scope of an EH (i.e., HBH or E2E) is an intrinsic property of the contained MNA. In other words, such information can be inferred from the NH value.

A suitable indication for the presence of PAH is ensured before adding the first EH X to an MPLS packet. Then the PAH is inserted after the MPLS label stack. In the CH of the PAH, EHC is set to 1, EHTL is set to the length of X in 4-octet units, OUL is set to a proper value, and NH is set to the header type value of X. At last, X is inserted after the CH, in which NH and HLEN are set accordingly. Note that if this operation happens at a PE device, the upper layer protocol is known before the MPLS encapsulation, so its value can be saved in the OUL and NH field if desired. Otherwise, the NH field is filled with the value of "UNKNOWN". When an EH Y needs to be added to an MPLS packet which already contains the PAH, the EHC and EHTL in the CH are updated accordingly (i.e., EHC is incremented by 1 and EHTL is incremented by the size of Y in 4-octet units). Then a proper location for Y in the EH chain is located. Y is inserted at this location. The NH field of Y is copied from the previous EH's NH field (or from the CH's NH field, if Y is the first EH in the chain). The previous EH's NH value, or, if Y is the first EH in the chain, the CH's NH value, is set to the NH value of Y. Deleting an EH simply reverses the above operation. If the deleted EH is the last one, the PAH indicator and the PAH can also be removed. When processing an MPLS packet with multiple extension headers in an PAH, the node needs to parse through the entire EH chain and process the EH one by one (but not necessarily in the parsing order). The node should ignore any EH that is not recognized or is configured as "Do not Processing" by the control plane. The EH can be categorized into HBH or E2E. Since EHs are ordered based on their type (i.e., HBH EHs are located before E2E EHs), a node can avoid some unnecessary EH scan.

In this section, we show how PAH can be used to support several new network applications. In-situ OAM (IOAM) records flow OAM information within user packets while the packets traverse a network. The instruction and collected data are kept in an IOAM header . When applying IOAM in an MPLS network, the IOAM header can be encapsulated in an extension header within an PAH. A network telemetry and instruction header can be carried as an extension header in PAH to instruct a node what type of network measurements should be done. For example, the method described in can be implemented in MPLS networks since the EH provides a natural way to color MPLS packets. Security related functions often require user packets to carry some instruction and ancillary data. In a DoS limiting network architecture, a "packet passport" header is used to embed packet authentication information for each node to verify. MPLS extension header in PAH can support the implementation of a new flavor of the MPLS-based segment routing, with better performance and richer functionalities. The details will be described in another draft. With PAH, multiple in-network applications can be chained together as extension headers. For example, IOAM and SFC can be applied at the same time to support network OAM and service function chaining. A node can stop scanning the extension header chain if all the known headers it can process have been located. For example, if IOAM is the first EH in a chain and a node is configured to process IOAM only, it can stop searching the EH chain when the IOAM EH is found. Details on some of these use cases and discussions on some other use cases are covered in .

The major security concerns may come from the MNAs that encapsulated in the PAH. So we need to be careful to admit actions and take measures to avoid the security threats such as information leak or DoS attack.

This document requests IANA to assign two new Internet Protocol Numbers from the "Protocol Numbers" Registry to indicate "No Next Header" and "Unknown Next Header". This document does not create any other new registries. New registries for protocol numbers and type extension numbers should be requested by each MNA use case document.

The other contributors of this document are listed as follows. James Guichard Stewart Bryant Andrew Malis

We thank Tarek Saad and the other members of MPLS ODT for helping improve this document.