Segment Routing and the SRv6 Network Programming
Internet Protocol version 6 (IPv6) adoption is growing apace. According to Google statistics, 22% of users reach Google over IPv6 (February 2018), a two-fold increase compared to February 2016. The Internet of Things (IoT) relies on IPv6, as it will provide connectivity for millions of IoT devices in the future. IPv6 is also a key enabler for the Segment Routing (SR) concept, as it provides reachability to SRv6-capable nodes.
Segment routing is a new way of doing source routing: the source selects a path over the network by placing an ordered list of 128-bit IPv6 addresses into the header of an IPv6 packet.
Segment Routing IPv6 (SRv6) Network Programming Concept
The Network Programming Concept (NPC) represents the capability of a network to encode a network program into the individual network instructions (functions) which are then inserted into the IPv6 packet headers. These functions are distributed through the network in the IPv6 packet headers. The IPv6 packet carrying the network instructions explicitly tells the network about the precise SRv6 nodes that must be chosen for packet processing. For instance, such network instructions may select a low latency path over the entire network, omitting paths with higher latency. Along with the addressing, network instructions define a particular task (function) for each SRv6-capable node in the SRv6 network.
Network Instruction (aka SRv6 Segment)
The network instruction is called the SRv6 segment or the Segment Identifier (SID). An SRv6-capable node inserts a single segment into the IPv6 header or multiple segments into the Segment Routing Header (SRH). Segments are 128-bit IPv6 addresses (Picture 1). Typically, the header of an IPv6 packet contains a list of segments. The pointer into the list of segments (SIDs) is located in the Segment Routing Header (SRH) and is known as Segments Left. It refers to the active segment, and its value is decreased by 1 at every SRv6-capable node as the packet travels through the IPv6 network. For instance, if there are five SRv6-capable nodes on the path, Segments Left is initially set to 4. The active segment is set to 4 on the first (source) node. The second SRv6 node on the path that receives the IPv6 packet decreases the Segments Left value to 3 (Picture 2). The last SRv6 (destination) node receives the IPv6 packet with the Segments Left value set to 0 in the SRv6 header.
|Note: The SRv6-capable node places the active SID into the destination address field of the IPv6 packet, as it represents the IPv6 address of the next SRv6 node along the path. We will explain this in more detail further in the article.|
A SID is a 128-bit structure consisting of two parts. The most significant bits (the length is variable according to the I-D) represent the address of a particular SRv6 node. This part is called the Locator and it is used for routing in SRv6 networks. The remaining SID bits identify the function that is executed locally on the node specified by the locator bits.
Picture 1: Network Instruction (SID) Element
|Note: Functions are executed locally by the nodes. However, if we want to pass additional information between the functions, we need a global argument. For instance, it can be the Metadata in TLVs, such as performance statistics across the entire path between the source and the destination node, user identity, credentials, etc. In this case, the argument is placed into the right part of the SID, so a local SID has the form Loc:Func:Args.|
Multiple network instructions (SRv6 segments) may be included in a Segment Routing Header (SRH) inside the IPv6 header (Picture 2). When multiple SRHs are used, they follow each other, and the Next Header field of every SRH is 43, except for the last one, which is 41 (IPv6 header). However, an SRv6 node may receive a packet that has an SRv6 SID in the destination address with no SRH present. In this case, the packet is processed by the SR engine as well.
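The Loc:Func:Args split described above, as an added example that is not part of the original article. It builds and decomposes a SID with Python's standard `ipaddress` module. The I-D leaves the locator length variable, so the 64/32/32-bit layout used here is an assumption for illustration, as is the `2001:db8::/32` documentation prefix used as a locator; the function names `split_sid`, `make_sid` and `locator_prefix` are this example's own.

```python
import ipaddress

# Assumed bit layout for this example. The I-D does not fix these widths;
# a real deployment chooses its own locator and function lengths.
LOCATOR_BITS = 64
FUNCTION_BITS = 32


def split_sid(sid: str, locator_bits: int = LOCATOR_BITS,
              function_bits: int = FUNCTION_BITS):
    """Decompose a 128-bit SRv6 SID into (locator, function, args) integers.

    The most significant locator_bits identify the SRv6 node (the routable
    part); the next function_bits select the local function; whatever is
    left is the optional argument field, giving the Loc:Func:Args shape.
    """
    if not 0 < locator_bits + function_bits <= 128:
        raise ValueError("locator + function widths must fit in 128 bits")
    value = int(ipaddress.IPv6Address(sid))
    args_bits = 128 - locator_bits - function_bits
    locator = value >> (128 - locator_bits)
    function = (value >> args_bits) & ((1 << function_bits) - 1)
    args = value & ((1 << args_bits) - 1)
    return locator, function, args


def make_sid(locator: int, function: int, args: int = 0,
             locator_bits: int = LOCATOR_BITS,
             function_bits: int = FUNCTION_BITS) -> str:
    """Compose a SID from its three parts, rejecting values that overflow their field."""
    args_bits = 128 - locator_bits - function_bits
    fields = (("locator", locator, locator_bits),
              ("function", function, function_bits),
              ("args", args, args_bits))
    for name, val, width in fields:
        if not 0 <= val < (1 << width):
            raise ValueError(f"{name} value does not fit in {width} bits")
    value = (locator << (128 - locator_bits)) | (function << args_bits) | args
    return str(ipaddress.IPv6Address(value))


def locator_prefix(sid: str, locator_bits: int = LOCATOR_BITS) -> str:
    """Return the routable locator prefix of a SID (what the IGP advertises)."""
    return str(ipaddress.IPv6Network((sid, locator_bits), strict=False))


if __name__ == "__main__":
    # Constructed sample: node locator 2001:db8:0:1, function 2, no argument.
    sid = make_sid(0x20010DB800000001, 0x2)
    print(sid, split_sid(sid), locator_prefix(sid))
```

Only the locator part is routed on; the function and argument bits are opaque to transit routers, which is why a node that does not own the locator simply forwards on the destination address.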
Picture 2: Multiple SIDs Inside SRv6 Extension Header
Delivering SRv6 Packets
As the SRv6 packet travels through the network, the Locator and Function of the active SID are copied by each SRv6 node into the destination address field of the IPv6 header. When the SID inside the SRv6 header matches an entry in the SRv6-capable node's Local SID table, the node executes the function encoded in the right part of the SID. The next SID is then placed into the IPv6 DA field and the Segments Left value is decreased by 1 accordingly.
My Local SID Table
Each SRv6-capable node maintains a "My Local SID Table". The table contains all the local SRv6 segments explicitly instantiated at the node. A local SID of the node can be an IPv6 address associated with a local interface of the node (this is not mandatory). Each entry of the "My Local SID Table" indicates the function associated with the local SID. According to the I-D, an SRv6 node can signal the availability of a function via IGP, BGP-LS or BGP/IP VPN, depending on the function that the node performs. For instance, the End.DT6 function (Endpoint with decapsulation and specific IPv6 table lookup) can be advertised by all three protocols. However, BGP is often used to advertise the reachability of prefixes in a particular SR-L3VPN from an egress Provider Edge (egress-PE) to an ingress Provider Edge (ingress-PE). The list of available functions associated with local SIDs is given in the I-D.
The SRv6 programming concept is certainly a topic that might change the way we look at IPv6 networks in the future. According to the concept, the network will be treated as a computer, programmed by a network program encoded as a list of segments.
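The forwarding behaviour of the two preceding sections (SRH traversal with Segments Left, the Local SID table and the End/End.DT6 functions) as an added simulation that is not part of the original article or of any vendor's code. It assumes the RFC 8754 convention that the SRH segment list is stored in reverse path order (Segment List[0] is the last segment), the constructed SIDs `fc00:1::`, `fc00:3::` and `fc00:4::d6`, a non-SRv6 transit node with an empty table, and the hypothetical class and function names `SRv6Node`, `ingress_encapsulate` and `run_path`.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SRH:
    # RFC 8754 ordering (assumption stated in the lead-in): segments[0] is the
    # last segment of the path, segments[-1] the first; segments_left indexes
    # the active segment and reaches 0 at the final SRv6 node.
    segments: List[str]
    segments_left: int


@dataclass
class Packet:
    dst: str                      # outer IPv6 destination address (active SID)
    srh: Optional[SRH]            # None once decapsulated or if no SRH was added
    trace: List[str] = field(default_factory=list)


class SRv6Node:
    """A node with its 'My Local SID Table' mapping local SIDs to function names."""

    def __init__(self, name: str, local_sids: Dict[str, str]):
        self.name = name
        self.local_sids = local_sids

    def process(self, pkt: Packet) -> Optional[Packet]:
        func = self.local_sids.get(pkt.dst)
        if func is None:
            # Not one of my SIDs: plain IPv6 forwarding on the destination address,
            # which is all a non-SRv6-capable transit node ever does.
            pkt.trace.append(f"{self.name}: transit, forward on DA {pkt.dst}")
            return pkt
        if func == "End":
            return self._end(pkt)
        if func == "End.DT6":
            return self._end_dt6(pkt)
        raise ValueError(f"{self.name}: unsupported function {func}")

    def _end(self, pkt: Packet) -> Optional[Packet]:
        # End: needs an SRH with Segments Left > 0; decrement it and copy the
        # newly active SID into the destination address.
        if pkt.srh is None or pkt.srh.segments_left == 0:
            pkt.trace.append(f"{self.name}: drop, End requires SRH with SL > 0")
            return None
        pkt.srh.segments_left -= 1
        pkt.dst = pkt.srh.segments[pkt.srh.segments_left]
        pkt.trace.append(f"{self.name}: End, SL={pkt.srh.segments_left}, DA={pkt.dst}")
        return pkt

    def _end_dt6(self, pkt: Packet) -> Optional[Packet]:
        # End.DT6: only valid at the last segment (SL == 0); decapsulate and
        # look up the inner packet in the VPN's IPv6 table.
        if pkt.srh is not None and pkt.srh.segments_left != 0:
            pkt.trace.append(f"{self.name}: drop, End.DT6 with SL != 0")
            return None
        pkt.srh = None
        pkt.trace.append(f"{self.name}: End.DT6, decapsulate and lookup in IPv6 table")
        return pkt


def ingress_encapsulate(path: List[str]) -> Packet:
    """Ingress PE: build the outer header for a path given in travel order."""
    srh = SRH(segments=list(reversed(path)), segments_left=len(path) - 1)
    return Packet(dst=path[0], srh=srh)


def run_path(nodes: List[SRv6Node], pkt: Packet) -> Optional[Packet]:
    """Push the packet through the nodes in order; None means it was dropped."""
    for node in nodes:
        pkt = node.process(pkt)
        if pkt is None:
            return None
    return pkt


# Constructed topology: two End nodes, one non-SRv6 transit node, one egress PE.
NODES = [
    SRv6Node("p1", {"fc00:1::": "End"}),
    SRv6Node("node2", {}),                       # not SRv6-capable
    SRv6Node("p3", {"fc00:3::": "End"}),
    SRv6Node("pe2", {"fc00:4::d6": "End.DT6"}),  # egress PE, VPN SID
]

if __name__ == "__main__":
    out = run_path(NODES, ingress_encapsulate(["fc00:1::", "fc00:3::", "fc00:4::d6"]))
    print("\n".join(out.trace))
```

The two drop branches are the checks a practitioner wants to see: an End SID reached with no SRH (the "SID in DA, no SRH" case from the previous section is handled by the SR engine, but End itself has nothing to decrement) and an End.DT6 SID reached before the segment list is exhausted, which would decapsulate a packet that still had explicit hops to visit.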
SRv6 has already been implemented by Cisco in their Network Convergence System – NCS 5501 product. The company created a functional demo presented at Cisco Live US in June 2017, which shows the ability of NCSs to encode VPN and TE functions in the SRv6 segments. The demo contains screenshots of the network traffic captured on SRv6-capable nodes. These help to understand addressing and functions executed by each SRv6 node in a topology.
SR-VPNs are a common use case for SRv6 deployment. The ingress PE encapsulates the VPN packet in an outer IPv6 header whose destination address is the SRv6-VPN SID provided by the egress PE. The underlay between the PEs only needs to support plain IPv6 forwarding. Encapsulation protocols such as L2TP, VXLAN or GRE are not needed.
Linux also implements the SRv6 Network Programming model as the kernel module srext. CLI-based configuration is supported by the srconf application.
One of the major benefits of the SRv6 NPC is seamless deployment, as no massive hardware/software upgrade is required in an IPv6 network. According to the I-D, only a few SIDs need to be deployed on strategic nodes. For instance, only a single SID is needed in case 1 (Best-effort VPN) of Cisco's demo. The non-SRv6-capable node 2 simply forwards network traffic based on the IPv6 destination address (SID).
However, with a very long list of explicit SRv6 hops, the encapsulation overhead rises significantly. This is a notable drawback of the whole SRv6 Network Programming Concept.