Segment Routing and the SRv6 Network Programming

IPv6 Addressing

The Internet Protocol version 6 (IPv6) adoption is growing at pace. According to Google statistics, 22% of the users reach Google over IPv6 (February 2018). It is 2-fold growth compared to February 2016. The Internet of Things (IoT) relies on IPv6, as it will provide connection for millions of IoT devices in the future. IPv6 is also a key enabler for the Segment Routing (SR) concept as it provides reachability to SRv6-capable nodes.

Segment Routing

Segment routing is a new way of doing source routing where the source selects a path over a network, placing an ordered list of 128-bit IPv6 addresses into the header of an IPv6 packet.

Segment Routing IPv6 (SRv6) Network Programming Concept

The Network Programming Concept (NPC) represents the capability of a network to encode a network program into the individual network instructions (functions) which are then inserted into the IPv6 packet headers. These functions are distributed through the network in the IPv6 packet headers. The IPv6 packet carrying the network instructions explicitly tells the network about the precise SRv6 nodes that must be chosen for packet processing. For instance, such network instructions may select a low latency path over the entire network, omitting paths with higher latency. Along with the addressing, network instructions define a particular task (function) for each SRv6-capable node in the SRv6 network.

Network Instruction (aka SRv6 Segment)

The network instruction is called the SRv6 segment or the Segment Identifier (SID). SRv6-capable node inserts a single segment into the IPv6 header or multiple segments into the Segment Routing Header (SRH). Segments are the 128-bit IPv6 addresses (Picture 1). Typically, a header of the IPv6 packet contains a list of segments. The pointer between the segments (SIDs) is located in the Segment Routing Header (SRH) and is known as the Segment Left. It refers to the active segment with its value getting decreased by 1 for every SRv6-capable node as the packet travels through the IPv6 network. For instance, if there are five SRv6-capable nodes located on the path, the Segment Left is initially set to 4. The active segment is set to 4 on the first (source) node. The second SRv6 node on the path that receives an IPv6 packet decreases the Segment Left value to 3 (Picture 2). The last SRv6 (destination) node receives the IPv6 packet with Segment left value set to 0 in the SRv6 header.

SID represents a 128bit structure, consisting of two parts. The first most significant bits (the length is variable according to I-D) represent an address of a particular SRv6 node. This part is called a Locator and it is used for routing in SRv6 networks. Remaining SID bits identify the function that is executed locally on a particular node, specified by the locator bits.

Picture 1: Network Instruction (SID) Element

Multiple network instructions (SRv6 segments) might be included into a Segment Routing Header (SRH) inside of the IPv6 header (Picture 2). When multiple SRHs are used, they follow each other and the Next Header field of all SRH is 43, except for the last one which is 41 (IPv6 header). However, SRv6 node may receive a packet that has SRv6 SID in the destination address with SRH not being presented. In this case, a packet is processed  by the SR engine as well.

Picture 2:  Multiple SIDs Inside SRv6 Extension Header

Delivering SRv6 Packets

As the SRv6 packet travels the network, the Locator and Function are copied by each SRv6 node to the destination IPv6 address field of the IPv6 header. When the SID inside of the SRv6 header matches Local SID table of the SRv6 capable node, the node executes a function encoded in the right part of the SID. The next SID is placed into the IPv6 DA field and the Segment Left Value is decreased by 1 accordingly.

My Local SID Table

Each SRv6 capable node maintains а “My Local SID Table”. The table contains all the local SRv6 segments explicitly instantiated at the node. A local SID of the node can be an IPv6 address associated with a local interface of the node (not mandatory). Each entry of the “My Local SID Table” indicates the function associated with the local SID. According to the I-D, an SRv6 node can signal the availability of function via IGP BGP-LS or BGP/IP VPN, depending on the function that a node performs. For instance, the End.DT6 function (Endpoint with decapsulation and specific IPv6 table lookup) can be advertised by all three protocols. However, BGP is often used to advertise the reachability of prefixes in a particular SR-L3VPN from an Egress Provider Edge (egress-PE) to an ingress Provider Edge (ingress-PE). The list of available functions associated with the local SIDs is listed in the I-D.

SRv6 programming concept is certainly a topic that might change the way we look at  IPv6 networks in the future. According to the concept, the network will be treated as a computer, programmed by a network program, encoded as a list of segments.

SRv6 has already been implemented by Cisco in their Network Convergence System – NCS 5501 product. The company created a functional demo presented at Cisco Live US in June 2017, which shows the ability of NCSs to encode VPN and TE functions in the SRv6 segments. The demo contains screenshots of the network traffic captured on SRv6-capable nodes. These help to understand addressing and functions executed by each SRv6 node in a topology.

SR-VPNs often present the use cases for SRv6 deployment. The ingress PE encapsulates the VPN packet in an outer IPv6 header where the destination address is the SRv6-VPN SID provided by the egress PE. The underlay between the PE’s only needs to support plain IPv6 forwarding. Encapsulation protocols such as L2TP, VXLAN, GRE are not needed.

Linux also implements the SRv6 Network Programming model as a kernel module srext. CLI based configuration is supported by application srconf.

One of the major benefits of the SRv6 NPC is the seamless deployment, as no massive hardware/software upgrade is required in an IPv6 network. According to the I-D, only a few SIDs should be deployed on the strategic nodes. For instance, only a single SID is needed in case 1 (Best-effort VPN) of the Cisco’s demo. Non SRv6-capable node 2 just forwards network traffic based on the IPv6 destination address (SID).

However, in case of a very long list of the explicit SRv6 hops, encapsulation overhead raises significantly. This represents a significant drawback of the whole SRv6 Network Programming Concept.