Active OAM for Service Function Chaining

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶

This Internet-Draft will expire on 18 December 2021.¶

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶

Table of Contents

2. Terminology and Conventions

The terminology defined in [RFC7665] is used extensively throughout this document. The reader is expected to be familiar with it.¶

In this document, SFC OAM refers to an active OAM [RFC7799] in an SFC architecture.¶

3. Requirements for Active OAM in SFC

As discussed in [RFC8924], SFC-specific means are needed to perform the OAM task of fault management (FM) in an SFC architecture, including failure detection, defect characterization, and localization. This document defines the set of requirements for active FM OAM mechanisms to be used in an SFC architecture.¶

              +-----+ +-----+ +-----+ +-----+ +-----+ +-----+
              |SFI11| |SFI12| |SFI21| |SFI22| |SFI31| |SFI32|
              +-----+ +-----+ +-----+ +-----+ +-----+ +-----+
                  \    /          \   /           \    /
   +----------+   +----+         +----+          +----+
   |Classifier|---|SFF1|---------|SFF2|----------|SFF3|
   +----------+   +----+         +----+          +----+

The architecture example depicted in Figure 1 considers a service function chain that includes three distinct service functions. In this example, the SFP traverses SFF1, SFF2, and SFF3, each SFF being connected to two instances of the same service function. End-to-end (E2E) SFC OAM has the Classifier as the ingress and SFF3 as its egress. Segment SFC OAM is between two elements that are part of the same SFP. Following are the requirements for an FM SFC OAM, whether with the E2E or segment scope:¶

REQ#1: Packets of active SFC OAM SHOULD be fate sharing with the monitored SFC data in the forward direction from ingress toward egress endpoint(s) of the OAM test.¶

The fate sharing, in the SFC environment, is achieved when a test packet traverses the same path and receives the same treatment in the transport layer as an SFC-encapsulated packet (e.g., NSH).¶

REQ#2: SFC OAM MUST support monitoring of the continuity of the SFP between any of its elements.¶

An SFC failure might be declared when several consecutive test packets are not received within a pre-determined time. For example, in the E2E FM SFC OAM case, the egress, SFF3, in the example in Figure 1, could be the entity that detects the SFP's failure by monitoring a flow of periodic test packets. The ingress may be capable of recovering from the failure, e.g., using redundant SFC elements. Thus, it is beneficial for the egress to signal the new defect state to the ingress, which in this example is the Classifier. Hence the following requirement:¶

REQ#3: SFC OAM MUST support Remote Defect Indication notification by the egress to the ingress.¶

REQ#4: SFC OAM MUST support connectivity verification of the SFP. Definition of the misconnection defect, entry, and exit criteria are outside the scope of this document.¶

Once the SFF1 detects the defect, the objective of the SFC OAM changes from the detection of a defect to defect characterization and localization.¶

REQ#5: SFC OAM MUST support fault localization of the Loss of Continuity Check within an SFP.¶

REQ#6: SFC OAM MUST support an SFP tracing to discover the RSP.¶

In the example presented in Figure 1, two distinct instances of the same service function share the same SFF. In this example, the SFP can be realized over several RSPs that use different instances of SF of the same type. For example, RSP1(SFI11--SFI21--SFI31) and RSP2(SFI12--SFI22--SFI32). Available RSPs can be discovered using the trace function discussed in Section 4.3 [RFC8924] or the procedure defined in Section 6.7.¶

REQ#7: SFC OAM MUST have the ability to discover and exercise all available RSPs in the network.¶

The SFC OAM layer model described in [RFC8924] offers an approach for defect localization within a service function chain. As the first step, the SFP's continuity for SFFs that are part of the same SFP could be verified. After the reachability of SFFs has already been verified, SFFs that serve an SF may be used as a test packet source. In such a case, SFF can act as a proxy for another element within the service function chain.¶

REQ#8: SFC OAM MUST be able to trigger on-demand FM with responses being directed towards the initiator of such proxy request.¶

4. Active OAM Identification in the NSH

The O bit in the NSH is defined in [RFC8300] as follows:¶

• O bit: Setting this bit indicates an OAM packet.¶

This document updates that definition as follows:¶

• O bit: Setting this bit indicates an OAM command and/or data in the NSH Context Header or packet payload.¶

Active SFC OAM is defined as a combination of OAM commands and/or data included in a message that immediately follows the NSH. To identify the active OAM message, the "Next Protocol" field MUST be set to Active SFC OAM (TBA1) (Section 9.1). The rules for interpreting the values of the O bit and the "Next Protocol" field are as follows:¶

• O bit set and the "Next Protocol" value does not match one of identifying active or hybrid OAM protocols (per classification defined in [RFC7799]), e.g., defined in Section 9.1 Active SFC OAM (TBA1).¶

  - a Fixed-Length Context Header or Variable-Length Context Header(s) contain an OAM command or data.¶

  - the type of payload is determined by the "Next Protocol" field.¶

• O bit set and the "Next Protocol" value matches one of identifying active or hybrid OAM protocols:¶

  - the payload that immediately follows the NSH MUST contain an OAM command or data.¶

• O bit is clear:¶

  - no OAM in a Fixed-Length Context Header or Variable-Length Context Header(s).¶

  - the payload determined by the "Next Protocol" field MUST be present.¶

• O bit is clear, and the "Next Protocol" field identifies active or hybrid OAM protocol MUST be identified and reported as an erroneous combination. An implementation MAY have control to enable processing of the OAM payload.¶

One conclusion from the above-listed rules of processing the O bit and the "Next Protocol" field is to avoid the combination of OAM in an NSH Context Header (Fixed-Length or Variable-Length) and the payload immediately following the NSH because there is no unambiguous way to identify such combination using the O bit and the Next Protocol field.¶

5. Active SFC OAM Header

As demonstrated in Section 4 [RFC8924] and Section 3 of this document, SFC OAM is required to perform multiple tasks. Several active OAM protocols could be used to address all the requirements. When IP/UDP encapsulation of an SFC OAM control message is used, protocols can be demultiplexed using the destination UDP port number. But extra IP/UDP headers, especially in an IPv6 network, add noticeable overhead. This document defines Active OAM Header (Figure 2) to demultiplex active OAM protocols on an SFC.¶

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| V | Msg Type  |     Flags     |          Length               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~              SFC Active OAM Control Packet                    ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

• V - two-bit-long field indicates the current version of the SFC active OAM header. The current value is 0. The version number is to be incremented whenever a change is made that affects the ability of an implementation to parse or process the SFC Active OAM header correctly. For example, if syntactic or semantic changes are made to any of the fixed fields.¶
• Msg Type - six bits long field identifies OAM protocol, e.g., Echo Request/Reply or Bidirectional Forwarding Detection.¶
• Flags - eight bits long field carries bit flags that define optional capability and thus processing of the SFC active OAM control packet, e.g., optional timestamping. No flags are defined in this document. Thus, the bit flags MUST be zeroed on transmission and ignored on receipt.¶
• Length - two octets long field that is the length of the SFC active OAM control packet in octets.¶

6. Echo Request/Echo Reply for SFC

Echo Request/Reply is a well-known active OAM mechanism extensively used to verify a path's continuity, detect inconsistencies between a state in control and the data planes, and localize defects in the data plane. ICMP ([RFC0792] for IPv4 and [RFC4443] for IPv6 networks, respectively) and [RFC8029] are examples of broadly used active OAM protocols based on the Echo Request/Reply principle. The SFC Echo Request/Reply defined in this document addresses several requirements listed in Section 3. Specifically, it can be used to check the continuity of an SFP, trace an SFP, or localize the failure within an SFP. The SFC Echo Request/Reply control message format is presented in Figure 3.¶

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | V |        Reserved           |      Echo Request Flags       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Message Type  |   Reply mode  |  Return Code  |Return Subcode |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Sender's Handle                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Sequence Number                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                              TLVs                             ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The interpretation of the fields is as follows:¶

• Version (V) is a two-bit field that indicates the current version of the SFC Echo Request/Reply. The current value is 0. The version number is to be incremented whenever a change is made that affects the ability of an implementation to parse or process the control packet correctly. If a packet presumed to carry an SFC Echo Request/Reply is received at an SFF, and the SFF does not understand the Version field value, the packet MUST be discarded, and the event SHOULD be logged.¶
• Reserved - fourteen-bit field. It MUST be zeroed on transmission and ignored on receipt.¶
• The Echo Request Flags is a two-octet bit vector field. Note that a flag defined in the Flags field of the SFC Active OAM header in Figure 2 has no implication of those defined in the Echo Request Flags field of an Echo Request/Reply message.¶
• The Message Type is a one-octet field that reflects the packet type. Value TBA3 identifies Echo Request and TBA4 - Echo Reply.¶
• The Reply Mode is a one-octet field. It defines the type of the return path requested by the sender of the Echo Request.¶
• Return Codes and Subcodes are one-octet fields each. These can be used to inform the sender about the result of processing its request. Initial Return Code values are provided in Table 1. For all Return Code values defined in this document, the value of the Return Subcode field MUST be set to zero.¶
• The Sender's Handle is a four-octet field. It MUST be filled in by the sender of the Echo Request and returned unchanged by the Echo Reply sender (if a reply mandated). The sender of the Echo Request SHOULD use a pseudo-random number generator to set the value of the Sender's Handle field.¶
• The Sequence Number is a four-octet field. It is assigned by the sender and can be, for example, used to detect missed replies. The initial Sequence Number MUST be randomly generated and then SHOULD be monotonically increasing in the course of the test session.¶

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Type     |    Reserved   |           Length              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                            Value                              ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

TLV is a variable-length field. Multiple TLVs MAY be placed in an SFC Echo Request/Reply packet. Additional TLVs may be enclosed within a given TLV, subject to the semantics of the (outer) TLV in question. If more than one TLV is to be included, the value of the Type field of the outmost outer TLV MUST be set to "Multiple TLVs Used" (TBA12), as assigned by IANA according to Section 9.4. Figure 4 presents the format of an SFC Echo Request/Reply TLV, where fields are defined as follows:¶

• Type - a one-octet-long field that characterizes the interpretation of the Value field. Type values allocated according to Section 9.4.¶
• Reserved - one-octet-long field. The value of the Type field determines its interpretation and encoding.¶
• Length - two-octet-long field equal to the Value field's length in octets.¶
• Value - a variable-length field. The value of the Type field determines its interpretation and encoding.¶

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Source ID  |   Reserved1   |           Length              |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         Port Number         |           Reserved2           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                        IP Address                           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Errored TLVs |    Reserved   |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Value                             |
      .                                                               .
      .                                                               .
      .                                                               .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

7. Security Considerations

When the integrity protection for SFC active OAM, and SFC Echo Request/Reply in particular, is required, it is RECOMMENDED to use one of the Context Headers defined in [I-D.ietf-sfc-nsh-integrity]. MAC#1 (Message Authentication Code) Context Header could be more suitable for active SFC OAM because it does not require re-calculation of the MAC when the value of the NSH Base Header's TTL field is changed. The integrity protection for SFC active OAM can also be achieved using mechanisms in the underlay data plane. For example, if the underlay is an IPv6 network, IP Authentication Header [RFC4302] or IP Encapsulating Security Payload Header [RFC4303] can be used to provide integrity protection. Confidentiality for the SFC Echo Request/Reply exchanges can be achieved using the IP Encapsulating Security Payload Header [RFC4303]. Also, the security needs for SFC Echo Request/Reply are similar to those of ICMP ping [RFC0792], [RFC4443] and MPLS LSP ping [RFC8029].¶

There are at least three approaches to attacking a node in the overlay network using the mechanisms defined in the document. One is a Denial-of-Service attack, sending an SFC Echo Request to overload an element of the SFC. The second may use spoofing, hijacking, replying, or otherwise tampering with SFC Echo Requests and/or replies to misrepresent, alter the operator's view of the state of the SFC. The third is an unauthorized source using an SFC Echo Request/Reply to obtain information about the SFC and/or its elements, e.g., SFF or SF.¶

It is RECOMMENDED that implementations throttle the SFC ping traffic going to the control plane to mitigate potential Denial-of-Service attacks.¶

Reply and spoofing attacks involving faking or replying to SFC Echo Reply messages would have to match the Sender's Handle and Sequence Number of an outstanding SFC Echo Request message, which is highly unlikely. Thus the non-matching reply would be discarded.¶

To protect against unauthorized sources trying to obtain information about the overlay and/or underlay, an implementation MAY check that the source of the Echo Request is indeed part of the SFP.¶

9. IANA Considerations

Authors' Addresses