Internet-Draft | NSH MD2 Context Headers | January 2022 |
Wei, et al. | Expires 16 July 2022 | [Page] |
Service Function Chaining (SFC) uses the Network Service Header (NSH) (RFC 8300) to steer and provide context Metadata (MD) with each packet. Such Metadata can be of various Types including MD Type 2 variable length context headers. This document specifies several such context headers that can be used within a service function path.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 16 July 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Network Service Header (NSH) [RFC8300] is the Service Function Chaining (SFC) encapsulation that supports the SFC architecture [RFC7665]. As such, the NSH provides following key elements:¶
[RFC8300] further defines two metadata formats (MD Types): 1 and 2. MD Type 1 defines the fixed-length, 16-octet long metadata, whereas MD Type 2 defines a variable-length context format for metadata. This document defines several common metadata context headers for use with NSH MD Type 2. These supplement the Subscriber Identity and Performance Policy MD Type 2 metadata context headers specified in [RFC8979].¶
This document does not address metadata usage, updating/chaining of metadata, or other SFP functions. Those topics are described in [RFC8300].¶
This document uses the terminology defined in the SFC Architecture [RFC7665] and the Network Service Header [RFC8300].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
An NSH is composed of a 4-octet Base Header, a 4-octet Service Path Header and optional Context Headers. The Base Header identifies the MD-Type in use:¶
Please refer to NSH [RFC8300] for a detailed header description.¶
When the base header specifies MD Type = 0x2, zero or more Variable Length Context Headers MAY be added, immediately following the Service Path Header. Figure 2 below depicts the format of the Context Header as defined in Section 2.5.1 of [RFC8300].¶
[RFC8300] specifies Metadata Class 0x0000 as IETF Base NSH MD Class. In this document, metadata types are defined for the IETF Base NSH MD Class.¶
This metadata context carries a network forwarding context, used for segregation and forwarding scope. Forwarding context can take several forms depending on the network environment. For example, VXLAN/VXLAN-GPE VNID, VRF identification, or VLAN.¶
where:¶
Context Type (CT) is four bits-long field that defines the length and the interpretation of the Forwarding Context field. Please see the IANA Considerations in Section 7. This document defines these CT values:¶
Tenant identification is often used for segregation within a multi-tenant environment. Orchestration system-generated tenant IDs are an example of such data. This context header carries the value of the Tenant identifier.¶
The fields are described as follows:¶
This context header carries a Node ID of the ingress network node.¶
The fields are described as follows:¶
This context identifies the ingress interface of the ingress network node.¶
The fields are described as follows:¶
Flow ID provides a field in the NSH MD Type 2 to label packets belonging to the same flow. Absence of this field, or a value of zero denotes that packets have not been labeled.¶
The fields are described as follows:¶
Intent-based systems can use this data to express the logical grouping of source and/or destination objects. [OpenStack] and [OpenDaylight] provide examples of such a system. Each is expressed as a 32-bit opaque object.¶
Traffic handling policies are often referred to by a system-generated identifier, which is then used by the devices to look up the policy's content locally. For example, this identifier could be an index to an array, a lookup key, a database Id. The identifier allows enforcement agents or services to look up the content of their part of the policy.¶
The fields are described as follows:¶
This policy identifier is a general policy ID, essentially a key to allow Service Functions to know which policies to apply to packets. Those policies generally will not have much to do with performance, but rather with what specific treatment to apply. It may for example select a URL filter data set for a URL filter, or select a video transcoding policy in a transcoding SF. The Performance Policy Identifier in [RFC8979] is described there as having very specific use, and for example says that fully controlled SFPs would not use it. The Policy ID in this document is for cases not covered by [RFC8979].¶
A misbehaving node from within the SFC-enabled domain may alter the content of the Context Headers, which may lead to service disruption. Such an attack is not unique to the Context Headers defined in this document. Measures discussed in Section 8 of [RFC8300] describes the general security considerations for protecting NSH. [I-D.ietf-sfc-nsh-integrity] specifies methods of protecting the integrity of the NSH metadata. If the NSH includes the MAC Context Header, the authentication of the packet MUST be verified before using any data. If the verification fails, the receiver MUST stop processing the variable length context headers and notify an operator.¶
The authors would like to thank Paul Quinn, Behcet Sarikaya, Dirk von Hugo, Mohamed Boucadair, Gregory Mirsky, and Joel Halpern for providing invaluable concepts and content for this document.¶
IANA is requested to assign the following types (Table 1) from the "NSH IETF- Assigned Optional Variable-Length Metadata Types" registry available at [IANA-NSH-MD2].These Metadata Types only apply when the Metadata Class is 0x000 (IETF Base NSH MD Class)¶
Value | Description | Reference |
---|---|---|
TBA1 | Forwarding Context | This document |
TBA2 | Tenant Identifier | This document |
TBA3 | Ingress Network NodeID | This document |
TBA4 | Ingress Network Interface | This document |
TBA5 | Flow ID | This document |
TBA6 | Source and/or Destination Groups | This document |
TBA7 | Policy Identifier | This document |
IANA is requested to create a new sub-registry for "Forwarding Context" context types at [IANA-NSH-MD2] as follows:¶
The Registration Policy is IETF Review¶
Value | Forwarding Context Header Types | Reference |
---|---|---|
0x0 | 12-bit VLAN identifier | This document |
0x1 | 24-bit double tagging identifiers | This document |
0x2 | 20-bit MPLS VPN label | This document |
0x3 | 24-bit virtual network identifier (VNI) | This document |
0x4 | 32-bit Session ID | This document |
0x5-0xE | Unassigned | |
0xF | Reserved | This document |