Segment Routing with IPv6 Eric Vyncke Distinguished Engineer – Cisco Systems September, 2014 Leveraging IPv6 extension header for traffic.

Slides:

Advertisements

Similar presentations

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 MPLS Scale to 100k endpoints with resiliency and simplicity Clarence.

Advertisements

OLD DOG CONSULTING Challenges and Solutions for OAM in Point-to-Multipoint MPLS Adrian Farrel, Old Dog Consulting Ltd. Zafar Ali, Cisco Systems, Inc.

Loose Source Routing as a Mechanism for Traffic Policies Katerina Argyraki and David R. Cheriton Presented by Thuan Huynh, Robert Patro, and Shomir Wilson.

Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.

1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Introduction into VXLAN Russian IPv6 day June 6 th, 2012 Frank Laforsch Systems Engineer, EMEA

REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX Gregory Detal*, Benjamin Hesmans*, Olivier Bonaventure*, Yves Vanaubel° and Benoit Donnet°. *Université.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

© 2010 Cisco and/or its affiliates. All rights reserved. 1 Segment Routing Clarence Filsfils – Distinguished Engineer Christian Martin –

UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.

IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,

Network Layer Packet Forwarding IS250 Spring 2010

PCEP Extensions for Segment Routing draft-ietf-pce-segment-routing-01

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

MPLS H/W update Brief description of the lab What it is? Why do we need it? Mechanisms and Protocols.

A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 4: Frame Mode MPLS Implementation.

CS 6401 IPv6 Outline Background Structure Deployment.

1Group 07 IPv6 2 1.ET/06/ ET/06/ ET/06/ EE/06/ EE/06/ EE/06/6473 Group 07 IPv6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

1 Multi-Protocol Label Switching (MPLS). 2 MPLS Overview A forwarding scheme designed to speed up IP packet forwarding (RFC 3031) Idea: use a fixed length.

Multimedia Wireless Networks: Technologies, Standards, and QoS Chapter 3. QoS Mechanisms TTM8100 Slides edited by Steinar Andresen.

11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 

CSC 600 Internetworking with TCP/IP Unit 7: IPv6 (ch. 33) Dr. Cheer-Sun Yang Spring 2001.

Thierry Ernst - MOTOROLA Labs / INRIA Ludovic Bellier - INRIA project PLANETE Claude Castelluccia - INRIA project PLANETE Hong-Yon Lach - MOTOROLA Labs.

Covert Channels in IPv6 Norka B. Lucena, Grzegorz Lewandowski, and Steve J. Chapin Syracuse University PET 2005, Cavtat, Croatia May 31 st, 2005.

IP Traffic Engineering RSP draft-shen-ip-te-rsp-01.txt Naiming Shen Albert Tian Jun Zhuang

1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 1 Module 10 Routing Fundamentals and Subnets.

An Introduction to Mobile IPv4

Networking Components Assignment 3 Corbin Watkins.

Multi-protocol Label Switching

Fabric: A Retrospective on Evolving SDN Presented by: Tarek Elgamal.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Segment Routing: An Architecture build with SDN in mind and addressing the evolving network requirements Brian Meaney Cisco SP Consulting Team.

Source-Specific Multicast (RFC4607) Author: H. Holbrook, Arastra, Inc. B. Cain, Acopia Networks Speaker: Wu Zhi Yu.

Improving Security Over Ipv6 Authentication Header Protocol using IP Traceback and TTL Devon Thomas, Alex Isaac, Majdi Alharthi, Ali Albatainah & Abdelshakour.

IPv6 Internet Protocol, Version 6 Yen-Cheng Chen NCNU

Konstantin agouros Omkar deshpande

Requirements for LER Forwarding of IPv4 Option Packets

Connecting MPLS-SPRING Islands over IP Networks

Routing Jennifer Rexford.

IP - The Internet Protocol

OpenDaylight BGP Use-Cases

Segment Routing (SR) Introduction and Tutorial

Next Generation: Internet Protocol, Version 6 (IPv6) RFC 2460

PCEP Extensions For Transporting Traffic Engineering (TE) Data

Multi Topology Routing (MTR) for OSPF

Carrying IPSEC Authentication and ESP Headers Across SCPS-NP Networks

IP - The Internet Protocol

Guide to TCP/IP Fourth Edition

Network Security (contd.)

CHAPTER 8 Network Management

A Unified Approach to IP Segment Routing

How to Secure Routing Header for Segment Routing?

ISIS extensions for SRv6 draft-bashandy-isis-srv6-extensions-00

Segment Routing.

IP - The Internet Protocol

1 Multi-Protocol Label Switching (MPLS). 2 MPLS Overview A forwarding scheme designed to speed up IP packet forwarding (RFC 3031) Idea: use a fixed length.

Virtual Private Networks (VPNs)

draft-guichard-sfc-nsh-sr-02

ISIS extensions for SRv6 draft-bashandy-isis-srv6-extensions-03

Internet Protocol version 6 (IPv6)

draft-ali-spring-srv6-oam-01.txt SRv6 OAM

Chapter 4: outline 4.1 Overview of Network layer data plane

Presentation transcript:

Segment Routing with IPv6 Eric Vyncke Distinguished Engineer – Cisco Systems September, 2014 Leveraging IPv6 extension header for traffic engineering

2 © 2014 Cisco and/or its affiliates. All rights reserved. We know IPv6 is there! Doubling every 9 months Doubling every 9 months....

3 © 2014 Cisco and/or its affiliates. All rights reserved.  TE requires RSVP to install states in every the core routers  => ‘low’ convergence  => TE not widely deployed Where is Traffic Engineering (TE) ? PE1 PE3 PE4 SP core PE2 RSVP states

4 © 2014 Cisco and/or its affiliates. All rights reserved.  Leverage IPv6 flexibility  Overload routing header, i.e. install states in the data packet  Remove states in the core  Push states at the edge or SDN controller What Can We Do for Efficient/Flexible TE? PE1 PE3 PE4 SR-IPv6 core PE2 A -> B Via.... A -> B Via.... I’m a dumb stateless router A -> B Via.... A -> B Via.... (SDN) controller Image source wikimedia

5 © 2014 Cisco and/or its affiliates. All rights reserved. Segment Routing in a Nutshell Segment Routing: –Source based routing model where the source chooses a path and encodes it in the packet header as an ordered list of segments > Removes routing states from any node other than the source –A segment is an instruction applied to the packet. –Segment Routing leverages the source routing architecture defined in RFC2460 for IPv6 Source: wikimedia

6 © 2014 Cisco and/or its affiliates. All rights reserved. Segment Routing and the Source Based Routing Model Segment Routing technology is extensively explained in – (includes all published IETF drafts) Segment Routing data-planes –SR-MPLS: segment routing applied to MPLS data-plane –SR-IPv6: segment routing applied to IPv6 SR-IPv6 allows Segment Routing do be deployed over non-MPLS networks and/or in areas of the network where MPLS is not present (e.g.: datacenters) Segment Routing backward compatibility –SR nodes fully interoperate with non-SR nodes –No need to have a full network upgrade

7 © 2014 Cisco and/or its affiliates. All rights reserved. Segment Routing Header Segment Routing introduces a new Routing Header Type: –The Segment Routing Header (SRH) –Contains the list of segments the packet should traverse –VERY close to what already specified in RFC2460 –Changes are introduced for: > Better flexibility > Addressing security concerns raised by RFC5095 Two SR-IPv6 drafts: –draft-previdi-6man-segment-routing-header –draft-ietf-spring-ipv6-use-cases S. Previdi, Ed. C. Filsfils Cisco Systems, Inc. B. Field Comcast I. Leung Rogers Communications June 9, 2014 IPv6 Segment Routing Header (SRH) draft-previdi-6man-segment-routing-header-01 J. Brzozowski J. Leddy Comcast I. Leung Rogers Communications S. Previdi M. Townsley C. Martin C.Filsfils D.R. Maglione, Ed. Cisco Systems May 9, 2014 IPv6 SPRING Use Cases draft-ietf-spring-ipv6-use-cases-00 Source Packet Routing in Networking

8 © 2014 Cisco and/or its affiliates. All rights reserved. Segment Routing Model How to express an explicit (source routed) path knowing that: –Nodes may represent routers, hosts, servers, application instances, services, chains of services, etc. –A path is encoded into the packet by the originator (or ingress) node –A path may be modified by a node within the path –The network may have plurality of nodes not all supporting Segment Routing

9 © 2014 Cisco and/or its affiliates. All rights reserved. Segment Routing Model Assuming following topology: –Node A has two shortest paths to C How to best express path: [A, B, C, F, G, H] Source rooted path with segments: [C,F,H] > First segment: set of shortest paths from A to C (ECMP aware) > Second segment: adjacency/link from C to F > Third segment: shortest path from F to H H A G D F CB E H A G D F CB E

10 © 2014 Cisco and/or its affiliates. All rights reserved. Segment Routing Header At ingress: –Path is computed or received by a controller (e.g.: SDN Controller) –Path is instantiated through a list of segments –A SRH is created with the segment list representing the path X A B E PAYLOAD IPv6 Hdr: DA=Y, SA=X IPv6 Hdr: DA=C, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD

11 © 2014 Cisco and/or its affiliates. All rights reserved. Segment Routing Header Segment Routing Header: –Segment List describes the path of the packet: list of segments (IPv6 addresses) –Next Segment: a pointer to the segment list element identifying the next segment –HMAC –Flags and optional policy information The Active Segment is set as the Destination Address (DA) of the packet –At each segment endpoint, the DA is updated with the “Next Segment” –Compliant with RFC2460 rules for the Routing Header > Request to IANA to allocate a new type (probably 4)

12 © 2014 Cisco and/or its affiliates. All rights reserved. Segment Routing Header | Next Header | Hdr Ext Len | Routing Type | Next Segment | | Last Segment | Flags | HMAC Key ID | Policy List Flags | | | | Segment List[0] (128 bits ipv6 address) | | | | | … | | | | | Segment List[n] (128 bits ipv6 address) | | | | | | Policy List[0] (128 bits ipv6 address) | | (optional) | | | | | | Policy List[1] (128 bits ipv6 address) | | (optional) | | | | | | Policy List[2] (128 bits ipv6 address) | | (optional) | | | | | | HMAC (256 bits) | | (optional) | | |

13 © 2014 Cisco and/or its affiliates. All rights reserved. SR-IPv6 Example Example: –Classify packets coming from X and destined to Y and forward them across A,B,C,F,G,H path –Nodes A, C, F and H are SR capable X A F CB E Y G D PAYLOAD IPv6 Hdr: DA=Y, SA=X PAYLOAD IPv6 Hdr: DA=Y, SA=X H

14 © 2014 Cisco and/or its affiliates. All rights reserved. SR-IPv6 Example At ingress, the Segment Routing Header (SRH) contains –Segment List: C,F,H,Y (original destination address is encoded as last segment of the path) –Next Segment: points to the next segment of the path (F) –DA is set as the address of the first segment: C Packet is sent towards its DA (C, representing the first segment) –Packet can travel across non SR nodes who will just ignore the SRH –RFC2460 mandates only the node in the DA must examine the SRH X A F CB E Y G D PAYLOAD IPv6 Hdr: DA=Y, SA=X H IPv6 Hdr: DA=C, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD

15 © 2014 Cisco and/or its affiliates. All rights reserved. SR-IPv6 Example When packet reaches the segment endpoint C –Next Segment is inspected and used in order to update the DA with the next segment address: F –Next Segment pointer is incremented: now points to H –Packet is sent towards its DA X A F CB E Y G D PAYLOAD IPv6 Hdr: DA=Y, SA=X H IPv6 Hdr: DA=C, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD IPv6 Hdr: DA=F, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD

16 © 2014 Cisco and/or its affiliates. All rights reserved. SR-IPv6 Example When packet reaches the segment endpoint F the same process is executed: –Next Segment is inspected and used in order to update the DA with the next segment address: H –Next Segment pointer is incremented: now points to Y (the original DA) –Packet is sent towards its DA X A F CB E Y G D PAYLOAD IPv6 Hdr: DA=Y, SA=X H IPv6 Hdr: DA=C, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD IPv6 Hdr: DA=F, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD IPv6 Hdr: DA=H, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD

17 © 2014 Cisco and/or its affiliates. All rights reserved. SR-IPv6 Example When packet reaches the segment endpoint H: –Next Segment is inspected and used in order to update the DA with the next segment address: Y –A flag (cleanup-flag) in SRH tells H to cleanup the packet and remove the SRH –Packet is sent towards its DA X A F CB E Y G D PAYLOAD IPv6 Hdr: DA=Y, SA=X H IPv6 Hdr: DA=C, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD IPv6 Hdr: DA=F, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD IPv6 Hdr: DA=H, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD IPv6 Hdr: DA=Y, SA=X

18 © 2014 Cisco and/or its affiliates. All rights reserved. Use Cases: SR-IPv6 Capable Service Chaining With SR-capable service instances, service chaining leverages the SRH –Still interoperable with NSH No need to support SR across the network –Transparent to network infrastructure Next Step: allow SR service chaining with non-SR applications… –Work in progress Service Instance S1 X H A G D F CB E PAYLOAD IPv6 Hdr: DA=Y, SA=X Service Instance S2 Y IPv6 Hdr: DA=S1, SA=X SR Hdr: SL= S1, S2, Y PAYLOAD IPv6 Hdr: DA=S2, SA=X SR Hdr: SL= S1, S2, Y, PAYLOAD IPv6 Hdr: DA=Y, SA=X SR Hdr: SL= S1, S2, Y PAYLOAD IPv6 Hdr: DA=Y, SA=X PAYLOAD IPv6 Hdr: DA=S2, SA=X SR Hdr: SL= S1, S2, Y PAYLOAD IPv6 Hdr: DA=S1, SA=X SR Hdr: SL= S1, S2, Y PAYLOAD

19 © 2014 Cisco and/or its affiliates. All rights reserved.  What about mobile node away from SP network? “Extreme Traffic Engineering” from CPE/Set-up Box? PE1 PE3 PE4 SR-IPv6 core PE2 A -> B Via.... A -> B Via.... I’m a dumb stateless router A -> B Via.... A -> B Via.... (SDN) controller Image source wikimedia I’m a dumb stateless router but not stupid!!!!Let’s check authorization A -> B Via.... A -> B Via....

20 © Cisco and/or its affiliates. All rights reserved. Huh??? Source Routing Security? What about RFC 5095?

21 © 2014 Cisco and/or its affiliates. All rights reserved. IPv6 Routing Header An extension header, processed by intermediate routers Three types –Type 0: similar to IPv4 source routing (multiple intermediate routers) –Type 2: used for mobile IPv6 –Type 3: RPL (Routing Protocol for Low-Power and Lossy Networks) Routing TypeExt Hdr LengthNext Header RH Type IPv6 Basic Header Routing Header Next Header = 43 Routing Header Routing Header Segments Left Routing Header Data

22 © 2014 Cisco and/or its affiliates. All rights reserved. Type 0 Routing Header: Amplification Attack What if attacker sends a packet with RH containing –A -> B -> A -> B -> A -> B -> A -> B -> A.... Packet will loop multiple time on the link A-B An amplification attack! A B

23 © 2014 Cisco and/or its affiliates. All rights reserved. Routing Type Ext Hdr Length IPv6 Type 2 Routing Header: no problem Rebound/amplification attacks impossible –Only one intermediate router: the mobile node home address Next Header RH Type= 2 IPv6 Basic Header Routing Header Next Header = 43 Routing Header Routing Header Segments Left= 1 Mobile Node Home Address

24 © 2014 Cisco and/or its affiliates. All rights reserved. RH-3 for RPL: no problem  Used by Routing Protocol for Low-Power and Lossy Networks  But only within a single trusted network (strong authentication of node), never over a public untrusted network  Damage is limited to this RPL network  If attacker was inside the RPL network, then he/she could do more damage anyway 24

25 © 2014 Cisco and/or its affiliates. All rights reserved. Segment Routing Security Addresses concerns of RFC5095 –HMAC field to be used at ingress of a SR domain in order to validate/authorize the SRH –Inside SR domain, each node trust its brothers (RPL model) HMAC requires a shared secret (SDN & SR ingress routers) –Outside of current discussions –Pretty much similar to BGP session security or OSPFv3 security

26 © 2014 Cisco and/or its affiliates. All rights reserved. SRv6 packets dropped on the Internet RFC 5095 deprecates source routing –RH-0 only –Forwarding based on DA is not prevented even in presence of RH Some tests with scapy shows RH-4 (assuming IANA value of 4) => packets are not dropped Test on your own: –And let us know !

27 © Cisco and/or its affiliates. All rights reserved. Running Code IETF-90 Source: wikimedia

28 © 2014 Cisco and/or its affiliates. All rights reserved.  Reports of IETF-90  Linux implementation by Université de Louvain  Comcast implementation  2 x Cisco implementations Bit ‘n Bytes SR Interop at the IETF-90 in Toronto

29 © Cisco and/or its affiliates. All rights reserved. Wrapping Up Source: wikimedia

30 © 2014 Cisco and/or its affiliates. All rights reserved. Summary Segment Routing implements the source routing model for both MPLS and IPv6 IPv6 source routing model is already integrated in RC2460 and Segment Routing introduces minor changes through a new routing type header –Segment Routing Header Segment Routing is very flexible and interoperable with non-SR nodes –A SR node can be a router, a server, any appliance, application, … Segments are identified by IPv6 addresses, no specific signaling is needed

31 © 2014 Cisco and/or its affiliates. All rights reserved. Conclusion Standardization of Segment Routing is in progress at IETF –More than 17 drafts Running code exists Next Step: Segment Routing for Service Chaining –More flexible, interoperable with existing applications Collaboration with operator on going and very fruitful –Join the team ! Pointers:

Thank you.