Source Segment for SRv6 based Multicast VPN

Segment Routing () leverages the mechanism of source routing. An ingress node steers a packet through an ordered list of instructions, called "segments". Each one of these instructions represents a function to be implemented at a specific location in the network. A function is locally defined on the node where it is executed. Network Programming combines Segment Routing functions to achieve a networking objective that goes beyond mere packet routing. defines the SRv6 Network Programming concept and specifies the main Segment Routing behaviors and network programming functions. Previous segments defined in SRv6 can be used as the destination address of an IPv6 packet. This document introduces the new segments, source segments, which can be used as the IPv6 source address of an IPv6 packet. This document defines the general concept of source segment and the source segment used for multicast VPN service. Protocol extensions on the control plane are not in the scope of this document. This document defines the general concept of source segment and the source segment used for multicast service. Protocol extensions on the control plane are not in the scope of this document.

The following new terms are used throughout this document: SRv6: Source Routing over IPv6; MVPN: Multicast VPN;

Source segment is different from the existing SID defined in RFC8402 from the following aspects: Source segment is unchanged along the SRv6 multicast path. Source segment is distributed by the ingress node but indicates functions in other nodes along the path, e.g., egress node. Forwarding table should be maintained in the nodes where the instruction takes place. When the source segment is encapsulated in an SRv6 packet, it is activated by other instructions in the data plane because source address is not parsed in existing forwarding process of a unicast packet Using source segment for SRv6 Network Programming have several benefits including: Enhance network programming capability for more SRv6 functions and extend the programming space in IPv6 header; Provide sematic for source address with similar IPv6 address allocation and management method as SRv6; Facilitates security management inside the limited domain; Source segment should be avoided to process hop by hop. Per-hop process of source segment which will degrade forwarding performance and bring compatibility issues.

Source segment leverages the format of SID defined in SRv6 network programming. Source segment consists of LOC:FUNCT:ARG, where a locator (LOC) is encoded in the L most significant bits of the SID, followed by F bits of function (FUNCT) and A bits of arguments (ARG). A locator may be represented as B:N where B is the SRv6 SID block (IPv6 prefix allocated for SRv6 SIDs by the operator) and N is the identifier of the ingress node . The FUNCT is an opaque identification of the behavior bound to the SID. The behavior could be executed in other nodes except ingress node. The behavior indicated by FUNCT may require additional information for its processing. This information may be encoded in the ARG bits of the SID.

In the multicast VPN (MVPN) service, packet is replicated along a point-to-multipoint path (multicast path) towards a set of leaf nodes. MVPN routing and the corresponding information could be encapsulated in the source segment carried in the IPv6 source address. Source Segment for MVPN is distributed by the multicast source node and the function is executed by the multicast leaf nodes.As described in section 3, Source Segment for MVPN is not changed when the packet is replicated and forwarded along the P2MP path. This section defines the source segment for MVPN.

The following is a set of behaviors that can be associated with a source segment for MVPN.

The "Source address for decapsulation and IPv4 table lookup" behavior ("Src.DT4" for short) is used in MVPNv4 use case where an MFIB lookup in a specific VRF table T at the egress node is required. The Src.DT4 SID is an SID associated with an IPv4 MFIB table T on the egress PE, either through a control-plane message advertised by the ingress PE, or through a local configuration on the egress PE. When an IPv6 encapsulated packet with IPv6 source address being S is received on an egress PE, and S is associated with an Src.DT4 SID on the egress PE, the egress PE does the following behavior:

SRC.DT6 behavior could be used in MVPNv6 use case where a MFIB lookup in a specific VRF table at the egress node is required.

SRC.DT46 behavior could be used in MVPN use case where a MFIB lookup in a specific VRF table at the egress node is required.

SRC.DT2 behavior could be used in MVPN use case where a L2 table lookup in a specific Layer-2 Multicast forwarding table at the egress node is required.

Once a source segment is used in an SRv6 encapsulated multicast data packet as source address, it is expected to receive an ICMPv6 error message with the source segment being the Destination address, and such a packet is expected to be processed by Ingress PE. Additionally, there are cases where a source segment may appear as destination address of an packet that is not an ICMPv6 message. This could be a packet without SRH, or a packet with SRH and the active segment is the source segment. Such a packet is expected to be dropped. The following pseudo-code describes how a packet with a source segment as destination address is handled:

The source segment could be applied in SRv6-based Multicast cases. MSR6: MSR6 is considered to be one of the SRv6-based Multicast solutions, and MVPN is one of the typical services intended to be running over MSR6. The source segment defined in this document can be used in this solution as source address for identifying a VRF. Tree SID over SRv6: MVPN service can use Tree SID over SRv6 for point-to-multipoint transport of a packet. When a Tree SID over SRv6 P-tunnel is shared across different MVPNs, an IPv6 address in IPv6 source address for identifying a VRF is possible. MVPN service can use Ingress Replication(IR) to simulate a point-to-multipoint P-tunnel. In an IPv6 environment, Ingress Replication can use IPv6 encapsulation for each branch. When the egress PE of an Ingress Replication P-tunnel branch receives a packet, it gets to know the VRF of the packet through the Destination address in the IPv6 header. This means that, every egress PE of the IR P-tunnel branch need to allocate an IPv6 address to identify a VRF. If the source segment is used for the IPv6 source address, only one IPv6 address of the Ingress PE is needed for identifying a VRF, and thus save the IPv6 addresses and their operation costs.

TBD