Segment Routing: IPv6, Implementation and a Practical Use Case
David Lebrun
Université Catholique de Louvain, Louvain-la-Neuve, Belgium
Segment Routing
- Source routing
- Path encoded as stack of segments (IPv6 addresses)
- Node and adjacency segments
- Segments distributed through IGP
Illustration
- Abstract SR Header
- Segments = SD, SB, SS, SF, SE
- Ptr = Segments[0] (SD)
Illustration
- Abstract SR Header
- Segments = SD, SB, SS, SF, SE
- Ptr = Segments[1] (SB)
Illustration
- Abstract SR Header
- Segments = SD, SB, SS, SF, SE
- Ptr = Segments[2] (SS)
Illustration
- Abstract SR Header
- Segments = SD, SB, SS, SF, SE
- Ptr = Segments[3] (SF)
Illustration
- Abstract SR Header
- Segments = SD, SB, SS, SF, SE
- Ptr = Segments[4] (SE)
Use cases
- Link/node disjoint paths
- Dynamic network reconfiguration
- Middleboxing (firewalls, etc)
- User/customer-level path selection
- ...
IPv6 Segment Routing
- Segment = IPv6 address
- New extension header: Routing Header type 4
- Security concerns of RH0 addressed with HMAC field
IPv6 Segment Routing extension header
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Next Header  |  Hdr Ext Len  | Routing Type  | Segments Left |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| First Segment |             Flags             |  HMAC Key ID  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|            Segment List[0] (128 bits ipv6 address)            |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
                               ...
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|            Segment List[n] (128 bits ipv6 address)            |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                        HMAC (256 bits)                        |
|                          (optional)                           |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IPv6 Segment Routing extension header
- Two flags currently defined: cleanup and fast reroute
- Cleanup is important
  - Penultimate hop removes SRH
  - Avoid data leak when packets exit network
SR-IPv6 forwarding algorithm
Algorithm 1: SR Segment Endpoint processing
if DA = myself (segment endpoint) then
    if Segments Left > 0 then
        Decrement Segments Left
        Update DA with Segment List[Segments Left]
        if Segments Left == 0 AND Clean-Up bit set then
            Strip SRH
        end if
    else
        Give packet to next PID (application)
        End of processing
    end if
end if
Forward the packet out
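
Algorithm 1 applied to raw header bytes laid out as in the extension-header diagram (Flags as a 16-bit field), as an added example that is not code from the presentation or from the SR-IPv6 kernel tree. It goes beyond the algorithm by validating Hdr Ext Len, First Segment and Segments Left before the segment list is indexed; the function names, the verdict enum and the cleanup bit position (0x8000) are assumptions, and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SRH_TYPE         4        /* Routing Type from the slides */
#define SRH_FLAG_CLEANUP 0x8000u  /* ASSUMPTION: bit position is not on the slides */

enum sr_verdict { SR_DROP, SR_DELIVER, SR_FORWARD, SR_FORWARD_STRIP };

/* Algorithm 1 for a packet whose DA is this node. srh/len: the extension
 * header bytes; da: the packet's destination address, rewritten in place. */
enum sr_verdict sr_endpoint(uint8_t *srh, size_t len, uint8_t da[16])
{
    if (len < 8 || srh[2] != SRH_TYPE)
        return SR_DROP;
    /* Hdr Ext Len counts 8-octet units beyond the first 8 octets. */
    size_t hdr_bytes = ((size_t)srh[1] + 1) * 8;
    uint8_t segs_left = srh[3], first_seg = srh[4]; /* first_seg: last list index */
    uint16_t flags = (uint16_t)((srh[5] << 8) | srh[6]);

    /* The whole segment list must lie inside the header and the buffer. */
    if (hdr_bytes > len || 8 + ((size_t)first_seg + 1) * 16 > hdr_bytes)
        return SR_DROP;
    if (segs_left == 0)
        return SR_DELIVER;            /* give packet to next PID (application) */
    if ((size_t)segs_left - 1 > first_seg)
        return SR_DROP;               /* index would point past the list */

    srh[3] = --segs_left;                               /* decrement Segments Left */
    memcpy(da, srh + 8 + 16 * (size_t)segs_left, 16);   /* DA = Segment List[SL] */
    if (segs_left == 0 && (flags & SRH_FLAG_CLEANUP))
        return SR_FORWARD_STRIP;      /* caller removes hdr_bytes, then forwards */
    return SR_FORWARD;
}

/* Constructed sample SRH: two 16-byte segments filled with marker bytes. */
static size_t sample_srh(uint8_t *buf, uint8_t segs_left, uint16_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 6; buf[1] = 4; buf[2] = SRH_TYPE; buf[3] = segs_left;
    buf[4] = 1; buf[5] = (uint8_t)(flags >> 8); buf[6] = (uint8_t)(flags & 0xff);
    memset(buf + 8, 0xA0, 16);        /* Segment List[0], constructed value */
    memset(buf + 24, 0xB1, 16);       /* Segment List[1], constructed value */
    return 40;
}

int main(void)
{
    uint8_t srh[40], da[16] = {0};
    size_t n = sample_srh(srh, 1, SRH_FLAG_CLEANUP);
    printf("verdict=%d da[0]=0x%02x\n", (int)sr_endpoint(srh, n, da), da[0]);
    return 0;
}
```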
SR-IPv6 implementation
- Linux kernel implementation, current branch: 3.14.x
- About 2,500 LoC as of latest commit
- Open-source
- Interfaces for SRH injection and control
- http://github.com/segment-routing/
SRH injection: router-level
- Currently: per destination prefix
SRH injection: host-level (1)
- Per socket, through setsockopt()
SRH injection: host-level (2)
- SRH reversal
- For TCP connections
- Ensure outbound flow uses same path as inbound flow
- Per-socket control
Interface
- Kernel exposes netlink interface
- Sysctl for global control of some variables
- Userland tool to control kernel structures (seg6ctl)
Configuration example: injection
Injection
# seg6ctl --prefix 2a03:2880:2130:cf05:face:b00c:0:1/128 --add 2a00:1450:4007:808::100e,2001:67c:2e8:22::c100:68b
- "When a packet with DA = Facebook is forwarded, inject an SRH containing two segments: first Google, then RIPE."
- Segments list is comma-separated
With cleanup
# seg6ctl --prefix 2a03:2880:2130:cf05:face:b00c:0:1/128 --add 2a00:1450:4007:808::100e,2001:67c:2e8:22::c100:68b --cleanup
- Same thing, but penultimate SR hop (i.e. RIPE, in this case) must remove SRH before forwarding to final destination (i.e. Facebook)
Configuration example: table dump
Show table
# seg6ctl --show
> 2a03:2880:2130:cf05:face:b00c:0:1/128 via 2 segs [2a00:1450:4007:808::100e 2001:67c:2e8:22::c100:68b] id 0 hmac 0x0
> fc00:42::/64 via 2 segs [fc00:1::2 fc00:1::7] id 0 hmac 0x0 cleanup
> 2001:db8::/32 via 1 segs [2a01::12] id 0 hmac 0x0
Configuration example: misc
Delete
# seg6ctl --prefix 2a03:2880:2130:cf05:face:b00c:0:1/128 --delete
Flush
# seg6ctl --flush
Code example: per-socket injection (1)
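#include <arpa/inet.h>   /* inet_pton(), htons() */
#include <netinet/in.h>  /* struct sockaddr_in6, IPPROTO_IPV6, IPV6_RTHDR */
#include <stdlib.h>      /* malloc() */
#include <string.h>      /* memset() */
#include <sys/socket.h>  /* socket(), setsockopt(), connect() */

struct ipv6_sr_hdr *hdr;
int sock, tot_len;
struct sockaddr_in6 sin6;

sock = socket(AF_INET6, SOCK_STREAM, 0);
memset(&sin6, 0, sizeof(sin6)); /* clear flowinfo and scope_id before use */
sin6.sin6_family = AF_INET6;
sin6.sin6_port = htons(80);
inet_pton(AF_INET6, "2a03:2880:2130:cf05:face:b00c:0:1",
          &sin6.sin6_addr.s6_addr);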
Code example: per-socket injection (2)
tot_len = sizeof(*hdr) + 2*sizeof(struct in6_addr);
hdr = malloc(tot_len);
memset(hdr, 0, tot_len); /* do not hand uninitialised heap bytes to the kernel */

hdr->hdrlen = 0; /* computed by the kernel */
hdr->type = 4;
hdr->first_segment = 1; /* offset */
sr_set_flags(hdr, SR6_FLAG_CLEANUP);
Code example: per-socket injection (3)
inet_pton(AF_INET6, "2a00:1450:4007:808::100e", hdr->segments);
inet_pton(AF_INET6, "2001:67c:2e8:22::c100:68b", hdr->segments + 1);

setsockopt(sock, IPPROTO_IPV6, IPV6_RTHDR, hdr, tot_len);

connect(...);
Services with Segment Routing
- On SRH processing: segment represents next hop
- It can also represent service to apply
Services with Segment Routing
- Multiple services can be designed:
  - Encryption
  - Compression
  - Firewalling
  - Netflow
  - DPI
  - NAT
  - etc...
- What if we need to firewall, then compress, then encrypt?
Service Function Chaining
IETF drafts
- draft-ietf-spring-segment-routing-01
- draft-previdi-6man-segment-routing-header-06
- draft-vyncke-6man-segment-routing-security-02
Pointers
- UCL (SR-IPv6) website: http://www.segment-routing.org
- Cisco website: http://www.segment-routing.net
- Implementation: http://github.com/segment-routing/
- Technical report on SR-IPv6 implem (being updated): http://www.segment-routing.org/sr6-doc.pdf
- Virtual Machine to play around with SR-IPv6: http://www.segment-routing.org/sr6-vm.vdi.bz2
That’s all folks !