IPPM G. Fioccola Internet-Draft T. Zhou Intended status: Informational Huawei Expires: 8 January 2024 F. Milan M. Nilo TIM 7 July 2023 Alternate Marking Deployment Framework draft-fz-ippm-alt-mark-deployment-00 Abstract This document provides a framework for Alternate Marking deployment and includes considerations and guidance for the deployment of the methodology. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 8 January 2024. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Fioccola, et al. Expires 8 January 2024 [Page 1] Internet-Draft enhanced-alternate-marking July 2023 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Alternate Marking Deployment Domain . . . . . . . . . . . . . 3 3. Alternate Marking Measurement Nodes . . . . . . . . . . . . . 5 4. Type of Measurements . . . . . . . . . . . . . . . . . . . . 5 5. Manageability . . . . . . . . . . . . . . . . . . . . . . . . 7 6. Data Export, Collection and Calculation . . . . . . . . . . . 7 7. Encapsulations . . . . . . . . . . . . . . . . . . . . . . . 8 7.1. IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 8 7.2. SRv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 8 7.3. BIER . . . . . . . . . . . . . . . . . . . . . . . . . . 8 7.4. MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . 8 7.5. SFC . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.6. NVO3 . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.7. Enhanced capabilities . . . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 11.1. Normative References . . . . . . . . . . . . . . . . . . 9 11.2. Informative References . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction The Alternate Marking [RFC9341] and Multipoint Alternate Marking [RFC9342] define the Alternate Marking technique that is a hybrid performance measurement method, per [RFC7799] classification of measurement methods. This method is based on marking consecutive batches of packets and it can be used to measure packet loss, latency, and jitter on live traffic. The first experiments on Alternate-Marking are described in [RFC8321] and [RFC8889]. According to the definitions of [RFC7799], the Alternate-Marking Method can be classified as Hybrid Type I. Indeed, Alternate Marking can be implemented by using reserved bits in the protocol header, and the change in value of these marking bits at the source node is formally considered a modification of the stream of interest. This document complements [RFC9341] and [RFC9342] as it explains the mechanisms that can be used to manage and deploy the method. Fioccola, et al. Expires 8 January 2024 [Page 2] Internet-Draft enhanced-alternate-marking July 2023 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 1.2. Terminology Abbreviations used in this document: AltMark: Alternate-Marking NMS: Network Management System IPv6: Internet Protocol version 6 SRv6: Segment Routing over IPv6 dataplane BIER: Bit Index Explicit Replication MPLS: Multi-Protocol Label Switching SFC: Service Function Chaining NVO3: Network Virtualization Overlays IPFIX: IP Flow Information Export YANG: Yet Another Next Generation PCEP: Path Computation Element Communication Protocol BGP: Border Gateway Protocol 2. Alternate Marking Deployment Domain The Alternate Marking Method MUST be deployed in a controlled domain for security and compatibility reasons. In this regard, [RFC8799] reports further examples of specific limited domain solutions. It is not common that the user traffic originates and terminates within the controlled domain. For this reason, it will typically only be applicable in an overlay network, where user traffic is encapsulated at one domain border, decapsulated at the other domain border and the encapsulation incorporates the relevant extension header for Alternate Marking. This requirement also implies that an implementation MUST filter packets that carry Alternate Marking data Fioccola, et al. Expires 8 January 2024 [Page 3] Internet-Draft enhanced-alternate-marking July 2023 and are entering or leaving the controlled domain. A controlled domain is a managed network where it is required to select, monitor and control the access to the network by enforcing policies at the domain boundaries in order to discard undesired external packets entering the domain and check the internal packets leaving the domain. It does not necessarily mean that a controlled domain is a single administrative domain or a single organization. A controlled domain can correspond to a single administrative domain or can be composed by multiple administrative domains under a defined network management. Indeed, some scenarios may imply that the Alternate Marking Method involves more than one domain, but in these cases, it is RECOMMENDED that the multiple domains create a whole controlled domain while traversing the external domain by employing IPsec authentication and encryption or other VPN technology that provides full packet confidentiality and integrity protection. In a few words, it must be possible to control the domain boundaries and eventually use specific precautions if the traffic traverse the Internet. The Alternate Marking measurement domain can overlap with the controlled domain or may be a subset of the controlled domain. The typical scenarios for the application of the Alternate Marking Method depend on the controlled domain boundaries, in particular: the user equipment can be the starting or ending node, only in case it is fully managed and if it belongs to the controlled domain. In this case the user generated packets contain the Alternate Marking data. But, in practice, this is not common due to the fact that the user equipment cannot be totally secured in the majority of cases. the CPE (Customer Premises Equipment) or the PE (Provider Edge) routers are most likely to be the starting or ending nodes since they can be border routers of the controlled domain. For instance, the CPE, which connects the user's premises with the service provider's network, belongs to a controlled domain only if it is managed by the service provider and if additional security measures are taken to keep it trustworthy. Typically the CPE or the PE can encapsulate a received packet in an outer header which contains the Alternate Marking data. They can also be able to filter and drop packets from outside of the domain with inconsistent fields to make effective the relevant security rules at the domain boundaries, for example a simple security check can be to insert the Alternate Marking data if and only if the destination is within the controlled domain. Fioccola, et al. Expires 8 January 2024 [Page 4] Internet-Draft enhanced-alternate-marking July 2023 3. Alternate Marking Measurement Nodes An Alternate-Marking Domain consists of marking nodes, unmarking nodes, and transit nodes. A marking node, also called encapsulating node, incorporates the AltMark Data Fields into packets in order to enable Alternate- Marking. If the Alternate-Marking method is enabled for a selected flow of the traffic, the encapsulating node is responsible for applying the AltMark functionality to the selected flow and to take initial timestamps and packet counters. A transit node only reads AltMark Data Fields in order to take timestamps and packet counters. An unmarking node, also called decapsulating node, reads AltMark Data Fields in order to take final timestamps and packet counters and then removes any AltMark Option from packets. Export of Export of Export of Export of AltMark data AltMark data AltMark data AltMark data ^ ^ ^ ^ | | | | | | | | User +----+----+ +----+----+ +----+----+ +----+----+ packets |Marking | | Transit | | Transit | |Unmarking| -------->|Node |====>| Node |====>| Node |====>|Node |--> | | | A | | B | | | +---------+ +---------+ +---------+ +---------+ Figure 1: Roles of Alternate-Marking Nodes 4. Type of Measurements The methodology described in the previous sections can be applied to various performance measurement problems. The only requirement is to select and mark the flow to be monitored; in this way, packets are batched by the sender, and each batch is alternately marked such that it can be easily recognized by the receiver. Either one or two flag bits might be available for marking in different deployments: One flag: packet loss measurement MUST be done as described in Section 3.1 of [RFC9341], while delay measurement MUST be done according to the single-marking method described in Section 3.2.1 of [RFC9341]. Mean delay (Section 3.2.1.1 of [RFC9341]) MAY also be used but it could imply more computational load. Fioccola, et al. Expires 8 January 2024 [Page 5] Internet-Draft enhanced-alternate-marking July 2023 Two flags: packet loss measurement MUST be done as described in Section 3.1 of [RFC9341], while delay measurement MUST be done according to double-marking method Section 3.2.2 of [RFC9341]. In this case single-marking MAY also be used in combination with double-marking and the two approaches provide slightly different pieces of information that can be combined to have a more robust data set. There are some operational guidelines to consider for the purpose of deciding to follow the recommendations above and use one or two flags. The Alternate-Marking method utilizes specific flags in the packet header, so an important factor is the number of flags available for the implementation. Indeed, if there is only one flag available there is no other way, while if two flags are available the option with two flags is certainly more complete. The duration of the Alternate-Marking period affects the frequency of the measurement and this is a parameter that can be decided on the basis of the required temporal sampling. But it cannot be freely chosen, as explained in Section 5 of [RFC9341]. The Alternate-Marking methodologies enable packet loss, delay and delay variation calculation, but in accordance with the method used (e.g. single-marking or double-marking), there is different kind of information that can be derived. For example, to get more statistics of extent data, the option with two flags is desirable. For this reason, the type of data needed in the specific scenario is an additional element to take into account. The Alternate-Marking methods imply different computational load depending on the method employed. Therefore, the available computational resources on the measurement points can also influence the choice. As an example, mean delay calculation may require more processing and it may not be the best option to minimize the computational load. A deployment of the Alternate-Marking Method should also take into account how to handle and recognize marked and unmarked traffic. Since Alternate-Marking normally employs a marking field which is dedicated, reserved, and included in a protocol extension, the measurement points can learn whether the measurement is activated or not by checking if the specific extension is included or not within the packets. Fioccola, et al. Expires 8 January 2024 [Page 6] Internet-Draft enhanced-alternate-marking July 2023 5. Manageability The YANG model can be used for configuring Alternate-Marking in network nodes that support it. An example is defined in [I-D.wang-ippm-alt-mark-yang]. There are also other control plane mechanisms to advertise and activate AltMark capabilities, using PCEP or BGP: [I-D.ietf-idr-sr-policy-ifit], [I-D.ietf-idr-bgp-ifit-capabilities], [I-D.ietf-pce-pcep-ifit]. These mechanisms can be used to signal and configure the parameters to identify the flow to monitor both in case of point-to-point flow and multipoint-to-multipoint flow. Indeed, the selection of the identification fields directly affects the type of paths that the flow would follow in the network. As an example, for IPv6 the setting of the Flow Monitoring Identification (FlowMonID) is used in combination with source and destination addresses to identify a flow, as described in Section 5.3 of [RFC9343], and it can be algorithmically generated by the source node or assigned by the central controller. Additionally, other parameters are essential for the activation of the AltMark methodology: the choice between end-to-end or hop-by-hop measurement, the choice between the methods with one flag or two flags and the duration of the Alternate-Marking period which affects the measurement frequency (longer the duration of the block, the less frequently the measurement can be taken). 6. Data Export, Collection and Calculation The nodes enabled to perform performance monitoring collect the value of the packet counters and timestamps. Data Export can be done in different ways, e.g. by using IPFIX, while Data Collection and Calculation are implemented in the NMS. Telemetry and YANG Push [RFC8639] can also be used to report and export data (e.g. timestamps and packet counters). Every node needs to collect and send out counters and timestamps related to the monitored flow and for each Alternate-Marking period. Data can be sent out by the nodes after each Alternate-Marking period. Alternatively, the counters and the timestamps can be stored locally for a given number of periods and then sent out by the nodes by grouping multiple periods together. The mechanisms for the data collection can be decided according to the application scenario. Then, the NMS is responsible for the calculation of the measurements (i.e packet loss, delay and delay variation) for each flow. Fioccola, et al. Expires 8 January 2024 [Page 7] Internet-Draft enhanced-alternate-marking July 2023 +--------------+ +-------------+ | | Network | | | Management | | | System(s) |-+ +-------------+ ^ | | | +---------------+-------+-------+---------------+ | | | | | | | | User +----+----+ +----+----+ +----+----+ +----+----+ packets |Marking | | Transit | | Transit | |Unmarking| -------->|Node |====>| Node |====>| Node |====>|Node |--> | | | A | | B | | | +---------+ +---------+ +---------+ +---------+ Figure 2: Alternate-Marking Framework with Data Export 7. Encapsulations 7.1. IPv6 Alternate-Marking encapsulation for IPv6 is defined in [RFC9343], which also discusses deployment considerations for IPv6 networks. The IPv6 AltMark Option [RFC9343] applies the Alternate Marking Method to IPv6, and defines an Extension Header Option to encode the Alternate Marking Method for both the Hop-by-Hop Options Header and the Destination Options Header. 7.2. SRv6 Alternate-Marking encapsulation for SRv6 is discussed in IPv6 AltMark Option [RFC9343] and [I-D.fz-spring-srv6-alt-mark]. 7.3. BIER Alternate-Marking encapsulation for BIER is introduced in [I-D.ietf-bier-pmmm-oam]. 7.4. MPLS Alternate-Marking encapsulation for MPLS is introduced in [I-D.ietf-mpls-rfc6374-sfl]. Fioccola, et al. Expires 8 January 2024 [Page 8] Internet-Draft enhanced-alternate-marking July 2023 7.5. SFC Alternate-Marking encapsulation for SFC is introduced in [I-D.mfm-ippm-sfc-nsh-pmamm]. 7.6. NVO3 Alternate-Marking encapsulation for NVO3 is introduced in [I-D.fmm-nvo3-pm-alt-mark]. 7.7. Enhanced capabilities [I-D.zhou-ippm-enhanced-alternate-marking] defines extended data fields for the AltMark Option and provides enhanced capabilities to overcome some challenges and enable future proof applications. It is worth mentioning that the enhanced capabilities are intended for further use and are optional. 8. Security Considerations Alternate Marking [RFC9341] and Multipoint Alternate Marking [RFC9342] analyze different security concerns and related solutions. These aspects are valid and applicable also to this document. In particular the fundamental security requirement is that Alternate Marking MUST only be applied in a specific limited domain, as also mentioned in [RFC8799]. 9. IANA Considerations This document has no request to IANA. 10. Acknowledgements TBD 11. References 11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . Fioccola, et al. Expires 8 January 2024 [Page 9] Internet-Draft enhanced-alternate-marking July 2023 [RFC9341] Fioccola, G., Ed., Cociglio, M., Mirsky, G., Mizrahi, T., and T. Zhou, "Alternate-Marking Method", RFC 9341, DOI 10.17487/RFC9341, December 2022, . [RFC9342] Fioccola, G., Ed., Cociglio, M., Sapio, A., Sisto, R., and T. Zhou, "Clustered Alternate-Marking Method", RFC 9342, DOI 10.17487/RFC9342, December 2022, . [RFC9343] Fioccola, G., Zhou, T., Cociglio, M., Qin, F., and R. Pang, "IPv6 Application of the Alternate-Marking Method", RFC 9343, DOI 10.17487/RFC9343, December 2022, . 11.2. Informative References [I-D.fmm-nvo3-pm-alt-mark] Fioccola, G., Mirsky, G., and T. Mizrahi, "Performance Measurement (PM) with Alternate Marking in Network Virtualization Overlays (NVO3)", Work in Progress, Internet-Draft, draft-fmm-nvo3-pm-alt-mark-03, 23 October 2018, . [I-D.fz-spring-srv6-alt-mark] Fioccola, G., Zhou, T., Cociglio, M., Mishra, G. S., and X. wang, "Segment Routing Header encapsulation for Alternate Marking Method", Work in Progress, Internet- Draft, draft-fz-spring-srv6-alt-mark-05, 9 March 2023, . [I-D.ietf-bier-pmmm-oam] Mirsky, G., Zheng, L., Chen, M., and G. Fioccola, "Performance Measurement (PM) with Marking Method in Bit Index Explicit Replication (BIER) Layer", Work in Progress, Internet-Draft, draft-ietf-bier-pmmm-oam-13, 3 January 2023, . [I-D.ietf-idr-bgp-ifit-capabilities] Fioccola, G., Pang, R., Wang, S., Decraene, B., Zhuang, S., and H. Wang, "Advertising In-situ Flow Information Telemetry (IFIT) Capabilities in BGP", Work in Progress, Internet-Draft, draft-ietf-idr-bgp-ifit-capabilities-02, 9 March 2023, . Fioccola, et al. Expires 8 January 2024 [Page 10] Internet-Draft enhanced-alternate-marking July 2023 [I-D.ietf-idr-sr-policy-ifit] Qin, F., Yuan, H., Yang, S., Zhou, T., and G. Fioccola, "BGP SR Policy Extensions to Enable IFIT", Work in Progress, Internet-Draft, draft-ietf-idr-sr-policy-ifit- 06, 26 April 2023, . [I-D.ietf-mpls-rfc6374-sfl] Bryant, S., Swallow, G., Chen, M., Fioccola, G., and G. Mirsky, "RFC6374 Synonymous Flow Labels", Work in Progress, Internet-Draft, draft-ietf-mpls-rfc6374-sfl-10, 5 March 2021, . [I-D.ietf-pce-pcep-ifit] Yuan, H., 王雪荣, Yang, P., Li, W., and G. Fioccola, "Path Computation Element Communication Protocol (PCEP) Extensions to Enable IFIT", Work in Progress, Internet- Draft, draft-ietf-pce-pcep-ifit-02, 31 January 2023, . [I-D.mfm-ippm-sfc-nsh-pmamm] Mirsky, G., Fioccola, G., and T. Mizrahi, "Performance Measurement (PM) with Alternate Marking Method in Service Function Chaining (SFC) Network Service Header (NSH) Domain", Work in Progress, Internet-Draft, draft-mfm-ippm- sfc-nsh-pmamm-00, 1 April 2022, . [I-D.wang-ippm-alt-mark-yang] Wang, M., Han, L., Min, X., Jun, G., and M. Nilo, "A YANG Data Model for Alternate Marking Method", Work in Progress, Internet-Draft, draft-wang-ippm-alt-mark-yang- 02, 8 February 2023, . [I-D.zhou-ippm-enhanced-alternate-marking] Zhou, T., Fioccola, G., Liu, Y., Cociglio, M., Lee, S., and W. Li, "Enhanced Alternate Marking Method", Work in Progress, Internet-Draft, draft-zhou-ippm-enhanced- alternate-marking-12, 1 March 2023, . Fioccola, et al. Expires 8 January 2024 [Page 11] Internet-Draft enhanced-alternate-marking July 2023 [RFC7799] Morton, A., "Active and Passive Metrics and Methods (with Hybrid Types In-Between)", RFC 7799, DOI 10.17487/RFC7799, May 2016, . [RFC8321] Fioccola, G., Ed., Capello, A., Cociglio, M., Castaldelli, L., Chen, M., Zheng, L., Mirsky, G., and T. Mizrahi, "Alternate-Marking Method for Passive and Hybrid Performance Monitoring", RFC 8321, DOI 10.17487/RFC8321, January 2018, . [RFC8639] Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard, E., and A. Tripathy, "Subscription to YANG Notifications", RFC 8639, DOI 10.17487/RFC8639, September 2019, . [RFC8799] Carpenter, B. and B. Liu, "Limited Domains and Internet Protocols", RFC 8799, DOI 10.17487/RFC8799, July 2020, . [RFC8889] Fioccola, G., Ed., Cociglio, M., Sapio, A., and R. Sisto, "Multipoint Alternate-Marking Method for Passive and Hybrid Performance Monitoring", RFC 8889, DOI 10.17487/RFC8889, August 2020, . Authors' Addresses Giuseppe Fioccola Huawei Palazzo Verrocchio, Centro Direzionale Milano 2 20054 Segrate (Milan) Italy Email: giuseppe.fioccola@huawei.com Tianran Zhou Huawei 156 Beiqing Rd. Beijing 100095 China Email: zhoutianran@huawei.com Fioccola, et al. Expires 8 January 2024 [Page 12] Internet-Draft enhanced-alternate-marking July 2023 Fabrizio Milan TIM Via Reiss Romoli, 274 10148 Torino Italy Email: fabrizio.milan@telecomitalia.it Massimo Nilo TIM Via Reiss Romoli, 274 10148 Torino Italy Email: massimo.nilo@telecomitalia.it Fioccola, et al. Expires 8 January 2024 [Page 13]