Ieee nfv-sdn-2020-srv6-tutorial

This presentation is partly based on slide decks that have been kindly provided by Cisco Systems
SRv6 and the Network Programming Model
Hands-On tutorial
Stefano Salsano – University of Rome Tor Vergata / CNIT
stefano.salsano@uniroma2.it
6th IEEE Conference on Network Functions Virtualization and
Software Defined Networking (IEEE NFV-SDN 2020)
November 9th 2020

Tutorial highlights - part 1
• What is Segment Routing ?
• What is SRv6 ? (Segment Routing over IPv6)
• How does it work ? few protocol details…
Segment Routing Header (SRH)
2
• Why is SRv6 so cool?
Hint: scalability and SDN!

Tutorial highlights - part 1
• What is the Network Programming Model?
from “waypoints” to “instructions”
• How can we use the Network Programming Model?
SRv6 example use cases:
3
•SR Traffic Engineering / Fast ReRouting
•Service Chaining (SFC)
•VPNs/SD-WANs

Tutorial highlights - part 2 “Hands on”
• SRv6 open source implementations and tools
• The ROSE ecosystem (Linux)
4
• Hands-on using the rose-srv6 Virtual Machine
• Create SRv6 tunnels (VPNs) in a Linux based Data Plane
(SR ingress/SR waypoint/IPv6 transit/SR egress nodes)
- manual setup with Linux CLI
- setup using our controller

The ROSE ecosystem
5
Data
Plane
Control
Plane
web
dashboard
Controller
Apache Kafka
NorthBound APIs
(gRPC)
SouthBound APIs
(gRPC)
Orchestrator
ArangoDB
InfluxDB
Linux
Host/Server
Linux
Router
P4 Router

Acknowledgements
7
This slideset originated from the following presentations:
• Segment Routing
Clarence Filsfils (CISCO), Kris Michielsen (CISCO)
http://www.segment-routing.net/tutorials/2016-09-27-segment-routing-introduction/
• Introduction to Segment Routing
Alberto Donzelli (CISCO)
CISCO Live! – January 29 February 2 2018 Barcelona, Spain
• SRv6 Network Programming
Francois Clad (CISCO)
(which in turn acknowledge several CISCO people)

Acknowledgements
8
This tutorial is based on work performed in the context of:
• 5G-EVE project funded by EU (Horizon 2020)
• ROSE project funded by CISCO University Research Program
5G European Validation Platform for Extensive Trials
https://www.5g-eve.eu/
Research on Open SRv6 Ecosystem
https://netgroup.github.io/rose/

The ROSE team Pier Luigi Ventre
Ahmed AbdelSalam
Bogdan Iatco
Mahdi Tajiki
Lorenzo Bracciale
Pierpaolo Loreti
Angelo Tulumello
Marco Bonola
Luca Chiaraviglio
Fabio D'Andreagiovanni
Marco Ferrari
Daniele Zaccariello
Emanuele Altomare
9
Andrea Mayer
Paolo Lungaroni
Francesco Lombardo
Carmine Scarpitta
Giulio Sidoretti
Stefano Salsano
The team involved in the setup of the tutorial VM and experiments

Agenda
SR and SRv6 introduction
SRv6 Dataplane
SRv6 Network Programming Model
SRv6 use cases
(TE / FRR / Service Function Chaining / VPNs / SD-WAN)
Hands-on part
SRv6 Segment Routing Header
Why SRv6 is so cool? Scalability, SDN…
Additional materials and conclusions

© 2018 Cisco and/or its affiliates. All rights reserved.© 2018 Cisco and/or its affiliates. All rights reserved.
Segment Routing : a form of source routing
Seattle
New-York
Toronto
Segment Routing
11
1. A unique and global luggage
tag is attached to the luggage
with the list of stops to the final
destination
2. At each stop, the luggage is
simply routed to the next hop
listed on the luggage tag
Mission - Route the luggage to Berlin
via Mexico and Madrid
Mexico
Madrid
Berlin
London

Seattle
New-York
Toronto
Segment Routing
12
MEX
MAD
BER
destination
Mexico
Madrid
Berlin
London

Seattle
New-York
Berlin
Mexico
Toronto London
Segment Routing
MEX
MAD
BER
13
MEX
MAD
BER
destination
Madrid

Seattle
New-York
BerlinToronto London
Segment Routing
MEX
MAD
BER
MEX
MAD
BER
14
MEX
MAD
BER
destination
Mexico
Madrid

• Strict Source Routing
• all routing steps should be listed by the source
• Loose Source Routing
• the source can add “waypoints” to the path
• Segment Routing uses Loose Source Routing
15
Source Routing variants (in packet networks!)

• SR is based on Source Routing
• the source chooses a path and encodes it in the packet header as an ordered
list of segments
• the rest of the network executes the encoded instructions
• Segment: an identifier for any type of instruction
• forwarding (segment=>waypoint) or service (segment=>operation)
• SR Policy: an ordered list of segments (segment list)
16
Segment Routing (SR)

SR Policy and SR domain
S1
S2
S3Headend
Node
P=<S1,S2,S3> SR domain
SR Policy
17
Ingress node
(edge node)
Egress node
(edge node)
Datacenter
Server

SR path and SR segments
S1
S2
S3Headend
Node
SR Policy
18
Ingress node Egress node
Datacenter
Server
S1 S2 S3
The path is split in three segments

© 2018 Cisco and/or its affiliates. All rights reserved.
Two dataplane instantiations
IPv6 : SRv6
• uses IPv6 source routing extension header (SRH) - RFC8754
• 1 segment = 1 IPv6 address
• a segment list = a list of addresses in the SRH
MPLS : SR-MPLS
• uses the mature MPLS HW with only SW upgrade
• 1 segment = 1 label
• a segment list = a label stack
Segment Routing
19
I will only discuss the SRv6 dataplane in the rest of this tutorial!

SRv6 – Forwarding Plane
21
• SRv6: a segment list is encoded in a routing
extension header (SRH)
• Segment → IPv6 Address
• The routing protocols natively distribute the
addresses
(no changes needed for topological instructions)

IPv6 header
22

SRH header
23
Total number
of segments
Pointer to the
current segment

SRv6 segments
24
S1
S2
S3Headend
Node
SR Policy
Ingress node Egress node
Datacenter
Server
S1 S2 S3
The path is split in three segments, each one identified by an IPv6 address

SRv6 forwarding operations
S1
S2
S3
SR source
node SR domain
DA : Destination Address
SL : Segments Left
N4 N5
N6
N7Transit
node SR endpoint
25
Packet

PUSH
S1
S2
S3
SR source
node SR domain
SR Policy
P=<S1,S2,S3>
SL : Segments Left
N4 N5
N6
N7Transit
node SR endpoint
26
Packet
(encapsulation)

S1
S2
S3
SR source
node SR domain
SR Policy
P=<S1,S2,S3>
SL : Segments Left
IPv6 DA = S1
(S3, S2, S1) SL=2
Payload
SR H
IPv6 H
N4 N5
N6
N7Transit
node SR endpoint
27
Packet
PUSH
(encapsulation)

S1
S2
S3
SR source
node SR domain
SR Policy
P=<S1,S2,S3>
NEXT
SL : Segments Left
IPv6 DA = S2
(S3, S2, S1) SL=1
Payload
SR H
IPv6 H
IPv6 DA = S1
(S3, S2, S1) SL=2
Payload
SR H
IPv6 H
N4 N5
N6
N7Transit
node SR endpoint
28
Packet
(encapsulation)
PUSH

S1
S2
S3
SR source
node SR domain
SR Policy
P=<S1,S2,S3>
NEXT CONTINUE
SL : Segments Left
IPv6 DA = S2
(S3, S2, S1) SL=1
Payload
SR H
IPv6 H
IPv6 DA = S1
(S3, S2, S1) SL=2
Payload
SR H
IPv6 H IPv6 DA = S2
(S3, S2, S1) SL=1
Payload
SR H
IPv6 H
N4 N5
N6
N7Transit
node SR endpoint
29
Packet
(encapsulation)
PUSH

S1
S2
S3
SR source
node SR domain
SR Policy
P=<S1,S2,S3>
NEXT CONTINUE
SL : Segments Left
IPv6 DA = S2
(S3, S2, S1) SL=1
Payload
SR H
IPv6 H IPv6 DA = S3
(S3, S2, S1) SL=0
Payload
SR H
IPv6 H
IPv6 DA = S1
(S3, S2, S1) SL=2
Payload
SR H
IPv6 H IPv6 DA = S2
(S3, S2, S1) SL=1
Payload
SR H
IPv6 H IPv6 DA = S3
(S3, S2, S1) SL=0
Payload
SR H
IPv6 H
N4 N5
N6
N7Transit
node SR endpoint
30
Packet
(encapsulation)
PUSH

Global and Local Segments
• Global Segment
• Any node in the SR domain can execute the associated instruction (e.g. a waypoint,
a.k.a. node segment )
• Each node in the SR domain installs the associated instruction (e.g. forward to a
waypoint) in its forwarding table
• Local Segment
• Only a specific node can execute the associated instruction (e.g. forward the packet
over a specific outgoing interface a.k.a. IGP Adjacency Segment)
31

SRv6 Dataplane - Node Segment
• Shortest-path to the IGP prefix
• Equal Cost Multi-Path (ECMP)-aware
• (Already) distributed by ISIS/OSPF
32
A5::
A5::
A1
A1::
A2
A2::
A3
A3::
A4
A4::
A5
A5::
A5::/56
A5::
A5::
A5::
A5::

SRv6 Dataplane - Node Segment
• Shortest-path to the IGP prefix
• Equal Cost Multi-Path (ECMP)-aware
• (Already) distributed by ISIS/OSPF
33
A1
A1::
A2
A2::
A3
A3::
A4
A4::
A5
A5::
A4::
A4::
A4::/56
A4::
A4::
A4::
A4::

A1
A1::
A2
A2::
A3
A3::
A4
A4::
A5
A5::
SRv6 Dataplane - IGP Adjacency Segment
• Forward on the IGP adjacency
• Advertised as an IPv6 SID
• Distributed by ISIS/OSPF in
specific TLVs
34
A4::C2
A4::C5
Adj to
A5
Adj to
A2
A4::C3
Adj to A3

A1
A1::
A2
A2::
A3
A3::
A4
A4::
A5
A5::
SRv6 Dataplane - IGP Adjacency Segment
• Steer traffic on any path through the
network
• Path is specified by a list of IPv6
addresses (Segment List) in the SRH
header
• No path is signaled
• Per-flow state is created only in the
source node
• Single protocol: IS-IS or OSPF
35
SRH (A4::C5)
Packet to A5
SRH (A4::C5)
Packet to A5

• Scalability (thanks to Source Routing)
• the topological and service (NFV/SFC) path is encoded in packet header
• the network fabric does not hold any per-flow state for TE or NFV/SFC
• Simplicity
• automation: sub-50msec FRR (Fast ReRouting) with TI-LFA (Topology Independent
Loop Free Alternates)
• protocol elimination: LDP, RSVP-TE, NSH…
• End-to-End applicability (with SRv6)
• e.g. integrated view of Mobile Access, Data Center, Metro, WAN
Segment Routing: key advantages
37

Scalability : traditional approach
38
State information (match/action)
per flow in all nodes! example: “traditional” MPLS label
lookup tables with per-flow state

Scalability : SR approach
39
State information (match/action)
per flow only in the headend node

Scalability and SDN: traditional approach
40
“traditional” OpenFlow with
per-flow state in all nodes
SDN controller talks with
all nodes (per flow)

Scalability and SDN: SR approach
41
SDN controller only talks with
edge nodes (per flow)

SRv6: extending the SR domain (1/3)
42
S1
S2
S3Headend
Node
SR domainSR Policy
Ingress node
(edge node)
Egress node
(edge node)
Datacenter
Server

43
S1
S2
S3Headend
Node
SR domain
Ingress node
Datacenter
Server
Edge node
SR Policy
SR Policy
Datacenter
Network

44
S1
S2
S3
Headend
Node
SR domainSR Policy
Edge node
Datacenter
Server
Edge node
SR Policy
Datacenter
Network
Access / Metro
Network
“End-to-end” SRv6

IPv6 provides reachability
45

IPv6 provides reachability: IoT, Core, Data Centers
46

SRv6 Underlay and Overlay domains
47
Underlay
Overlay

SRv6 – Segment Routing & IPv6 : the Vision
• Simplicity
• Protocol elimination
• SLA
• Fast ReRoute and TE
• Overlay
• NFV
• SDN
• SR is de-facto SDN architecture
• 5G
48
IPv6 for reachability
SR for anything else

SRv6 for underlay
49
RSVP for FRR/TE Horrendous states scaling in k*N^2

SRv6 for underlay
50
SRv6 for Underlay
Simplification through protocol reduction
SLA through automated FRR and TE
De-facto SDN architecture

SRv6 for underlay and overlay
Multiplicity of protocols and states hinder network economics
51
SRv6 for Underlay Simplification, FRR, TE, SDN
UDP+VxLAN Overlay Additional Protocol just for tenant ID
NSH for NFV Additional Protocol and State

SRv6 for underlay and overlay
52
SRv6 for Underlay Simplification, FRR, TE, SDN
SRv6 for Overlay SRv6 for SFC, VPNs…

SRv6 – Segment Routing & IPv6
53
SR for anything else
• Simplicity
• Protocol elimination
• SLA
• Fast ReRoute and TE
• Overlay
• NFV
• SDN
• SR is de-facto SDN architecture
• 5G

Network instruction
• 128-bit SRv6 SID
• Locator: routed to the node performing the function
• Function: any possible function
either local to network node or app in VM/Container
• Flexible bit-length selection
55
FunctionLocator

Network instruction
• 128-bit SRv6 SID
• Locator: routed to the node performing the function
• Function: any possible function
either local to network node or app in VM/Container
• Arguments: optional argument bits to be used only by that SID
• Flexible bit-length selection
• USE WITH CAUTION… it may have side effects if it changes on a packet by packet
base for packets of the same flow
56
FunctionLocator Args*

Network Program
Next Segment
Locator 1 Function 1
57

Network Program
Next Segment
58

Network Program
Next Segment
59

Network Program in the Packet Header
60
TCP, UDP, QUIC
Locator 1 Function 1Source Address
Active Segment
IPv6 header
Segment
Routing
Header
IPv6 payload
IPv6 destination addressIPv6 source address

SRv6 Header
61
Metadata TLV
Segments Left
TAG

Argument shared between functions
62
“Global”
Argument
Metadata TLV
Segments Left
TAG

SRv6 for anything
63
Optimized for HW processing
e.g. Underlay & Tenant use-cases
Optimized for SW processing
e.g. NFV, Container, Micro-Service
Metadata TLV
Segments Left
TAG

SRv6 for anything
64
Turing
Metadata TLV
Segments Left
TAG

SRv6 Network Programming model
End Endpoint function
The SRv6 instantiation of a prefix SID
End.X Endpoint function with Layer-3 cross-connect
The SRv6 instantiation of a Adj SID
End.T Endpoint function with specific IPv6 table lookup
End.DX2 Endpoint with decapsulation and Layer-2 cross-connect
L2VPN use-case
End.DX2V Endpoint with decapsulation and VLAN L2 table lookup
EVPN Flexible cross-connect use-cases
End.DT2U Endpoint with decaps and unicast MAC L2 table lookup
EVPN Bridging unicast use-cases
End.DT2M Endpoint with decapsulation and L2 table flooding
EVPN Bridging BUM use-cases with ESI filtering
65

End.DX6 Endpoint with decapsulation and IPv6 cross-connect
IPv6 L3VPN use (equivalent of a per-CE VPN label)
End.DX4 Endpoint with decapsulation and IPv4 cross-connect
IPv4 L3VPN use (equivalent of a per-CE VPN label)
End.DT6 Endpoint with decapsulation and IPv6 table lookup
IPv6 L3VPN use (equivalent of a per-VRF VPN label)
End.DT4 Endpoint with decapsulation and IPv4 table lookup
IPv4 L3VPN use (equivalent of a per-VRF VPN label)
End.DT46 Endpoint with decapsulation and IP table lookup
IP L3VPN use (equivalent of a per-VRF VPN label)
End.B6 Endpoint bound to an SRv6 policy
SRv6 instantiation of a Binding SID
66

End.B6.EncapsEndpoint bound to an SRv6 encapsulation Policy
SRv6 instantiation of a Binding SID
End.BM Endpoint bound to an SR-MPLS Policy
SRv6/SR-MPLS instantiation of a Binding SID
End.S Endpoint in search of a target in table T
The list is not exhaustive. In practice, any function can be
attached to a local SID: e.g. a node N can bind a SID to a local VM
or container which can apply any complex function on the packet.
67

END – Default endpoint function
68
• Default endpoint behavior (node segment)
• Decrement Segments Left, update DA
• Forward according to new DA
• Node 2 advertises prefix A2::/64 (A2::/64 is the SID locator)
• Packets are forwarded to node 2 along the default routes (shortest path)
• On 2, the default endpoint behavior is associated with ID 1 (1 is the function)
• The SID corresponding to the default endpoint behavior on node 2 is A2::1
SR Hdr
IPv6 Hdr
SA = A1::, DA =
A2::1
(…,A3::,A2::1,…)
SL=k
Payload
2
A2:: /64
SR Hdr
IPv6 Hdr SA = A1::, DA = A3::
(…, A3::, A2::1,…)
SL=k-1
Payload
3

END.X – Endpoint then layer3 Xconnect
70
• Endpoint xconnect behavior (adjacency segment)
• Decrement Segments Left, update DA
• Forward on the interface associated with the Xconnect segment
• Node 3 advertises prefix A3::/64
• Packets are forwarded to node 3 along the default routes (shortest path)
• On 3, the endpoint xconnect behavior for adjacency 1 is associated with ID C1
• The SID corresponding to endpoint xconnect-1 behavior on node 3 is A3::C1
SR Hdr
IPv6 Hdr
SA = A1::, DA =
A3::C1
(…,A4::, A3::C1,…)
SL=k
Payload
SR Hdr
IPv6 Hdr SA = A1::, DA = A4::
(…, A4::, A3::C1,…) SL=k-1
Payload
3
A3:: /64
4
1 2

Segment Routing Traffic Engineering
vs. “traditional” Traffic Engineering
• In “traditional” TE, a connection (LSP) is setup updating the forwarding
tables of ALL crossed nodes,
• By combining prefix and adjacency segments we have the same
expressiveness of traditional TE
• The average number of segments (waypoints) needed to enforce a TE
path is very low in typical scenarios
• Equal Cost Multipath (ECMP) can be exploited in a natural way with SR
73

Using Segment Routing for Fault Protection
• FRR (Fast ReRoute) with TI-LFA: Topology Independent Loop-Free
Alternate
• Local backup instructions can be added to protect every routing entry
from (single) failure of outgoing link/node
74

TI-LFA example (needs an Adjacency Segment)
75
2 4
6 5
1
A5::0
A5::/64
Pri → via 5
FRR → insert A2::C4
100
Primary route FRR Route
(Using Adiacency Segment)
1
1
1
1

76
2 4
6 5
1
A5::0
A5::/64
Pri → via 5
1001
1
1
1

77
2 4
6 5
1
A2::C4
A5::0
A5::0
<50mec FRR
A5::/64
Pri → via 5
1001
1
1
1

TI-LFA
81
• 50msec Protection upon
local link, node or SRLG failure
• Simple to operate and understand
• can be automatically computed by the router’s IGP process
• 100% coverage across any topology
• predictable (backup = postconvergence)
• Optimum backup path
• leverages the post-convergence path, planned to carry the traffic
• avoid any intermediate flap via alternate path
• Incremental deployment
• Distributed and Automated Intelligence

SRv6 Overlays for VPNs / SD-WAN
• Automated
– No tunnel to configure
C4 identifies the tenant
• Simple
– Protocol elimination
• Efficient
– SRv6 for everything
82
1
2
Green Overlay
V:: /16
via A:2::C4
4
V:: /16
3
T:: /16
IPv6 ( A:1::, A:2::C4 )
Payload
IPv6 ( T:1::, V:2:: )
IPv6 ( T:1::, V:2:: )
Payload
IPv6 ( T:1::, V:2:: )
Payload

SRv6 Overlays with Underlay Control
• SRv6 does not only eliminate
unneeded overlay protocols
• SRv6 solves problems that
these protocols cannot solve
83
1
2
Green Overlay
V:: /16
via A:2::C4
with Latency
4
V:: /16
3
T:: /16
3
IPv6 ( T:1::, V:2:: )
Payload
IPv6 ( A:1::, A:3::0 )
Payload
IPv6 ( T:1::, V:2:: )
SRH (A:2::C4, A:3::0 )

84
IPv6 ( A:1::, A:2::C4 )
Payload
IPv6 ( T:1::, V:2:: )
SRH ( A:2::C4, A:3::0 )
1
2
Green Overlay
V:: /16
via A:2::C4
with Latency
4
V:: /16
3
T:: /16
3
IPv6 ( T:1::, V:2:: )
Payload
IPv6 ( T:1::, V:2:: )
Payload
SRv6 Overlays with Underlay Control
• SRv6 does not only eliminate
unneeded overlay protocols
• SRv6 solves problems that
these protocols cannot solve

SRv6 for SFC
• A:3::A32 means
– App in Container 32
– @ node A:3::/64
• Stateless
– NSH creates per-chain state
in the fabric
– SR does not
• App is SR aware or not
85
IPv6 ( A:1::, A:3::A32 )
Payload
IPv6 ( T:1::, V:2:: )
SRH
( A:2::C4, A:5::A76,
A:4::0, A:3::A32 )
1
2
4
V:: /16
3
T:: /16
4
3
App 32
Container
Server 3
5
App 76
VM
Server 5
IPv6 ( T:1::, V:2:: )
Payload

IPv6 ( A:1::, A4::0 )
Payload
IPv6 ( T:1::, V:2:: )
SRH
( A:2::C4, A:5::A76,
A:4::0, A:3::A32 )
3
App 32
Container
Server 3
SRv6 for SFC
• Integrated with
underlay SLA
86
1
2
4
V:: /16
3
T:: /16
4
5
App 76
VM
Server 5

IPv6 ( A:1::, A:5::A76 )
Payload
IPv6 ( T:1::, V:2:: )
SRH
( A:2::C4, A:5::A76,
A:4::0, A:3::A32 )
3
App 32
Container
Server 3
SRv6 for SFC
• A:5::A76 means
– App in VM 76
– @ node A:5::/64
• Stateless
– NSH creates per-chain state
in the fabric
– SR does not
• App is SR aware or not
87
1
2
4
V:: /16
3
T:: /16
4
5
App 76
VM
Server 5

IPv6 ( A:1::, A:2::C4 )
Payload
IPv6 ( T:1::, V:2:: )
SRH
( A:2::C4, A:5::A76,
A:4::0, A:3::A32 )
3
App 32
Container
Server 3
SRv6 for SFC
• Integrated with
Overlay
88
1
2
4
V:: /16
3
T:: /16
4
5
App 76
VM
Server 5
IPv6 ( T:1::, V:2:: )
Payload

Hands-on session
• We run our experiments on the rose-srv6 Virtual Machine, if you want to
replicate them, see https://netgroup.github.io/rose/rose-vm.html
• The experiments performed are reported in these technical reports:
–“ROSE-SRv6 Tutorial on Linux – Part 1. Manual creation of SRv6 tunnels in the data plane”
https://netgroup.github.io/rose/rose-vm.html#rose-srv6-tutorial-on-linux---part-1
–“ROSE-SRv6 tutorial on Linux - Part 2. ROSE Control Plane : setting up SRv6 tunnels from the controller”
https://netgroup.github.io/rose/rose-vm.html#rose-srv6-tutorial-on-linux---part-2
90

SRv6 standardization
•Large standardization efforts in IETF (around 70 document)
– Driven by vendors (CISCO is the main supporter)
– See full list here: www.segment-routing.net/ietf/
• Main RFCs
– RFC 8402 Segment Routing Architecture
defines SR concepts both for MPLS and SRv6
– RFC 8660 Segment Routing with MPLS data plane
– RFC 8754 IPv6 Segment Routing Header (SRH)
defines the SRv6 dataplane encapsulation (SRH)
92

SRv6 standardization
• Main WG docs
– draft-ietf-spring-srv6-network-programming
defines the SRv6 Network Programming model
– draft-ietf-spring-segment-routing-policy
– draft-ietf-spring-sr-service-programming
covers SFC aspects
•IETF docs can be classified in several categories:
Architecture, Use-Cases and Requirements, Deployments and Interoperability, Fast Reroute
(FRR), OAM, Performance Measurements, Multicast/Replication, Protocol Extensions
93

SRv6 deployments
• Large-scale commercial deployments
– Softbank, Iliad, China Telecom, LINE corporation, China Unicom, CERNET2, China Bank
and Uganda MTN.
•Hardware linerate implementations
– Cisco Systems, Huawei
– Broadcom, Barefoot, Intel, Marvell, Mellanox
– Multiple Interop Reports
•Open-source platforms/ Applications
– Linux kernel, FD.io VPP, P4, Wireshark, tcpdump, iptables, nftables, snort, ExaBGP,
Contiv-VPP
94

SRv6 Open Source Platforms / Applications
• SRv6 Data path
– Linux kernel
– FD.io VPP (https://wiki.fd.io/view/VPP)
– P4 SRv6 (http://bit.ly/onos-p4-srv6)
• Applications and tools
– Wireshark, Tcpdump
– scapy
– iptables, nftables
– Snort NIDS (https://github.com/SRouting/SR-Snort)
• Control plane
– ExaBGP (https://www.segment-routing.net/open-software/exabgp/)
– Contiv-VPP
95

ROSE - Research on Open SRv6 Ecosystem
• SRv6 uSID (micro segment) implementation in Linux
• SRv6 uSID (micro segment) implementation on P4
• SRv6-PM (SRv6 Performance monitoring)
• rose-srv6 VM
• HIKE – HybrId Kernel EBPF data plane
96
• SREXT - Segment Routing Extension Linux kernel module
• SRNK – SR proxy Native Kernel
• pyroute2 extensions to support SRv6
• SRv6-SDN – An SDN ecosystem for SRv6 on Linux
• SRPerf - a Performance Evaluation Framework for
SRv6 implementations
The ROSE ecosystem includes several sub-projects:
The hands-on part of this tutorial is based on the ROSE ecosystem, in particular on the rose-srv6 VM

Segment Routing scientific work
• More than 90 papers
– http://www.segment-routing.net/scientific-papers/ (lists 60 papers)
– See P.L. Ventre et al. “Segment Routing: a Comprehensive Survey of Research
Activities, Standardization Efforts and Implementation Results” accepted for
publication in IEEE Communications Surveys and Tutorials
(preprint on arxiv http://arxiv.org/abs/1904.03471)
97

Our contributions…
• SRPerf: a Performance Evaluation Framework for IPv6 Segment Routing
A. Abdelsalam, P. L. Ventre, C. Scarpitta, A. Mayer, S. Salsano, P. Camarillo, F. Clad and C. Filsfils,
Accepted to IEEE Transactions on Network and Service Management (TNSM).
• SRPerf: a Performance Evaluation Framework for IPv6 Segment Routing
A. Tulumello, A. Mayer, M. Bonola, P. Lungaroni, C. Scarpitta, S. Salsano, A. Abdelsalam, P. Camarillo, D. Dukes, F. Clad, C. Filsfils,
Conference of Network and Service Management 2020 (CNSM 2020).
• SDN Architecture and Southbound APIs for IPv6 Segment Routing Enabled Wide Area Networks
P. L. Ventre, M. M. Tajiki, S. Salsano, C. Filsfils,
IEEE Transactions on Network and Service Management (TNSM), December 2018.
• The Network as a Computer with IPv6 Segment Routing: a Novel Distributed Processing Model for the Internet of Things
A. Mayer, E. Altomare, S. Salsano, F. Lo Presti, C. Filsfils,
NGOSCPS workshop at the CPS-IoT Week 2019, April 15 2019, Montreal, Canada (pdf)
• SR-Snort: IPv6 Segment Routing Aware IDS/IPS
A. Abdelsalam, S. Salsano, F. Clad, P. Camarillo, C. Filsfils,
IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), Verona, Italy, November 2018.
• Performance of IPv6 Segment Routing in Linux Kernel
A. Abdelsalam, P. L. Ventre, A. Mayer, S. Salsano, P. Camarillo, F. Clad, C. Filsfils,
CNSM Workshop on Segment Routing and Service Function Chaining (SR+SFC), Rome, Italy, 2018.
• SERA: SEgment Routing Aware Firewall for Service Function Chaining scenarios
A. Abdelsalam, S. Salsano, F. Clad, P. Camarillo, C. Filsfils, IFIP Networking, Zurich, Switzerland, May 2018.
• Implementation of Virtual Network Function Chaining through Segment Routing in a Linux-based NFV Infrastructure
A. AbdelSalam, F. Clad, C. Filsfils, S. Salsano, G. Siracusano and L. Veltri
IEEE Conference on Network Softwarization (NetSoft), Bologna, Italy, 2017.
• An Efficient Linux Kernel Implementation of Service Function Chaining for legacy VNFs based on IPv6 Segment Routing,
A. Mayer, S. Salsano, P. L. Ventre, A. Abdelsalam, L. Chiaraviglio, C. Filsfils,
5th IEEE International Conference on Network Softwarization (NetSoft 2019), 24-28 June 2019, Paris, France
99

Segment Routing hottest open issues
• In our survey http://arxiv.org/abs/1904.03471 we have identified the following
research directions:
– Service Function Chaining support
– SRv6 end-host implementation aspects / SmartNICs and SRv6
– Cloud Orchestration
– Integration with Applications
– 5G and SRv6
– Internet of Things and SRv6
100

Conclusions
• Segment Routing architecture seeks the right balance between distributed
intelligence and centralized optimization
• Segment Routing over IPv6 (SRv6) brings in the
Network Programming model
• SRv6 provides underlay and overlay services in a unified way, possibly across
access, metro, core and data center networking domains
• Lots of issues are still open, very good for researchers ☺
101

Thank you. Questions?
Contacts
Stefano Salsano
University of Rome Tor Vergata / CNIT
stefano.salsano@uniroma2.it
102

References and acknowledgements
Research on Open SRv6 Ecosystem
5G European Validation Platform for Extensive Trials
https://www.5g-eve.eu/
The 5G EVE project has received funding from the European Horizon 2020 Programme for research,
technological development and demonstration under grant agreement n° 815074

The network as a computer with SRv6 (SR-IoT)
• The Network as a Computer with IPv6 Segment Routing: a Novel Distributed Processing Model for the Internet of Things
A. Mayer, E. Altomare, S. Salsano, F. Lo Presti, C. Filsfils,
NGOSCPS workshop at the CPS-IoT Week 2019, April 15 2019, Montreal, Canada (pdf)
A position (or visionary…) paper. Assuming that it is possible to exploit
distributed processing in the “things/gateways”, the application logic and the
computation state is transferred “on the fly” with IP packets (using SRv6!) : “SR-
IoT”
105

In SR-IoT, the Segment List can be seen as a “Network program”, where the next
segment is the Instruction Pointer and a network node is a CPU that executes
the instruction
106

In SR-IoT, we extend the SRv6 network programming model, considering the
Functions as “operation codes” of a processor ISA (Instruction Set Architecture)
The whole IoT infrastructure is seen as a logical machine with I/O ports
(corresponding to the ports of IoT devices), that can be programmed through an
Instruction Set Architecture
107

In SR-IoT, we extend the SRv6 network programming model, considering the
Functions as “operation codes” of a processor ISA (Instruction Set Architecture)
The whole IoT infrastructure is seen as a logical machine with I/O ports
(corresponding to the ports of IoT devices), that can be programmed through an
Instruction Set Architecture
108

We designed a prototype of SR-IoT, considering the Instruction Set Architecture
(ISA) of Atmel AVR microcontroller (Arduino) and using the the SimAVR emulator
on Linux to emulate the AVR microcontroller.
An SR-IoT packet corresponds to a process. It includes the program in the SRv6
segment list, and the serialization of registers, stack and RAM. All need to fit in
less than 1500 bytes ! For TinyAVR microcontrollers, RAM used can be as low as
128 or 256 bytes.
We designed an efficient solution to encode operations in the IPv6 segment list.
For example, 100 instructions over 10 different nodes can be represented with
320 bytes, leaving 1000 bytes for RAM, stack and CPU registers…
109

Compressing the SR Header
• An SRv6 segment list is a sequence of IPv6 addresses. The SRH always
introduces 8 bytes. Each IPv6 address is 16 bytes long.
Example for 5 segments => 8 + 5 * 16 = 88 bytes of overhead.
Example for 10 segments => 8 + 10 * 16 = 168 bytes of overhead.
• In most cases the number of segments is limited (e.g. up to 3-4 segments), but
what happens if many segments are needed for a particular service or service
scenario ?
• A more compact representation of the Segment List is needed !
110

SRv6 uSID (micro-SID)
• A new extension of the SRv6 Network Programming model
– https://datatracker.ietf.org/doc/draft-filsfils-spring-net-pgm-extension-srv6-usid/
• It allows expressing SRv6 segments with a very compact and efficient representation.
– For example, using two bytes for uSID instead of using a normal IPv6 address (16
bytes) for a regular SRv6 segment.
• Leverages the SRv6 control and data planes without any change
• Provides better scaling and minimum MTU overhead
111

SRv6 uSID interop event
112
https://www.youtube.com/watch?v=pVFkmwYIgmo
Developed by the ROSE team

Other proposals in IETF for SRH compression
•Segment Routing Mapped To IPv6 (SRm6)
– draft-bonica-spring-sr-mapped-six-01
– draft-bonica-6man-comp-rtg-hdr-22
•Compressed SRv6 Network Programming
– draft-li-spring-compressed-srv6-np-02
113

Network Transport Evolution
Simplify - Optimize - Enable
114
Service
Protocol
s
Transpor
t
Protocol
s
IGP/SR
BGP-EVPN
Unified MPLS
SR
Enabled Transport
Do more with less !!
IP

Path expressed in the packet Data
Dynamic path
Explicit path
Paths options
Dynamic
(Headend computation)
Explicit
(Operator / Controller)
Control Plane
Routing protocols with
extensions
(IS-IS,OSPF, BGP)
SDN controller
Data Plane
MPLS
(segment labels)
IPv6
(+SR header)
Segment Routing
115
Segment routing architecture seeks the right balance between
distributed intelligence and centralized optimization

IPv6 adoption is a reality
https://6lab.cisco.com/stats/ 116

IPv6 adoption trend
117
https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption

SRv6 domain and its
security
(few simple considerations…)

SR Domain
• The set of trusted nodes participating in
the SR solution
• May be organized in multiple
IGP areas and BGP AS
SRv6 Domain
AS
AS
area area
119

Domain Blocks
• The SR domain has
– a classic address block (e.g. B::/4)
– a SID block (e.g. A::/4)
SRv6 Domain
Classic
address Block
B::/4
SID Block
A::/4
120

Trust inside the domain
• Any source A inside the domain can inject
SR traffic using any SID of the domain
– via SID list <S1, S2, S3>
S1
S2
S3
A
Z
(A, S1)(Z, S3, S2, S1, SL=3)
121

External traffic is not trusted
• Any external source A cannot
leverage the SID’s of the domain
• Any border router drops any external traffic
destined to its blocks
– A::/4 and B::/4 S1
S2
S3
A
Z
(A, S1)(Z, S3, S2, S1, SL=3)
122

Validating SR Headers
• The HMAC TLV can be carried in Segment Routing Header to
validate the header
– “SR Source Nodes not directly connected to the SR Domain may access
specific sets of segments within the SR Domain when secured with the SRH
HMAC TLV. The SRH HMAC TLV provides a means of verifying the validity of
ingress packets SRH, limiting access to the segments in the SR Domain to
only those source nodes with permission.”
123

Ieee nfv-sdn-2020-srv6-tutorial

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Ieee nfv-sdn-2020-srv6-tutorial

Semelhante a Ieee nfv-sdn-2020-srv6-tutorial (20)

Mais de Stefano Salsano

Mais de Stefano Salsano (17)

Último

Último (20)

Ieee nfv-sdn-2020-srv6-tutorial