Segment Routing over IPv6 (SRv6) is an architecture based on the source routing paradigm that seeks the right balance between distributed (network-wide) intelligence and centralized (controller-based) programmability. Using SRv6, network devices have complete control over the forwarding paths and the network functions to be applied to packets, by combining simple network instructions. Moreover, applications can become SRv6 aware and gain control over the network-wide forwarding and processing of packets. SRv6 technology has been implemented in hardware by different vendors (e.g. CISCO, Huawei, Barefoot), in software (e.g. Linux kernel networking) and in software with I/O acceleration (e.g. FD.io Vector Packet Processing using DPDK). Several large-scale deployments of SRv6 were rolled out in 2019 (including Softbank, Iliad, China Telecom, China Unicom), see https://tools.ietf.org/html/draft-matsushima-spring-srv6-deployment-status. This tutorial will provide a quick introduction to SRv6 architecture and protocols and will illustrate the design and implementation of SRv6 services with hands-on examples. The hands-on part will be based on the open-source SRv6 ecosystem developed in the ROSE project: https://netgroup.github.io/rose/
IEEE NFV-SDN 2020 SRv6 tutorial
1. This presentation is partly based on slide decks that have been kindly provided by Cisco Systems
SRv6 and the Network Programming Model
Hands-On tutorial
Stefano Salsano – University of Rome Tor Vergata / CNIT
stefano.salsano@uniroma2.it
6th IEEE Conference on Network Functions Virtualization and
Software Defined Networking (IEEE NFV-SDN 2020)
November 9th 2020
2. Tutorial highlights - part 1
• What is Segment Routing ?
• What is SRv6 ? (Segment Routing over IPv6)
• How does it work ? few protocol details…
Segment Routing Header (SRH)
• Why is SRv6 so cool?
Hint: scalability and SDN!
3. Tutorial highlights - part 1
• What is the Network Programming Model?
from “waypoints” to “instructions”
• How can we use the Network Programming Model?
SRv6 example use cases:
• SR Traffic Engineering / Fast ReRouting
• Service Chaining (SFC)
• VPNs/SD-WANs
4. Tutorial highlights - part 2 “Hands on”
• SRv6 open source implementations and tools
• The ROSE ecosystem (Linux)
• Hands-on using the rose-srv6 Virtual Machine
• Create SRv6 tunnels (VPNs) in a Linux based Data Plane
(SR ingress/SR waypoint/IPv6 transit/SR egress nodes)
- manual setup with Linux CLI
- setup using our controller
7. Acknowledgements
This slideset originated from the following presentations:
• Segment Routing
Clarence Filsfils (CISCO), Kris Michielsen (CISCO)
http://www.segment-routing.net/tutorials/2016-09-27-segment-routing-introduction/
• Introduction to Segment Routing
Alberto Donzelli (CISCO)
CISCO Live! – January 29 to February 2, 2018, Barcelona, Spain
• SRv6 Network Programming
Francois Clad (CISCO)
(which in turn acknowledge several CISCO people)
8. Acknowledgements
This tutorial is based on work performed in the context of:
• 5G-EVE project funded by EU (Horizon 2020)
5G European Validation Platform for Extensive Trials
https://www.5g-eve.eu/
• ROSE project funded by CISCO University Research Program
Research on Open SRv6 Ecosystem
https://netgroup.github.io/rose/
9. The ROSE team
Pier Luigi Ventre
Ahmed AbdelSalam
Bogdan Iatco
Mahdi Tajiki
Lorenzo Bracciale
Pierpaolo Loreti
Angelo Tulumello
Marco Bonola
Luca Chiaraviglio
Fabio D'Andreagiovanni
Marco Ferrari
Daniele Zaccariello
Emanuele Altomare
Andrea Mayer
Paolo Lungaroni
Francesco Lombardo
Carmine Scarpitta
Giulio Sidoretti
Stefano Salsano
The team involved in the setup of the tutorial VM and experiments
10. Agenda
SR and SRv6 introduction
SRv6 Dataplane
SRv6 Network Programming Model
SRv6 use cases
(TE / FRR / Service Function Chaining / VPNs / SD-WAN)
Hands-on part
SRv6 Segment Routing Header
Why SRv6 is so cool? Scalability, SDN…
Additional materials and conclusions
17. SR Policy and SR domain
[Diagram labels: Headend Node; SR Policy P=<S1,S2,S3>; S1, S2, S3; SR domain; Ingress node (edge node); Egress node (edge node); Datacenter Server]
18. SR path and SR segments
[Diagram labels: Headend Node; SR Policy P=<S1,S2,S3>; S1, S2, S3; SR domain; Ingress node; Egress node; Datacenter Server]
The path is split in three segments
21. SRv6 – Forwarding Plane
• SRv6: a segment list is encoded in a routing
extension header (SRH)
• Segment → IPv6 Address
• The routing protocols natively distribute the
addresses
(no changes needed for topological instructions)
37. Segment Routing: key advantages
• Scalability (thanks to Source Routing)
– the topological and service (NFV/SFC) path is encoded in packet header
– the network fabric does not hold any per-flow state for TE or NFV/SFC
• Simplicity
– automation: sub-50msec FRR (Fast ReRouting) with TI-LFA (Topology Independent Loop Free Alternates)
– protocol elimination: LDP, RSVP-TE, NSH…
• End-to-End applicability (with SRv6)
– e.g. integrated view of Mobile Access, Data Center, Metro, WAN
38. Scalability : traditional approach
State information (match/action) per flow in all nodes!
Example: “traditional” MPLS label lookup tables with per-flow state
39. Scalability : SR approach
State information (match/action) per flow only in the headend node
40. Scalability and SDN: traditional approach
“traditional” OpenFlow with per-flow state in all nodes
SDN controller talks with all nodes (per flow)
41. Scalability and SDN: SR approach
SDN controller only talks with edge nodes (per flow)
42. SRv6: extending the SR domain (1/3)
[Diagram labels: Headend Node; SR Policy; S1, S2, S3; SR domain; Ingress node (edge node); Egress node (edge node); Datacenter Server]
43. SRv6: extending the SR domain (2/3)
[Diagram labels: Headend Node; S1, S2, S3; SR domain; Ingress node; Edge node; SR Policy (twice); Datacenter Server; Datacenter Network]
44. SRv6: extending the SR domain (3/3)
[Diagram labels: Headend Node; S1, S2, S3; SR domain; Edge node (twice); SR Policy (twice); Datacenter Server; Datacenter Network; Access / Metro Network]
“End-to-end” SRv6
57. Network Program
[Diagram: the network program is the list (Locator 1 Function 1, Locator 2 Function 2, Locator 3 Function 3); Next Segment: Locator 1 Function 1]
58. Network Program
[Diagram: same network program; Next Segment: Locator 2 Function 2]
59. Network Program
[Diagram: same network program; Next Segment: Locator 3 Function 3]
65. SRv6 Network Programming model
• End: Endpoint function
– The SRv6 instantiation of a prefix SID
• End.X: Endpoint function with Layer-3 cross-connect
– The SRv6 instantiation of an Adj SID
• End.T: Endpoint function with specific IPv6 table lookup
• End.DX2: Endpoint with decapsulation and Layer-2 cross-connect
– L2VPN use-case
• End.DX2V: Endpoint with decapsulation and VLAN L2 table lookup
– EVPN Flexible cross-connect use-cases
• End.DT2U: Endpoint with decaps and unicast MAC L2 table lookup
– EVPN Bridging unicast use-cases
• End.DT2M: Endpoint with decapsulation and L2 table flooding
– EVPN Bridging BUM use-cases with ESI filtering
66. SRv6 Network Programming model
• End.DX6: Endpoint with decapsulation and IPv6 cross-connect
– IPv6 L3VPN use (equivalent of a per-CE VPN label)
• End.DX4: Endpoint with decapsulation and IPv4 cross-connect
– IPv4 L3VPN use (equivalent of a per-CE VPN label)
• End.DT6: Endpoint with decapsulation and IPv6 table lookup
– IPv6 L3VPN use (equivalent of a per-VRF VPN label)
• End.DT4: Endpoint with decapsulation and IPv4 table lookup
– IPv4 L3VPN use (equivalent of a per-VRF VPN label)
• End.DT46: Endpoint with decapsulation and IP table lookup
– IP L3VPN use (equivalent of a per-VRF VPN label)
• End.B6: Endpoint bound to an SRv6 policy
– SRv6 instantiation of a Binding SID
67. SRv6 Network Programming model
• End.B6.Encaps: Endpoint bound to an SRv6 encapsulation Policy
– SRv6 instantiation of a Binding SID
• End.BM: Endpoint bound to an SR-MPLS Policy
– SRv6/SR-MPLS instantiation of a Binding SID
• End.S: Endpoint in search of a target in table T
The list is not exhaustive. In practice, any function can be
attached to a local SID: e.g. a node N can bind a SID to a local VM
or container which can apply any complex function on the packet.
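How a segment list executes as a network program, as an added Python example (not part of the original slides): each node matches the destination address against its local SID table, End advances to the next segment and End.DT6 terminates the program. The 64-bit locator/function split, node names, addresses and helper names are assumptions made for illustration.

```python
import ipaddress

LOCATOR_BITS = 64  # assumption: SID = 64-bit locator + 64-bit function

# Constructed topology: locator -> (node name, local SID table {function: behaviour})
NODES = {
    "2001:db8:a:1::": ("N1", {0x1: "End"}),
    "2001:db8:a:2::": ("N2", {0x1: "End"}),
    "2001:db8:a:3::": ("N3", {0x1: "End", 0x6: "End.DT6"}),
}

def split_sid(sid):
    """Split a SID into (locator, function) at LOCATOR_BITS."""
    value = int(ipaddress.IPv6Address(sid))
    shift = 128 - LOCATOR_BITS
    return str(ipaddress.IPv6Address((value >> shift) << shift)), value & ((1 << shift) - 1)

def encapsulate(path, inner_dst):
    """Headend: the SRH stores the program in reverse; Segments Left points at the first SID."""
    segments = list(reversed(path))
    sl = len(segments) - 1
    return {"da": segments[sl], "segments": segments, "sl": sl, "inner_dst": inner_dst}

def run_program(pkt):
    """Forward pkt until the program ends; return (trace, result)."""
    trace = []
    while True:
        locator, function = split_sid(pkt["da"])
        if locator not in NODES:
            return trace, "drop: no route to " + pkt["da"]
        name, local_sids = NODES[locator]
        behaviour = local_sids.get(function)
        if behaviour == "End" and pkt["sl"] > 0:
            pkt["sl"] -= 1                          # advance the instruction pointer
            pkt["da"] = pkt["segments"][pkt["sl"]]  # next segment becomes the destination
            trace.append((name, behaviour, pkt["sl"]))
        elif behaviour == "End.DT6" and pkt["sl"] == 0:
            trace.append((name, behaviour, 0))      # last instruction: decapsulate
            return trace, "deliver: " + pkt["inner_dst"]
        else:
            # unknown function, End as the last SID, or End.DT6 with segments still pending
            return trace, "drop at %s: SID %s not usable with SL=%d" % (name, pkt["da"], pkt["sl"])
```

A SID that is not installed in the node's local SID table, or a decapsulating SID placed anywhere but last, ends the program with a drop rather than a delivery.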
71. Segment Routing Traffic Engineering vs. “traditional” Traffic Engineering
• In “traditional” TE, a connection (LSP) is set up by updating the forwarding tables of ALL crossed nodes,
• By combining prefix and adjacency segments we have the same expressiveness of traditional TE
• The average number of segments (waypoints) needed to enforce a TE path is very low in typical scenarios
• Equal Cost Multipath (ECMP) can be exploited in a natural way with SR
72. Using Segment Routing for Fault Protection
• FRR (Fast ReRoute) with TI-LFA: Topology Independent Loop-Free
Alternate
• Local backup instructions can be added to protect every routing entry
from (single) failure of outgoing link/node
85. Hands-on session
• We run our experiments on the rose-srv6 Virtual Machine; if you want to replicate them, see https://netgroup.github.io/rose/rose-vm.html
• The experiments performed are reported in these technical reports:
–“ROSE-SRv6 Tutorial on Linux – Part 1. Manual creation of SRv6 tunnels in the data plane”
https://netgroup.github.io/rose/rose-vm.html#rose-srv6-tutorial-on-linux---part-1
–“ROSE-SRv6 tutorial on Linux - Part 2. ROSE Control Plane : setting up SRv6 tunnels from the controller”
https://netgroup.github.io/rose/rose-vm.html#rose-srv6-tutorial-on-linux---part-2
87. SRv6 standardization
• Large standardization efforts in IETF (around 70 documents)
– Driven by vendors (CISCO is the main supporter)
– See full list here: www.segment-routing.net/ietf/
• Main RFCs
– RFC 8402 Segment Routing Architecture
defines SR concepts both for MPLS and SRv6
– RFC 8660 Segment Routing with MPLS data plane
– RFC 8754 IPv6 Segment Routing Header (SRH)
defines the SRv6 dataplane encapsulation (SRH)
88. SRv6 standardization
• Main WG docs
– draft-ietf-spring-srv6-network-programming
defines the SRv6 Network Programming model
– draft-ietf-spring-segment-routing-policy
– draft-ietf-spring-sr-service-programming
covers SFC aspects
• IETF docs can be classified in several categories: Architecture, Use-Cases and Requirements, Deployments and Interoperability, Fast Reroute (FRR), OAM, Performance Measurements, Multicast/Replication, Protocol Extensions
89. SRv6 deployments
• Large-scale commercial deployments
– Softbank, Iliad, China Telecom, LINE corporation, China Unicom, CERNET2, China Bank
and Uganda MTN.
• Hardware line-rate implementations
– Cisco Systems, Huawei
– Broadcom, Barefoot, Intel, Marvell, Mellanox
– Multiple Interop Reports
• Open-source platforms / Applications
– Linux kernel, FD.io VPP, P4, Wireshark, tcpdump, iptables, nftables, snort, ExaBGP, Contiv-VPP
90. SRv6 Open Source Platforms / Applications
• SRv6 Data path
– Linux kernel
– FD.io VPP (https://wiki.fd.io/view/VPP)
– P4 SRv6 (http://bit.ly/onos-p4-srv6)
• Applications and tools
– Wireshark, Tcpdump
– scapy
– iptables, nftables
– Snort NIDS (https://github.com/SRouting/SR-Snort)
• Control plane
– ExaBGP (https://www.segment-routing.net/open-software/exabgp/)
– Contiv-VPP
91. ROSE - Research on Open SRv6 Ecosystem
The ROSE ecosystem includes several sub-projects:
• SRv6 uSID (micro segment) implementation in Linux
• SRv6 uSID (micro segment) implementation on P4
• SRv6-PM (SRv6 Performance monitoring)
• rose-srv6 VM
• HIKE – HybrId Kernel EBPF data plane
• SREXT - Segment Routing Extension Linux kernel module
• SRNK – SR proxy Native Kernel
• pyroute2 extensions to support SRv6
• SRv6-SDN – An SDN ecosystem for SRv6 on Linux
• SRPerf - a Performance Evaluation Framework for SRv6 implementations
https://netgroup.github.io/rose/
The hands-on part of this tutorial is based on the ROSE ecosystem, in particular on the rose-srv6 VM
92. Segment Routing scientific work
• More than 90 papers
– http://www.segment-routing.net/scientific-papers/ (lists 60 papers)
– See P.L. Ventre et al. “Segment Routing: a Comprehensive Survey of Research
Activities, Standardization Efforts and Implementation Results” accepted for
publication in IEEE Communications Surveys and Tutorials
(preprint on arxiv http://arxiv.org/abs/1904.03471)
93. Our contributions…
• SRPerf: a Performance Evaluation Framework for IPv6 Segment Routing
A. Abdelsalam, P. L. Ventre, C. Scarpitta, A. Mayer, S. Salsano, P. Camarillo, F. Clad and C. Filsfils,
Accepted to IEEE Transactions on Network and Service Management (TNSM).
• SRPerf: a Performance Evaluation Framework for IPv6 Segment Routing
A. Tulumello, A. Mayer, M. Bonola, P. Lungaroni, C. Scarpitta, S. Salsano, A. Abdelsalam, P. Camarillo, D. Dukes, F. Clad, C. Filsfils,
Conference of Network and Service Management 2020 (CNSM 2020).
• SDN Architecture and Southbound APIs for IPv6 Segment Routing Enabled Wide Area Networks
P. L. Ventre, M. M. Tajiki, S. Salsano, C. Filsfils,
IEEE Transactions on Network and Service Management (TNSM), December 2018.
• The Network as a Computer with IPv6 Segment Routing: a Novel Distributed Processing Model for the Internet of Things
A. Mayer, E. Altomare, S. Salsano, F. Lo Presti, C. Filsfils,
NGOSCPS workshop at the CPS-IoT Week 2019, April 15 2019, Montreal, Canada (pdf)
• SR-Snort: IPv6 Segment Routing Aware IDS/IPS
A. Abdelsalam, S. Salsano, F. Clad, P. Camarillo, C. Filsfils,
IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), Verona, Italy, November 2018.
• Performance of IPv6 Segment Routing in Linux Kernel
A. Abdelsalam, P. L. Ventre, A. Mayer, S. Salsano, P. Camarillo, F. Clad, C. Filsfils,
CNSM Workshop on Segment Routing and Service Function Chaining (SR+SFC), Rome, Italy, 2018.
• SERA: SEgment Routing Aware Firewall for Service Function Chaining scenarios
A. Abdelsalam, S. Salsano, F. Clad, P. Camarillo, C. Filsfils, IFIP Networking, Zurich, Switzerland, May 2018.
• Implementation of Virtual Network Function Chaining through Segment Routing in a Linux-based NFV Infrastructure
A. AbdelSalam, F. Clad, C. Filsfils, S. Salsano, G. Siracusano and L. Veltri
IEEE Conference on Network Softwarization (NetSoft), Bologna, Italy, 2017.
• An Efficient Linux Kernel Implementation of Service Function Chaining for legacy VNFs based on IPv6 Segment Routing,
A. Mayer, S. Salsano, P. L. Ventre, A. Abdelsalam, L. Chiaraviglio, C. Filsfils,
5th IEEE International Conference on Network Softwarization (NetSoft 2019), 24-28 June 2019, Paris, France
94. Segment Routing hottest open issues
• In our survey http://arxiv.org/abs/1904.03471 we have identified the following
research directions:
– Service Function Chaining support
– SRv6 end-host implementation aspects / SmartNICs and SRv6
– Cloud Orchestration
– Integration with Applications
– 5G and SRv6
– Internet of Things and SRv6
95. Conclusions
• Segment Routing architecture seeks the right balance between distributed
intelligence and centralized optimization
• Segment Routing over IPv6 (SRv6) brings in the
Network Programming model
• SRv6 provides underlay and overlay services in a unified way, possibly across
access, metro, core and data center networking domains
• Lots of issues are still open, very good for researchers ☺
97. References and acknowledgements
Research on Open SRv6 Ecosystem
https://netgroup.github.io/rose/
5G European Validation Platform for Extensive Trials
https://www.5g-eve.eu/
The 5G EVE project has received funding from the European Horizon 2020 Programme for research,
technological development and demonstration under grant agreement n° 815074
99. The network as a computer with SRv6 (SR-IoT)
• The Network as a Computer with IPv6 Segment Routing: a Novel Distributed Processing Model for the Internet of Things
A. Mayer, E. Altomare, S. Salsano, F. Lo Presti, C. Filsfils,
NGOSCPS workshop at the CPS-IoT Week 2019, April 15 2019, Montreal, Canada (pdf)
A position (or visionary…) paper. Assuming that it is possible to exploit distributed processing in the “things/gateways”, the application logic and the computation state is transferred “on the fly” with IP packets (using SRv6!): “SR-IoT”
100. The network as a computer with SRv6 (SR-IoT)
In SR-IoT, the Segment List can be seen as a “Network program”, where the next
segment is the Instruction Pointer and a network node is a CPU that executes
the instruction
101. The network as a computer with SRv6 (SR-IoT)
In SR-IoT, we extend the SRv6 network programming model, considering the
Functions as “operation codes” of a processor ISA (Instruction Set Architecture)
The whole IoT infrastructure is seen as a logical machine with I/O ports
(corresponding to the ports of IoT devices), that can be programmed through an
Instruction Set Architecture
103. The network as a computer with SRv6 (SR-IoT)
We designed a prototype of SR-IoT, considering the Instruction Set Architecture
(ISA) of Atmel AVR microcontroller (Arduino) and using the SimAVR emulator
on Linux to emulate the AVR microcontroller.
An SR-IoT packet corresponds to a process. It includes the program in the SRv6
segment list, and the serialization of registers, stack and RAM. All need to fit in
less than 1500 bytes ! For TinyAVR microcontrollers, RAM used can be as low as
128 or 256 bytes.
We designed an efficient solution to encode operations in the IPv6 segment list.
For example, 100 instructions over 10 different nodes can be represented with
320 bytes, leaving 1000 bytes for RAM, stack and CPU registers…
104. Compressing the SR Header
• An SRv6 segment list is a sequence of IPv6 addresses. The SRH always
introduces 8 bytes. Each IPv6 address is 16 bytes long.
Example for 5 segments => 8 + 5 * 16 = 88 bytes of overhead.
Example for 10 segments => 8 + 10 * 16 = 168 bytes of overhead.
• In most cases the number of segments is limited (e.g. up to 3-4 segments), but
what happens if many segments are needed for a particular service or service
scenario ?
• A more compact representation of the Segment List is needed !
105. SRv6 uSID (micro-SID)
• A new extension of the SRv6 Network Programming model
– https://datatracker.ietf.org/doc/draft-filsfils-spring-net-pgm-extension-srv6-usid/
• It allows expressing SRv6 segments with a very compact and efficient representation.
– For example, using two bytes for uSID instead of using a normal IPv6 address (16
bytes) for a regular SRv6 segment.
• Leverages the SRv6 control and data planes without any change
• Provides better scaling and minimum MTU overhead
106. SRv6 uSID interop event
https://www.youtube.com/watch?v=pVFkmwYIgmo
Developed by the ROSE team
107. Other proposals in IETF for SRH compression
• Segment Routing Mapped To IPv6 (SRm6)
– draft-bonica-spring-sr-mapped-six-01
– draft-bonica-6man-comp-rtg-hdr-22
• Compressed SRv6 Network Programming
– draft-li-spring-compressed-srv6-np-02
108. Network Transport Evolution
Simplify - Optimize - Enable
[Diagram labels: Service Protocols; Transport Protocols; IGP/SR; BGP-EVPN; Unified MPLS; SR Enabled Transport; IP]
Do more with less !!
109. Segment Routing
[Diagram labels: Path expressed in the packet; Data; Dynamic path; Explicit path]
• Paths options: Dynamic (Headend computation); Explicit (Operator / Controller)
• Control Plane: Routing protocols with extensions (IS-IS, OSPF, BGP); SDN controller
• Data Plane: MPLS (segment labels); IPv6 (+SR header)
Segment routing architecture seeks the right balance between distributed intelligence and centralized optimization
113. SR Domain
• The set of trusted nodes participating in the SR solution
• May be organized in multiple IGP areas and BGP AS
[Diagram labels: SRv6 Domain; AS (twice); area (twice)]
114. Domain Blocks
• The SR domain has
– a classic address block (e.g. B::/4)
– a SID block (e.g. A::/4)
[Diagram labels: SRv6 Domain; Classic address Block B::/4; SID Block A::/4]
115. Trust inside the domain
• Any source A inside the domain can inject SR traffic using any SID of the domain
– via SID list <S1, S2, S3>
[Diagram labels: A, S1, S2, S3, Z; packet (A, S1)(Z, S3, S2, S1, SL=3)]
116. External traffic is not trusted
• Any external source A cannot leverage the SIDs of the domain
• Any border router drops any external traffic destined to its blocks
– A::/4 and B::/4
[Diagram labels: A, S1, S2, S3, Z; packet (A, S1)(Z, S3, S2, S1, SL=3)]
117. Validating SR Headers
• The HMAC TLV can be carried in the Segment Routing Header to validate the header
– “SR Source Nodes not directly connected to the SR Domain may access
specific sets of segments within the SR Domain when secured with the SRH
HMAC TLV. The SRH HMAC TLV provides a means of verifying the validity of
ingress packets SRH, limiting access to the segments in the SR Domain to
only those source nodes with permission.”
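The border policy of slides 116 and 117 as an added Python example (not from the original slides or the ROSE code): external packets to the classic block are dropped, and packets to a SID are accepted only when the SRH carries an HMAC TLV that verifies. The SRH and HMAC TLV layout follows RFC 8754; the prefixes, key and function names are constructed for illustration, and HMAC-SHA-256 is assumed as the algorithm.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed prefixes standing in for the slides' SID block (A::/4) and classic block (B::/4).
SID_BLOCK = ipaddress.ip_network("2001:db8:a::/48")
CLASSIC_BLOCK = ipaddress.ip_network("2001:db8:b::/48")
KEYS = {1: b"constructed-demo-key"}  # HMAC Key ID -> pre-shared key (sample value)
TLV_PAD1, TLV_HMAC = 0, 5

def hmac_text(src, last_entry, flags, key_id, seglist):
    # Fields covered by the HMAC: IPv6 SA, Last Entry, Flags, HMAC Key ID, Segment List.
    return ipaddress.ip_address(src).packed + bytes([last_entry, flags]) + key_id + seglist

def build_srh(src, path, key_id=None):
    """Encode an SRH for `path` (travel order); append an HMAC TLV if key_id is given."""
    seglist = b"".join(ipaddress.ip_address(s).packed for s in reversed(path))
    last_entry, flags, tlv = len(path) - 1, 0, b""
    if key_id is not None:
        kid = struct.pack("!I", key_id)
        mac = hmac.new(KEYS[key_id], hmac_text(src, last_entry, flags, kid, seglist),
                       hashlib.sha256).digest()
        tlv = bytes([TLV_HMAC, 38, 0, 0]) + kid + mac  # Length 38 = D/reserved + Key ID + HMAC
    ext_len = (len(seglist) + len(tlv)) // 8           # 8-octet units after the first 8 octets
    # Next Header 41 (IPv6), Routing Type 4 (SRH), Segments Left = Last Entry at the source
    return struct.pack("!BBBBBBH", 41, ext_len, 4, last_entry, last_entry, flags, 0) + seglist + tlv

def parse_srh(srh):
    """Return (last_entry, flags, seglist_bytes, {tlv_type: value}); ValueError if malformed."""
    if len(srh) < 8:
        raise ValueError("truncated SRH")
    _nh, ext_len, rtype, seg_left, last_entry, flags, _tag = struct.unpack("!BBBBBBH", srh[:8])
    seg_end = 8 + 16 * (last_entry + 1)
    if rtype != 4 or len(srh) != 8 + 8 * ext_len or seg_end > len(srh) or seg_left > last_entry:
        raise ValueError("inconsistent SRH lengths")
    tlvs, off = {}, seg_end
    while off < len(srh):
        if srh[off] == TLV_PAD1:  # Pad1 is a single octet with no length field
            off += 1
            continue
        if off + 2 > len(srh) or off + 2 + srh[off + 1] > len(srh):
            raise ValueError("TLV overruns header")
        tlvs[srh[off]] = srh[off + 2: off + 2 + srh[off + 1]]
        off += 2 + srh[off + 1]
    return last_entry, flags, srh[8:seg_end], tlvs

def hmac_ok(src, srh):
    """True only if the SRH parses cleanly and its HMAC TLV verifies under a known key."""
    try:
        last_entry, flags, seglist, tlvs = parse_srh(srh)
    except ValueError:
        return False
    value = tlvs.get(TLV_HMAC, b"")
    key = KEYS.get(int.from_bytes(value[2:6], "big")) if len(value) == 38 else None
    if key is None:
        return False
    expected = hmac.new(key, hmac_text(src, last_entry, flags, value[2:6], seglist),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, value[6:])

def border_verdict(src, dst, srh=None):
    """Decision for a packet arriving on an external interface of a border router."""
    dst = ipaddress.ip_address(dst)
    if dst in CLASSIC_BLOCK:
        return "drop"      # external traffic to the classic block
    if dst in SID_BLOCK:   # SIDs are reachable only with a valid HMAC TLV
        return "accept" if srh is not None and hmac_ok(src, srh) else "drop"
    return "accept"        # not addressed to the domain's blocks
```

Because the source address and the whole segment list are inside the HMAC input, a packet that reuses a captured TLV with a different source or an edited segment list fails verification and is dropped.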