思科首席工程师/工信部通信科技委委员
10/25/2018
Think in SRv6: 极简的编程化网络
苏远超
THANK YOU!
Peering optimization
Simplify MPLS WAN optimization
WAE
WAN
WAE
WA
Peer’s
ISP
ISP
ISPNSO
50ms protection(TI-LFA)
100
10
10 10
10
WA
N B
WAE
DC
WAE
Unified Forwarding Plane/SPDC
3GPP 5G Study Item C4-176400: SRv6
SR已经成为事实上的SDN架构标准
网络比以往任何时候都更需要成为一个平台
5G
5G
5G
5G/物联网
下一代数据中心
微服务
城域网/骨干网
现有网络
现有数据中心
行业
解决方案
下一代网络平台-基于Segment Routing
多云世界
SR回顾
SRv6理念&原理
SRv6案例
Agenda
应用驱动网络:Segment Routing简化 & 可扩展
Segment
Routing
SDN
控制器
应用1
应用提出需求 – 带宽, 时延, 保护…
2控制器从网络中收集拓扑,链路状态,链路利用率等信息
3
应用被映射到由Segment list所定义的路径上
只需网络边缘节点维持路径信息中间节点无状态
Segment Routing标准化进展
http://www.segment-routing.net/ietf/
•Segment Routing Architecture RFC 8402
•Source Packet Routing in Networking (SPRING) Problem Statement and Requirements RFC 7855
•Use Cases for IPv6 Source Packet Routing in Networking (SPRING) RFC 8354
•Label Switched Path (LSP) Ping/Trace for Segment Routing Networks Using MPLS Dataplane RFC 8287
•UDP Return Path for Packet Loss and Delay Measurement for MPLS Networks RFC 7876
•IS-IS Traffic Engineering (TE) Metric Extensions RFC 7810
•OSPF Traffic Engineering (TE) Metric Extensions RFC 7471
•Packet Loss and Delay Measurement for MPLS Networks RFC 6374
• Segment Routing最重要的架构标准”Segment Routing Architecture”已经完成了标准化: RFC8402
• Segment Routing目前已经有8个标准的RFC文件,另外有数量众多的技术草案预计在2019/2020年完成标准化• 25份工作组草案, 32份个人草案
MPLS+SDN+NFV World Congress 2018- EANTC多厂家互通测试
• 参与厂家
• 思科,华为,中兴,Juniper,Nokia,Arista,Spirent,IxiaErissson,ECI, UTStarcom
• 测试的项目
• SR, SR-FRR/TI-LFA
• SR与LDP互通,SRv6
• EVPN-E-line, E-Tree, IRB
• EVPN/VXLAN与EVPN/SR互通
• SDN
• PCEP,Netconfig/Yang
• 域内SR-TE,跨域SR-TE
• 时钟同步‘All our test scenarios involving MPLS in the Segment Routing, Ethernet VPNs andSoftware Defined Networking sections were carried out using Segment Routing...’
SR回顾
SRv6理念&原理
SRv6案例分析
Agenda
SR
MPLS数据平面SR MPLS
IPv6数据平面SRv6
IPv4控制平面:
ISIS/OSPF/BGP
IPv6控制平面:
ISISv6/OSPFv3/BGP4+
SR支持IPv6
Why this?
SR for Anything
Network as a Computer
服务器
CPU指令
程序
网络
SRv6
Segment
SDN
SRv6: 极简 & 编程
draft-filsfils-spring-srv6-network-programming
SRv6 Segment格式: Locator+Function
• SRv6 SIDs are 128-bit addresses
• Locator: most significant bits are used to route the segment to its parent node
• Function: least significant bits identify the action to be performed on the parent node
• Argument [optional]: Last bits can be used as a local function argument
• Flexible bit-length allocation
• Segment format is local knowledge on the parent node
• SIDs have to be specifically enabled as such on their parent node
• A local address is not by default a local SID
• A local SID does not have to be associated with an interface
1111 : 2222 : 3333 : 4444 : 5555 : 6666 : 7777 : 8888
Locator Function Argument
编程化网络
Next Segment
Locator 1 Function 1
Locator 1 Function 1
Locator 2 Function 2
Locator 3 Function 3
Locator 2 Function 2
Locator 3 Function 3
编程化网络
Next Segment
Locator 1 Function 1
Locator 1 Function 1
Locator 2 Function 2
Locator 3 Function 3
Locator2 Function2
Locator 3 Function 3
编程化网络
Next Segment
Locator 1 Function 1
Locator 2 Function 2
Locator 3 Function 3
Locator 3 Function 3
Locator 2 Function 2
Locator 1 Function 1
目前定义的SRv6操作(Function)
• End Endpoint function The SRv6 instantiation of a prefix SID
• End.X Endpoint function with Layer-3 cross-connect The SRv6 instantiation of a Adj SID
• End.T Endpoint function with specific IPv6 table lookup
• End.DX2 Endpoint with decapsulation and Layer-2 cross-connect L2VPN use-case
• End.DX6 Endpoint with decapsulation and IPv6 cross-connect IPv6 L3VPN use (equivalent
of a per-CE VPN label)
• End.DX4 Endpoint with decapsulation and IPv4 cross-connect IPv4 L3VPN use (equivalent
of a per-CE VPN label)
• End.DT6 Endpoint with decapsulation and IPv6 table lookup IPv6 L3VPN use (equivalent
of a per-VRF VPN label)
• End.DT4 Endpoint with decapsulation and IPv4 table lookup IPv4 L3VPN use (equivalent
of a per-VRF VPN label)
• End.B6 Endpoint bound to an SRv6 policy SRv6 instantiation of a Binding SID
• End.B6.Encaps Endpoint bound to an SRv6 encapsulation Policy SRv6 instantiation of a
Binding SID
• End.BM Endpoint bound to an SR-MPLS Policy SRv6/SR-MPLS instantiation of a Binding SID
• End.S Endpoint in search of a target in table T
• End.AS Endpoint to SR-unaware APP via static proxy
• End.AM Endpoint to SR-unaware APP via masquerading
• T.Insert Transit behavior with insertion of an SRv6 Policy
• T.Encaps Transit behavior with encapsulation in an SRv6 policy
• T.Encaps.L2 T.Encaps behavior of the received L2 frame
And more...
SRv6业界支持情况
• 用户接受度• 多个运营商/OTT的RFP中, SRv6都是必选项• 2019年初首个客户商用案例
• 业界共识• 主流厂商都将SRv6作为5G承载的终极目标
• 开源社区• Linux(内核4.10以上), FD.IO/VPP, IPtables,
Snort...
• 芯片• Cisco全系列路由/交换芯片支持SRv6
• Broadcom Jericho2芯片全面支持SRv6
• Barefoot P4芯片• 产品实现
• Cisco全系列路由器/交换机从2018年底开始支持SRv6
• 基于Broadcom Jericho2芯片的设备预计1HCY19支持SRv6
Linux支持SRv6情况
*srext: a Linux kernel module for the SRv6 Network Programming modelSource: http://www.segment-routing.net/open-software/linux/
IPv6很早就支持源路由了
• Generic routing extension header
• Defined in RFC 2460
• Next Header: UDP, TCP, IPv6…
• Hdr Ext Len: Any IPv6 device can skip this header
• Segments Left: Ignore extension header if equal to 0
• Routing Type field:• 0 Source Route (deprecated since 2007)
• 1 Nimrod (deprecated since 2009)
• 2 Mobility (RFC 6275)
• 3 RPL Source Route (RFC 6554)
• 4 Segment Routing
43
SRv6定义了新的路由扩展头类型但不止是为了支持源路由
• NH = 43, Type = 4
43
RFC
24
60
SR s
pec
ific
4
draft-ietf-6man-segment-routing-header
源节点(Source Node)
• Source node is SR-capable
• SR Header (SRH) is created with
• Segment list in reversed order of the path
• Segment List [ 0 ] is the LAST segment
• Segment List [ 𝑛 − 1 ] is the FIRST segment
• Segments Left is set to 𝑛 − 1
• First Segment is set to 𝑛 − 1
• IP DA is set to the first segment
• Packet is send according to the IP DA
• Normal IPv6 forwarding
Version Traffic Class
Next = 43 Hop LimitPayload Length
Source Address = A1::
Destination Address = A2::
Segment List [ 0 ] = A4::
Segment List [ 1 ] = A3::
Next Header Len= 6 Type = 4 SL = 2
First = 2 Flags TAG
IPv6
Hd
r
Segment List [ 2 ] = A2::
SR H
dr
Payload
Flow LabelFlow Label
4A4::
1A1::
SR Hdr
IPv6 Hdr SA = A1::, DA = A2::
( A4::, A3::, A2:: ) SL=2
Payload
2A2::
3A3::
SR Hdr
IPv6 Hdr SA = A1::, DA = A2::
( A4::, A3::, A2:: ) SL=2
Payload
中转节点(Non-SR Transit Node)
• Plain IPv6 forwarding
• Solely based on IPv6 DA
• No SRH inspection or update
4A4::
1A1::
2A2::
3A3::
SR Hdr
IPv6 Hdr SA = A1::, DA = A3::
( A4::, A3::, A2:: ) SL=1
Payload
Segment端节点(SR Segment Endpoints)
• SR Endpoints: SR-capable nodes whose address is in the IP DA
• SR Endpoints inspect the SRH and do:
• IF Segments Left > 0, THEN
• Decrement Segments Left ( -1 )
• Update DA with Segment List [ Segments Left ]
• Forward according to the new IP DA
Version Traffic Class
Next = 43 Hop LimitPayload Length
Source Address = A1::
Destination Address = A3::
Segment List [ 0 ] = A4::
Segment List [ 1 ] = A3::
Next Header Len= 6 Type = 4 SL = 1
First = 2 Flags TAG
IPv6
Hd
r
Segment List [ 2 ] = A2::
SR H
dr
Payload
Flow LabelFlow Label
4A4::
AA1::
2A2::
3A3::
SR Hdr
IPv6 Hdr SA = A1::, DA = A4::
( A4::, A3::, A2:: ) SL=0
Payload
Segment端节点
• SR Endpoints: SR-capable nodes whose address is in the IP DA
• SR Endpoints inspect the SRH and do:
• IF Segments Left > 0, THEN
• Decrement Segments Left ( -1 )
• Update DA with Segment List [ Segments Left ]
• Forward according to the new IP DA
• ELSE (Segments Left = 0)
• Remove the IP and SR header
• Process the payload:
• Inner IP: Lookup DA and forward
• TCP / UDP: Send to socket
• …
Version Traffic Class
Next = 43 Hop LimitPayload Length
Source Address = A1::
Destination Address = A4::
Segment List [ 0 ] = A4::
Segment List [ 1 ] = A3::
Next Header Len= 6 Type = 4 SL = 0
First = 2 Flags TAG
IPv6
Hd
r
Segment List [ 2 ] = A2::
SR H
dr
Payload
Flow LabelFlow Label
4A4::
1A1::
2A2::
3A3::
Standard IPv6 processingThe final
destination does not have to be SR-
capable.
Segment端节点转发流程
SRv6实现VPN
• Automated
• No tunnel to configure
• Simple
• Protocol elimination
• Efficient• SRv6 for everything
1
2
Green Overlay V/64via A2::C4
4
V
3
T1
IPv6 ( A1::0, A2::C4 )
payload
IPv4 ( T1, V)
IPv4 ( T1, V )
payload
IPv4 ( T1, V)
payload
End.DX4/End.DT4
BGP SRv6 VPN–控制平面
1 2
5
A2::1A1::1
eBGPAFI:1 -IPv4SAFI:1NLRI:4.0.0.0/8NH:4.4.4.1
eBGPAFI:1 -IPv4SAFI:1NLRI:4.0.0.0/8NH:.3.3.3.2
A2::C4end.DX4
A1::C3end.DX4
33.0.0.0/8
3.3.
3.1
3.3.
3.2
44.0.0.0/8
4.4
.4.1
4.4.
4.2
iBGPAFI:1 -IPv4SAFI:128NLRI:4.0.0.0/8NH:A2::1Label:ImplNullSID: A2::C4
A2::/64IGP
A1::/64IGP
draft-dawra-idr-srv6-vpn-03
BGP SRv6 VPN–数据平面
1 2 4 4.0.0.0/833.0.0.0/8
5
A2::1A1::1
A2::C4end.DX4
A1::C3end.DX43
.3.3
.1
3.3
.3.2
4.4
.4.1
4.4
.4.2
IPv4 ( 3.1.1.1, 4.1.1.1)
payload
IPv6 ( A1::1, A2::C4 )
payload
IPv4 ( 3.1.1.1, 4.1.1.1)
IPv4 ( 3.1.1.1, 4.1.1.1) )
payload
SRv6实现VPN+TE
• SRv6 does not only eliminate unneeded overlay protocols
• SRv6 solves problems that these protocols cannot solve
1
2
Green Overlay Vvia A2::C4with Latency
4
V
3
T1
3
IPv4 ( T1, V )
payload
IPv4 ( T1, V )
payload
IPv6 ( A1::0, A2::C4 )
payload
IPv4 ( T1, V )
SRH {A2::C4 ,A3::0}
IPv6 ( A1::0, A3::0 )
payload
IPv4 ( T1, V )
SRH {A2::C4 ,A3::0}
SRv6实现SD-WAN
ISP1
A BISP3 ISP4
ISP22
C
SD-WAN控制器
站点A 站点 B
1 3
X
主机T 主机R
B to R
IP: (T, R) (Payload)IP: (T, R) (Payload)
Packet T to R(A, C1:B31::; NH=SRH)
(B, C1:B31::; SL=1; NH=ESP)
(ESP(T,R)Payload)
A to 1
(A, C2::; NH=SRH)
(B,C3::,C2::; SL=2; NH=ESP)
(ESP(T,R)Payload)
1 to 3 3 to B
(A, B; NH=ESP)
(ESP (T,R)Payload)
节点1上生成BSID:BSID C1:B31:: to SR Policy to 3
draft-dukes-spring-sr-for-sdwan-00
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Strictly Confidential
Payload
IPv6 SA = C1::, DA = C2::1
SR(E2::1, C2::1, E1::A2)
SL=1IPv4 SA = A.A.A.A, DA = B.B.B.B
SRv6实现服务链(End.AD)
TenGE0/1/0 TenGE0/2/0
Service192.168.0.10
Proxy E1::/6
4
Dynamically learned SR information on the proxy.
Note: IFACE-OUT and IFACE-IN may be virtual interfaces
Payload
IPv4SA = A.A.A.A, DA =
B.B.B.B
Payload
IPv6 SA = C1::, DA = E1::A2
SR(E2::1, C2::1, E1::A2)
SL=2IPv4 SA = A.A.A.A, DA = B.B.B.B
• Ingress: SID E1::A2 with dynamic proxy behavior
• Advance to next segment
• Store IPv6 and extension headers in local cache
• Pop IPv6 and extension headers
• Forward towards S-ADDR on IFACE-OUT
• Egress: Inbound policy on IFACE-IN
• Encapsulate with cached IP and SR header
• Forward based on outer destination address
• Inner header can be IPv4, IPv6 or Ethernet
• SR policy can combine service and topological segments
• Per-chain dynamic configuration
>VPP: show sr localsidSID BehaviorE1::A2 Dynamic proxy
INNER-TYPE: IPv4,S-ADDR: 192.168.0.10,IFACE-OUT: TenGE0/1/0,IFACE-IN: TenGE0/2/0
IPv6 SA = C1::, DA = C2::1
SR(E2::1, C2::1, E1::A2)
SL=1
Cache:
draft-xuclad-spring-sr-service-chaining-01
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Strictly Confidential
SRv6实现服务链(End.AM)
• SRv6 insertion mode only
• SR policy can combine service and topological segments
• Chain agnostic configuration
Payload
IPv6 SA = C1::, DA = C2::1
SR (B::, C2::1, E1::A4) SL=1
TenGE0/1/0 TenGE0/2/0
Service2001::A
Proxy E1::/6
4
Payload
IPv6 SA = C1::, DA = E1::A4
SR (B::, C2::1, E1::A4) SL=2
>VPP: show sr localsidSID BehaviorE1::A4 Masquerading proxy
S-ADDR: 2001::A,IFACE-OUT: TenGE0/1/0,IFACE-IN: TenGE0/2/0
IPv6 SA = C1::, DA = B::
SR (B::, C2::1, E1::A4) SL=1
Payload
• Ingress: SID E1::A4 with masquerading proxy behavior
• Decrement SL value (2 → 1)
• Replace DA with last segment (B::)
• Forward towards S-ADDR on IFACE-OUT
• Egress: Inbound policy on IFACE-IN
• Restore DA based on SR header SL value
• Forward based on destination address
Replace active segment with final destination address.
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Strictly Confidential
• Proxy functions
• Linux (srext kernel module)
• FD.io VPP (18.04)
• SR-capable open-source services
• iptables (mainstream)
• nftables (mainstream)
• Snort
SR服务链支持情况
And also:• Wireshark (mainstream)• tcpdump (mainstream)• pyroute2 (mainstream)
Note: SRv6 is supported in the Linux kernel since version 4.10 (Feb 2017).
SRv6与传统IPv6网络互操作
root@sr:~#ip -6 route add b::/64 via a::1 encap seg6 mode encap segs 2001:718:1c01:eeee::1,2001:718:1:20:a::2
Ubuntu 16.04.2 LTS
Source: http://www.segment-routing.net/conferences/
root@sr:~#sr localsid address 2001:718:1c01:eeee::2 behavior end.dt6 1
VPP/FD.IO
SRv6与SR MPLS网络互操作
MPLS { L1, L2, L3 }
SR Hdr (…,E::, D::30,…) SL=k-1
Payload
IPv6 Hdr SA = A::, DA = E::SR Hdr
IPv6 Hdr SA = A::, DA = D::30
(…,E::, D::30,…) SL=k
Payload
D
D:: /64
End.BM: Binding-SID(D:30), 对应于SR Policy标签栈(<L1,L2,L3>)
SR Policy for IPv6:直接根据IPv6目的地址/Color或者flow信息把数据包引导至SR Policy
MPLS { L1, L2, L3 }
SR Hdr (…,E::, D::10,…) SL=k
Payload
IPv6 Hdr SA = A::, DA = D::10SR Hdr
IPv6 Hdr SA = A::, DA = D::10
(…,E::, D::10,…) SL=k
Payload
R
Color
ToS
(Color,Endpoint)
1 7711 7
EVPN prefixes with VNI: 1001
NH: 1.1.1.4
EVPN prefixes with SRv6 VPN SID A7::DX4
2 53 6
4
SRv6 PoDVxLAN PoD
SRv6与VXLAN互操作(控制平面)
37
44
Stitching
1. Node 7 advertises EVPN prefixes with SRv6 VPN SID A7::DX4
2. Node4/44 install prefixes in respective VRF table
3. Node4/44 will originate EVPN prefix with VNI 1001 with NH as 1.1.1.4
4. Node1 install prefixes in respective VRF table
1
23
4
• IPv6 SID can be A7::DX6 A7::DT6 or A7::DT46
1 77
Payload
VNI:1001
IPv4
Payload
SA = B4::DA = A7::DX4
IPv6
Payload
VNI:1001
IPv4
Payload
SA = B4::DA = A7::DX4
IPv6
11 7
2 53 6
4
SRv6 PoDVxLAN PoD
SRv6与VXLAN互操作(数据平面)
38
44
Stitching
1
2 3
4
SR回顾
SRv6理念&原理
SRv6案例分析
Agenda
某运营商网络改造目标
初期5G接入/汇聚基于SRv6, 未来支持端到端SRv6
近期目标: 5G承载接入/汇聚采用SRv6
AN APT
SRv6
ISISv6
MP-BGP
SR MPLS
ISISv6
APTSRv6-VPN IXCR CR
SR MPLS
ISISv6
CR
LDP
RSVP-TE
CR
OSPF
VPNv4
MP-BGP
IPv6 Global
VPNv4/PBB-EVPN
MP-BGP
APTN
SRv6 Domain
VLAN连接
VLAN
VLAN
VLAN
BB Core
Mobile Core
Enterprise Core
AN PTN
MPLS-TP
PTN
现有PTN
PE
PEPE
PE
SRv6
ISISv6
SRv6
ISISv6
IXCR CR
BB Core
SRv6
ISISv6
CR
Mobile Core
SRv6
ISISv6
CR
Enterprise Core
AN PTNPTN
SRv6-VPN(EVPN)
SRv6 Global
SRv6-VPN(EVPN)
MP-BGP
APTN
现有PTN
终极目标: 端到端SRv6
MP-BGP
AN
MP-BGP
MP-BGP
MP-BGP
SRv6 Domain for Mobile
APTAPT
SRv6SRv6
SRv6
SRv6连接
SRv6 Domain for BB
PEPE
PEPE
MPLS-TP
5G核心网采用SRv6
5G核心网采用GTP作为用户面的问题
用户已经获得IPv6地址的情况下继续使用GTP承载用户数据开销很大(532bits)且很难扩展(每session一隧道)
532bits
多UPF场景下使用GTP的问题(N9接口)
SRv6用于5G核心网
draft-ietf-dmm-srv6-mobile-uplane-02
多个UE共享同一条SR Policy
多个UE共享多条SR Policy(网络切片)
SRv6: 全新的思考、设计、运营网络的方式!
更多内容...
SR最新信息: http://www.segment-routing.net/
SR中文内容: https://www.cisco.com/c/zh_cn/solutions/service-provider/segment_routing.html
Segment Routing详解(第一卷)
架构 & 原理
中文版Q12019
Segment Routing详解(第二卷)
SRTE
中文版2H2019
Segment Routing详解(第三卷)
SRv6
Top Related