RFC8424: Extensions to RSVP-TE for Label Switched Path (LSP) Ingress Fast Reroute (FRR) Protection

Download in PDF format Download in text format

Related keywords:  (Head Protection)





Internet Engineering Task Force (IETF)                      H. Chen, Ed.
Request for Comments: 8424                           Huawei Technologies
Category: Experimental                                     R. Torvi, Ed.
ISSN: 2070-1721                                         Juniper Networks
                                                             August 2018


          Extensions to RSVP-TE for Label Switched Path (LSP)
                 Ingress Fast Reroute (FRR) Protection

Abstract

   This document describes extensions to Resource Reservation Protocol -
   Traffic Engineering (RSVP-TE) for locally protecting the ingress node
   of a Point-to-Point (P2P) or Point-to-Multipoint (P2MP) Traffic
   Engineered (TE) Label Switched Path (LSP).  It extends the Fast
   Reroute (FRR) protection for transit nodes of an LSP to the ingress
   node of the LSP.  The procedures described in this document are
   experimental.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for examination, experimental implementation, and
   evaluation.

   This document defines an Experimental Protocol for the Internet
   community.  This document is a product of the Internet Engineering
   Task Force (IETF).  It represents the consensus of the IETF
   community.  It has received public review and has been approved for
   publication by the Internet Engineering Steering Group (IESG).  Not
   all documents approved by the IESG are candidates for any level of
   Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8424.














Chen & Torvi                  Experimental                      [Page 1]

RFC 8424                 LSP Ingress Protection              August 2018


Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.








































Chen & Torvi                  Experimental                      [Page 2]

RFC 8424                 LSP Ingress Protection              August 2018


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
     1.1.  Ingress Local Protection Example  . . . . . . . . . . . .   5
     1.2.  Ingress Local Protection Overview . . . . . . . . . . . .   6
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   7
   3.  Ingress Failure Detection . . . . . . . . . . . . . . . . . .   7
     3.1.  Source Detects Failure  . . . . . . . . . . . . . . . . .   7
     3.2.  Backup and Source Detect Failure  . . . . . . . . . . . .   8
   4.  Backup Forwarding State . . . . . . . . . . . . . . . . . . .   9
     4.1.  Forwarding State for Backup LSP . . . . . . . . . . . . .   9
   5.  Protocol Extensions . . . . . . . . . . . . . . . . . . . . .   9
     5.1.  INGRESS_PROTECTION Object . . . . . . . . . . . . . . . .  10
       5.1.1.  Class Number and Class Type . . . . . . . . . . . . .  10
       5.1.2.  Object Format . . . . . . . . . . . . . . . . . . . .  11
       5.1.3.  Subobject: Backup Ingress IPv4 Address  . . . . . . .  12
       5.1.4.  Subobject: Backup Ingress IPv6 Address  . . . . . . .  13
       5.1.5.  Subobject: Ingress IPv4 Address . . . . . . . . . . .  13
       5.1.6.  Subobject: Ingress IPv6 Address . . . . . . . . . . .  13
       5.1.7.  Subobject: TRAFFIC_DESCRIPTOR . . . . . . . . . . . .  14
       5.1.8.  Subobject: Label-Routes . . . . . . . . . . . . . . .  15
   6.  Behavior of Ingress Protection  . . . . . . . . . . . . . . .  15
     6.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .  15
       6.1.1.  Relay-Message Method  . . . . . . . . . . . . . . . .  15
       6.1.2.  Proxy-Ingress Method  . . . . . . . . . . . . . . . .  16
     6.2.  Ingress Behavior  . . . . . . . . . . . . . . . . . . . .  17
       6.2.1.  Relay-Message Method  . . . . . . . . . . . . . . . .  17
       6.2.2.  Proxy-Ingress Method  . . . . . . . . . . . . . . . .  18
     6.3.  Backup Ingress Behavior . . . . . . . . . . . . . . . . .  19
       6.3.1.  Backup Ingress Behavior in the Off-Path Case  . . . .  20
       6.3.2.  Backup Ingress Behavior in the On-Path Case . . . . .  22
       6.3.3.  Failure Detection and Refresh PATH Messages . . . . .  23
     6.4.  Revertive Behavior  . . . . . . . . . . . . . . . . . . .  23
       6.4.1.  Revert to Primary Ingress . . . . . . . . . . . . . .  24
       6.4.2.  Global Repair by Backup Ingress . . . . . . . . . . .  24
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  24
   8.  Compatibility . . . . . . . . . . . . . . . . . . . . . . . .  24
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  25
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  25
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  25
     10.2.  Informative References . . . . . . . . . . . . . . . . .  26
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  26
   Contributors  . . . . . . . . . . . . . . . . . . . . . . . . . .  26
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  28







Chen & Torvi                  Experimental                      [Page 3]

RFC 8424                 LSP Ingress Protection              August 2018


1.  Introduction

   For an MPLS Traffic Engineered (TE) Label Switched Path (LSP),
   protecting the failures of its transit nodes using Fast Reroute (FRR)
   is covered in [RFC4090] for Point-to-Point (P2P) LSPs and [RFC4875]
   for Point-to-Multipoint (P2MP) LSPs.  However, protecting the failure
   of its ingress node using FRR is not covered in either [RFC4090] or
   [RFC4875].  The MPLS Transport Profile (MPLS-TP) Linear Protection
   described in [RFC6378] can provide a protection against the failure
   of any transit node of an LSP between the ingress node and the egress
   node of the LSP, but it cannot protect against the failure of the
   ingress node.

   To protect against the failure of the (primary) ingress node of a
   primary end-to-end P2MP (or P2P) TE LSP, a typical existing solution
   is to set up a secondary backup end-to-end P2MP (or P2P) TE LSP.  The
   backup LSP is from a backup ingress node to backup egress nodes (or
   node).  The backup ingress node is different from the primary ingress
   node.  The backup egress nodes (or node) are (or is) different from
   the primary egress nodes (or node) of the primary LSP.  For a P2MP TE
   LSP, on each of the primary (and backup) egress nodes, a P2P LSP is
   created from the egress node to its primary (backup) ingress node and
   configured with Bidirectional Forwarding Detection (BFD).  This is
   used to detect the failure of the primary (backup) ingress node for
   the receiver to switch to the backup (or primary) egress node to
   receive the traffic after the primary (or backup) ingress node fails
   when both the primary LSP and the secondary LSP carry the traffic.
   In addition, FRR may be used to provide protections against the
   failures of the transit nodes and the links of the primary and
   secondary end-to-end TE LSPs.

   There are a number of issues in this solution:

   o  It consumes lots of network resources.  Double states need to be
      maintained in the network since two end-to-end TE LSPs are
      created.  Double link bandwidth is reserved and used when both the
      primary and the secondary end-to-end TE LSPs carry the traffic at
      the same time.

   o  More operations are needed, which include the configuration of two
      end-to-end TE LSPs and BFDs from each of the egress nodes to its
      corresponding ingress node.

   o  The detection of the failure of the ingress node may not be
      reliable.  Any failure on the path of the BFD from an egress node
      to an ingress node may cause the BFD to indicate the failure of
      the ingress node.




Chen & Torvi                  Experimental                      [Page 4]

RFC 8424                 LSP Ingress Protection              August 2018


   o  The speed of protection against the failure of the ingress node
      may be slow.

   This specification defines a simple extension to RSVP-TE for local
   protection (FRR) of the ingress node of a P2MP or P2P LSP to resolve
   these issues.  Ingress local protection and ingress FRR protection
   will be used interchangeably.

   Note that this document is an Experimental RFC.  Two different
   approaches are proposed to transfer the information for ingress
   protection.  They both use the same new INGRESS_PROTECTION object,
   which is sent in both PATH and RESV messages between a primary
   ingress and a backup ingress.  One approach is the Relay-Message
   Method (refer to Sections 6.1.1 and 6.2.1), the other is the Proxy-
   Ingress Method (refer to Sections 6.1.2 and 6.2.2).  Each of them has
   advantages and disadvantages.  It is hard to decide which one is used
   as a standard approach now.  It is expected that the experiment on
   the ingress local protection with these two approaches will provide
   quantities to help choose one.  The quantities include the numbers on
   control traffic, states, codes, and operations.  After one approach
   is selected, the document will be revised to reflect that selection
   and any other items learned from the experiment.  The revised
   document is expected to be submitted for publication on the standards
   track.

1.1.  Ingress Local Protection Example

   Figure 1 shows an example of using a backup P2MP LSP to locally
   protect the ingress of a primary P2MP LSP, which is from ingress Ia
   to three egresses: L1, L2, and L3.  The backup LSP is from backup
   ingress Ib to the next hops of ingress Ia: R2 and R4.




















Chen & Torvi                  Experimental                      [Page 5]

RFC 8424                 LSP Ingress Protection              August 2018


                      *******  *******              S Source
                   [R2]-----[R3]-----[L1]          Ix Ingress
                  */ &                             Rx Transit
                 */  &                             Lx Egress
                */   &                            *** Primary LSP
               */    &                            &&& Backup LSP across
              */     &                                Logical Hop
             */      &
            */ ********    ********  *******
     [S]---[Ia]--------[R4]------[R5]-----[L2]
       \      |     &    &           *\
        \     |    &    &             *\
         \    |   &    &               *\
          \   |  &    &                 *\
           \  | &    &                   *\
            \ |&    &                     *\
             [Ib]&&&                       [L3]

                    Figure 1: Ingress Local Protection

   In normal operations, source S sends the traffic to primary ingress
   Ia.  Ia imports the traffic into the primary LSP.

   When source S detects the failure of Ia, it switches the traffic to
   backup ingress Ib, which imports the traffic from S into the backup
   LSP to Ia's next hops, R2 and R4, where the traffic is merged into
   the primary LSP and then sent to egresses L1, L2, and L3.

   Note that the backup ingress is one logical hop away from the
   ingress.  A logical hop is a direct link or a tunnel (such as a GRE
   tunnel) over which RSVP-TE messages may be exchanged.

1.2.  Ingress Local Protection Overview

   There are four parts in ingress local protection:

   o  setting up the necessary backup LSP forwarding state based on the
      information received for ingress local protection;

   o  detecting the primary ingress failure and providing the fast
      repair (as discussed in Sections 3 and 4);

   o  maintaining the RSVP-TE control-plane state until a global repair
      is done; and,

   o  performing the global repair (see Section 6.4.2).





Chen & Torvi                  Experimental                      [Page 6]

RFC 8424                 LSP Ingress Protection              August 2018


   The primary ingress of a primary LSP sends the backup ingress the
   information for ingress protection in a PATH message with a new
   INGRESS_PROTECTION object.  The backup ingress sets up the backup
   LSP(s) and forwarding state after receiving the necessary information
   for ingress protection.  Then, it sends the primary ingress the
   status of ingress protection in a RESV message with a new
   INGRESS_PROTECTION object.

   When the primary ingress fails, the backup ingress sends or refreshes
   the next hops of the primary ingress the PATH messages without any
   INGRESS_PROTECTION object after verifying the failure.  Thus, the
   RSVP-TE control-plane state of the primary LSP is maintained.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Ingress Failure Detection

   Exactly how to detect the failure of the ingress is out of scope.
   However, it is necessary to discuss different modes for detecting the
   failure because they determine what is the required behavior for the
   source and backup ingress.

3.1.  Source Detects Failure

   Source Detects Failure, or Source-Detect for short, means that the
   source is responsible for "fast detecting" the failure of the primary
   ingress of an LSP.  Fast detecting the failure means detecting the
   failure in a few or tens of milliseconds.  The backup ingress is
   ready to import the traffic from the source into the backup LSP(s)
   after the backup LSP(s) is up.

   In normal operations, the source sends the traffic to the primary
   ingress.  When the source detects the failure of the primary ingress,
   it switches the traffic to the backup ingress, which delivers the
   traffic to the next hops of the primary ingress through the backup
   LSP(s), where the traffic is merged into the primary LSP.

   For an LSP, after the primary ingress fails, the backup ingress MUST
   use a method to verify the failure of the primary ingress before the
   PATH message for the LSP expires at the next hop of the primary
   ingress.  After verifying the failure, the backup ingress sends/




Chen & Torvi                  Experimental                      [Page 7]

RFC 8424                 LSP Ingress Protection              August 2018


   refreshes the PATH message to the next hop through the backup LSP as
   needed.  The method may verify the failure of the primary ingress
   slowly, such as in seconds.

   After the primary ingress fails, it will not be reachable after
   routing convergence.  Thus, checking whether the primary ingress
   (address) is reachable is a possible method.

   When the previously failed primary ingress of a primary LSP becomes
   available again and the primary LSP has recovered from its primary
   ingress, the source may switch the traffic to the primary ingress
   from the backup ingress.  An operator may control the traffic switch
   through using a command on the source node after seeing that the
   primary LSP has recovered.

3.2.  Backup and Source Detect Failure

   Backup and Source Detect Failure, or Backup-Source-Detect for short,
   means that both the backup ingress and the source are concurrently
   responsible for fast detecting the failure of the primary ingress.

   Note that one of the differences between Source-Detect and Backup-
   Source-Detect is the following: in the former, the backup ingress
   verifies the failure of the primary ingress slowly, such as in
   seconds; in the latter, the backup ingress detects the failure fast,
   such as in a few or tens of milliseconds.

   In normal operations, the source sends the traffic to the primary
   ingress.  It switches the traffic to the backup ingress when it
   detects the failure of the primary ingress.

   The backup ingress does not import any traffic from the source into
   the backup LSP in normal operations.  When it detects the failure of
   the primary ingress, it imports the traffic from the source into the
   backup LSP to the next hops of the primary ingress, where the traffic
   is merged into the primary LSP.

   The Source-Detect is preferred.  It is simpler than the Backup-
   Source-Detect, which needs both the source and the backup ingress to
   detect the ingress failure quickly.











Chen & Torvi                  Experimental                      [Page 8]

RFC 8424                 LSP Ingress Protection              August 2018


4.  Backup Forwarding State

   Before the primary ingress fails, the backup ingress is responsible
   for creating the necessary backup LSPs.  These LSPs might be multiple
   bypass P2P LSPs that avoid the ingress.  Alternately, the backup
   ingress could choose to use a single backup P2MP LSP as a bypass or
   detour to protect the primary ingress of a primary P2MP LSP.

   The backup ingress may be "off path" or "on path" of an LSP.  If a
   backup ingress is not any node of the LSP, it is off path.  If a
   backup ingress is a next hop of the primary ingress of the LSP, it is
   on path.  When a backup ingress for protecting the primary ingress is
   configured, the backup ingress MUST not be on the LSP except for if
   it is the next hop of the primary ingress.  If it is on path, the
   primary forwarding state associated with the primary LSP SHOULD be
   clearly separated from the backup LSP(s) state.

4.1.  Forwarding State for Backup LSP

   A forwarding entry for a backup LSP is created on the backup ingress
   after the LSP is set up.  Depending on the failure-detection mode
   (e.g., Source-Detect), it may be used to forward received traffic or
   simply be inactive (e.g., Backup-Source-Detect) until required.  In
   either case, when the primary ingress fails, this entry is used to
   import the traffic into the backup LSP to the next hops of the
   primary ingress, where the traffic is merged into the primary LSP.

   The forwarding entry for a backup LSP is a local implementation
   issue.  In one device, it may have an inactive flag.  This inactive
   forwarding entry is not used to forward any traffic normally.  When
   the primary ingress fails, it is changed to active; thus, the traffic
   from the source is imported into the backup LSP.

5.  Protocol Extensions

   A new object, INGRESS_PROTECTION, is defined for signaling ingress
   local protection.  The primary ingress of a primary LSP sends the
   backup ingress this object in a PATH message.  In this case, the
   object contains the information needed to set up ingress protection.
   The information includes:

   o  the Backup Ingress IP Address, which indicates the backup ingress;

   o  the TRAFFIC_DESCRIPTOR, which describes the traffic that the
      primary LSP transports (this traffic is imported into the backup
      LSP(s) on the backup ingress when the primary ingress fails);





Chen & Torvi                  Experimental                      [Page 9]

RFC 8424                 LSP Ingress Protection              August 2018


   o  the Labels and Routes, which indicate the first hops of the
      primary LSP, each of which is paired with its label; and,

   o  the Desire options on ingress protection, such as a P2MP option,
      which indicates a desire to use a backup P2MP LSP to protect the
      primary ingress of a primary P2MP LSP.

   The backup ingress sends the primary ingress this object in a RESV
   message.  In this case, the object contains the information about the
   status on the ingress protection.

5.1.  INGRESS_PROTECTION Object

5.1.1.  Class Number and Class Type

   The Class Number for the INGRESS_PROTECTION object MUST be of the
   form 0bbbbbbb to enable implementations that do not recognize the
   object to reject the entire message and return an "Unknown Object
   Class" error [RFC2205].  It is suggested that a Class Number value
   from the Private Use range (124-127) [RFC3936] specified for the
   0bbbbbbb octet be chosen for this experiment.  It is also suggested
   that a Class Type value of 1 be used for this object in this
   experiment.

   The INGRESS_PROTECTION object with the FAST_REROUTE object in a PATH
   message is used to control the backup for protecting the primary
   ingress of a primary LSP.  The primary ingress MUST insert this
   object into the PATH message to be sent to the backup ingress for
   protecting the primary ingress.






















Chen & Torvi                  Experimental                     [Page 10]

RFC 8424                 LSP Ingress Protection              August 2018


5.1.2.  Object Format

   The INGRESS_PROTECTION object has the following format:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Length (bytes)        |    Class-Num  |    C-Type     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Reserved (zero)  |   NUB   |      Flags    |    Options    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     ~                         (Subobjects)                          ~
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        Flags
         0x01    Ingress local protection available
         0x02    Ingress local protection in use
         0x04    Bandwidth protection

        Options
         0x01    Revert to Ingress
         0x02    P2MP Backup

   For protecting the ingress of a P2MP LSP, if the backup ingress
   doesn't have a backup LSP to each of the next hops of the primary
   ingress, it SHOULD clear "Ingress local protection available" and set
   the Number of Unprotected Branches (NUB) to the number of the next
   hops to which there is no backup LSP.

   The flags are used to communicate status information from the backup
   ingress to the primary ingress.

   o Ingress local protection available:  The backup ingress MUST set
     this flag after backup LSPs are up and ready for locally protecting
     the primary ingress.  The backup ingress sends this to the primary
     ingress to indicate that the primary ingress is locally protected.

   o Ingress local protection in use:  The backup ingress MUST set this
     flag when it detects a failure in the primary ingress and actively
     redirects the traffic into the backup LSPs.  The backup ingress
     records this flag and does not send any RESV messages with this
     flag to the primary ingress since the primary ingress is down.

   o Bandwidth protection:  The backup ingress MUST set this flag if the
     backup LSPs guarantee to provide the desired bandwidth for the
     protected LSP against the primary ingress failure.





Chen & Torvi                  Experimental                     [Page 11]

RFC 8424                 LSP Ingress Protection              August 2018


   The options are used by the primary ingress to specify the desired
   behavior to the backup ingress.

   o Revert to Ingress:  The primary ingress sets this option, which
     indicates that the traffic for the primary LSP, if successfully
     resignaled, will be switched back to the primary ingress from the
     backup ingress when the primary ingress is restored.

   o P2MP Backup:  This option is set to ask for the backup ingress to
     use backup P2MP LSP to protect the primary ingress.

   The INGRESS_PROTECTION object may contain some subobjects of
   following format:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |            Length             |Reserved (zero)|
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Contents / Body of Subobject               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   where Type is the type of a subobject and Length is the total size of
   the subobject in bytes, including Type, Length, and Contents fields.

5.1.3.  Subobject: Backup Ingress IPv4 Address

   When the primary ingress of a protected LSP sends a PATH message with
   an INGRESS_PROTECTION object to the backup ingress, the object MUST
   have a Backup Ingress IPv4 Address subobject containing an IPv4
   address belonging to the backup ingress if IPv4 is used.  The Type of
   the subobject is 1, and the body of the subobject is given below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              Backup Ingress IPv4 Address (4 bytes)            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Backup Ingress IPv4 Address: An IPv4 host address of backup ingress











Chen & Torvi                  Experimental                     [Page 12]

RFC 8424                 LSP Ingress Protection              August 2018


5.1.4.  Subobject: Backup Ingress IPv6 Address

   When the primary ingress of a protected LSP sends a PATH message with
   an INGRESS_PROTECTION object to the backup ingress, the object MUST
   have a Backup Ingress IPv6 Address subobject containing an IPv6
   address belonging to the backup ingress if IPv6 is used.  The Type of
   the subobject is 2, the body of the subobject is given below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Backup Ingress IPv6 Address (16 bytes)            |
   ~                                                               ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Backup Ingress IPv6 Address: An IPv6 host address of backup ingress

5.1.5.  Subobject: Ingress IPv4 Address

   The INGRESS_PROTECTION object may have an Ingress IPv4 Address
   subobject containing an IPv4 address belonging to the primary ingress
   if IPv4 is used.  The Type of the subobject is 3.  The subobject has
   the following body:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               Ingress IPv4 Address (4 bytes)                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Ingress IPv4 Address: An IPv4 host address of ingress

5.1.6.  Subobject: Ingress IPv6 Address

   The INGRESS_PROTECTION object may have an Ingress IPv6 Address
   subobject containing an IPv6 address belonging to the primary ingress
   if IPv6 is used.  The Type of the subobject is 4.  The subobject has
   the following body:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               Ingress IPv6 Address (16 bytes)                 |
   ~                                                               ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Ingress IPv6 Address: An IPv6 host address of ingress




Chen & Torvi                  Experimental                     [Page 13]

RFC 8424                 LSP Ingress Protection              August 2018


5.1.7.  Subobject: TRAFFIC_DESCRIPTOR

   The INGRESS_PROTECTION object may have a TRAFFIC_DESCRIPTOR subobject
   describing the traffic to be mapped to the backup LSP on the backup
   ingress for locally protecting the primary ingress.  The subobject
   types for Interface, IPv4 Prefix, IPv6 Prefix, and Application
   Identifier are 5, 6, 7, and 8, respectively.  The subobject has the
   following body:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Traffic Element 1                      |
   ~                                                               ~
   |                        Traffic Element n                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The TRAFFIC_DESCRIPTOR subobject may contain multiple Traffic
   Elements of the same type as follows:

   o Interface Traffic:  Each of the Traffic Elements is a 32-bit index
     of an interface from which the traffic is imported into the backup
     LSP.

   o IPv4 Prefix Traffic:  Each of the Traffic Elements is an IPv4
     prefix that contains an 8-bit prefix length followed by an IPv4
     address prefix (whose length, in bits, is specified by the prefix
     length) that is padded to a byte boundary.

   o IPv6 Prefix Traffic  Each of the Traffic Elements is an IPv6
     prefix, containing an 8-bit prefix length followed by an IPv6
     address prefix (whose length, in bits, is specified by the prefix
     length) that is padded to a byte boundary.

   o Application Traffic:  Each of the Traffic Elements is a 32-bit
     identifier of an application from which the traffic is imported
     into the backup LSP.














Chen & Torvi                  Experimental                     [Page 14]

RFC 8424                 LSP Ingress Protection              August 2018


5.1.8.  Subobject: Label-Routes

   The INGRESS_PROTECTION object in a PATH message from the primary
   ingress to the backup ingress may have a Label-Routes subobject
   containing the labels and routes that the next hops of the ingress
   use.  The Type of the subobject is 9.  The subobject has the
   following body:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                           Subobjects                          ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The Subobjects in Label-Routes are copied from those in the
   RECORD_ROUTE objects in the RESV messages that the primary ingress
   receives from its next hops for the primary LSP.  They MUST contain
   the first hops of the LSP, each of which is paired with its label.

6.  Behavior of Ingress Protection

6.1.  Overview

   There are two different proposed signaling approaches to transfer the
   information for ingress protection.  They both use the same new
   INGRESS_PROTECTION object.  The object is sent in both PATH and RESV
   messages.

6.1.1.  Relay-Message Method

   The primary ingress relays the information for ingress protection of
   an LSP to the backup ingress via PATH messages.  Once the LSP is
   created, the ingress of the LSP sends the backup ingress a PATH
   message with an INGRESS_PROTECTION object with a Label-Routes
   subobject, which is populated with the next hops and labels.  This
   provides sufficient information for the backup ingress to create the
   appropriate forwarding state and backup LSP(s).

   The ingress also sends the backup ingress all the other PATH messages
   for the LSP with an empty INGRESS_PROTECTION object.  An
   INGRESS_PROTECTION object without any TRAFFIC_DESCRIPTOR subobject is
   called an empty INGRESS_PROTECTION object.  Thus, the backup ingress
   has access to all the PATH messages needed for modification to
   refresh the control-plane state after a failure.

   The empty INGRESS_PROTECTION object is for efficient processing of
   ingress protection for a P2MP LSP.  A P2MP LSP's primary ingress may
   have more than one PATH message, each of which is sent to a next hop



Chen & Torvi                  Experimental                     [Page 15]

RFC 8424                 LSP Ingress Protection              August 2018


   along a branch of the P2MP LSP.  The PATH message along a branch will
   be selected and sent to the backup ingress with an INGRESS_PROTECTION
   object containing the TRAFFIC_DESCRIPTOR subobject; all the PATH
   messages along the other branches will be sent to the backup ingress
   containing an INGRESS_PROTECTION object without any
   TRAFFIC_DESCRIPTOR subobject (empty INGRESS_PROTECTION object).  For
   a P2MP LSP, the backup ingress only needs one TRAFFIC_DESCRIPTOR.

6.1.2.  Proxy-Ingress Method

   Conceptually, a proxy ingress is created that starts the RSVP
   signaling.  The explicit path of the LSP goes from the proxy ingress
   to the backup ingress and then to the real ingress.  The behavior and
   signaling for the proxy ingress is done by the real ingress; the use
   of a proxy-ingress address avoids problems with loop detection.  Note
   that the proxy ingress MUST reside within the same router as the real
   ingress.

                              [ Traffic Source ]       *** Primary LSP
                               $             $         --- Backup LSP
                               $             $          $$  Link
                               $             $
                       [ Proxy Ingress ]  [ Backup ]
                       [ & Ingress     ]     |
                              *              |
                              *****[ MP ]----|

      Figure 2: Example of a Protected LSP with a Proxy-Ingress Node

   The backup ingress MUST know the merge points or next hops and their
   associated labels.  This is accomplished by having the RSVP PATH and
   RESV messages go through the backup ingress, although the forwarding
   path need not go through the backup ingress.  If the backup ingress
   fails, the ingress simply removes the INGRESS_PROTECTION object and
   forwards the PATH messages to the LSP's next hop(s).  If the ingress
   has its LSP configured for ingress protection, then the ingress can
   add the backup ingress and itself to the Explicit Route Object (ERO)
   and start forwarding the PATH messages to the backup ingress.

   Slightly different behavior can apply for the on-path and off-path
   cases.  In the on-path case, the backup ingress is a next-hop node
   after the ingress for the LSP.  In the off-path case, the backup
   ingress is not any next-hop node after the ingress for all associated
   sub-LSPs.

   The key advantage of this approach is that it minimizes the special
   handling code required.  Because the backup ingress is on the
   signaling path, it can receive various notifications.  It easily has



Chen & Torvi                  Experimental                     [Page 16]

RFC 8424                 LSP Ingress Protection              August 2018


   access to all the PATH messages needed for a modification to be sent
   to refresh the control-plane state after a failure.

6.2.  Ingress Behavior

   The primary ingress MUST be configured with a couple of pieces of
   information for ingress protection.

   o Backup Ingress Address:  The primary ingress MUST know the IP
     address of the backup ingress it wants to be used before it can use
     the INGRESS_PROTECTION object.

   o Proxy-Ingress-Id (only needed for Proxy-Ingress Method):  The
     Proxy-Ingress-Id is only used in the RECORD_ROUTE object for
     recording the proxy ingress.  If no Proxy-Ingress-Id is specified,
     then a local interface address that will not otherwise be included
     in the RECORD_ROUTE object can be used.  A similar technique is
     used in Section 6.1.1. of [RFC4090].

   o Application Traffic Identifier:  The primary ingress and backup
     ingress MUST both know what application traffic should be directed
     into the LSP.  If a list of prefixes in the TRAFFIC_DESCRIPTOR
     subobject will not suffice, then a commonly understood Application
     Traffic Identifier can be sent between the primary ingress and
     backup ingress.  The exact meaning of the identifier should be
     configured similarly at both the primary ingress and backup
     ingress.  The Application Traffic Identifier is understood within
     the unique context of the primary ingress and backup ingress.

   o A Connection between Backup Ingress and Primary Ingress:  If there
     is not any direct link between the primary ingress and the backup
     ingress, a tunnel MUST be configured between them.

   With this additional information, the primary ingress can create and
   signal the necessary RSVP extensions to support ingress protection.

6.2.1.  Relay-Message Method

   To protect the primary ingress of an LSP, the primary ingress MUST do
   the following after the LSP is up.

   1.  Select a PATH message P0 for the LSP.

   2.  If the backup ingress is off path (the backup ingress is not the
       next hop of the primary ingress for P0), then send it a PATH
       message P0' with the content from P0 and an INGRESS_PROTECTION
       object; else (the backup ingress is a next hop, i.e., on-path
       case) add an INGRESS_PROTECTION object into the existing PATH



Chen & Torvi                  Experimental                     [Page 17]

RFC 8424                 LSP Ingress Protection              August 2018


       message to the backup ingress (i.e., the next hop).  The object
       contains the TRAFFIC_DESCRIPTOR subobject, the Backup Ingress
       Address subobject and the Label-Routes subobject.  The options
       field is set to indicate whether a backup P2MP LSP is desired.
       The Label-Routes subobject contains the next hops of the primary
       ingress and their labels.  Note that for the on-path case, there
       is an existing PATH message to the backup ingress (i.e., the next
       hop), and we just add an INGRESS_PROTECTION object into the
       existing PATH message to be sent to the backup ingress.  We do
       not send a separate PATH message to the backup ingress for this
       existing PATH message.

   3.  For each Pi of the other PATH messages for the LSP, send the
       backup ingress a PATH message Pi' with the content copied from Pi
       and an empty INGRESS_PROTECTION object.

   For every PATH message Pj' (i.e., P0'/Pi') to be sent to the backup
   ingress, it has the same SESSION as Pj (i.e., P0/Pi).  If the backup
   ingress is off path, the primary ingress updates Pj' according to the
   backup ingress as its next hop before sending it.  It adds the backup
   ingress to the beginning of the ERO and sets RSVP_HOP based on the
   interface to the backup ingress.  The primary ingress MUST NOT set up
   any forwarding state to the backup ingress if the backup ingress is
   off path.

6.2.2.  Proxy-Ingress Method

   The primary ingress is responsible for starting the RSVP signaling
   for the proxy-ingress node.  To do this, the following MUST be done
   for the RSVP PATH message.

   1.  Compute the EROs for the LSP as normal for the ingress.

   2.  If the selected backup ingress node is not the first node on the
       path (for all sub-LSPs), then insert it at the beginning of the
       ERO first, then the backup ingress node, and then the ingress
       node.

   3.  In the PATH RECORD_ROUTE Object (RRO), instead of recording the
       ingress node's address, replace it with the Proxy-Ingress-Id.

   4.  Leave the hop (HOP) object populated as usual with information
       for the ingress node.

   5.  Add the INGRESS_PROTECTION object to the PATH message.  Include
       the Backup Ingress Address (IPv4 or IPv6) subobject and the
       TRAFFIC_DESCRIPTOR subobject.  Set or clear the options
       indicating that a backup P2MP LSP is desired.



Chen & Torvi                  Experimental                     [Page 18]

RFC 8424                 LSP Ingress Protection              August 2018


   6.  Optionally, add the FAST-REROUTE object [RFC4090] to the Path
       message.  Indicate whether one-to-one backup is desired.
       Indicate whether facility backup is desired.

   7.  The RSVP PATH message is sent to the backup node as normal.

   If the ingress detects that it can't communicate with the backup
   ingress, then the ingress SHOULD instead send the PATH message to the
   next hop indicated in the ERO computed in step 1.  Once the ingress
   detects that it can communicate with the backup ingress, the ingress
   SHOULD follow steps 1-7 to obtain ingress failure protection.

   When the ingress node receives an RSVP PATH message with an
   INGRESS_PROTECTION object and the object specifies that node as the
   ingress node and the Previous Hop (PHOP) as the backup ingress node,
   the ingress node SHOULD remove the INGRESS_PROTECTION object from the
   PATH message before sending it out.  Additionally, the ingress node
   MUST store that it will install ingress forwarding state for the LSP
   rather than midpoint forwarding.

   When an RSVP RESV message is received by the ingress, it uses the
   Next Hop (NHOP) to determine whether the message is received from the
   backup ingress or from a different node.  The stored associated PATH
   message contains an INGRESS_PROTECTION object that identifies the
   backup ingress node.  If the RESV message is not from the backup
   node, then the ingress forwarding state SHOULD be set up, and the
   INGRESS_PROTECTION object MUST be added to the RESV before it is sent
   to the NHOP, which SHOULD be the backup node.  If the RESV message is
   from the backup node, then the LSP SHOULD be considered available for
   use.

   If the backup ingress node is on the forwarding path, then a RESV is
   received with an INGRESS_PROTECTION object and an NHOP that matches
   the backup ingress.  In this case, the ingress node's address will
   not appear after the backup ingress in the RRO.  The ingress node
   SHOULD set up the ingress forwarding state, just as is done if the
   ingress node of the LSP weren't protected.

6.3.  Backup Ingress Behavior

   A Label Edge Router (LER) determines that the ingress local
   protection is requested for an LSP if the INGRESS_PROTECTION object
   is included in the PATH message it receives for the LSP.  The LER can
   further determine that it is the backup ingress if one of its
   addresses is in the Backup Ingress Address subobject of the
   INGRESS_PROTECTION object.  The LER as the backup ingress will assume
   full responsibility of the ingress after the primary ingress fails.
   In addition, the LER determines that it is off path if it is not any



Chen & Torvi                  Experimental                     [Page 19]

RFC 8424                 LSP Ingress Protection              August 2018


   node of the LSP.  The LER determines whether it uses the Relay-
   Message Method or the Proxy-Ingress Method according to
   configurations.

6.3.1.  Backup Ingress Behavior in the Off-Path Case

   The backup ingress considers itself a Point of Local Repair (PLR) and
   the primary ingress its next hop, and it provides a local protection
   for the primary ingress.  It behaves very similarly to a PLR
   providing fast reroute where the primary ingress is considered to be
   the failure point to protect.  Where not otherwise specified, the
   behavior given in [RFC4090] for a PLR applies.

   The backup ingress MUST follow the control options specified in the
   INGRESS_PROTECTION object and the flags and specifications in the
   FAST-REROUTE object.  This applies to providing a P2MP backup if the
   "P2MP backup" is set, a one-to-one backup if "one-to-one desired" is
   set, a facility backup if the "facility backup desired" is set, and
   backup paths that support both the desired bandwidth and
   administrative groups that are requested.

   If multiple non-empty INGRESS_PROTECTION objects have been received
   via multiple PATH messages for the same LSP, then the most recent one
   MUST be the one used.

   The backup ingress creates the appropriate forwarding state for the
   backup LSP tunnel(s) to the merge point(s).

   When the backup ingress sends a RESV message to the primary ingress,
   it MUST add an INGRESS_PROTECTION object into the message.  It MUST
   set or clear the flags in the object to report "Ingress local
   protection available", "Ingress local protection in use", and
   "bandwidth protection".

   If the backup ingress doesn't have a backup LSP tunnel to each of the
   merge points, it SHOULD clear "Ingress local protection available"
   and set NUB to the number of the merge points to which there is no
   backup LSP.

   When the primary ingress fails, the backup ingress redirects the
   traffic from a source into the backup P2P LSPs or the backup P2MP LSP
   transmitting the traffic to the next hops of the primary ingress,
   where the traffic is merged into the protected LSP.

   In this case, the backup ingress MUST keep the PATH message with the
   INGRESS_PROTECTION object received from the primary ingress and the
   RESV message with the INGRESS_PROTECTION object to be sent to the
   primary ingress.  The backup ingress MUST set the "local protection



Chen & Torvi                  Experimental                     [Page 20]

RFC 8424                 LSP Ingress Protection              August 2018


   in use" flag in the RESV message, which indicates that the backup
   ingress is actively redirecting the traffic into the backup P2P LSPs
   or the backup P2MP LSP for locally protecting the primary ingress
   failure.

   Note that the RESV message with this piece of information will not be
   sent to the primary ingress because the primary ingress has failed.

   If the backup ingress has not received any PATH messages from the
   primary ingress for an extended period of time (e.g., a cleanup
   timeout interval) and a confirmed primary ingress failure did not
   occur, then the standard RSVP soft-state removal SHOULD occur.  The
   backup ingress SHALL remove the state for the PATH message from the
   primary ingress and either tear down the one-to-one backup LSPs for
   protecting the primary ingress if one-to-one backup is used or unbind
   the facility backup LSPs if facility backup is used.

   When the backup ingress receives a PATH message from the primary
   ingress for locally protecting the primary ingress of a protected
   LSP, it MUST check to see if any critical information has been
   changed.  If the next hops of the primary ingress are changed, the
   backup ingress SHALL update its backup LSP(s) accordingly.

6.3.1.1.  Relay-Message Method

   When the backup ingress receives a PATH message with a non-empty
   INGRESS_PROTECTION object, it examines the object to learn what
   traffic associated with the LSP.  It determines the next hops to be
   merged to by examining the Label-Routes subobject in the object.

   The backup ingress MUST store the PATH message received from the
   primary ingress but NOT forward it.

   The backup ingress responds with a RESV message to the PATH message
   received from the primary ingress.  If the backup ingress is off
   path, the LABEL object in the RESV message contains IMPLICIT-NULL.
   If the INGRESS_PROTECTION object is not "empty", the backup ingress
   SHALL send the RESV message with the state indicating protection is
   available after the backup LSP(s) are successfully established.

6.3.1.2.  Proxy-Ingress Method

   When receiving a RESV message for an LSP from a router that is not
   primary ingress, the backup ingress collects the pair of (IPv4/IPv6
   subobject, Label subobject) in the second place to the top pair in
   the RECORD_ROUTE object of the message.  It determines the next hops
   to be merged according to the set of the pairs collected.  If a
   Label-Routes subobject is included in the INGRESS_PROTECTION object,



Chen & Torvi                  Experimental                     [Page 21]

RFC 8424                 LSP Ingress Protection              August 2018


   the included IPv4/IPv6 subobjects are used to filter the set down to
   the specific next hops where protection is desired.  An RESV message
   MUST have been received before the backup ingress can create or
   select the appropriate backup LSP.

   When the backup ingress receives a PATH message with the
   INGRESS_PROTECTION object, the backup ingress examines the object to
   learn what traffic associated with the LSP.  The backup ingress
   forwards the PATH message to the ingress node with the normal RSVP
   changes.

   When the backup ingress receives a RESV message with the
   INGRESS_PROTECTION object, the backup ingress records an IMPLICIT-
   NULL label in the RRO.  Then, the backup ingress forwards the RESV
   message to the ingress node, which is acting for the proxy ingress.

6.3.2.  Backup Ingress Behavior in the On-Path Case

   An LER as the backup ingress determines that it is on path if one of
   its addresses is a next hop of the primary ingress; for the Proxy-
   Ingress Method, the primary ingress is determined as not its next hop
   by checking the PATH message with the INGRESS_PROTECTION object
   received from the primary ingress.  The LER on path MUST send the
   corresponding PATH messages without any INGRESS_PROTECTION object to
   its next hops.  It creates a number of backup P2P LSPs or a backup
   P2MP LSP from itself to the other next hops (i.e., the next hops
   other than the backup ingress) of the primary ingress.  The other
   next hops are from the Label-Routes subobject.

   It also creates a forwarding entry, which sends/multicasts the
   traffic from the source to the next hops of the backup ingress along
   the protected LSP when the primary ingress fails.  The traffic is
   described by the TRAFFIC_DESCRIPTOR.

   After setting up all the backup P2P LSPs or the backup P2MP LSP, the
   backup ingress creates forwarding entry(s) for importing the traffic
   into the backup LSP(s) from the source when the primary ingress
   fails.  Then, it MUST send the primary ingress a RESV message with an
   INGRESS_PROTECTION object.  The object contains the state of the
   local protection, such as having the "local protection available"
   flag set to one, which indicates that the primary ingress is locally
   protected.

   When the primary ingress fails, the backup ingress sends/multicasts
   the traffic from the source to its next hops along the protected LSP
   and imports the traffic into each of the backup P2P LSPs or to the





Chen & Torvi                  Experimental                     [Page 22]

RFC 8424                 LSP Ingress Protection              August 2018


   backup P2MP LSP transmitting the traffic to the other next hops of
   the primary ingress, where the traffic is merged into a protected
   LSP.

   During the local repair, the backup ingress MUST continue to send the
   PATH messages to its next hops as before and keep the PATH message
   with the INGRESS_PROTECTION object received from the primary ingress
   and the RESV message with the INGRESS_PROTECTION object to be sent to
   the primary ingress.  It MUST set the "local protection in use" flag
   in the RESV message.

6.3.3.  Failure Detection and Refresh PATH Messages

   As described in [RFC4090], it is necessary to refresh the PATH
   messages via the backup LSP(s).  The backup ingress MUST wait to
   refresh the PATH messages until it can accurately detect that the
   ingress node has failed.  An example of such an accurate detection
   would be that the IGP has no bidirectional links to the ingress node,
   or a BFD session to the primary ingress' loopback address has failed
   and stayed failed after the network has reconverged.

   As described in Section 6.4.3 of [RFC4090], the backup ingress,
   acting as PLR, MUST modify and send any saved PATH messages
   associated with the primary LSP to the corresponding next hops
   through backup LSP(s).  Any PATH message sent will not contain any
   INGRESS_PROTECTION objects.  The RSVP_HOP object in the message
   contains an IP source address belonging to the backup ingress.  The
   SENDER_TEMPLATE object has the Backup Ingress Address as its tunnel
   sender address.

6.4.  Revertive Behavior

   Upon a failure event in the (primary) ingress of a protected LSP, the
   protected LSP is locally repaired by the backup ingress.  There are a
   couple of basic strategies for restoring the LSP to a full working
   path.

   o Revert to Primary Ingress:  When the primary ingress is restored,
     it resignals each of the LSPs that start from the primary ingress.
     The traffic for every LSP successfully resignaled is switched back
     to the primary ingress from the backup ingress.

   o Global Repair by Backup Ingress:  After determining that the
     primary ingress of an LSP has failed, the backup ingress computes a
     new optimal path, signals a new LSP along the new path, and
     switches the traffic to the new LSP.





Chen & Torvi                  Experimental                     [Page 23]

RFC 8424                 LSP Ingress Protection              August 2018


6.4.1.  Revert to Primary Ingress

   If "Revert to Primary Ingress" is desired for a protected LSP, the
   (primary) ingress of the LSP SHOULD resignal the LSP that starts from
   the primary ingress after the primary ingress restores.  After the
   LSP is resignaled successfully, the traffic SHOULD be switched back
   to the primary ingress from the backup ingress on the source node and
   redirected into the LSP starting from the primary ingress.

   The primary ingress can specify the "Revert to Ingress" control
   option in the INGRESS_PROTECTION object in the PATH messages to the
   backup ingress.  After receiving the "Revert to Ingress" control
   option, the backup ingress MUST stop sending/refreshing PATH messages
   for the protected LSP.

6.4.2.  Global Repair by Backup Ingress

   When the backup ingress has determined that the primary ingress of
   the protected LSP has failed (e.g., via the IGP), it can compute a
   new path and signal a new LSP along the new path so that it no longer
   relies upon local repair.  To do this, the backup ingress MUST use
   the same tunnel sender address in the SENDER_TEMPLATE object and
   allocate an LSP ID different from the one of the old LSP as the LSP
   ID of the new LSP.  This allows the new LSP to share resources with
   the old LSP.  Alternately, the backup ingress can create a new LSP
   with no bandwidth reservation that duplicates the path(s) of the
   protected LSP, move traffic to the new LSP, delete the protected LSP,
   and then resignal the new LSP with bandwidth.

7.  Security Considerations

   In principle, this document does not introduce new security issues.
   The security considerations pertaining to [RFC4090], [RFC4875],
   [RFC2205], and [RFC3209] remain relevant.

8.  Compatibility

   This extension reuses and extends semantics and procedures defined in
   [RFC2205], [RFC3209], [RFC4090], and [RFC4875] to support ingress
   protection.  The new object defined to indicate ingress protection
   has a Class Number of the form 0bbbbbbb.  Per [RFC2205], a node not
   supporting this extension will not recognize the new Class Number and
   should respond with an "Unknown Object Class" error.  The error
   message will propagate to the ingress, which can then take action to
   avoid the incompatible node as a backup ingress or may simply
   terminate the session.





Chen & Torvi                  Experimental                     [Page 24]

RFC 8424                 LSP Ingress Protection              August 2018


9.  IANA Considerations

   This document has no IANA actions.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2205]  Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S.
              Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
              Functional Specification", RFC 2205, DOI 10.17487/RFC2205,
              September 1997, <https://www.rfc-editor.org/info/rfc2205>.

   [RFC3209]  Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V.,
              and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP
              Tunnels", RFC 3209, DOI 10.17487/RFC3209, December 2001,
              <https://www.rfc-editor.org/info/rfc3209>.

   [RFC3936]  Kompella, K. and J. Lang, "Procedures for Modifying the
              Resource reSerVation Protocol (RSVP)", BCP 96, RFC 3936,
              DOI 10.17487/RFC3936, October 2004,
              <https://www.rfc-editor.org/info/rfc3936>.

   [RFC4090]  Pan, P., Ed., Swallow, G., Ed., and A. Atlas, Ed., "Fast
              Reroute Extensions to RSVP-TE for LSP Tunnels", RFC 4090,
              DOI 10.17487/RFC4090, May 2005,
              <https://www.rfc-editor.org/info/rfc4090>.

   [RFC4875]  Aggarwal, R., Ed., Papadimitriou, D., Ed., and S.
              Yasukawa, Ed., "Extensions to Resource Reservation
              Protocol - Traffic Engineering (RSVP-TE) for Point-to-
              Multipoint TE Label Switched Paths (LSPs)", RFC 4875,
              DOI 10.17487/RFC4875, May 2007,
              <https://www.rfc-editor.org/info/rfc4875>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.








Chen & Torvi                  Experimental                     [Page 25]

RFC 8424                 LSP Ingress Protection              August 2018


10.2.  Informative References

   [RFC6378]  Weingarten, Y., Ed., Bryant, S., Osborne, E., Sprecher,
              N., and A. Fulignoli, Ed., "MPLS Transport Profile (MPLS-
              TP) Linear Protection", RFC 6378, DOI 10.17487/RFC6378,
              October 2011, <https://www.rfc-editor.org/info/rfc6378>.

Acknowledgements

   The authors would like to thank Nobo Akiya, Rahul Aggarwal, Eric
   Osborne, Ross Callon, Loa Andersson, Daniel King, Michael Yue, Alia
   Atlas, Olufemi Komolafe, Rob Rennison, Neil Harrison, Kannan Sampath,
   Gregory Mirsky, and Ronhazli Adam for their valuable comments and
   suggestions on this document.

Contributors

   The following people contributed significantly to the content of this
   document and should be considered coauthors:

            Autumn Liu
            Ciena
            United States of America
            Email: hliu@ciena.com

            Zhenbin Li
            Huawei Technologies
            Email: zhenbin.li@huawei.com

            Yimin Shen
            Juniper Networks
            10 Technology Park Drive
            Westford, MA  01886
            United States of America
            Email: yshen@juniper.net

            Tarek Saad
            Cisco Systems
            Email: tsaad@cisco.com

            Fengman Xu
            Verizon
            2400 N. Glenville Dr
            Richardson, TX  75082
            United States of America
            Email: fengman.xu@verizon.com





Chen & Torvi                  Experimental                     [Page 26]

RFC 8424                 LSP Ingress Protection              August 2018


   The following people also contributed to the content of this
   document:

           Ning So
           Tata Communications
           2613 Fairbourne Cir.
           Plano, TX  75082
           United States of America
           Email: ningso01@gmail.com

           Mehmet Toy
           Verizon
           United States of America
           Email: mehmet.toy@verizon.com

           Lei Liu
           United States of America
           Email: liulei.kddi@gmail.com

           Renwei Li
           Huawei Technologies
           2330 Central Expressway
           Santa Clara, CA  95050
           United States of America
           Email: renwei.li@huawei.com

           Quintin Zhao
           Huawei Technologies
           Boston, MA
           United States of America
           Email: quintin.zhao@huawei.com

           Boris Zhang
           Telus Communications
           200 Consilium Pl Floor 15
           Toronto, ON  M1H 3J3
           Canada
           Email: Boris.Zhang@telus.com

           Markus Jork
           Juniper Networks
           10 Technology Park Drive
           Westford, MA  01886
           United States of America
           Email: mjork@juniper.net






Chen & Torvi                  Experimental                     [Page 27]

RFC 8424                 LSP Ingress Protection              August 2018


Authors' Addresses

   Huaimo Chen (editor)
   Huawei Technologies
   Boston, MA
   United States of America

   Email: huaimo.chen@huawei.com


   Raveendra Torvi (editor)
   Juniper Networks
   10 Technology Park Drive
   Westford, MA  01886
   United States of America

   Email: rtorvi@juniper.net


































Chen & Torvi                  Experimental                     [Page 28]