Clarifying SRv6 SID List Processing

Introduction The Segment Routing (SR) architecture is specified in . SR forwards packets along a series of segments, and may perform additional segment-specific processing on packets. Segments are indicated by Segment Identifiers (SIDs). The mechanisms to achieve Segment Routing for IPv6 (SRv6) include the use of the Segment Routing Header (SRH) an IPv6 extension header that includes a SID list indicating the sequence of segments and any additional processing to be performed. This document updates by clarifying the processing of SID list entries. It does not change any elements of the SRv6 architecture.

Clarification The SRH is processed per Section 4 of . One objective is to determine the value to place in the Destination Address field of the IPv6 packet. To this end, the next entry in the SID list in the SRH is processed and mapped to the value to place in the Destination Address field. The value placed in the 128-bit Destination Address field of an IPv6 packet header needs to be a routable IPv6 address since that is required for forwarding the packet. Note that entries in the SID list do not need to be fully-formed IPv6 addresses that are copied direct to the Destination Address field of the IPv6 packet. The mapping from SID list entry could be a direct copy (the SID list contains a list of IPv6 addresses), or could involve a more complex function. An example of such a function is shown in where a REPLACE-CSID compressed SID is expanded to be placed in the Destination Address field.

Updates to RFC 8754

Segments Left in Section 2 of RFC 8754 The definition of the Segments Left field of the SRH is presented as:

Segments Left:

Defined in .

This is clarified by Erratum Report EID 7102. This clarification is included in this update for completeness. The new text reads:

Segments Left:

Defined in . Specifically, for the SRH, the number of unprocessed 128-bit entries in the Segment List.

Segment List in Section 2 of RFC 8754 The figure in Section 2 of RFC 8754 reads:

This is updated as follows to clarify that the entries in the Segment List are 128 bit entries, but not necessarily IPv6 addresses.

The text in RFC 8754 reads:

Segment List[0..n]:

128-bit IPv6 addresses representing the nth segment in the Segment List. The Segment List is encoded starting from the last segment of the SR Policy. That is, the first element of the Segment List (Segment List[0]) contains the last segment of the SR Policy, the second element contains the penultimate segment of the SR Policy, and so on.

This is updated as follows to clarify that the entries in the Segment List are 128 bit entries, but not necessarily IPv6 addresses.

Segment List[0..n]:

128-bit entries representing the nth segment in the Segment List. The Segment List is encoded starting from the last segment of the SR Policy. That is, the first element of the Segment List (Segment List[0]) contains the last segment of the SR Policy, the second element contains the penultimate segment of the SR Policy, and so on.

HMAC Processing in Section 2.1.2.1 of RFC 8754 In describing the HMAC processing, the text in RFC 8754 says that HMAC verification checks that the destination address of the packet matches that indicated by the next entry in the Segment List.

HMAC Segments Left is less than or equal to Last Entry, and the destination address is equal to Segment List[Segments Left].

This is updated to allow a non-direct mapping from Segment List entry to destination address as follows:

HMAC Segments Left is less than or equal to Last Entry, and the destination address is equal to the address created by mapping from Segment List[Segments Left].

Further, in describing the concatenation of information to generate the text field input to the HMAC computation, this section says:

SRH: All addresses in the Segment List (variable octets)

This is updated as follows to indicate that Segment List entries are not necessarily IPv6 addresses.

SRH: All entries in the Segment List (variable octets)

SRH Processing in Section 4.3.1.1 of RFC 8754 The processing steps for a locally instantiated SRv6 SID include the following step:

S16. Copy Segment List[Segments Left] from the SRH to the destination address of the IPv6 header.

As explained earlier in this document, the function used to generate the destination address may be a copy, but may be some other function. Thus, this text is updated as follows:

S16. Derive the destination address of the IPv6 header from Segment List[Segments Left] in the SRH.

ICMP Processing in Section 5.4 of RFC 8754 The method for deriving the destination address of the invoking packet in RFC 8574 reads as:

The SID at Segment List[0] may be used as the destination address of the invoking packet.

To allow for the 0th entry in the Segment List to be mapped rather than copied to a destination address, this is updated to:

The SID at Segment List[0] may be mapped to derive the destination address of the invoking packet.

Operational Considerations This document does not change any elements of the SR architecture and, as such, it makes no change to the operational procedures or management tools of SR. In clarifying the nature of SID list processing, this document also clarifies the nature of SID list entries. Operational and management tools that examine the SID list in a packet need to be aware of the nature of those entries in order to offer maximal clarity to the users of those tools.

Security Considerations This document makes no changes to the security properties of SRv6. See for more discussion of SRv6 security. Note that describing the SID list entries as being mapped to the destination address of a packet enables potential additional security features.

IANA Considerations This document makes no requests for IANA action.

Acknowledgments Thanks to Eric Vyncke and Erik Kline for inspiring the authors to write this document. Thanks to Bob Hinden, Mohamed Boucadair, Joel Halpern, Yao Liu, Bruno Decraene, and Brian Carpenter for their reviews and comments that improved this document.