Alternate Marking Deployment Framework

The Alternate Marking and Multipoint Alternate Marking define the Alternate Marking technique that is a hybrid performance measurement method, per classification of measurement methods. This method is based on marking consecutive batches of packets and it can be used to measure packet loss, latency, and jitter on live traffic. The first experiments on Alternate-Marking are described in and . According to the definitions of , the Alternate-Marking Method can be classified as Hybrid Type I. Indeed, Alternate Marking can be implemented by using reserved bits in the protocol header, and the change in value of these marking bits at the source node is formally considered a modification of the stream of interest. This document complements and as it explains the mechanisms that can be used to manage and deploy the method.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Abbreviations used in this document: AltMark: Alternate-Marking NMS: Network Management System IPv6: Internet Protocol version 6 SRv6: Segment Routing over IPv6 dataplane BIER: Bit Index Explicit Replication MPLS: Multi-Protocol Label Switching SFC: Service Function Chaining NVO3: Network Virtualization Overlays IPFIX: IP Flow Information Export YANG: Yet Another Next Generation PCEP: Path Computation Element Communication Protocol BGP: Border Gateway Protocol

The Alternate Marking Method MUST be deployed in a controlled domain for security and compatibility reasons. In this regard, reports further examples of specific limited domain solutions. It is not common that the user traffic originates and terminates within the controlled domain. For this reason, it will typically only be applicable in an overlay network, where user traffic is encapsulated at one domain border, decapsulated at the other domain border and the encapsulation incorporates the relevant extension header for Alternate Marking. This requirement also implies that an implementation MUST filter packets that carry Alternate Marking data and are entering or leaving the controlled domain. A controlled domain is a managed network where it is required to select, monitor and control the access to the network by enforcing policies at the domain boundaries in order to discard undesired external packets entering the domain and check the internal packets leaving the domain. It does not necessarily mean that a controlled domain is a single administrative domain or a single organization. A controlled domain can correspond to a single administrative domain or can be composed by multiple administrative domains under a defined network management. Indeed, some scenarios may imply that the Alternate Marking Method involves more than one domain, but in these cases, it is RECOMMENDED that the multiple domains create a whole controlled domain while traversing the external domain by employing IPsec authentication and encryption or other VPN technology that provides full packet confidentiality and integrity protection. In a few words, it must be possible to control the domain boundaries and eventually use specific precautions if the traffic traverse the Internet. The Alternate Marking measurement domain can overlap with the controlled domain or may be a subset of the controlled domain. The typical scenarios for the application of the Alternate Marking Method depend on the controlled domain boundaries, in particular: the user equipment can be the starting or ending node, only in case it is fully managed and if it belongs to the controlled domain. In this case the user generated packets contain the Alternate Marking data. But, in practice, this is not common due to the fact that the user equipment cannot be totally secured in the majority of cases. the CPE (Customer Premises Equipment) or the PE (Provider Edge) routers are most likely to be the starting or ending nodes since they can be border routers of the controlled domain. For instance, the CPE, which connects the user's premises with the service provider's network, belongs to a controlled domain only if it is managed by the service provider and if additional security measures are taken to keep it trustworthy. Typically the CPE or the PE can encapsulate a received packet in an outer header which contains the Alternate Marking data. They can also be able to filter and drop packets from outside of the domain with inconsistent fields to make effective the relevant security rules at the domain boundaries, for example a simple security check can be to insert the Alternate Marking data if and only if the destination is within the controlled domain.

An Alternate-Marking Domain consists of marking nodes, unmarking nodes, and transit nodes. A marking node, also called encapsulating node, incorporates the AltMark Data Fields into packets in order to enable Alternate-Marking. If the Alternate-Marking method is enabled for a selected flow of the traffic, the encapsulating node is responsible for applying the AltMark functionality to the selected flow and to take initial timestamps and packet counters. A transit node only reads AltMark Data Fields in order to take timestamps and packet counters. An unmarking node, also called decapsulating node, reads AltMark Data Fields in order to take final timestamps and packet counters and then removes any AltMark Option from packets.

|Node |====>| Node |====>| Node |====>|Node |--> | | | A | | B | | | +---------+ +---------+ +---------+ +---------+ ]]>

The methodology described in the previous sections can be applied to various performance measurement problems. The only requirement is to select and mark the flow to be monitored; in this way, packets are batched by the sender, and each batch is alternately marked such that it can be easily recognized by the receiver. Either one or two flag bits might be available for marking in different deployments: One flag: packet loss measurement MUST be done as described in Section 3.1 of , while delay measurement MUST be done according to the single-marking method described in Section 3.2.1 of . Mean delay (Section 3.2.1.1 of ) MAY also be used but it could imply more computational load. Two flags: packet loss measurement MUST be done as described in Section 3.1 of , while delay measurement MUST be done according to double-marking method Section 3.2.2 of . In this case single-marking MAY also be used in combination with double-marking and the two approaches provide slightly different pieces of information that can be combined to have a more robust data set. There are some operational guidelines to consider for the purpose of deciding to follow the recommendations above and use one or two flags. The Alternate-Marking method utilizes specific flags in the packet header, so an important factor is the number of flags available for the implementation. Indeed, if there is only one flag available there is no other way, while if two flags are available the option with two flags is certainly more complete. The duration of the Alternate-Marking period affects the frequency of the measurement and this is a parameter that can be decided on the basis of the required temporal sampling. But it cannot be freely chosen, as explained in Section 5 of . The Alternate-Marking methodologies enable packet loss, delay and delay variation calculation, but in accordance with the method used (e.g. single-marking or double-marking), there is different kind of information that can be derived. For example, to get more statistics of extent data, the option with two flags is desirable. For this reason, the type of data needed in the specific scenario is an additional element to take into account. The Alternate-Marking methods imply different computational load depending on the method employed. Therefore, the available computational resources on the measurement points can also influence the choice. As an example, mean delay calculation may require more processing and it may not be the best option to minimize the computational load. A deployment of the Alternate-Marking Method should also take into account how to handle and recognize marked and unmarked traffic. Since Alternate-Marking normally employs a marking field which is dedicated, reserved, and included in a protocol extension, the measurement points can learn whether the measurement is activated or not by checking if the specific extension is included or not within the packets.

The YANG model can be used for configuring Alternate-Marking in network nodes that support it. An example is defined in . There are also other control plane mechanisms to advertise and activate AltMark capabilities, using PCEP or BGP: , , . These mechanisms can be used to signal and configure the parameters to identify the flow to monitor both in case of point-to-point flow and multipoint-to-multipoint flow. Indeed, the selection of the identification fields directly affects the type of paths that the flow would follow in the network. As an example, for IPv6 the setting of the Flow Monitoring Identification (FlowMonID) is used in combination with source and destination addresses to identify a flow, as described in Section 5.3 of , and it can be algorithmically generated by the source node or assigned by the central controller. Additionally, other parameters are essential for the activation of the AltMark methodology: the choice between end-to-end or hop-by-hop measurement, the choice between the methods with one flag or two flags and the duration of the Alternate-Marking period which affects the measurement frequency (longer the duration of the block, the less frequently the measurement can be taken).

Each packet marked for Alternate-Marking, as for example the AltMark IPv6 option type defined in Section 3.1 of or the Segment Routing TLV Type as defined in Section 3.1 of MUST be copied to the IPFIX or YANG push metering process depending which Network Telemetry protocol is used to export the data.

|Node |====>| Node |====>| Node |====>|Node |--> | | | A | | B | | | +---------+ +---------+ +---------+ +---------+ ]]>

For IPFIX , the data decomposition can be achieved on the Alternate-Marking-aware node exporting the data or on the data collection. When decomposed at the data collection, the headers, as example the IPv6 options type header described in Section 3.1 of or the Segment Routing header TLV as described in Section 3.1 of containing the FlowMonID, Loss and Delay flag are being exposed as part of ipPayloadPacketSection(IE314), defined in Section 4.2 of RFC 7133. When being decomposed on the Alternate-Marking-aware node, new IPFIX entities for FlowMonID, Loss and Delay flag are needed so that the data can now be aggregated according to section 5 of . FlowMonID is a Flow Key field. The following IPFIX entities are of interest to describe the relationship to the forwarding topology and the control-plane. node id, ingressInterface(IE10) and egressInterface(IE14) describes on which node which logical ingress and egress interfaces have been used to forward the packet. Node id and egressPhysicalInterface(253) describes on which node which physical egress interfaces have been used to forward the packet. Node id and ipNextHopIPv4Address(IE15) or ipNextHopIPv6Address(IE62), describes the forwarding path to which next-hop IP address. Node id and mplsTopLabelIPv4Address(IE47) or srhActiveSegmentIPv6 from describes the forwarding path to which MPLS top label IPv4 address or SRv6 active segment. BGP communities are often used for setting a path priority or service selection. bgpDestinationExtendedCommunityList(488) or bgpDestinationCommunityList(485) or bgpDestinationLargeCommunityList(491) describes which group of prefixes have been used to forward the packet. Node id and destinationIPv4Address(13), destinationTransportPort(11), protocolIdentifier (4) and sourceIPv4Address(IE8) describes the forwarding path on each node from each IPv4 source address to a specific application in the network. To calculate loss, the packet count with octetDeltaCount(IE1) and to calculate delay, either flowStartSeconds(IE150), flowStartMilliseconds(IE152), flowStartMicroseconds(IE154) or flowStartNanoseconds(IE156), depending on timestamp granularity requirements, are needed. To calculate loss, the packet count with octetDeltaCount(IE1) and to calculate delay, either flowStartSeconds(IE150), flowStartMilliseconds(IE152), flowStartMicroseconds(IE154) or flowStartNanoseconds(IE156), depending on timestamp granularity requirements, are needed.

For YANG Push , periodical subscription as defined in Section 3.1 of is used to subscribe data. Decomposition is done on the Alternate-Marking-aware node publishing the data. The YANG module contains FlowMonID as key, Loss and Delay flag, ingress and egress interface ifIndex , octet delta count describing the amount of observed packets within a flow to measure loss, and flow start timestamp describing the first packet observed for measuring delay as leafes. Since the amount of observed data could overwhelm a route processor on a network node, publishing data from network processors as specified in is advised.

Alternate-Marking encapsulation for IPv6 is defined in , which also discusses deployment considerations for IPv6 networks. The IPv6 AltMark Option applies the Alternate Marking Method to IPv6, and defines an Extension Header Option to encode the Alternate Marking Method for both the Hop-by-Hop Options Header and the Destination Options Header.

Alternate-Marking encapsulation for SRv6 is discussed in IPv6 AltMark Option and .

Alternate-Marking encapsulation for BIER is introduced in .

Alternate-Marking encapsulation for MPLS is introduced in .

Alternate-Marking encapsulation for SFC is introduced in .

Alternate-Marking encapsulation for NVO3 is introduced in .

defines extended data fields for the AltMark Option and provides enhanced capabilities to overcome some challenges and enable future proof applications. It is worth mentioning that the enhanced capabilities are intended for further use and are optional.

In a controlled domain, the nodes may support the AltMark specific encapsulation and this also depends on the implementation. If a node is configured to read the AltMark option, the measurement is done on that node, otherwise it is simply not considered in the measurement. Assuming that the measurement domain overlaps with the controlled domain, the procedure for AltMark data encapsulation can be summarized as follows: Ingress Node: the Ingress Node of a controlled domain that supports the Alternate Marking Method adds the AltMark data in the the data packets. Intermediate Node: if an Intermediate Node is not capable of processing the AltMark data, it simply ignores it. If an Intermediate Node is capable of processing the AltMark data, it processes it. Egress SR Node: The Egress Node is the last node of the controlled domain. The processing if the AltMark data is similar to the processing at the Intermediate Nodes. The only difference is that it needs to remove the AltMark data from the the data packets.

Alternate Marking and Multipoint Alternate Marking analyze different security concerns and related solutions. These aspects are valid and applicable also to this document. In particular the fundamental security requirement is that Alternate Marking MUST only be applied in a specific limited domain, as also mentioned in .

This document has no request to IANA.

TBD