Cisco Systems, Inc.

3rd Floor Hansaallee 249 Duesseldorf 40549 Germany fbrockne@cisco.com

Thoughtspot

3rd Floor, Indiqube Orion 24th Main Rd, Garden Layout, HSR Layout Bangalore Karnataka 560 102 India shwetha.bhandari@thoughtspot.com

rtg sfc inband In situ Telemetry Tracing In situ Operations, Administration, and Maintenance (IOAM) is used for recording and collecting operational and telemetry information while the packet traverses a path between two points in the network. This document outlines how IOAM-Data-Fields are encapsulated with the Network Service Header (NSH).

Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

• .  Introduction
• .  Conventions
• .  IOAM Encapsulation with NSH
• .  IANA Considerations
• .  Security Considerations
• .  References
  • .  Normative References
  • .  Informative References
• .  Discussion of the IOAM-Encapsulation Approach
• Acknowledgments
• Contributors
• Authors' Addresses

Introduction IOAM, as defined in , is used to record and collect OAM information while the packet traverses a particular network domain. The term "in situ" refers to the fact that the OAM data is added to the data packets rather than what is being sent within packets specifically dedicated to OAM. This document defines how IOAM-Data-Fields are transported as part of the Network Service Header (NSH) encapsulation for the Service Function Chaining (SFC) Architecture . The IOAM-Data-Fields are defined in .

Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Abbreviations used in this document:

IOAM:

In situ Operations, Administration, and Maintenance

MD:

NSH Metadata, see

NSH:

Network Service Header

OAM:

Operations, Administration, and Maintenance

SFC:

Service Function Chaining

TLV:

Type, Length, Value

IOAM Encapsulation with NSH The NSH is defined in . IOAM-Data-Fields are carried as NSH payload using a Next Protocol header that follows the NSH headers. An IOAM header containing the IOAM-Data-Fields is added. The IOAM-Data-Fields MUST follow the definitions corresponding to IOAM Option-Types (e.g., see and ). In an administrative domain where IOAM is used, insertion of the IOAM header in NSH is enabled at the NSH tunnel endpoints, which are also configured to serve as encapsulating and decapsulating nodes for IOAM. The operator MUST ensure that SFC-aware nodes along the Service Function Path support IOAM; otherwise, packets might be dropped (see the last paragraph of this section as well as ). The IOAM transit nodes (e.g., a Service Function Forwarder (SFF)) MUST process all the IOAM headers that are relevant based on its configuration. See for a discussion of deployment-related aspects of IOAM-Data-Fields.

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<-+ |Ver|O|U| TTL | Length |U|U|U|U|MD Type| NP = 0x06 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ N | Service Path Identifier | Service Index | S +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ H | ... | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<-+ | IOAM-Type | IOAM HDR Len | Reserved | Next Protocol | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I ! | O ! | A ~ IOAM Option and Optional Data Space ~ M | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<-+ | | | | | Payload + Padding (L2/L3/...) | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The NSH header and fields are defined in . The O bit MUST be handled following the rules in . The "NSH Next Protocol" value (referred to as "NP" in the diagram above) is 0x06. The IOAM-related fields in NSH are defined as follows:

IOAM-Type:

8-bit field defining the IOAM Option-Type, as defined in the "IOAM Option-Type" registry specified in .

IOAM HDR Len:

8-bit field that contains the length of the IOAM header in multiples of 4-octets, including the "IOAM-Type" and "IOAM HDR Len" fields.

Reserved bits:

Reserved bits are present for future use. The reserved bits MUST be set to 0x0 upon transmission and ignored upon receipt.

Next Protocol:

8-bit unsigned integer that determines the type of header following IOAM. The semantics of this field are identical to the Next Protocol field in .

IOAM Option and Optional Data Space:

IOAM-Data-Fields as specified by the IOAM-Type field. IOAM-Data-Fields are defined corresponding to the IOAM Option-Type (e.g., see and ) and are always aligned by 4 octets. Thus, there is no padding field.

Multiple IOAM Option-Types MAY be included within the NSH encapsulation. For example, if an NSH encapsulation contains two IOAM Option-Types before a data payload, the Next Protocol field of the first IOAM option will contain the value 0x06, while the Next Protocol field of the second IOAM Option-Type will contain the "NSH Next Protocol" number indicating the type of the data payload. The applicability of the IOAM Active and Loopback flags is outside the scope of this document and may be specified in the future. In case the IOAM Incremental Trace Option-Type is used, an SFC-aware node that serves as an IOAM transit node needs to adjust the "IOAM HDR Len" field accordingly. See . Per , packets with unsupported Next Protocol values SHOULD be silently dropped by default. Thus, when a packet with IOAM is received at an NSH-based forwarding node (such as an SFF) that does not support the IOAM header, it SHOULD drop the packet. The mechanisms to maintain and notify of such events are outside the scope of this document.

IANA Considerations IANA has allocated the following code point for IOAM in the "NSH Next Protocol" registry:

Next Protocol	Description	Reference
0x06	IOAM (Next Protocol is an IOAM header)	RFC 9452

Security Considerations IOAM is considered a "per domain" feature, where the operator decides how to leverage and configure IOAM according to the operator's needs. The operator needs to properly secure the IOAM domain to avoid malicious configuration and use, which could include injecting malicious IOAM packets into a domain. For additional IOAM-related security considerations, see . For additional OAM- and NSH-related security considerations, see .

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document describes a Network Service Header (NSH) imposed on packets or frames to realize Service Function Paths (SFPs). The NSH also provides a mechanism for metadata exchange along the instantiated service paths. The NSH is the Service Function Chaining (SFC) encapsulation required to support the SFC architecture (defined in RFC 7665). In situ Operations, Administration, and Maintenance (IOAM) collects operational and telemetry information in the packet while the packet traverses a path between two points in the network. This document discusses the data fields and associated data types for IOAM. IOAM-Data-Fields can be encapsulated into a variety of protocols, such as Network Service Header (NSH), Segment Routing, Generic Network Virtualization Encapsulation (Geneve), or IPv6. IOAM can be used to complement OAM mechanisms based on, e.g., ICMP or other types of probe packets. This document clarifies an ambiguity in the Network Service Header (NSH) specification related to the handling of O bit. In particular, this document clarifies the meaning of "OAM packet". This document updates RFC 8300. Informative References This document describes an architecture for the specification, creation, and ongoing maintenance of Service Function Chains (SFCs) in a network. It includes architectural concepts, principles, and components used in the construction of composite services through deployment of SFCs, with a focus on those to be standardized in the IETF. This document does not propose solutions, protocols, or extensions to existing protocols. In situ Operations, Administration, and Maintenance (IOAM) collects operational and telemetry information in packets while they traverse a path between two points in the network. This document defines two new flags in the IOAM Trace Option headers, specifically the Loopback and Active flags. In situ Operations, Administration, and Maintenance (IOAM) is used for recording and collecting operational and telemetry information. Specifically, IOAM allows telemetry data to be pushed into data packets while they traverse the network. This document introduces a new IOAM option type (denoted IOAM-Option-Type) called the "IOAM Direct Export (DEX) Option-Type". This Option-Type is used as a trigger for IOAM data to be directly exported or locally aggregated without being pushed into in-flight data packets. The exporting method and format are outside the scope of this document. In situ Operations, Administration, and Maintenance (IOAM) collects operational and telemetry information in the packet while the packet traverses a path between two points in the network. This document provides a framework for IOAM deployment and provides IOAM deployment considerations and guidance.

Discussion of the IOAM-Encapsulation Approach This section lists several approaches considered for encapsulating IOAM with NSH and presents the rationale for the approach chosen in this document. An encapsulation of IOAM-Data-Fields in NSH should be friendly to an implementation in both hardware as well as software forwarders and support a wide range of deployment cases, including large networks that desire to leverage multiple IOAM-Data-Fields at the same time.

• Hardware- and software-friendly implementation: Hardware forwarders benefit from an encapsulation that minimizes iterative lookups of fields within the packet. Any operation that looks up the value of a field within the packet, based on which another lookup is performed, consumes additional gates and time in an implementation, both of which should be kept to a minimum. This means that flat TLV structures are preferred over nested TLV structures. IOAM-Data-Fields are grouped into several categories, including trace, proof-of-transit, and edge-to-edge. Each of these options defines a TLV structure. A hardware-friendly encapsulation approach avoids grouping these three option categories into yet another TLV structure and would instead carry the options as a serial sequence.
• Total length of the IOAM-Data-Fields: The total length of IOAM-Data-Fields can grow quite large if multiple different IOAM-Data-Fields are used and large path-lengths need to be considered. For example, if an operator would consider using the IOAM Trace Option-Type and capture node-id, app_data, egress and ingress interface-id, timestamp seconds, and timestamp nanoseconds at every hop, then a total of 20 octets would be added to the packet at every hop. In this case, the particular deployment has a maximum path length of 15 hops in the IOAM domain, and a maximum of 300 octets would be encapsulated in the packet.

Different approaches for encapsulating IOAM-Data-Fields in NSH could be considered:

1. Encapsulation of IOAM-Data-Fields as "NSH MD Type 2" (see ). Each IOAM Option-Type (e.g., trace, proof-of-transit, and edge-to-edge) would be specified by a type, with the different IOAM-Data-Fields being TLVs within this the particular option type. NSH MD Type 2 offers support for variable length metadata. The length field is 6 bits, resulting in a maximum of 256 (2⁶ x 4) octets.
2. Encapsulation of IOAM-Data-Fields using the "Next Protocol" field. Each IOAM Option-Type (e.g., trace, proof-of-transit, and edge-to-edge) would be specified by its own "next protocol".
3. Encapsulation of IOAM-Data-Fields using the "Next Protocol" field. A single NSH protocol type code point would be allocated for IOAM. A "sub-type" field would then specify what IOAM options type (trace, proof-of-transit, edge-to-edge) is carried.

The third option has been chosen here. This option avoids the additional layer of TLV-nesting that the use of NSH MD Type 2 would result in. In addition, this option does not constrain IOAM data to a maximum of 256 octets, thus allowing support for very large deployments.

Acknowledgments The authors would like to thank , , , , , , , , , , , and for their comments and advice.

Contributors The following people contributed significantly to the content of this document and should be considered coauthors: Cisco Systems, Inc.

venggovi@cisco.com

Cisco Systems, Inc.

7200-11 Kit Creek Road Research Triangle Park NC 27709 United States of America cpignata@cisco.com

RtBrick Inc.

hannes@rtbrick.com

john@leddy.net

JP Morgan Chase

25 Bank Street London E14 5JP United Kingdom stephen.youell@jpmorgan.com

Huawei Network.IO Innovation Lab

Israel tal.mizrahi.phd@gmail.com

mosesster@gmail.com

Facebook

1 Hacker Way Menlo Park CA 94025 United States of America petr@fb.com

Barefoot Networks

2185 Park Boulevard Palo Alto CA 94306 United States of America

Authors' Addresses Cisco Systems, Inc.

3rd Floor Hansaallee 249 Duesseldorf 40549 Germany fbrockne@cisco.com

Thoughtspot

3rd Floor, Indiqube Orion 24th Main Rd, Garden Layout, HSR Layout Bangalore Karnataka 560 102 India shwetha.bhandari@thoughtspot.com