Network Working Group J.P.Lang (Editor) Internet DraftLang, Ed. Request for Comments: 4872 Sonos Updates: 3471 Y.Rekhter (Editor) Expiration Date: February 2007Rekhter, Ed. Category: Standards Track Juniper D.Papadimitriou (Editor) Updates RFC 3471 October 2006Papadimitriou, Ed. Alcatel May 2007 RSVP-TE Extensions insupportSupport of End-to-End Generalized Multi-Protocol Label Switching (GMPLS) Recoverydraft-ietf-ccamp-gmpls-recovery-e2e-signaling-04.txtStatus ofthisThis MemoBy submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents ofThis document specifies an Internet standards track protocol for the InternetEngineering Task Force (IETF), its areas,community, andits working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents validrequests discussion and suggestions fora maximumimprovements. Please refer to the current edition ofsix monthsthe "Internet Official Protocol Standards" (STD 1) for the standardization state andmay be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The liststatus ofcurrent Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The listthis protocol. Distribution ofInternet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.this memo is unlimited. Copyright Notice Copyright (C) TheInternet Society (2006).IETF Trust (2007). Abstract This document describesprotocol specificprotocol-specific procedures and extensions for Generalized Multi-Protocol Label Switching (GMPLS) ResourceReserVationReSerVation Protocol - Traffic Engineering (RSVP-TE) signaling to support end-to-end Label Switched Path (LSP) recovery that denotes protection and restoration. A generic functional description of GMPLS recovery can be found in a companion document, RFC 4426.J.P.Lang et al. Standards Track 1Table of ContentsStatus of this Memo ............................................. 1 Abstract ........................................................ 1 Table of Content ................................................ 21.Conventions .................................................. 3 2.Introduction................................................. 4.....................................................3 2. Conventions Used in This Document ...............................5 3. Relationship to Fast Reroute (FRR)........................... 4..............................5 4. Definitions.................................................. 6 4.1.....................................................6 4.1. LSP Identification.......................................... 6 4.2.........................................6 4.2. Recovery Attributes......................................... 7 4.2.1........................................7 4.2.1. LSP Status................................................ 7 4.2.2..........................................7 4.2.2. LSP Recovery.............................................. 8 4.3........................................8 4.3. LSP Association............................................. 9............................................9 5. 1+1 Unidirectional Protection................................ 9...................................9 5.1. Identifiers............................................... 10...............................................10 6. 1+1Bi-directionalBidirectional Protection............................... 10...................................10 6.1. Identifiers............................................... 11...............................................11 6.2. End-to-End Switchover Request/Response.................... 11....................11 7. 1:1 Protection with Extra-Traffic........................... 13 7.1..............................13 7.1. Identifiers................................................ 14 7.2...............................................14 7.2. End-to-End Switchover Request/Response..................... 14 7.3....................15 7.3. 1:N (N > 1) Protection with Extra-Traffic.................. 16.................16 8.Re-routingRerouting without Extra-Traffic............................ 16 8.1................................17 8.1. Identifiers................................................ 18 8.2...............................................19 8.2. Signaling Primary LSPs..................................... 18 8.3....................................19 8.3. Signaling Secondary LSPs................................... 18..................................19 9. Shared-Mesh Restoration..................................... 19........................................20 9.1. Identifiers............................................... 21 9.2...............................................22 9.2. Signaling Primary LSPs..................................... 21 9.3....................................22 9.3. Signaling Secondary LSPs................................... 21..................................23 10. LSP Preemption............................................. 22................................................23 11. (Full) LSPRe-routing ...................................... 23 11.1Rerouting ..........................................25 11.1. Identifiers............................................... 24 11.2..............................................25 11.2. SignalingRe-routableReroutable LSPs................................ 24................................26 12. Reversion.................................................. 25.....................................................26 13.ExternalRecovery Commands.......................................... 28.............................................29 14. PROTECTION Object.......................................... 29 14.1.............................................31 14.1. Format.................................................... 29 14.2...................................................31 14.2. Processing................................................ 31...............................................33 15.PRIMARY PATH ROUTEPRIMARY_PATH_ROUTE Object.................................. 31 15.1.....................................33 15.1. Format.................................................... 31 15.2...................................................34 15.2. Subobjects................................................ 32 15.3...............................................34 15.3. Applicability............................................. 33 15.4............................................35 15.4. Processing................................................ 33...............................................36 16. ASSOCIATION Object......................................... 34 16.1............................................37 16.1. Format.................................................... 34 16.2...................................................37 16.2. Processing................................................ 36...............................................38 17. Updated RSVP Message Formats............................... 36..................................39 18. Security Considerations.................................... 37.......................................40 19. IANA Considerations........................................ 38...........................................41 20. Acknowledgments............................................ 39 J.P.Lang et al. Expires February 2007 2...............................................43 21. References................................................. 40 21.1....................................................43 21.1. Normative References...................................... 40 21.2.....................................43 21.2. Informative References.................................... 41...................................44 22.Editor's Addresses ......................................... 41 23.Contributors............................................... 41..................................................45 1.Conventions used in this document: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. In addition, the reader is assumed to be familiar with the terminology used in [RFC3945], [RFC3471], [RFC3473] and referenced as well as in [RFC4427] and [RFC4426]. 2.Introduction Generalized Multi-Protocol Label Switching (GMPLS) extends MPLS to include support for Layer-2 Switch Capable (L2SC), Time-Division Multiplex (TDM), Lambda Switch Capable (LSC), and Fiber Switch Capable (FSC) interfaces. GMPLS recovery uses control plane mechanisms (i.e., signaling, routing, and link management mechanisms) to support data plane fault recovery. Note that the analogous (data plane) fault detection mechanisms are required to be present in support of the control plane mechanisms. In this document, the term "recovery" is generically used to denote both protection and restoration; the specific terms "protection" and "restoration" are only used when differentiation is required. The subtle distinction between protection and restoration is made based on the resource allocation done during the recovery phase (see [RFC4427]). A functional description of GMPLS recovery is provided in [RFC4426] and should be considered as a companion document. The present document describes theprotocol specificprotocol-specific procedures for GMPLS RSVP- TE (Resource ReSerVation Protocol - Traffic Engineering) signaling (see [RFC3473]) to support end-to-end recovery. End-to-end recovery refers to the recovery of an entire LSP from its head-end (ingress nodeend-point)endpoint) to its tail-end (egress nodeend-point).endpoint). Withend-to-endend-to- end recovery, working LSPs are assumed to be resource-disjoint (where a resource(link/node/SRLG) disjointis a link, node, or Shared Risk Link Group (SRLG)) in the network so that they do not share any failure probability, but this is not mandatory. With respect to a given set of network resources, a pair of working/protecting LSPs SHOULD be resource disjoint in case of dedicated recovery type (see below). On the other hand, in case of shared recovery (see below), a group of working LSPs SHOULD be mutually resource-disjoint in order to allow for a (single and commonly) shared protectingLSPLSP, itself resource-disjoint from each of the working LSPs. Note that resource disjointness is a necessary (but notasufficient) condition to ensure LSP recoverability.J.P.Lang et al. Expires February 2007 3The present document addresses four types of end-to-end LSP recovery: 1) 1+1(unidirectional/bi-directional)(unidirectional/bidirectional) protection, 2) 1:N (N >= 1) LSP protection with extra-traffic, 3) pre-planned LSPre- routingrerouting without extra-traffic (including shared mesh), and 4) full LSPre-routing.rerouting. 1) The simplest notion of end-to-end LSP protection is 1+1 unidirectional protection. Using this type of protection, a protecting LSP is signaled over a dedicated resource-disjoint alternate path to protect an associated working LSP. Normal traffic is simultaneously sent on both LSPs and a selector is used at the egress node to receive traffic from one of the LSPs. If a failure occurs along one of the LSPs, the egress node selects the traffic from the valid LSP. No coordination is required between the end nodes when a failure/switchover occurs. In 1+1bi-directionalbidirectional protection, a protecting LSP is signaled over a dedicated resource-disjoint alternate path to protect the working LSP. Normal traffic is simultaneously sent on both LSPs (in bothdirections)directions), and a selector is used at both ingress/egress nodes to receive traffic from the same LSP. This requiresco-ordinationcoordination between the end-nodes when switching to the protecting LSP. 2) In 1:N (N >= 1) protection with extra-traffic, the protecting LSP is a fully provisioned and resource-disjoint LSP from the N working LSPs, that allows for carrying extra-traffic. The N working LSPs MAY be mutually resource-disjoint. Coordination between end-nodes is required when switching from one of the working LSPs to the protecting LSP. As the protecting LSP is fully provisioned, default operations during protection switching are specified for a protecting LSP carrying extra-traffic, but this is not mandatory. Note that M:N protection is out of scope of this document (though mechanisms it defines may be extended to cover it). 3) Pre-planned LSPre-routingrerouting (or restoration) relies on the establishment between the same pair of end-nodes of a working LSP and a protecting LSP that is link/node/SRLG disjoint from the working one. Here, the recovery resources for the protecting LSP are pre-reserved but explicit action is required to activate(i.e.(i.e., commit resource allocation at the data plane) a specific protecting LSP instantiated during the (pre-)provisioning phase. Since the protecting LSP is not "active"(i.e.(i.e., fully instantiated), itcan notcannot carry any extra-traffic. This does not mean that the corresponding resourcescan notcannot be used by other LSPs. Therefore, this mechanism protects against working LSP(s) failure(s) but requires activation of the protecting LSP after working LSP failure occurrence. This requires restoration signaling along the protecting path. "Shared-mesh" restoration can be seen as a particular case of pre-planned LSPre-routingrerouting that reduces the recovery resource requirements by allowingJ.P.Lang et al. Expires February 2007 4multiple protecting LSPs to share common link and node resources. The recovery resources are pre-reserved but explicit action is required to activate(i.e.(i.e., commit resource allocation at the data plane) a specific protecting LSP instantiated during the (pre-) provisioning phase. This procedure requires restoration signaling along the protecting path. Note that in both cases, bandwidth pre-reserved for a protecting (but not activated)LSP,LSP can be made available for carrying extra traffic. LSPs forextra trafficextra-traffic (with lower holding priority than the protecting LSP) can then be established using the bandwidth pre-reserved for the protecting LSP. Also, any lower priority LSP that use the pre-reserved resources for the protecting LSP(s) must be preempted during the activation of the protecting LSP. 4) Full LSPre-routingrerouting (or restoration) switches normal traffic to an alternate LSP that is not even partially established until after the working LSP failure occurs. The new alternate route is selected at the LSP head-end node, it may reuse resources of the failed LSP at intermediate nodes and may include additional intermediate nodes and/or links. Crankback signaling (see [CRANK]) and LSP segment recovery (see[SEGREC])[RFC4873]) are further detailed in dedicated companion documents. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. In addition, the reader is assumed to be familiar with the terminology used in [RFC3945], [RFC3471], [RFC3473] and referenced as well as in [RFC4427] and [RFC4426]. 3. Relationship to Fast Reroute (FRR) There is no impact to RSVP-TE Fast Reroute (FRR) [RFC4090] introduced by end-to-end GMPLS recoveryi.e.i.e., it is possible to use either method defined in FRR with end-to-end GMPLS recovery. The objects used and/or newly introduced by end-to-end recovery will be ignored by [RFC4090] conformant implementations, and FRR can operate on a per LSP basis as defined in [RFC4090]. 4. Definitions4.14.1. LSP Identification This section reviews terms previously defined in [RFC2205], [RFC3209], and [RFC3473]. LSP tunnels are identified by a combination of the SESSION and SENDER_TEMPLATE objects (see also [RFC3209]). The relevant fields are as follows: IPv4 (or IPv6) tunnelend pointendpoint address IPv4 (or IPv6) address of the egress node for the tunnel. Tunnel ID A 16-bit identifier used in the SESSION that remains constant over the life of the tunnel.J.P.Lang et al. Expires February 2007 5Extended Tunnel ID A 32-bit (or 16-byte) identifier used in the SESSION that remains constant over the life of the tunnel. Normally set to all zeros. Ingress nodes that wish to narrow the scope of a SESSION to the ingress-egress pair MAY place their IPv4 (or IPv6) address here as a globally unique identifier. IPv4 (or IPv6) tunnel sender address IPv4 (or IPv6) address for a sender node. LSP ID A 16-bit identifier used in the SENDER_TEMPLATE and FILTER_SPEC that can be changed to allow a sender to share resources with itself. The first three fields are carried in the SESSION object (Path and Resv message) and constitute the basic identification of the LSP tunnel. The last two fields are carried in the SENDER_TEMPLATE (Path message) and FILTER_SPEC objects (Resv message). The LSP ID is used to differentiate LSPs that belong to the same LSP Tunnel (as identified by its Tunnel ID).4.24.2. Recovery Attributes The recovery attributes include all the parameters that determine the status ofaan LSP within the recovery scheme to which it is associated. These attributes are part of the PROTECTION object introduced in Section 14.4.2.14.2.1. LSP Status The following bits are used in determining resource allocation and status of the LSP within the group of LSPs forming the protected entity: - S (Secondary) bit: enables distinction between primary and secondary LSPs. A primary LSP is a fully established LSP for which the resource allocation has been committed at the data plane(i.e.(i.e., full cross-connection has been performed). Both working and protecting LSPs can be primary LSPs. A secondary LSP is an LSP that has been provisioned in the control planeonlyonly, and for which resource selection MAY have been done but for which the resource allocation has not been committed at the data plane (for instance, no cross-connection has been performed). Therefore, a secondary LSP is not immediately available to carry any traffic(requiring thus(thus requiring additional signaling to be available). A secondary LSP canJ.P.Lang et al. Expires February 2007 6only be a protecting LSP. The (data plane) resources allocated for a secondary LSP MAY be used by other LSPs until the primary LSP fails over to the secondary LSP. - P (Protecting) bit: enables distinction between working and protecting LSPs. A working LSP must be a primary LSP whilst a protecting LSP can be either a primary or a secondary LSP. When protecting LSP(s) are associated with working LSP(s), one also refers to the latter as protected LSPs. Note: The combination "secondary working" is not valid (only protecting LSPs can be secondary LSPs). Working LSPs are always primary LSPs(i.e.(i.e., fully established) whilst primary LSPs can be either working or protecting LSPs. - O (Operational) bit: this bit is set when a protecting LSP is carrying the normal traffic after protection switching(i.e.(i.e., applies only in case of dedicated LSP protection or LSP protection withextra-traffic,extra-traffic; see Section 4.2.2). In this document, the PROTECTION object uses as a basis the PROTECTION object defined in [RFC3471] and [RFC3473] and defines additional fields within it. The fields defined in [RFC3471] and [RFC3473] are unchanged by this document.4.2.24.2.2. LSP Recovery The following classification is used to distinguish the LSP Protection Type with which LSPs can be associated at end-nodes (a distinct value is associated with each Protection Type in the PROTECTIONobject,object; see Section 14): - Full LSPRe-routing:Rerouting: set if a primary working LSP is dynamically recoverable using (non pre-planned) head-endre-routing.rerouting. - Pre-planned LSPRe-routingRerouting without Extra-traffic: set if a protecting LSP is a secondary LSP that allows sharing of thepre-reservedpre- reserved recovery resources between one or more than one <sender;receiver> pair. When the secondary LSPs resources are not pre-reserved for a single <sender;receiver> pair, this type is referred to as "shared mesh" recovery. - LSP Protection with Extra-traffic: set if a protecting LSP is a dedicated primary LSP that allows for extra-traffic transport and thus precludes any sharing of the recovery resources between more than one <sender;receiver> pair. This type includes 1:N LSP protection with extra-traffic. - Dedicated LSP Protection: set if a protecting LSP does not allow sharing of the recovery resources nor the transport of extra- traffic (implying in the present context, duplication of the signal over both working and protecting LSPs as in 1+1 dedicated protection). Note also that this document makes a distinctionJ.P.Lang et al. Expires February 2007 7between 1+1 unidirectional andbi-directionalbidirectional dedicated LSP protection. For LSP protection, inparticularparticular, when the data plane provides automatedprotection switchingprotection-switching capability (see for instance ITU-T [G.841] Recommendation), a Notification (N) bit is defined in the PROTECTION object. It allows for distinction between protection switching signaling via the control plane orviathe data plane. Note: this document assumes that Protection Type values have end-to- end significance and that the same value is sent over the protected and the protecting path. In this context, shared-meshfor instance,(for instance) appears from the end-nodes perspective as being simply an LSPre- routingrerouting without extra-traffic services. The net result of this is that a single bit (the S bit alone) does not allow determining whether resource allocation should be performedand this *withwith respectto*to the status of the LSP within the protected entity. The introduction of the P bit solves this problem unambiguously. These bits MUST be processed on a hop-by-hop basis (independently of the LSP Protection Type context). This allows for an easier implementation of reversion signaling (see Section 12) but also facilitates the transparent delivery of protected services since any intermediate node is not required to know thesemanticsemantics associated with the incoming LSP Protection Type value.4.34.3. LSP Association The ASSOCIATION object, introduced in Section 16, is used to associate the working and protecting LSPs. When used for signaling the working LSP, the Association ID of the ASSOCIATION object (see Section 16) identifies the protecting LSP. When used for signaling the protecting LSP, this field identifies the LSP protected by the protecting LSP. 5. 1+1 Unidirectional Protection One of the simplest notions of end-to-end LSP protection is 1+1 unidirectional protection. Consider the following network topology: A---B---C---D \ / E---F---G The paths [A,B,C,D] and [A,E,F,G,D] are node and link disjoint, ignoring the ingress/egress nodes A and D. A 1+1 protected path is established from A to D over [A,B,C,D] and[A,E,F,G,D][A,E,F,G,D], and traffic is transmitted simultaneously over both component paths(i.e.(i.e., LSPs).J.P.Lang et al. Expires February 2007 8During the provisioning phase, both LSPs are fully instantiated (and thus activated) so that no resource sharing can be done along the protecting LSP (nor can any extra-traffic be transported). It is also RECOMMENDED to set the N bit since noprotection switchingprotection-switching signaling is assumed in this case. When a failure occurs(say(say, at node B) and is detected at end-node D, the receiver at D selects the normal traffic from the other LSP. From this perspective, 1+1 unidirectional protection can be seen as an uncoordinatedprotection switchingprotection-switching mechanism acting independently at bothend-points.endpoints. Also, for the LSP under failure condition, it is RECOMMENDED to not set the Path_State_Removed Flag of the ERROR_SPEC object (see [RFC3473]) upon PathErr message generation. Note: it is necessary that both paths are SRLG disjoint to ensurerecoverability otherwiserecoverability; otherwise, a single failure may impact both working and protecting LSPs. 5.1. Identifiers To simplify association operations, both LSPs belong to the same session. Thus, the SESSION object MUST be the same for both LSPs. The LSP ID, however, MUST be different to distinguish between the two LSPs. A new PROTECTION object (see Section 14) is included in the Path message. This object carries the desired end-to-end LSP ProtectionType,Type -- in this case, "1+1 Unidirectional". This LSP Protection Type value is applicable to both uni- andbi-directionalbidirectional LSPs. To allow distinguishing the working LSP (from which the signal is taken) from the protecting LSP, the working LSP is signaled by setting in the PROTECTION object the S bit to 0, the P bit to 0, and in the ASSOCIATION object, the Association ID to the protecting LSP_ID. The protecting LSP is signaled by setting in the PROTECTION object the S bit to 0, the P bit to 1, and in the ASSOCIATION object, the Association ID to the associated protected LSP_ID. After protection switching completes, and after reception of the PathErr message, to keep track of the LSP from which the signal is taken, the protecting LSP SHOULD be signaled with theO-bitO bit set. The formerly working LSP MAY be signaled with the A bit set in the ADMIN_STATUS object (see [RFC3473]). This process assumes the tail- end node has notified the head-end node that traffic selection switchover has occurred. 6. 1+1Bi-directionalBidirectional Protection 1+1bi-directionalbidirectional protection is a scheme that provides end-to-end protection forbi-directionalbidirectional LSPs.J.P.Lang et al. Expires February 2007 9Consider the following network topology: A---B---C---D \ / E---F---G The LSPs [A,B,C,D] and [A,E,F,G,D] are node and link disjoint, ignoring the ingress/egress nodes A and D. Abi-directionalbidirectional LSP is established from A to D over eachpathpath, and traffic is transmitted simultaneously over both LSPs. In this scheme, bothend-pointsendpoints must receive traffic over the same LSP. Note also that both LSPs are fully instantiated (and thus activated) so that no resource sharing can be done along the protection path (nor can any extra-traffic be transported). When a failure is detected by one or bothend-pointsendpoints of the LSP, bothend-pointsendpoints must select traffic from the other LSP. This action must be coordinated between node A and D. From this perspective, 1+1bi-directionalbidirectional protection can be seen as a coordinatedprotectionprotection- switching mechanism between bothend-points.endpoints. Note: it is necessary that both paths are SRLG disjoint to ensurerecoverability, otherwiserecoverability; otherwise, a single failure may impact both working and protecting LSPs. 6.1. Identifiers To simplify association operations, both LSPs belong to the same session. Thus, the SESSION object MUST be the same for both LSPs. The LSP ID, however, MUST be different to distinguish between the two LSPs. A new PROTECTION object (see Section 14) is included in the Path message. This object carries the desired end-to-end LSP ProtectionType,Type -- in this case, "1+1Bi-directional".Bidirectional". This LSP Protection Type value is only applicable tobi-directionalbidirectional LSPs. It is also desirable to allow distinguishing the working(LSP fromLSP (from which the signal is taken) from the protecting LSP. This is achieved for the working LSP by setting in the PROTECTION object the S bit to 0, the P bit to 0, and in the ASSOCIATION object, the Association ID to the protecting LSP_ID. The protecting LSP is signaled by setting in the PROTECTION object the S bit to 0, the P bit to11, and in the ASSOCIATION object the Association ID to the associated protected LSP_ID. 6.2. End-to-End Switchover Request/Response Toco-ordinatecoordinate the switchover betweenend-points,endpoints, an end-to-end switchover request/response exchange is needed since a failure affecting one of the LSPs results in bothend-pointsendpoints switching to theJ.P.Lang et al. Expires February 2007 10other LSP (resulting in receiving traffic from the other LSP) in their respective directions. The procedure is as follows: 1. If an end-node (A or D) detects the failure of the working LSP (or a degradation of signal quality over the working LSP) or receives a Notify message including its SESSION object within the <upstream/downstream session list> (see [RFC3473]), and the new error code/sub-code "Notify Error/ LSP Locally Failed" in the (IF_ID)_ERROR_SPEC object, it MUST begin receiving on the protecting LSP. Note that the <sender descriptor> or <flow descriptor> is also present in the Notify message that resolves any ambiguity and race condition since identifying (together with the SESSION object) the LSP under failure condition. Note: (IF_ID)_ERROR_SPEC indicates that either the ERROR_SPEC (C-Type 1/2) or the ERROR_SPEC (C-Type 3/4, defined in [RFC3473]) can be used. This node MUST reliably send a Notifymessagemessage, including the MESSAGE_IDobjectobject, to the other end-node (D or A, respectively) with the new error code/sub-code "Notify Error/LSP Failure" (Switchover Request) indicating the failure of the working LSP. This Notify message MUST be sent with the ACK_Desired flag set in the MESSAGE_ID object to request the receiver to send an acknowledgment for the message (see [RFC2961]). This (switchover request) Notify message MAY indicate the identity of the failed link or any other relevant information using the IF_ID ERROR_SPEC object (see [RFC3473]). In this case, the IF_ID ERROR_SPEC object replaces the ERROR_SPEC object in the Notifymessage, otherwisemessage; otherwise, the corresponding (data plane) information SHOULD be received in the PathErr/ResvErr message. 2. Upon receipt of the (switchover request) Notify message, the end-node (D or A, respectively) MUST begin receiving from the protecting LSP. This node MUST reliably send a Notifymessagemessage, including the MESSAGE_IDobjectobject, to the other end-node (A or D, respectively). This (switchover response) Notify message MUST also include a MESSAGE_ID_ACK object to acknowledge reception of the (switchover request) Notify message. This (switchover response) Notify message MAY indicate the identity of the failed link or any other relevant information using the IF_ID ERROR_SPEC object (see [RFC3473]). Note: upon receipt of the (switchover response) Notify message, the end-node (A or D, respectively) MUST send an Ack message to the other end-node to acknowledge itsJ.P.Lang et al. Expires February 2007 11reception. Since the intermediate nodes(B,C,E,F(B, C, E, F, and G) are assumed to be GMPLS RSVP-TE signaling capable, each node adjacent to the failure MAY generate a Notify message directed either to the LSP head-end (upstreamdirection)direction), or the LSP tail-end (downstreamdirection)direction), or even both. Therefore, it is expected that these LSP terminating nodes (that MAY also detect the failure of the LSP from the data plane) provide either the right correlation mechanism to avoid repetition of the above procedure or just discard subsequent Notify messages corresponding to the same Session. In addition, for the LSP under failure condition, it is RECOMMENDED to not set the Path_State_ Removed Flag of the ERROR_SPEC object (see [RFC3473]) upon PathErr message generation. After protection switching completes (step 2), and after reception of the PathErr message, to keep track of the LSP from which the signal is taken, the protecting LSP SHOULD be signaled with theO-O bit set. The formerly working LSP MAY be signaled with the A bit set in the ADMIN_STATUS object (see [RFC3473]). Note: when the N bit is set, the end-to-end switchover request/ response exchange described above only provides control plane coordination (no actions are triggered at the data plane level). 7. 1:1 Protection with Extra-Traffic The most common case of end-to-end 1:N protection is to establish, between the sameend-points,endpoints, an end-to-end working LSP (thus, N = 1) and a dedicated end-to-end protecting LSP that are mutually link/ node/SRLG disjoint. This protects against working LSP failure(s). The protecting LSP is used for switchover when the working LSP fails. GMPLS RSVP-TE signaling allows for the pre-provisioning of protecting LSPs by indicating in the Path message (in the PROTECTIONobject,object; see Section 14) that the LSPs are of type protecting. Here, working and protecting LSPs are signaled as primary LSPs; both are fully instantiated during the provisioning phase. Although the resources for the protecting LSP are pre-allocated, preemptable traffic may be carried end-to-end using this LSP. Thus, the protecting LSP is capable of carrying extra-traffic with the caveat that this traffic will be preempted if the working LSP fails. The setup of the working LSP SHOULD indicate that the LSP head-end and tail-end node wish to receive Notify messages using the NOTIFY REQUEST object. The node upstream to the failure (upstream in terms of the direction an Path message traverses) SHOULD send a Notify message to the LSP head-end node, and the node downstream to the failure SHOULD send an Notify message to the LSP tail-end node. Upon receipt of the Notify messages, both the end-nodes MUST switch the (normal) traffic from the working LSP to the pre-configuredJ.P.Lang et al. Expires February 2007 12protecting LSP (see Section 7.2).MoreoverMoreover, some coordination is required if extra-traffic is carried over the end-to-end protecting LSP. Note that if the working and the protecting LSP are established between the sameend-nodesend-nodes, no further notification is required to indicate that the working LSPs are no longer protected. Consider the following topology: A---B---C---D \ / E---F---G The working LSP [A,B,C,D] could be protected by the protecting LSP [A,E,F,G,D]. Both LSPs are fully instantiated (resources are allocated for both working and protecting LSPs) and no resource sharing can be done along the protection path since the primary protecting LSP can carry extra-traffic. Note: it is necessary that both paths are SRLG disjoint to ensurerecoverability otherwiserecoverability; otherwise, a single failure may impact both working and protecting LSPs.7.17.1. Identifiers To simplify association operations, both LSPs belong to the same session. Thus, the SESSION object MUST be the same for both LSPs. The LSP ID, however, MUST be different to distinguish between the protected LSP carrying working traffic and the protecting LSP that can carry extra-traffic. A new PROTECTION object (see Section 14) is included in the Path message used tosetupset up the two LSPs. This object carries the desired end-to-end LSP ProtectionType,Type -- in this case, "1:N Protection with Extra-Traffic". This LSP Protection Type value is applicable to both uni- andbi-directionalbidirectional LSPs. The working LSP is signaled by setting in the new PROTECTION object the S bit to 0, the P bit to00, and in the ASSOCIATIONobjectobject, the Association ID to the protecting LSP_ID. The protecting LSP is signaled by setting in the new PROTECTION object the S bit to 0, the P bit to 1, and in the ASSOCIATIONobjectobject, the Association ID to the associated protected LSP_ID.7.27.2. End-to-End Switchover Request/Response Toco-ordinatecoordinate the switchover betweenend-points,endpoints, an end-to-end switchover request/response is needed such that the affected LSP is moved to the protecting LSP. Protection switching from the working to the protecting LSP (implying preemption of extra-traffic carried over the protecting LSP) must be initiated by one of the end-nodes (A or D).J.P.Lang et al. Expires February 2007 13The procedure is as follows: 1. If an end-node (A or D) detects the failure of the working LSP (or a degradation of signal quality over the working LSP) or receives a Notify message including its SESSION object within the <upstream/downstream session list> (see [RFC3473]), and the new error code/sub-code "Notify Error/LSP Locally Failed" in the (IF_ID)_ERROR_SPEC object, it disconnects the extra-traffic from the protecting LSP. Note that the <sender descriptor> or <flow descriptor> is also present in the Notify message that resolves any ambiguity and race condition since identifying (together with the SESSION object) the LSP under failure condition. This node MUST reliably send a Notifymessagemessage, including the MESSAGE_IDobjectobject, to the other end-node (D or A, respectively) with the new error code/sub-code "Notify Error/LSP Failure" (Switchover Request) indicating the failure of the working LSP. This Notify message MUST be sent with the ACK_Desired flag set in the MESSAGE_ID object to request the receiver to send an acknowledgment for the message (see [RFC2961]). This (switchover request) Notify message MAY indicate the identity of the failed link or any other relevant information using the IF_ID ERROR_SPEC object (see [RFC3473]). In this case, the IF_ID ERROR_SPEC object replaces the ERROR_SPEC object in the Notifymessage, otherwisemessage; otherwise, the corresponding (data plane) information SHOULD be received in the PathErr/ResvErr message. 2. Upon receipt of the (switchover request) Notify message, the end-node (D or A, respectively) MUST disconnect the extra- traffic from the protecting LSP and begin sending/receiving normal traffic out/from the protecting LSP. This node MUST reliably send a Notifymessagemessage, including the MESSAGE_IDobjectobject, to the other end-node (A or D, respectively). This (switchover response) Notify message MUST also include a MESSAGE_ID_ACK object to acknowledge reception of the (switchover request) Notify message. This (switchover response) Notify message MAY indicate the identity of the failed link or any other relevant information using the IF_ID ERROR_SPEC object (see [RFC3473]). Note: since the Notify message generated by the otherend- nodeend-node (A or D, respectively) is distinguishable from the one generated by an intermediate node, there is no possibility of connecting theextra trafficextra-traffic to the working LSP due toJ.P.Lang et al. Expires February 2007 14the receipt of a Notify message from an intermediate node. 3. Upon receipt of the (switchover response) Notify message, the end-node (A or D, respectively) MUST beginreceiving/sendingreceiving normal trafficfrom/outfrom or sending normal traffic out the protecting LSP. This node MUST also send an Ack message to the otherend- nodeend-node (D or A, respectively) to acknowledge the reception of the (switchover response) Notify message. Note 1: a 2-phaseprotection switchingprotection-switching signaling is used in the presentcontext,context; a 3-phase signaling (see [RFC4426]) that would imply a notification message, a switchover request, and a switchover response messages is not considered here. Also, when the protecting LSPs do not carry extra-traffic,protection switchingprotection-switching signalingas(as defined in Section6.26.2) MAY be used instead of the procedure described in this section. Note 2: when the N bit is set, the above end-to-end switchover request/response exchangedoesonlyprovideprovides control plane coordination (no actions are triggered at the data plane level). After protection switching completes (step 3), and after reception of the PathErr message, to keep track of the LSP from which the normal traffic is taken, the protecting LSP SHOULD be signaled with theO-bitO bit set. In addition, the formerly working LSP MAY be signaled with the A bit set in the ADMIN_STATUS object (see [RFC3473]).7.37.3. 1:N (N > 1) Protection with Extra-Traffic 1:N (N > 1) protection with extra-traffic assumes that the fully provisioned protecting LSP is resource-disjoint from the N working LSPs. This protecting LSP thereby allowsthusfor carrying extra-traffic. Note that the N working LSPs and the protecting LSP are all between the same pair ofend-points.endpoints. In addition, the N working LSPs (considered as identical in terms of traffic parameters) MAY be mutually resource-disjoint. Coordination between end-nodes is required when switching from one of the working to the protecting LSP. Each working LSP is signaled with both S bit and P bit set to 0. The LSP Protection Type is set to 0x04 (1:N Protection with Extra- Traffic) during LSP setup. Each Association ID points to the protecting LSP ID. The protecting LSP (carrying extra-traffic) is signaled with the S bit set to 0 and the P bit set to 1. The LSP Protection Type is set to 0x04 (1:N Protection with Extra-Traffic) during LSP setup. The Association ID MUST be set by default to the LSP ID of the protected LSP corresponding to N = 1.J.P.Lang et al. Expires February 2007 15Any signaling procedure applicable to 1:1 protection with extra- traffic equally applies to 1:N protection with extra-traffic. 8.Re-routingRerouting without Extra-Traffic End-to-end (pre-planned)re-routingrerouting without extra-traffic relies on the establishment between the same pair of end-nodes of a working LSP and a protecting LSP that is link/node/SRLG disjoint from the working LSP. However, in this case the protecting LSP is not fullyinstantiated,instantiated; thus, itcan notcannot carry any extra-traffic (note that this does not mean that the corresponding resourcescan notcannot be used by other LSPs). Therefore, this mechanism protects against working LSP failure(s) but requires activation of the protecting LSP after failure occurrence. Signaling is performed by indicating in the Path message (in the PROTECTIONobject,object; see Section 14) that the LSPs are of type working and protecting, respectively. Protecting LSPs are used for fast switchover when working LSPs fail. In this case, working and protecting LSPs are signaled as primary LSP and secondary LSP, respectively. Thus, only the working LSP is fully instantiated during the provisioningphasephase, and for the protecting LSPs, no resources are committed at the data plane level (they are pre- reserved at the control plane level only). The setup of the working LSP SHOULD indicate (using the NOTIFY REQUEST object as specified in Section 4 of [RFC3473]) that the LSP head-end node (and possibly the tail-end node) wish to receive a Notify message upon LSP failure occurrence. Upon receipt of the Notify message, the head-end node MUST switch the (normal) traffic from the working LSP to the protecting LSP after its activation. Note that since the working and the protectingLSPLSPs are established between the sameend-nodesend-nodes, no further notification is required to indicate that the working LSPs areno longer protected.without protection. To make bandwidth pre-reserved for a protecting (but not activated)LSP,LSP available forextra trafficextra-traffic, this bandwidth could be included in the advertised Unreserved Bandwidth at priority lower (means numerically higher) than the Holding Priority of the protecting LSP. In addition, the Max LSP Bandwidth field in the Interface Switching Capability Descriptor sub-TLV should reflect the fact that the bandwidth pre-reserved for the protecting LSP is available for extra traffic. LSPs forextra trafficextra-traffic then can be established using the bandwidth pre-reserved for the protecting LSP by setting (in the Path message) the Setup Priority field of the SESSION_ATTRIBUTE object to X (where X is the Setup Priority of the protectingLSP)LSP), and the Holding Priority field to at leasttoX+1. Also, if the resourcespre-reservedpre- reserved for the protecting LSP are used bylower prioritylower-priority LSPs, these LSPs MUST be preempted when the protecting LSP is activated (see Section 10). Consider the following topology:J.P.Lang et al. Expires February 2007 16A---B---C---D \ / E---F---G The working LSP [A,B,C,D] could be protected by the protecting LSP [A,E,F,G,D]. Only the protected LSP is fully instantiated (resources are only allocated for the working LSP). Therefore, the protecting LSPcan notcannot carry any extra-traffic. When a failure is detected on the working LSP(say(say, at B), the error is propagated and/or notified (using a Notify message with the new error code/sub-code "Notify Error/LSP Locally Failed" in the (IF_ID)_ERROR_SPEC object) to the ingress node (A). Upon reception, the latter activates the secondary protecting LSP instantiated during the (pre-)provisioning phase. This requires: (1) the ability to identify a "secondary protecting LSP" (hereby called the "secondary LSP") used to recover another primary working LSP (hereby called the "protected LSP") (2) the ability to associate the secondary LSP with the protected LSP (3) the capability to activate a secondary LSP after failure occurrence. In the following subsections, these features are described in more detail.8.18.1. Identifiers To simplify association operations, both LSPs(i.e.(i.e., the protected and the secondary LSPs) belong to the same session. Thus, the SESSION object MUST be the same for both LSPs. The LSP ID, however, MUST be different to distinguish between the protected LSP carrying working traffic and the secondary LSP thatcan notcannot carry extra- traffic. A new PROTECTION object (see Section 14) is used tosetupset up the two LSPs. This object carries the desired end-to-end LSP Protection Type (in this case,"Re-routing"Rerouting without Extra-Traffic"). This LSP Protection Type value is applicable to both uni- andbi-directionalbidirectional LSPs.8.28.2. Signaling Primary LSPs The new PROTECTION object is included in the Path message during signaling of the primary working LSP, with the end-to-end LSP Protection Type value set to"Re-routing"Rerouting without Extra-Traffic". Primary working LSPs are signaled by setting in the new PROTECTION object the S bit to 0, the P bit to00, and in the ASSOCIATIONobjectobject, the Association ID to the associated secondary protecting LSP_ID.8.38.3. Signaling Secondary LSPsJ.P.Lang et al. Expires February 2007 17The new PROTECTION object is included in the Path message during signaling of secondary protecting LSPs, with the end-to-end LSP Protection Type value set to"Re-routing"Rerouting without Extra-Traffic". Secondary protecting LSPs are signaled by setting in the new PROTECTION object the S bit and the P bit to11, and in the ASSOCIATIONobjectobject, the Association ID to the associated primary working LSP_ID, which MUST be known before signaling of the secondary LSP. With this setting, the resources for the secondary LSP SHOULD be pre-reserved, but not committed at the data planelevellevel, meaning that the internals of the switch need not be established until explicit action is taken to activate this secondary LSP. Activation of a secondary LSP is done using a modified Path message with the S bit set to 0 in the PROTECTION object. At this point, the link and node resources must be allocated for this LSP that becomes a primary LSP (ready to carry normal traffic). From [RFC3945], the secondary LSP issetupset up with resource pre- reservation but with or without label pre-selection (both allowing sharing of the recovery resources). In the former case (defined as the default), label allocation during secondary LSP signaling does not require any specific procedure compared to [RFC3473]. However, in the latter case, label (and thus resource) re-allocation MAY occur during the secondary LSP activation. This means that during the LSP activation phase, labels MAY bere-assignedreassigned (with higher precedence over existing labelassignment,assignment; see also [RFC3471]). Note: under certain circumstances(e.g.(e.g., when pre-reserved protecting resources are used bylower prioritylower-priority LSPs), it MAY be desirable to perform the activation of the secondary LSP in the upstream direction (Resv trigger message) instead of using the default downstream activation. In this case, any mis-ordering and any mis- interpretation between a refresh Resv (along thelower prioritylower-priority LSP) and a trigger Resv message (along the secondary LSP) MUST be avoided at any intermediate node. For this purpose, upon reception of the Path message, the egress node MAY include the PROTECTION object in the Resv message. The latter is then processed on ahop by hophop-by-hop basis to activate the secondary LSP until reaching the ingress node. The PROTECTION object included in the Path message MUST be set as specified in thisSection.section. In this case, the PROTECTION object with the S bit MUST be set to 0 and included in the Resv message sent in the upstream direction. The upstream activation behavior SHOULD be configurable on a local basis. Details concerninglower prioritylower-priority LSP preemption upon secondary LSP activation are provided in Section 10. 9. Shared-Mesh Restoration An approach to reduce recovery resource requirements is to have protection LSPs sharing network resources when the working LSPs that they protect are physically (i.e., link, node, SRLG, etc.) disjoint.J.P.Lang et al. Expires February 2007 18This mechanism is referred to as shared mesh restoration and is described in [RFC4426]. Shared-mesh restoration can be seen as a particular case of pre-planned LSPre-routingrerouting (see Section 8) that reduces the recovery resource requirements by allowing multiple protecting LSPs to share common link and node resources. Here also, the recovery resources for the protecting LSPs are pre-reserved during the provisioning phase, thus an explicit signaling action is required to activate(i.e.(i.e., commit resource allocation at the data plane) a specific protecting LSP instantiated during the (pre-) provisioning phase. This requires restoration signaling along the protecting LSP. To make bandwidth pre-reserved for a protecting (but not activated) LSP, available forextra trafficextra-traffic this bandwidth could be included in the advertised Unreserved Bandwidth at priority lower (means numerically higher) than the Holding Priority of the protecting LSP. In addition, the Max LSP Bandwidth field in the Interface Switching Capability Descriptor sub-TLV should reflect the fact that the bandwidth pre-reserved for the protecting LSP is available for extra traffic. LSPs forextra trafficextra-traffic then can be established using the bandwidth pre-reserved for the protecting LSP by setting (in the Path message) the Setup Priority field of the SESSION_ATTRIBUTE object to X (where X is the Setup Priority of the protecting LSP) and the Holding Priority field to at leasttoX+1. Also, if the resourcespre-reservedpre- reserved for the protecting LSP are used by lower priority LSPs, these LSPs MUST be preempted when the protecting LSP is activated (see Section 10). Further, if the recovery resources are shared between multiple protecting LSPs, the corresponding working LSPs head-end nodes must be informed that they are no longer protected when the protecting LSP is activated to recover the normal traffic for the working LSP under failure. Consider the following topology: A---B---C---D \ / E---F---G / \ H---I---J---K The working LSPs [A,B,C,D] and [H,I,J,K] could be protected by [A,E,F,G,D] and [H,E,F,G,K], respectively. Per [RFC3209], in order to achieve resource sharing during the signaling of these protecting LSPs, they must have the same Tunnel Endpoint Address (as part of their SESSION object). However, these addresses are not the same in this example. Resource sharing along E, F, and G can only be achieved if the nodes E,FF, and G recognize that the LSP Protection Type of the secondaryLSPsLSP is set to"Re-routing"Rerouting without Extra-Traffic" (see PROTECTION object, Section 14) and acts accordingly. In this case,J.P.Lang et al. Expires February 2007 19the protecting LSPs are not merged (which is useful since the paths diverge at G), but the resources along E, F, G can be shared. When a failure is detected on one of the working LSPs(say(say, at B), the error is propagated and/or notified (using a Notify message with the new error code/sub-code "Notify Error/LSP Locally Failed" in the (IF_ID)_ERROR_SPEC object) to the ingress node (A). Upon reception, the latter activates the secondary protecting LSP (see Section 8). At this point, it is important that a failure on the other LSP(say(say, at J) does not cause the other ingress (H) to send the data down the protecting LSP since the resources are already in use. This can be achieved by node E using the following procedure. When the capacity is first reserved for the protecting LSP, E should verify that the LSPs being protected ([A,B,C,D] and [H,I,J,K], respectively) do not share any common resources. Then, when a failure occurs(say(say, at B) and the protecting LSP [A,E,F,G,D] is activated, E should notify H that the resources for the protecting LSP [H,E,F,G,K] are no longer available. The followingsub-sections detailssubsections detail how shared mesh restoration can be implemented in an interoperable fashion using GMPLS RSVP-TE extensions (see [RFC3473]). This includes: (1) the ability to identify a "secondary protecting LSP" (hereby called the "secondary LSP") used to recover another primary working LSP (hereby called the "protected LSP") (2) the ability to associate the secondary LSP with the protected LSP (3) the capability to include information about the resources used by the protected LSP while instantiating the secondary LSP. (4) the capability to instantiate during the provisioning phase several secondary LSPs in an efficient manner. (5) the capability to activate a secondary LSP after failure occurrence. In the following subsections, these features are described in detail. 9.1. Identifiers To simplify association operations, both LSPs(i.e.(i.e., the protected and the secondary LSPs) belong to the same session. Thus, the SESSION object MUST be the same for both LSPs. The LSP ID, however, MUST be different to distinguish between the protected LSP carrying working traffic and the secondary LSP thatcan notcannot carry extra- traffic. A new PROTECTION object (see Section 14) is used tosetupset up the two LSPs. This object carries the desired end-to-end LSP ProtectionType,Type -- in this case,"Re-routing"Rerouting without Extra-Traffic". This LSP Protection Type value is applicable to both uni- andbi-directionalbidirectional LSPs.J.P.Lang et al. Expires February 2007 20 9.29.2. Signaling Primary LSPs The new PROTECTION object is included in the Path message during signaling of the primary working LSPs, with the end-to-end LSP Protection Type value set to"Re-routing"Rerouting without Extra-Traffic". Primary working LSPs are signaled by setting in the new PROTECTION object the S bit to 0, the P bit to00, and in the ASSOCIATIONobjectobject, the Association ID to the associated secondary protecting LSP_ID.9.39.3. Signaling Secondary LSPs The new PROTECTION object is included in the Path message during signaling of the secondary protecting LSPs, with the end-to-end LSP Protection Type value set to"Re-routing"Rerouting without Extra-Traffic". Secondary protecting LSPs are signaled by setting in the new PROTECTION object the S bit and the P bit to11, and in the ASSOCIATIONobjectobject, the Association ID to the associated primary working LSP_ID, which MUST be known before signaling of the secondary LSP. Moreover, the Path message used to instantiate the secondary LSP SHOULD include at least onePRIMARY PATH ROUTEPRIMARY_PATH_ROUTE object (see Section 15) that further allows for recovery resource sharing at each intermediate node along the secondary path. With this setting, the resources for the secondary LSP SHOULD be pre-reserved, but not committed at the data planelevellevel, meaning that the internals of the switch need not be established until explicit action is taken to activate this LSP. Activation of a secondary LSP is done using a modified Path message with the S bit set to 0 in the PROTECTION object. At this point, the link and node resources must be allocated for this LSP that becomes a primary LSP (ready to carry normal traffic). From [RFC3945], the secondary LSP issetupset up with resource pre- reservation but with or without label pre-selection (both allowing sharing of the recovery resources). In the former case (defined as the default), label allocation during secondary LSP signaling does not require any specific procedure compared to [RFC3473]. However, in the latter case, label (and thus resource) re-allocation MAY occur during the secondary LSP activation. This meansthatthat, during the LSP activation phase, labels MAY bere-assignedreassigned (with higher precedence over existing labelassignment,assignment; see also [RFC3471]). 10. LSP Preemption When protecting resources are only pre-reserved for the secondary LSPs, they MAY be used tosetup lower priorityset up lower-priority LSPs. In this case, these resources MUST be preempted when the protecting LSP is activated. An additional condition raises frommis-connectionmisconnection avoidance between the secondary protecting LSP being activated and thelow prioritylow-priority LSP(s) being preempted. Procedure to be appliedJ.P.Lang et al. Expires February 2007 21when the secondary protecting LSP(i.e.(i.e., thepre-emptingpreempting LSP) Path message reaches a node using the resources forlower prioritylower-priority LSP(s)(i.e. pre-empted(i.e., preempted LSP(s)) is as follows: 1.DeallocateDe-allocate resources to be used by thepre-emptingpreempting LSP and release the cross-connection. Note that if thepre-emptingpreempting LSP isbi-directional,bidirectional, these resources may come from one or twolowerlower- priority LSPs, and if from two LSPs, they may be uni- or bi- directional. Thepre-emptingpreempting node SHOULD NOT send the Path message before thedeallocationde-allocation of resources has completed since this may lead to the downstream path becoming misconnected if the downstream node is able tore-assignreassign the resources more quickly. 2. Send PathTear and PathErr messages with the new error code/sub- code "Policy Control failure/HardPre-empted"preempted" and thePath_State_ RemovedPath_State_Removed flag set for thepre-emptedpreempted LSP(s). 3. Reserve thepre-emptedpreempted resources for the protecting LSP. Thepre- emptingpreempting node MUST NOT cross-connect the upstream resources of abi- directional pre-emptingbidirectional preempting LSP. 4. Send the Path message. 5. Upon reception of a trigger Resv message from the downstream node, cross-connect the downstream pathresourcesresources, and if thepre- emptingpreempting LSP isbi-directional,bidirectional, perform cross-connection for the upstream path resources. Note that step 1 may cause alarms to be raised for thepre-emptedpreempted LSP. If alarm suppression isdesireddesired, thepre-emptingpreempting node MAY insert the following steps before step 1. 1a. Beforedeallocating resourcesde-allocating resources, send a Resvmessagemessage, including an ADMIN_STATUSobjectobject, to disable alarms for thepre-emptedpreempted LSP. 1b. Receive a Path message indicating that alarms are disabled. At the downstream node (with respect to thepre-empting LSP)preempting LSP), the processing is RECOMMENDED to be as follows: 1. Receive PathTear (and/or PathErr) message for thepre-emptedpreempted LSP(s).2a.Release2a. Release the resources associated with the LSP on the interface to thepre-emptingpreempting LSP, remove anycross-connectioncross-connection, and release all other resources associated with thepre-emptedpreempted LSP.2b.Forward2b. Forward the PathTear (and/or PathErr) message per [RFC3473]. 3. Receive the Path message for thepre-emptingpreempting LSP and process as normal, forwarding it to the downstream node. 4. Receive the Resv message for thepre-emptingpreempting LSP and process as normal, forwarding it to the upstream node.J.P.Lang et al. Expires February 2007 2211. (Full) LSPRe-routingRerouting LSPre-routing,rerouting, on the other hand, switches normal traffic to an alternate LSP that is fully established only after failure occurrence. The new (alternate) route is selected at the LSP head- end and may reuse intermediate nodes included in the original route; it may also include additional intermediate nodes. For strict-hop routing, TE requirements can be directly applied to the route computation, and the failed node or link can be avoided. However, if the failure occurred within a loose-routed hop, the head-end node may not have enough information to reroute the LSP around the failure. Crankback signaling (see [CRANK]) and route exclusion techniques (see[XRO])[RFC4874]) MAY be used in this case. The alternate route MAY be either computed on demand (that is, when the failure occurs; this is referred to as full LSPre-routing)rerouting) or pre-computed and stored for use when the failure is reported. The latter offers faster restoration time. There is, however, a risk that the alternate route will become out of date through other changes in thenetwork -network; this can be mitigated to some extent by periodic recalculation of idle alternate routes. (Full) LSPre-routingrerouting will be initiated by the head-end node that has either detected the LSP failure or received a Notify message and/or a PathErr message with the new error code/sub-code "Notify Error/LSP Locally Failed" for this LSP. The new LSP resources can be established using the make-before-break mechanism, where the new LSP issetupset up before the old LSP is torn down. This is done by using the mechanisms of the SESSION_ATTRIBUTE object and the Shared-Explicit (SE) reservation style (see [RFC3209]). Both the new and old LSPs can share resources at common nodes. Note that the make-before-break mechanism is not used to avoid disruption to the normal traffic flow (the latter has already been broken by the failure that is being repaired). However, it is valuable to retain the resources allocated on the original LSP that will bere-usedreused by the new alternate LSP.11.111.1. Identifiers The TunnelEnd PointEndpoint Address, Tunnel ID, Extended Tunnel ID, and Tunnel Sender Address uniquely identify both the old and new LSPs. Only the LSP_ID value differentiates the old from the new alternate LSP. The new alternate LSP issetupset up before the old LSP is torn down using Shared-Explicit (SE) reservation style. This ensures that the new (alternate) LSP is established withoutdouble countingdouble-counting resource requirements along common segments. The alternate LSP MAY besetupset up before any failure occurrence withSE styleSE-style resource reservation, the latter shares the same Tunnel End Point Address, Tunnel ID, Extended Tunnel ID, and Tunnel SenderJ.P.Lang et al. Expires February 2007 23Address with the original LSP(i.e.(i.e., only the LSP ID value MUST be different). In both cases, the Association ID of the ASSOCIATION object MUST be set to the LSP ID value of the signaled LSP.11.211.2. SignalingRe-routableReroutable LSPs A new PROTECTION object is included in the Path message during signaling of dynamicallyre-routablereroutable LSPs, with the end-to-end LSP Protection Type value set to "FullRe-routing".Rerouting". These LSPs that can be either uni- orbi-directionalbidirectional are signaled by setting in the PROTECTION object the S bit to 0, the P bit to00, and the Association ID value to the LSP_ID value of the signaled LSP. Any specific action to be taken during the provisioning phase is up to the end- node local policy. Note: when the end-to-end LSP Protection Type is set to "Unprotected", both S and P bit MUST be set to00, and the LSP SHOULD NOT bere-routedrerouted at the head-end node after failure occurrence. The Association_ID value MUST be set to the LSP_ID value of the signaled LSP. This does not mean that the Unprotected LSPcan notcannot be re- established for other reasons such as path re-optimization and bandwidth adjustment driven by policy conditions. 12. Reversion Reversion refers to a recovery switching operation, where the normal traffic returns to (or remains on) the working LSP when it has recovered from the failure. Reversion implies that resources remain allocated to the LSP that was originally routed over them even after a failure. It is important to have mechanisms that allow reversion to be performed with minimal service disruption and reconfiguration. For "1+1bi-directionalbidirectional Protection", reversion to the recovered LSP occurs by using the following sequence: 1. Clear the A bit of the ADMIN_STATUS object if set for the recovered LSP. 2. Then, apply the method describedherebelow to switch normal traffic back from the protecting to the recovered LSP. This is performed by using the new error code/sub-code "Notify Error/LSP Recovered" (Switchback Request). The procedure is as follows:1.1) The initiating (source) node sends the normal traffic onto both the working and the protecting LSPs. Once completed, the source node sends reliably a Notify message to the destination with the new error code/sub-code "Notify Error/LSP Recovered" (Switchback Request). This Notify message includes theJ.P.Lang et al. Expires February 2007 24MESSAGE_ID object. The ACK_Desired flag MUST be set in this object to request the receiver to send an acknowledgment for the message (see [RFC2961]).2.2) Upon receipt of this message, the destination selects the traffic from the working LSP. At the same time, it transmits the traffic onto both the working and protecting LSP. The destination then sends reliably a Notify message to the source confirming the completion of the operation. This message includes the MESSAGE_ID_ACK object to acknowledge reception of the received Notify message. This Notify message also includes the MESSAGE_ID object. The ACK_Desired flag MUST be set in this object to request the receiver to send an acknowledgment for the message (see [RFC2961]).3.3) When the source node receives this Notify message, it switches to receive traffic from the working LSP. The source node then sends an Ack message to the destination node confirming that the LSP has been reverted. 3. Finally, clear the O bit of the PROTECTION object sent over the protecting LSP. For "1:N Protection with Extra-traffic", reversion to the recovered LSP occurs by using the following sequence: 1. Clear the A bit of the ADMIN_STATUS object if set for the recovered LSP. 2. Then, apply the method describedherebelow to switch normal traffic back from the protecting to the recovered LSP. This is performed by using the new error code/sub-code "Notify Error/LSP Recovered" (Switchback Request). The procedure is as follows:1.1) The initiating (source) node sends the normal traffic onto both the working and the protecting LSPs. Once completed, the source node sends reliably a Notify message to the destination with the new error code/sub-code "Notify Error/LSP Recovered" (Switchback Request). This Notify message includes the MESSAGE_ID object. The ACK_Desired flag MUST be set in this object to request the receiver to send an acknowledgment for the message (see [RFC2961]).2.2) Upon receipt of this message, the destination selects the traffic from the working LSP. At the same time, it transmits the traffic onto both the working and protecting LSP. The destination then sends reliably a Notify message to theJ.P.Lang et al. Expires February 2007 25source confirming the completion of the operation. This message includes the MESSAGE_ID_ACK object to acknowledge reception of the received Notify message. This Notify message also includes the MESSAGE_ID object. The ACK_Desired flag MUST be set in this object to request the receiver to send an acknowledgment for the message (see [RFC2961]).3.3) When the source node receives this Notify message, it switches to receive traffic from the working LSP, and stops transmitting traffic on the protecting LSP. The source node then sends an Ack message to the destination node confirming that the LSP has been reverted.4.4) Upon receipt of this message, the destination node stops transmitting traffic along the protecting LSP. 3. Finally, clear the O bit of the PROTECTION object sent over the protecting LSP. For"Re-routing"Rerouting without Extra-traffic" (including the shared recovery case), reversion implies that the formerly working LSP has not been torn down by the head-end node upon PathErr messagereception i.e.reception, i.e., the head-end node kept refreshing the working LSP under failure condition. This ensures that the exact same resources are retrieved after reversion switching (except if the working LSP requiredre-signaling).re- signaling). Re-activation is performed using the following sequence: 1. Clear the A bit of the ADMIN_STATUS object if set for the recovered LSP. 2. Then, apply the method describedherebelow to switch normal traffic back from the protecting to the recovered LSP. This is performed by using the new error code/sub-code "Notify Error/LSP Recovered" (Switchback Request). The procedure is as follows:1.1) The initiating (source) node sends the normal traffic onto both the working and the protecting LSPs. Once completed, the source node sends reliably a Notify message to the destination with the new error code/sub-code "Notify Error/LSP Recovered" (Switchback Request). This Notify message includes the MESSAGE_ID object. The ACK_Desired flag MUST be set in this object to request the receiver to send an acknowledgment for the message (see [RFC2961]).2.2) Upon receipt of this message, the destination selects the traffic from the working LSP. At the same time, it transmits the traffic onto both the working and protecting LSP.J.P.Lang et al. Expires February 2007 26The destination then sends reliably a Notify message to the source confirming the completion of the operation. This message includes the MESSAGE_ID_ACK object to acknowledge reception of the received Notify message. This Notify message also includes the MESSAGE_ID object. The ACK_Desired flag MUST be set in this object to request the receiver to send an acknowledgment for the message (see [RFC2961]).3.3) When the source node receives this Notify message, it switches to receive traffic from the working LSP, and stops transmitting traffic on the protecting LSP. The source node then sends an Ack message to the destination node confirming that the LSP has been reverted.4.4) Upon receipt of this message, the destination node stops transmitting traffic along the protecting LSP. 3. Finally, de-activate the protecting LSP by setting the S bit to 1 in the PROTECTION object sent over the protecting LSP. 13. Recovery Commands This section specifies the control plane behavior when using several commands (see [RFC4427]) that can be used to influence the recovery operations. A. Lockout of recovery LSP: The Lockout (L) bit(L bit)of the ADMIN_STATUS object is used following the rules defined in Section 8 of [RFC3471] and Section 7 of [RFC3473]. The L bit must be set together with the Reflect (R) bit in the ADMIN_STATUS object sent in the Path message. Upon reception of the Resv message with the L bit set, this forces the recovery LSP to be temporarily unavailable to transport traffic (either normal orextra traffic).extra-traffic). Unlock is performed by clearing the L bit, following the rules defined in Section 7 of [RFC3473]. This procedure is only applicable when the LSP Protection Type Flag is set to either 0x04 (1:N Protection with Extra-Traffic), or 0x08 (1+1 UnidirectionalProtection)Protection), or 0x10 (1+1Bi-directionalBidirectional Protection). The updated format of the ADMIN_STATUS object to include the L bit is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | Class-Num(196)| C-Type (1) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |R| Reserved |L|I|C|T|A|D| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+J.P.Lang et al. Expires February 2007 27Lockout (L): 1 bit When set,indicatesforces the recovery LSP to be temporarily unavailable to transport traffic (either normal or extra traffic). The R (Reflect), T (Testing), A (Administrativelydown)down), and D (Deletion in progress) bits are defined in [RFC3471]. The C (Call control) bit is defined in [GMPLS-CALL], and the I (Inhibit alarm communication) bit in[ALARM].[RFC4783]. B. Lockout of normal traffic: The O bit of the PROTECTION object is set to 1 to force the recovery LSP to be temporarily unavailable to transport normal traffic. This operation MUST NOT occur unless the working LSP is carrying the normal traffic. Unlock is performed by clearing the O bit over the protecting LSP. This procedure is only applicable when the LSP Protection Type Flag is set to either 0x04 (1:N Protection with Extra-Traffic), or 0x08 (1+1 UnidirectionalProtection)Protection), or 0x10 (1+1Bi-directionalBidirectional Protection). C. Forced switch for normal traffic: Recovery signaling is initiated that switches normal traffic to the recovery LSP following the procedures defined in Section 6, 7,88, and 9. D. Requested switch for normal traffic: Recovery signaling is initiated that switches normal traffic to the recovery LSP following the procedures defined in Section 6, 7,88, and 9.This, except ifThis happens unless a fault condition exists on otherLSPs/spansLSPs or spans (including the recoveryLSP)LSP), orana switch command of equal or higher priorityswitch commandis in effect. E. Requested switch for recovery LSP: Recovery signaling is initiated that switches normal traffic to the working LSP following the procedure defined in Section 12.This,This request is executed except if a fault condition exists on the working LSP or an equal or higher priority switch command is in effect. 14. PROTECTION Object This section describes the extensions to the PROTECTION object to broaden its applicability to end-to-end LSP recovery.14.114.1. Format The format of the PROTECTION Object (Class-Num = 37, C-Type =2, suggested value, TBA by IANA)2) is as follows:J.P.Lang et al. Expires February 2007 280 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | Class-Num(37) | C-Type(TBA)(2) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |S|P|N|O| Reserved | LSP Flags | Reserved | Link Flags| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Secondary (S): 1 bit When set to 1, this bit indicates that the requested LSP is a secondary LSP. When set to 0 (default), it indicates that the requested LSP is a primary LSP. Protecting (P): 1 bit When set to 1, this bit indicates that the requested LSP is a protecting LSP. When set to 0 (default), it indicates that the requested LSP is a working LSP. The combination, S set to 1 with P set to 0 is not valid. Notification (N): 1 bit When set to 1, this bit indicates that the control plane message exchange is only used for notification during protection switching. When set to 0 (default), it indicates that the control plane message exchanges are used forprotection switchingprotection-switching purposes. The N bit is only applicable when the LSP Protection Type Flag is set to either 0x04 (1:N Protection with Extra-Traffic), or 0x08 (1+1 UnidirectionalProtection)Protection), or 0x10 (1+1Bi-directionalBidirectional Protection). The N bit MUST be set to 0 in any other case. Operational (O): 1 bit When set to 1, this bit indicates that the protecting LSP is carrying the normal traffic after protection switching. The O bit is only applicable when the P bit is set to11, and the LSP Protection Type Flag is set to either 0x04 (1:N Protection with Extra-Traffic), or 0x08 (1+1 Unidirectional Protection) or 0x10 (1+1Bi-directionalBidirectional Protection). The O bit MUST be set to 0 in any other case. Reserved: 5 bits This field is reserved. It MUST be set to zero on transmission and MUST be ignored on receipt. These bits SHOULD be passed through unmodified by transit nodes.J.P.Lang et al. Expires February 2007 29LSP (Protection Type) Flags: 6 bits Indicates the desired end-to-end LSP recovery type. A value of 0 implies that the LSP is "Unprotected". Only one value SHOULD be set at a time. The following values are defined. All other values are reserved. 0x00 Unprotected 0x01 (Full)Re-routingRerouting 0x02Re-routingRerouting without Extra-Traffic 0x04 1:N Protection with Extra-Traffic 0x08 1+1 Unidirectional Protection 0x10 1+1Bi-directionalBidirectional Protection Reserved: 10 bits This field is reserved. It MUST be set to zero on transmission and MUST be ignored on receipt. These bits SHOULD be passed through unmodified by transit nodes. Link Flags: 6 bits Indicates the desired link protection type (see [RFC3471]). Reserved field: 32 bits Encoding of this field is detailed in[SEGREC]. 14.2[RFC4873]. 14.2. Processing Intermediate and egress nodes processing a Path message containing a PROTECTION object MUST verify that the requested LSP Protection Type can be satisfied by the incoming interface. If itcan not,cannot, the node MUST generate a PathErr message, with the new error code/sub-code "Routing problem/Unsupported LSP Protection". Intermediate nodes processing a Path message containing a PROTECTION object with the LSP Protection Type 0x02(Re-routing(Rerouting without Extra- Traffic) value set and aPRIMARY PATH ROUTEPRIMARY_PATH_ROUTE object (see Section 15) MUST verify that the requested LSP Protection Type can be supported by the outgoing interface. If itcan not,cannot, the node MUST generate a PathErr message with the new error code/sub-code "Routing problem/Unsupported LSP Protection". 15.PRIMARY PATH ROUTEPRIMARY_PATH_ROUTE Object ThePRIMARY PATH ROUTEPRIMARY_PATH_ROUTE object (PPRO) is defined to inform nodes along the path of a secondary protecting LSP about which resources (link/nodes) are being used by the associated primary protected LSP (as specified by the Association ID field). If the LSP Protection Type value is set to 0x02(Re-routing(Rerouting without Extra-Traffic), this object SHOULD be present in the Path message for thepre- J.P.Lang et al. Expires February 2007 30 provisioningpre-provisioning of the secondary protecting LSP to enable recovery resource sharing between one or more secondary protecting LSPs (see Section 9). This document does not assume or preclude any other usage for this object.PRIMARY PATH ROUTEPRIMARY_PATH_ROUTE objects carry information extracted from the EXPLICIT ROUTE object and/or the RECORD ROUTE object of the primary working LSPs they protect. Selection of the PPRO content is up to local policy of the head-end node that initiates the request. Therefore, the information included in these objects can be used as policy-based admission control to ensure that recovery resources are only shared between secondary protecting LSPs whose associated primary LSPs have link/node/SRLG disjoint paths.15.115.1. Format The primary path route is specified via the PRIMARY_PATH_ROUTE object (PPRO). The Primary Path Route Class Number (Class-Num) of form 0bbbbbbbis TBA by IANA.38. Currently one C-Type (Class-Type) is defined, Type 1, Primary Path Route. The PRIMARY_PATH_ROUTE object has the following format: Class-Num =TBA by IANA38 (of the form 0bbbbbbb), C-Type = 1(suggested)0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | // (Subobjects) // | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The contents of a PRIMARY_PATH_ROUTE object are a series of variable-length data items called subobjects (see Section 15.3). To signal a secondary protecting LSP, the Path message MAY include one or multiple PRIMARY_PATH_ROUTE objects, where each object is meaningful. The latter is useful when a given secondary protecting LSP must be link/node/SRLG disjoint from more than one primary LSP(i.e.(i.e., is protecting more than one primary LSP).15.215.2. Subobjects ThePRIMAY_PATH_ROUTEPRIMARY_PATH_ROUTE object is defined as a list of variable-length data items called subobjects. These subobjects are derived from the subobjects of the EXPLICIT ROUTE and/or RECORD ROUTE object of the primary working LSP(s). Each subobject has its own length field. The length contains the total length of the subobject in bytes, including the Type andJ.P.Lang et al. Expires February 2007 31Length fields. The length MUST always be a multiple of 4, and at least 4. The following subobjects are currently defined for thePRIMARY PATH ROUTEPRIMARY_PATH_ROUTE object: - Sub-Type 1: IPv4 Address (see [RFC3209]) - Sub-Type 2: IPv6 Address (see [RFC3209]) - Sub-Type 3: Label (see [RFC3473]) - Sub-Type 4: Unnumbered Interface (see [RFC3477]) An empty PPRO with no subobjects is consideredasillegal. If there is no first subobject, the corresponding Path message is also inerrorerror, and the receiving node SHOULD return a PathErr message with the new error code/sub-code "Routing Problem/BadPRIMARY PATH_ROUTEPRIMARY_PATH_ROUTE object". Note: an intermediate node processing a PPRO can derive SRLG identifiers from the local IGP-TE database using its Type 1,22, or 4 subobject values as pointers to the corresponding TE Links (assuming each of them has an associated SRLG TE attribute).15.315.3. Applicability The PRIMARY_PATH_ROUTE object MAY only be used when all GMPLS nodes along the path support the PRIMARY_PATH_ROUTE object and a secondary protecting LSP is being requested. The PRIMARY_PATH_ROUTE object is assigned a class value of the form 0bbbbbbb. Receiving GMPLS nodes along the path that do not support this object MUST return a PathErr message with the "Unknown Object Class" error code (see [RFC2205]). Also, the following restrictions MUST be applied with respect to the PPRO usage: - PPROs MAY only be included in Path messages when signaling secondary protecting LSPs (S bit = 1 and P bit = 1) and when the LSP Protection Type value is set to 0x02(Re-routing without Extra-Traffic)(without Rerouting Extra- Traffic) in the PROTECTION object (see Section14.).14). - PRROs SHOULD be present in the Path message for the pre- provisioning of the secondary protecting LSP to enable recovery resource sharing between one or more secondary protecting LSPs (see Section 15.4). - PPROs MUST NOT be used in any other conditions. In particular, if a PPRO is received when the S bit is set to 0 in the PROTECTION object, the receiving node MUST return a PathErr message with the new error code/sub-code "RoutingProblem/PRIMARY PATH_ROUTEProblem/PRIMARY_PATH_ROUTE object not applicable". - Crossed exchanges of PPROs over primary LSPs are forbidden(i.e.(i.e., their usage is restricted to a single set of protected LSPs).J.P.Lang et al. Expires February 2007 32- The PPRO's content MUST NOT include subobjects coming from other PPROs. In particular, received PPROs MUST NOT bere-usedreused to establish other working or protecting LSPs.15.415.4. Processing The PPRO enables sharing recovery resources between a given secondary protecting LSP and one or more secondary protecting LSPs if their corresponding primary working LSPs have mutually (link/node/SRLG) disjoint paths. Consider a node N through which n secondary protecting LSPs(say(say, P[1],...,P[n]) have already been establishedand protectingthat protect n primary working LSPs(say(say, P'[1],...,P'[n]). Suppose also that these n secondary working LSPs share a given outgoing link resource (say r). Now, suppose that node N receives a Path message for an additional secondary protecting LSP(say(say, Q, protecting Q'). The PPRO carried by this Pathmessagesmessage is processed as follows: - N checks whether the primary working LSPs P'[1],...,P'[n] associated with the LSPsP[1],...,P[n] respectivelyP[1],...,P[n], respectively, have any link,nodenode, and SLRG in common with the primary working Q' (associated with Q) by comparing the stored PPRO subobjects associated with P'[1],...,P'[n] with the PPRO subobjects associated with Q' received in the Path message. - If this is the case, N SHOULD NOT attempt to share the outgoing link resource r between P[1],...,P[n] and Q. However, upon local policy decision, N MAY allocate another available (shared) link other than r for use by Q. If this is not the case (upon the local policy decision that no other link is allowed to be allocated for Q) or if no other link is available for Q, N SHOULD return a PathErr message with the new error code/sub-code "Admission Control Failure/LSP Admission Failure". - Otherwise (if P'[1],...,P'[n] and Q' are fully disjoint), the link r selected by N for the LSP Q MAY be exactly the same as the one selected for the LSPs P[1],...,P[n].This,This happens after verifying(also from its(from the node's local policy) that the selected link r can be shared between these LSPs. If this is not the case (for instance, the sharing ratio has reached its maximum for thatlink)link), and if upon local policydecisiondecision, no other link is allowed to be allocated for Q, N SHOULD return a PathErr message with the error code/sub-code "Admission Control Failure/Requested Bandwidth Unavailable" (see [RFC2205]). Otherwise (if no other link is available), N SHOULD return a PathErr message with the new error code/sub-code "Admission Control Failure/LSP Admission Failure". Note that the process, through which m out of the n (m =< n) secondary protectingLSPsLSPs' PPROs may be selected on a local basis toJ.P.Lang et al. Expires February 2007 33perform the above comparison and subsequent link selection, is out of scope of this document. 16. ASSOCIATION Object The ASSOCIATION object is used to associate LSPs with each other. In the context of end-to-end LSP recovery, the association MUST only identify LSPs that support the same Tunnel ID as well as the same tunnel sender address and tunnelend pointendpoint address. The Association Type, AssociationSourceSource, and Association ID fields of the object together uniquely identify an association. The object uses an object class number of the form 11bbbbbb to ensure compatibility with non- supporting nodes. The ASSOCIATION object is used to associate LSPs with each other.16.116.1. Format The IPv4 ASSOCIATION object (Class-Num of the form 11bbbbbb with value =198,199, C-Type =1, suggested values, TBA by IANA)1) has the format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length |Class-Num(TBD)|Class-Num(199)| C-Type (1) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Association Type | Association ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPv4 Association Source | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The IPv6 ASSOCIATION object (Class-Num of the form 11bbbbbb with value =198,199, C-Type =2, suggested values, TBA by IANA)2) has the format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length |Class-Num(TBD)|Class-Num(199)| C-Type (2) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Association Type | Association ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | IPv6 Association Source | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Association Type: 16 bits Indicates the type of association being identified. Note that this value is considered when determining association. The following are values defined in this document.J.P.Lang et al. Expires February 2007 34Value Type ----- ---- 0 Reserved 1 Recovery (R) Association ID: 16 bits A value assigned by the LSP head-end. When combined with the Association Type and Association Source, this value uniquely identifies an association. Association Source: 4 or 16 bytes An IPv4 or IPv6 address, respectively, that is associated to the node that originated the association. 16.2. Processing In the end-to-end LSP recovery context, the ASSOCIATION object is used to associate a recovery LSP with the LSP(s) it is protecting or a protected LSP(s) with its recovery LSP. The object is carried in Path messages. More than one object MAY be carried in a single Path message. Transit nodes MUST transmit, without modification, any received ASSOCIATION object in the corresponding outgoing Path message. An ASSOCIATION object with an Association Type set to the value "Recovery" is used to identify anLSP Recovery relatedLSP-Recovery-related association. Any node associating a recovery LSP MUST insert an ASSOCIATION object with the following setting: -theThe Association Type MUST be set to the value "Recovery" in the Path message of the recoveryLSPLSP. -theThe (IPv4/IPv6) Association Source MUST be set to the tunnel sender address of the LSP beingprotectedprotected. -theThe Association ID MUST be set to the LSP ID of the LSP being protected by this LSP or the LSP protecting this LSP. If unknown, this value is set to its own signaled LSP_ID value (default). Also, the value of the Association ID MAY change during the lifetime of the LSP. Terminating nodes use received ASSOCIATION object(s) with the Association Type set to the value "Recovery" to associate a recovery LSP with its matching working LSP. This information is used to bind the appropriate working and recovery LSPs together. Such nodes MUST ensure that the received Pathmessagesmessages, including ASSOCIATIONobject(s)object(s), are processed with the appropriate PROTECTION object settings, if present (see Section 14 for PROTECTION object processing). Otherwise, this node MUST return a PathErr message with the new error code/sub-code "LSP Admission Failure/Bad Association Type". Similarly, terminating nodes receiving a Path message with aJ.P.Lang et al. Expires February 2007 35PROTECTION object requiring association between working and recovery LSPs MUST include an ASSOCIATION object. Otherwise, such nodes MUST return a PathErr message with the new error code/sub-code "Routing Problem/PROTECTION object not Applicable". 17. Updated RSVP Message Formats This section presents the RSVPmessage relatedmessage-related formats as modified by this document. Unmodified RSVP message formats are not listed. The format of a Path message is as follows: <Path Message> ::= <Common Header> [ <INTEGRITY> ] [ [<MESSAGE_ID_ACK> | <MESSAGE_ID_NACK>] ... ] [ <MESSAGE_ID> ] <SESSION> <RSVP_HOP> <TIME_VALUES> [ <EXPLICIT_ROUTE> ] <LABEL_REQUEST> [ <PROTECTION> ] [ <LABEL_SET> ... ] [ <SESSION_ATTRIBUTE> ] [ <NOTIFY_REQUEST> ... ] [ <ADMIN_STATUS> ] [ <ASSOCIATION> ... ] [ <PRIMARY_PATH_ROUTE> ... ] [ <POLICY_DATA> ... ] <sender descriptor> The format of the <sender descriptor> for unidirectional and bidirectional LSPs is not modified by the present document. The format of a Resv message is as follows: <Resv Message> ::= <Common Header> [ <INTEGRITY> ] [ [<MESSAGE_ID_ACK> | <MESSAGE_ID_NACK>] ... ] [ <MESSAGE_ID> ] <SESSION> <RSVP_HOP> <TIME_VALUES> [ <RESV_CONFIRM> ] [ <SCOPE> ] [ <PROTECTION> ] [ <NOTIFY_REQUEST> ] [ <ADMIN_STATUS> ] [ <POLICY_DATA> ... ] <STYLE> <flow descriptor list> <flow descriptor list> is not modified by this document. 18. Security ConsiderationsJ.P.Lang et al. Expires February 2007 36The security threats identified in [RFC4426] may be experienced due to the exchange of RSVP messages and information as detailed in this document. The following security mechanisms apply. RSVP signaling MUST be able to provide authentication and integrity. Authentication is required to ensure that the signaling messages are originating from the right place and have not been modified in transit. For this purpose, [RFC2747] provides the required RSVP message authentication and integrity for hop-by-hop RSVP message exchanges. For non hop-by-hop RSVP message exchanges the standardIPSEC basedIPsec-based integrity and authentication can be used as explained in [RFC3473]. Moreover, this document makes use of the Notify message exchange. This precludes RSVP's hop-by-hop integrity and authentication model. In the case, when the same level of security provided by [RFC2747] is desired, the standard IPsec based integrity and authentication can be used as explained in [RFC3473]. To preventfromthe consequences of poorly applied protection and the increased risk of misconnection, in particular, whenExtra Trafficextra-traffic is involved, that would deliver the wrong traffic to the wrong destination, specific mechanisms have been put in place as described in Section 7.2,8.38.3, and 10. 19. IANA Considerations IANA assigns values to RSVP protocol parameters. Within the currentdocumentdocument, a PROTECTION object (new C-Type), aPRIMARY PATH ROUTEPRIMARY_PATH_ROUTE object, and an ASSOCIATION object are defined. In addition, new Error code/sub-code values are defined in this document. Finally, registration of the ADMIN_STATUS object bits is requested. Two RSVP Class Numbers (Class-Num) and three Class Types (C-Types) values have to be defined by IANA in registry: http://www.iana.org/assignments/rsvp-parameters 1) PROTECTION object (defined in Section 14.1) o PROTECTION object: Class-Num = 37 - Type 2: C-Type = 2(suggested)2)PRIMARY PATH ROUTEPRIMARY_PATH_ROUTE object (defined in Section 15.1) oPRIMARY PATH ROUTEPRIMARY_PATH_ROUTE object: Class-Num =TBA38 (of the form 0bbbbbbb), - Primary Path Route: C-Type = 1(suggested)3) ASSOCIATION object (defined in Section 16.1)J.P.Lang et al. Expires February 2007 37o ASSOCIATION object: Class-Num =TBA199 (of the form11bbbbbb, value 198 is suggested)11bbbbbb) - IPv4 Association: C-Type = 1(suggested)- IPv6 Association: C-Type = 2(suggested)o Association Type The following values defined for the Association Type (16 bits) field of the ASSOCIATION object. Value Type ----- ---- 0 Reserved 1 Recovery (R) Assignment of values (from 2 to 65535) by IANA are subject to IETF expert reviewprocess i.e.process, i.e., IETF Standards Track RFC Action. 4) Error Code/Sub-code values The following Error code/sub-code values are defined in this document: Error Code = 01: "Admission Control Failure" (see [RFC2205]) o "Admission Control Failure/LSP Admission Failure"(suggested value = 4)(4) o "Admission Control Failure/Bad Association Type"(suggested value = 5)(5) Error Code = 02: "Policy Control Failure" (see [RFC2205]) o "Policy Control failure/Hard Pre-empted"(suggested value = 20)(20) Error Code = 24: "Routing Problem" (see [RFC3209]) o "Routing Problem/Unsupported LSP Protection"(suggested value = 17)(17) o "Routing Problem/PROTECTION object not applicable"(suggested value = 18)(18) o "Routing Problem/BadPRIMARY PATH_ROUTEPRIMARY_PATH_ROUTE object"(suggested value = 19)(19) o "RoutingProblem/PRIMARY PATH_ROUTEProblem/PRIMARY_PATH_ROUTE object not applicable"(suggested value = 20)(20) Error Code = 25: "Notify Error" (see [RFC3209]) o "Notify Error/LSP Failure"(suggested value = 6)(9) o "Notify Error/LSP Recovered"(suggested value = 7)(10) o "Notify Error/LSP Locally Failed"(suggested value = 8) J.P.Lang et al. Expires February 2007 38(11) 5) Registration of the ADMIN_STATUS object bits The ADMIN_STATUS object (Class-Num = 196, C-Type = 1) is defined in [RFC3473]. IANA is also requested to track the ADMIN_STATUS bits extended by this document. For this purpose, the following new registry entriesare requested in the registry entry:have been created: http://www.iana.org/assignments/gmpls-sig-parameters - ADMIN_STATUS bits: Name: ADMIN_STATUS bits Format: 32-bit vector of bits Position: [0] Reflect (R) bit defined in [RFC3471] [1..25] To be assigned by IANA via IETF Standards Track RFC Action. [26] Lockout (L) bit is defined in Section 13 [27] Inhibit alarm communication (I) in[ALARM][RFC4783] [28] Call control (C) bit is defined in[GMPLS- CALL][GMPLS-CALL] [29] Testing (T) bit is defined in [RFC3471] [30] Administratively down (A) bit is defined in [RFC3471] [31] Deletion in progress (D) bit is defined in [RFC3471] 20. Acknowledgments The authors would like to thank John Drake foritshis active collaboration, Adrian Farrel for his contribution to this document (in particular, to the Section 10 and 11) and his thorough review of the document, Bart Rousseau (for editorial review), Dominique Verchere, and StefaanDe_Cnodder.De Cnodder. Thanks also to Ichiro Inoue for his valuable comments. The authors wouldlikealso like to thank Lou Berger for the time and effort he spent together with the design team, in contributing to the present document. 21. References21.121.1. Normative References[RFC2026] S.Bradner, "The Internet Standards Process -- Revision 3," BCP 9, RFC 2026, October 1996.[RFC2119]S.Bradner,Bradner, S., "Key words for use in RFCs to Indicate RequirementLevels,"Levels", BCP 14, RFC 2119, March 1997.J.P.Lang et al. Expires February 2007 39[RFC2205]R.Braden (Editor),Braden, R., Zhang, L., Berson, S., Herzog, S., and S. Jamin, "ResourceReserVationReSerVation Protocol (RSVP) -- Version 1 Functional Specification", RFC 2205, September 1997. [RFC2747]F.Baker et al.,Baker, F., Lindell, B., and M. Talwar, "RSVP Cryptographic Authentication", RFC 2747,OctoberJanuary 2000. [RFC2961]L.Berger et al.,Berger, L., Gan, D., Swallow, G., Pan, P., Tommasi, F., and S. Molendini, "RSVP Refresh Overhead ReductionExtensions,"Extensions", RFC 2961, April 2001. [RFC3209]D.Awduche et al.,Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., and G. Swallow, "RSVP-TE: Extensions to RSVP for LSPTunnels,"Tunnels", RFC 3209, December 2001. [RFC3471]L.Berger (Editor) et al.,Berger, L., "Generalized Multi-Protocol Label Switching (GMPLS)–Signaling FunctionalDescription,"Description", RFC 3471, January 2003. [RFC3473]L.Berger (Editor) et al.,Berger, L., "Generalized Multi-Protocol Label Switching (GMPLS) Signaling–ResourceReservation Protocol - TrafficReserVation Protocol-Traffic Engineering (RSVP-TE)Extensions,"Extensions", RFC 3473, January 2003. [RFC3477]K.Kompella,Kompella, K. andY.Rekhter, "SignalingY. Rekhter, "Signalling Unnumbered Links in ResourceReservationReSerVation Protocol - Traffic Engineering(RSVP-TE),"(RSVP-TE)", RFC 3477, January 2003. [RFC3945]E.Mannie (Editor),Mannie, E., "Generalized Multi-Protocol Label Switching (GMPLS)Architecture,"Architecture", RFC 3945, October 2004.[RFC4202] K.Kompella (Editor), " Routing Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS)," RFC 4202, October 2005. [RFC4204] J.Lang (Editor), "Link Management Protocol (LMP)," RFC 4204, October 2005.[RFC4426]J.P.Lang, B.Rajagopalan,Lang, J., Rajagopalan, B., andD.Papadimitriou (Editors),D. Papadimitriou, "GeneralizedMPLSMulti-Protocol Label Switching (GMPLS) Recovery FunctionalSpecification,"Specification", RFC 4426, March 2006.[SEGREC] L.Berger et al.,[RFC4873] Berger, L., Bryskin, I., Papdimitriou, D., and A. Farrel, "GMPLSBasedSegment Recovery,"Internet Draft, Work in progress, draft-ietf-ccamp- gmpls-segment-recovery-03.txt, October 2006. 21.2RFC 4873, May 2007. 21.2. Informative References[ALARM] L.Berger (Editor),[RFC4783] Berger, L., "GMPLS - Communication of Alarm Information",Internet draft, Work in progress, draft- ietf-ccamp-gmpls-alarm-spec-06.txt, SeptemberRFC 4783, December 2006.J.P.Lang et al. Expires February 2007 40[CRANK]A.Farrel (Editor),Farrel, A., Ed., "Crankback Signaling Extensions for MPLS and GMPLSSignaling", Internet Draft,RSVP-TE", Work inprogress, draft-ietf-ccamp-crankback-05.txt, May 2005.Progress, January 2007. [GMPLS-CALL]D.PapadimitriouPapadimitriou, D., Ed., andA.Farrel (Editors),A. Farrel, Ed., "Generalized MPLS (GMPLS) RSVP-TE Signaling Extensions in support of Calls",Internet draft,Work inprogress, draft-ietf- ccamp-gmpls-rsvp-te-call-01.txt, August 2006.Progress, January 2007. [RFC4090]P.Pan (Editor),Pan, P., Ed., Swallow, G., Ed., and A. Atlas, Ed., "Fast Reroute Extensions to RSVP-TE for LSPTunnels,"Tunnels", RFC 4090, May 2005. [RFC4427]E.MannieMannie, E., Ed., andD.Papadimitriou (Editors),D. Papadimitriou, Ed., "Recovery (Protection and Restoration) Terminology forGMPLS,"Generalized Multi-Protocol Label Switching (GMPLS)", RFC 4427, March 2006.[XRO] C.Y.Lee et al.[RFC4874] Lee, CY., Farrel, A., and S. De Cnodder, "Exclude Routes - Extension toRSVP-TE," Internet Draft, Work in progress, draft-ietf-ccamp- rsvp-te-exclude-route-05.txt, August 2005. For information on the availability of the following documents, please see http://www.itu.intResource ReserVation Protocol-Traffic Engineering (RSVP-TE)", RFC 4874, April 2007. [G.841] ITU-T, "Types and Characteristics of SDH Network Protection Architectures," Recommendation G.841, October1998.1998, available from http://www.itu.int. 22.Editor's Addresses Jonathan P. Lang Sonos 506 Chapala Street Santa Barbara, CA 93101, USA EMail: jplang@ieee.org Yakov Rekhter Juniper 1194 N. Mathilda Avenue Sunnyvale, CA 94089, USA EMail: yakov@juniper.net Dimitri Papadimitriou Alcatel Copernicuslaan 50 B-2018, Antwerpen, Belgium EMail: dimitri.papadimitriou@alcatel.be 23.Contributors This document is the result of the CCAMP Working Group Protection and Restoration design team joint effort. The following are the authors that contributed to the present document:J.P.Lang et al. Expires February 2007 41Deborah Brungard (AT&T) Rm. D1-3C22 - 200, S. Laurel Ave. Middletown, NJ 07748, USA EMail: dbrungard@att.com Sudheer Dharanikota EMail: sudheer@ieee.orgJonathan P. Lang (Sonos) 506 Chapala Street Santa Barbara, CA 93101, USA EMail: jplang@ieee.orgGuangzhi Li (AT&T) 180 Park Avenue Florham Park, NJ 07932, USA EMail: gli@research.att.com Eric Mannie (Perceval) Rue Tenbosch, 9 1000 Brussels, Belgium Phone: +32-2-6409194 EMail: eric.mannie@perceval.netDimitri Papadimitriou (Alcatel) Copernicuslaan 50 B-2018 Antwerpen, Belgium EMail: dimitri.papadimitriou@alcatel.beBala Rajagopalan (Intel Broadband Wireless Division) 2111 NE 25th Ave. Hillsboro, OR 97124, USA EMail: bala.rajagopalan@intel.com Editors' Addresses Jonathan P. Lang Sonos 506 Chapala Street Santa Barbara, CA 93101, USA EMail: jplang@ieee.org Yakov Rekhter(Juniper)Juniper 1194 N. Mathilda Avenue Sunnyvale, CA 94089, USA EMail: yakov@juniper.netJ.P.Lang et al. Expires February 2007 42Dimitri Papadimitriou Alcatel Copernicuslaan 50 B-2018, Antwerpen, Belgium EMail: dimitri.papadimitriou@alcatel-lucent.be Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual PropertyStatementThe IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. AcknowledgmentAcknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.J.P.Lang et al. Expires February 2007 43