NetBSD/share/man/man4/mpls.4

306 lines
10 KiB
Groff

.\" $NetBSD: mpls.4,v 1.11 2018/09/14 08:11:30 rin Exp $
.\"
.\" Copyright (c) 2010 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 14, 2018
.Dt MPLS 4
.Os
.Sh NAME
.Nm mpls
.Nd Multiprotocol Label Switching
.Sh SYNOPSIS
.Cd options MPLS
.Cd pseudo-device mpls
.In sys/types.h
.In netmpls/mpls.h
.Sh DESCRIPTION
MultiProtocol Label Switching represents a mechanism which directs
and carries data in high-performance networks, its techniques being
applicable to any network layer protocol.
.Pp
In an MPLS domain the assignment of a particular packet a particular
Forward Equivalence Class is done just once, as the packet enters the
network.
The FEC to which the packet is assigned is encoded as a
short fixed length value known as a
.Dq label .
When a packet is forwarded to the next hop, the label is sent along
with it; that is, the packets are
.Dq labeled
before they are forwarded.
.Pp
A router capable of receiving and forwarding MPLS frames is called
.Dq Label Switch Router
or LSR.
Label scope is generally router-wide meaning that a certain
label has a specific meaning only for a certain LSR.
.Pp
Currently,
.Nx
supports MPLS over Ethernet interfaces and GRE tunnels.
For these kind of interfaces, a label is contained by a fixed
sized
.Dq shim
that precedes any network layer headers, just after data
link layer headers.
.Ss MPLS shim header structure
In network bit order:
.Bd -literal
-------------------------------------------
| | | | |
| Label | TC | BoS | TTL |
| 20 bits | 3 bits | 1 bit | 8 bits |
| | | | |
-------------------------------------------
.Ed
.Bl -tag -width "Bottom of Stack"
.It Label
20 bits representing FEC, consequently the only information
used to forward the frame to next-hop
.It Traffic Class Field
3 bits that are used for specifying a traffic class, usually used for defining
a type of service.
This field was named the "Experimental Field" in most early
.Pf ( pre- Ns Li RFC 5462 )
documents.
.It Bottom of Stack
One bit that is set for the last entry in the shim stack and 0 for all others.
An MPLS frame may contain more than one shim, the last one before the
network headers being marked by setting the BoS bit.
.It TTL
8 bits, representing Time to Live, decremented at every LSR.
.El
.Sh USAGE
The MPLS behavior is controlled by the
.Li net.mpls
.Xr sysctl 8
tree:
.Bl -tag -width "net.mpls.inet6_map_prec"
.It Li net.mpls.accept
If zero, MPLS frames are dropped on sight on ingress interfaces.
.It Li net.mpls.forwarding
If zero, MPLS frames are not forwarded to next-hop.
.It Li net.mpls.ttl
The default ttl for self generated MPLS frames.
.It Li net.mpls.inet_mapttl
If set, TTL field from IP header will be mapped
into the MPLS shim on encapsulation, and the TTL field from MPLS shim
will be copied into IP header on decapsulation.
.It Li net.mpls.inet6_mapttl
The IPv6 version of the above.
.It Li net.mpls.inet_map_prec
If set, precedence field from IP header will be
mapped into MPLS shim in TC field on encapsulation, and the MPLS TC
field will be copied into IP Precedence field on decapsulation.
.It Li net.mpls.inet6_map_prec
The IPv6 version of the above.
.It Li net.mpls.icmp_respond
Returns ICMP TTL exceeded in transit when an MPLS
frame is dropped because of TTL = 0 on egress interface.
.It Li net.mpls.rfc4182
Pop the Explicit Null labels as specified by
.Li RFC 4182
.El
In order to encapsulate and decapsulate to and from MPLS, an mpls
pseudo-interface must be created and packets that should be encapsulated
must be routed to that interface.
.Pp
MPLS routes may be created using
.Dv AF_MPLS
.Li sa_family
sockaddrs for destination and tag fields.
Other protocols can be encapsulated using
routes pointing to mpls pseudo-interfaces, and
.Dv AF_MPLS
sockaddrs for tags.
Decapsulation can be made using values of reserved labels set in
the tag field (see below).
For more information about doing this using
userland utilities see the
.Sx EXAMPLES
section of this manual page.
.Pp
The
.Xr netstat 1
and
.Xr route 8
utilities should be used to manage routes from userland.
.Pp
The
.Nx
implementation stores route tagging information into a sockaddr_mpls structure
that is referenced by the rt_tag field of rtentry struct.
For storing multiple labels associated with the next-hop, the current
implementation abuses the sockaddr_mpls structure, extending it in order to fit
a stack of labels.
.Pp
.Xr ldpd 8
should be used in order to automatically import, manage and
distribute labels among LSRs in the same MPLS domain.
.Ss RESERVED LABELS
MPLS labels 0 through 15 are reserved.
Out of those, only four are currently defined:
.Bl -tag -width X
.It 0
IPv4 Explicit NULL label.
This label value is only legal at the bottom of the label stack.
It indicates that the label stack must be popped,
and the forwarding of the packet must then be based on the IPv4 header.
.It 1
Router Alert Label.
Currently not implemented in
.Nx .
.It 2
IPv6 Explicit NULL label.
It indicates that the label stack must be popped, and the forwarding
of the packet must then be based on the IPv6 header.
.It 3
Implicit NULL label.
This is a label that an LSR may assign and
distribute, but which never actually appears in the encapsulation.
When an LSR would otherwise replace the label at the top of the stack
with a new label, but the new label is
.Dq Implicit NULL ,
the LSR will pop the stack instead of doing the replacement.
In this case, the LSR will have to deduce by itself what is the original
address family of the encapsulated network packet.
Currently,
.Nx
implementation is assuming that the latter address family
is equal to the next-hop address family specified in the Implicit Null Label
MPLS route.
.El
.Sh EXAMPLES
.Bl -enum
.It
Create an MPLS interface and set an IP address:
.Bd -literal
# ifconfig mpls0 create up
# ifconfig mpls0 inet 192.168.0.1/32
.Ed
.It
Route IP packets into MPLS domain with a specific tag
.Bd -literal
# route add 10.0.0.0/8 -ifp mpls0 -tag 25 -inet 192.168.1.100
.Ed
.It
Create a static MPLS forwarding rule - swap the incoming
label 50 to 33 and forward the frame to 192.168.1.101 and verify
the route
.Bd -literal
# route add -mpls 50 -tag 33 -inet 192.168.1.101
add host 50: gateway 192.168.1.101
# route -n get -mpls 50
route to: 50
destination: 50
gateway: 192.168.1.101
Tag: 33
local addr: 192.168.1.180
interface: sk0
flags: <UP,GATEWAY,HOST,DONE,STATIC>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 0 0
sockaddrs: <DST,GATEWAY,IFP,IFA,TAG>
.Ed
.It
Route IP packets into MPLS domain but use a different source
address for local generated packets.
.Bd -literal
# route add 10.0.0.0/8 -ifa 192.168.1.180 -ifp mpls0 -tag 25 -inet 192.168.1.100
.Ed
For the latter example, setting an IP address for the mpls0 interface
is not necessary.
.It
Route MPLS packets encapsulated with label 60 to 192.168.1.100 and POP label
.Bd -literal
# route add -mpls 60 -tag 3 -inet 192.168.1.100
.Ed
.It
Route IP packets into MPLS domain and prepend more tags
.Bd -literal
# route add 10/8 -ifa 192.168.1.200 -ifp mpls0 -tag 20,30,40 -inet 192.168.1.100
.Ed
For the above example, tag 20 will be inserted at Bottom of Stack, while tag 40
will be set into the outermost shim.
.It
Replace label 60 with label 30, prepend two more labels: 40 and 41 (in this order)
and forward the result to 192.168.1.100
.Bd -literal
# route add -mpls 60 -tag 30,40,41 -inet 192.168.1.100
.Ed
.El
.Sh SEE ALSO
.Xr netstat 1 ,
.Xr route 4 ,
.Xr ldpd 8 ,
.Xr route 8 ,
.Xr sysctl 8
.Rs
.%R RFC 3031
.%T Multiprotocol Label Switching Architecture
.Re
.Rs
.%R RFC 3032
.%T MPLS Label Stack Encoding
.Re
.Rs
.%R RFC 4182
.%T Removing a Restriction on the use of MPLS Explicit NULL
.Re
.Rs
.%R RFC 5462
.%T MPLS Label Stack Entry: "EXP" Field Renamed to "Traffic Class" Field
.Re
.Sh HISTORY
The
.Nm
support appeared in
.Nx 6.0 .
.Sh SECURITY CONSIDERATIONS
User must be aware that encapsulating IP packets in MPLS implies a
major security effect when using firewalls.
Currently neither
.Xr ipf 4
nor
.Xr pf 4
implement the heuristics in order to look inside an MPLS frame.
Moreover, it's technically impossible in most cases for an LSR to
know information related to encapsulated packet.
Therefore, MPLS Domains should be strictly controlled and, in most
cases, limited to trusted connections inside the same Autonomous
System.
.Pp
Users must be aware that the MPLS forwarding domain is entirely separated
from the inner (IP, IPv6 etc.) forwarding domain and once a packet is
encapsulated in MPLS, the former forwarding is used.
This could result in a different path for MPLS encapsulated packets
than the original non-MPLS one.
.Pp
IP or IPv6 forwarding is not necessary for MPLS forwarding.
Your system may still forward IP or IPv6 packets encapsulated into
MPLS if
.Li net.mpls.forwarding
is set.