306 lines
10 KiB
Groff
306 lines
10 KiB
Groff
.\" $NetBSD: mpls.4,v 1.11 2018/09/14 08:11:30 rin Exp $
|
|
.\"
|
|
.\" Copyright (c) 2010 The NetBSD Foundation, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd September 14, 2018
|
|
.Dt MPLS 4
|
|
.Os
|
|
.Sh NAME
|
|
.Nm mpls
|
|
.Nd Multiprotocol Label Switching
|
|
.Sh SYNOPSIS
|
|
.Cd options MPLS
|
|
.Cd pseudo-device mpls
|
|
.In sys/types.h
|
|
.In netmpls/mpls.h
|
|
.Sh DESCRIPTION
|
|
MultiProtocol Label Switching represents a mechanism which directs
|
|
and carries data in high-performance networks, its techniques being
|
|
applicable to any network layer protocol.
|
|
.Pp
|
|
In an MPLS domain the assignment of a particular packet a particular
|
|
Forward Equivalence Class is done just once, as the packet enters the
|
|
network.
|
|
The FEC to which the packet is assigned is encoded as a
|
|
short fixed length value known as a
|
|
.Dq label .
|
|
When a packet is forwarded to the next hop, the label is sent along
|
|
with it; that is, the packets are
|
|
.Dq labeled
|
|
before they are forwarded.
|
|
.Pp
|
|
A router capable of receiving and forwarding MPLS frames is called
|
|
.Dq Label Switch Router
|
|
or LSR.
|
|
Label scope is generally router-wide meaning that a certain
|
|
label has a specific meaning only for a certain LSR.
|
|
.Pp
|
|
Currently,
|
|
.Nx
|
|
supports MPLS over Ethernet interfaces and GRE tunnels.
|
|
For these kind of interfaces, a label is contained by a fixed
|
|
sized
|
|
.Dq shim
|
|
that precedes any network layer headers, just after data
|
|
link layer headers.
|
|
.Ss MPLS shim header structure
|
|
In network bit order:
|
|
.Bd -literal
|
|
-------------------------------------------
|
|
| | | | |
|
|
| Label | TC | BoS | TTL |
|
|
| 20 bits | 3 bits | 1 bit | 8 bits |
|
|
| | | | |
|
|
-------------------------------------------
|
|
.Ed
|
|
.Bl -tag -width "Bottom of Stack"
|
|
.It Label
|
|
20 bits representing FEC, consequently the only information
|
|
used to forward the frame to next-hop
|
|
.It Traffic Class Field
|
|
3 bits that are used for specifying a traffic class, usually used for defining
|
|
a type of service.
|
|
This field was named the "Experimental Field" in most early
|
|
.Pf ( pre- Ns Li RFC 5462 )
|
|
documents.
|
|
.It Bottom of Stack
|
|
One bit that is set for the last entry in the shim stack and 0 for all others.
|
|
An MPLS frame may contain more than one shim, the last one before the
|
|
network headers being marked by setting the BoS bit.
|
|
.It TTL
|
|
8 bits, representing Time to Live, decremented at every LSR.
|
|
.El
|
|
.Sh USAGE
|
|
The MPLS behavior is controlled by the
|
|
.Li net.mpls
|
|
.Xr sysctl 8
|
|
tree:
|
|
.Bl -tag -width "net.mpls.inet6_map_prec"
|
|
.It Li net.mpls.accept
|
|
If zero, MPLS frames are dropped on sight on ingress interfaces.
|
|
.It Li net.mpls.forwarding
|
|
If zero, MPLS frames are not forwarded to next-hop.
|
|
.It Li net.mpls.ttl
|
|
The default ttl for self generated MPLS frames.
|
|
.It Li net.mpls.inet_mapttl
|
|
If set, TTL field from IP header will be mapped
|
|
into the MPLS shim on encapsulation, and the TTL field from MPLS shim
|
|
will be copied into IP header on decapsulation.
|
|
.It Li net.mpls.inet6_mapttl
|
|
The IPv6 version of the above.
|
|
.It Li net.mpls.inet_map_prec
|
|
If set, precedence field from IP header will be
|
|
mapped into MPLS shim in TC field on encapsulation, and the MPLS TC
|
|
field will be copied into IP Precedence field on decapsulation.
|
|
.It Li net.mpls.inet6_map_prec
|
|
The IPv6 version of the above.
|
|
.It Li net.mpls.icmp_respond
|
|
Returns ICMP TTL exceeded in transit when an MPLS
|
|
frame is dropped because of TTL = 0 on egress interface.
|
|
.It Li net.mpls.rfc4182
|
|
Pop the Explicit Null labels as specified by
|
|
.Li RFC 4182
|
|
.El
|
|
In order to encapsulate and decapsulate to and from MPLS, an mpls
|
|
pseudo-interface must be created and packets that should be encapsulated
|
|
must be routed to that interface.
|
|
.Pp
|
|
MPLS routes may be created using
|
|
.Dv AF_MPLS
|
|
.Li sa_family
|
|
sockaddrs for destination and tag fields.
|
|
Other protocols can be encapsulated using
|
|
routes pointing to mpls pseudo-interfaces, and
|
|
.Dv AF_MPLS
|
|
sockaddrs for tags.
|
|
Decapsulation can be made using values of reserved labels set in
|
|
the tag field (see below).
|
|
For more information about doing this using
|
|
userland utilities see the
|
|
.Sx EXAMPLES
|
|
section of this manual page.
|
|
.Pp
|
|
The
|
|
.Xr netstat 1
|
|
and
|
|
.Xr route 8
|
|
utilities should be used to manage routes from userland.
|
|
.Pp
|
|
The
|
|
.Nx
|
|
implementation stores route tagging information into a sockaddr_mpls structure
|
|
that is referenced by the rt_tag field of rtentry struct.
|
|
For storing multiple labels associated with the next-hop, the current
|
|
implementation abuses the sockaddr_mpls structure, extending it in order to fit
|
|
a stack of labels.
|
|
.Pp
|
|
.Xr ldpd 8
|
|
should be used in order to automatically import, manage and
|
|
distribute labels among LSRs in the same MPLS domain.
|
|
.Ss RESERVED LABELS
|
|
MPLS labels 0 through 15 are reserved.
|
|
Out of those, only four are currently defined:
|
|
.Bl -tag -width X
|
|
.It 0
|
|
IPv4 Explicit NULL label.
|
|
This label value is only legal at the bottom of the label stack.
|
|
It indicates that the label stack must be popped,
|
|
and the forwarding of the packet must then be based on the IPv4 header.
|
|
.It 1
|
|
Router Alert Label.
|
|
Currently not implemented in
|
|
.Nx .
|
|
.It 2
|
|
IPv6 Explicit NULL label.
|
|
It indicates that the label stack must be popped, and the forwarding
|
|
of the packet must then be based on the IPv6 header.
|
|
.It 3
|
|
Implicit NULL label.
|
|
This is a label that an LSR may assign and
|
|
distribute, but which never actually appears in the encapsulation.
|
|
When an LSR would otherwise replace the label at the top of the stack
|
|
with a new label, but the new label is
|
|
.Dq Implicit NULL ,
|
|
the LSR will pop the stack instead of doing the replacement.
|
|
In this case, the LSR will have to deduce by itself what is the original
|
|
address family of the encapsulated network packet.
|
|
Currently,
|
|
.Nx
|
|
implementation is assuming that the latter address family
|
|
is equal to the next-hop address family specified in the Implicit Null Label
|
|
MPLS route.
|
|
.El
|
|
.Sh EXAMPLES
|
|
.Bl -enum
|
|
.It
|
|
Create an MPLS interface and set an IP address:
|
|
.Bd -literal
|
|
# ifconfig mpls0 create up
|
|
# ifconfig mpls0 inet 192.168.0.1/32
|
|
.Ed
|
|
.It
|
|
Route IP packets into MPLS domain with a specific tag
|
|
.Bd -literal
|
|
# route add 10.0.0.0/8 -ifp mpls0 -tag 25 -inet 192.168.1.100
|
|
.Ed
|
|
.It
|
|
Create a static MPLS forwarding rule - swap the incoming
|
|
label 50 to 33 and forward the frame to 192.168.1.101 and verify
|
|
the route
|
|
.Bd -literal
|
|
# route add -mpls 50 -tag 33 -inet 192.168.1.101
|
|
add host 50: gateway 192.168.1.101
|
|
# route -n get -mpls 50
|
|
route to: 50
|
|
destination: 50
|
|
gateway: 192.168.1.101
|
|
Tag: 33
|
|
local addr: 192.168.1.180
|
|
interface: sk0
|
|
flags: <UP,GATEWAY,HOST,DONE,STATIC>
|
|
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
|
|
0 0 0 0 0 0 0 0
|
|
sockaddrs: <DST,GATEWAY,IFP,IFA,TAG>
|
|
.Ed
|
|
.It
|
|
Route IP packets into MPLS domain but use a different source
|
|
address for local generated packets.
|
|
.Bd -literal
|
|
# route add 10.0.0.0/8 -ifa 192.168.1.180 -ifp mpls0 -tag 25 -inet 192.168.1.100
|
|
.Ed
|
|
For the latter example, setting an IP address for the mpls0 interface
|
|
is not necessary.
|
|
.It
|
|
Route MPLS packets encapsulated with label 60 to 192.168.1.100 and POP label
|
|
.Bd -literal
|
|
# route add -mpls 60 -tag 3 -inet 192.168.1.100
|
|
.Ed
|
|
.It
|
|
Route IP packets into MPLS domain and prepend more tags
|
|
.Bd -literal
|
|
# route add 10/8 -ifa 192.168.1.200 -ifp mpls0 -tag 20,30,40 -inet 192.168.1.100
|
|
.Ed
|
|
For the above example, tag 20 will be inserted at Bottom of Stack, while tag 40
|
|
will be set into the outermost shim.
|
|
.It
|
|
Replace label 60 with label 30, prepend two more labels: 40 and 41 (in this order)
|
|
and forward the result to 192.168.1.100
|
|
.Bd -literal
|
|
# route add -mpls 60 -tag 30,40,41 -inet 192.168.1.100
|
|
.Ed
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr netstat 1 ,
|
|
.Xr route 4 ,
|
|
.Xr ldpd 8 ,
|
|
.Xr route 8 ,
|
|
.Xr sysctl 8
|
|
.Rs
|
|
.%R RFC 3031
|
|
.%T Multiprotocol Label Switching Architecture
|
|
.Re
|
|
.Rs
|
|
.%R RFC 3032
|
|
.%T MPLS Label Stack Encoding
|
|
.Re
|
|
.Rs
|
|
.%R RFC 4182
|
|
.%T Removing a Restriction on the use of MPLS Explicit NULL
|
|
.Re
|
|
.Rs
|
|
.%R RFC 5462
|
|
.%T MPLS Label Stack Entry: "EXP" Field Renamed to "Traffic Class" Field
|
|
.Re
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
support appeared in
|
|
.Nx 6.0 .
|
|
.Sh SECURITY CONSIDERATIONS
|
|
User must be aware that encapsulating IP packets in MPLS implies a
|
|
major security effect when using firewalls.
|
|
Currently neither
|
|
.Xr ipf 4
|
|
nor
|
|
.Xr pf 4
|
|
implement the heuristics in order to look inside an MPLS frame.
|
|
Moreover, it's technically impossible in most cases for an LSR to
|
|
know information related to encapsulated packet.
|
|
Therefore, MPLS Domains should be strictly controlled and, in most
|
|
cases, limited to trusted connections inside the same Autonomous
|
|
System.
|
|
.Pp
|
|
Users must be aware that the MPLS forwarding domain is entirely separated
|
|
from the inner (IP, IPv6 etc.) forwarding domain and once a packet is
|
|
encapsulated in MPLS, the former forwarding is used.
|
|
This could result in a different path for MPLS encapsulated packets
|
|
than the original non-MPLS one.
|
|
.Pp
|
|
IP or IPv6 forwarding is not necessary for MPLS forwarding.
|
|
Your system may still forward IP or IPv6 packets encapsulated into
|
|
MPLS if
|
|
.Li net.mpls.forwarding
|
|
is set.
|