OPSAWG                                                            C. Lin
Internet-Draft                                      New H3C Technologies
Intended status: Standards Track                                   Z. Li
Expires: 31 December 2026                                   China Mobile
                                                                  Y. Liu
                                                                     ZTE
                                                            29 June 2026

   Export of Segment Routing Policy Attributes in IP Flow Information
                            Export (IPFIX)
                  draft-lin-opsawg-ipfix-sr-policy-01

Abstract

   This document defines new IP Flow Information Export (IPFIX)
   Information Elements (IEs) to export attributes of Segment Routing
   (SR) and Segment Routing over IPv6 (SRv6) policies applied to IP
   flows, which enables correlation between observed traffic flows and
   the SR/SRv6 policies that carry them.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 31 December 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this
   document must include Revised BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Revised BSD License.

Lin, et al.             Expires 31 December 2026                [Page 1]
Internet-Draft      Export of SR Policy Attr in IPFIX          June 2026

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  IPFIX Information Elements for SR Policy Attributes
   4.  Use Cases
     4.1.  Service Assurance and SLA Validation
     4.2.  Troubleshooting and Fault Isolation
     4.3.  Traffic Engineering Analysis and Capacity Planning
     4.4.  Security Monitoring and Anomaly Detection
     4.5.  Per-Policy Traffic Monitoring and Performance Diagnostics
   5.  Operational Considerations
   6.  Security Considerations
   7.  IANA Considerations
     7.1.  New IPFIX IEs for SR Policy Attributes
       7.1.1.  srPolicyHeadendIPv4Address
       7.1.2.  srPolicyHeadendIPv6Address
       7.1.3.  srPolicyColor
       7.1.4.  srPolicyEndpointIPv4
       7.1.5.  srPolicyEndpointIPv6
       7.1.6.  srPolicyType
     7.2.  IPFIX Sub-Registry for SR Policy Types
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   Segment Routing (SR) [RFC8402] and Segment Routing over IPv6 (SRv6)
   [RFC8986] have become widely deployed technologies for source
   routing and traffic engineering in modern networks.  SR Policy
   [RFC9256] provides a mechanism to steer traffic through an ordered
   list of segments to meet Service Level Agreements (SLAs) and other
   operational requirements.

   An SR Policy is uniquely identified by the tuple <Headend, Color,
   Endpoint>, where:

   *  Headend: The node where the policy is instantiated.

   *  Color: A 32-bit numerical value representing the policy intent or
      class.

   *  Endpoint: The destination address of the policy (IPv4 or IPv6).

   While network operators can monitor traffic flows using IP Flow
   Information Export (IPFIX) [RFC7011] and observe which SR policies
   are configured in the network, there has been no standardized way to
   correlate individual IP flows with the specific SR policies that
   carry them.  This correlation is essential for:

   *  Service Assurance: Verifying that traffic is being forwarded
      according to the intended policy.

   *  Troubleshooting: Identifying which flows are affected when a
      policy fails.

   *  Routing Planning: Understanding traffic forwarding patterns per
      policy class.

   *  Security Monitoring: Detecting policy bypass or hijacking
      attempts.

   *  Per-Policy Traffic Monitoring: Monitoring real-time performance
      metrics (such as transmitted/dropped packet counts) for
      individual SR Policies.

   This document defines new IPFIX Information Elements (IEs) to export
   SR and SRv6 policy attributes (headend, color, endpoint, and type)
   associated with observed IP flows.  These IEs enable Exporting
   Processes to report which SR policy was applied to each flow and
   where, providing crucial visibility into the relationship between
   traffic and network policies.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document makes use of the terms defined in [RFC7011] and
   [RFC8402].

   The following terms are used as defined in [RFC7011]:

   *  IPFIX

   *  IPFIX Information Elements

   The following terms are used as defined in [RFC8402]:

   *  Segment Routing (SR)

   *  SR-MPLS

   *  SRv6

3.  IPFIX Information Elements for SR Policy Attributes

   This section defines new IPFIX IEs for exporting SR Policy
   attributes.

   srPolicyHeadendIPv4Address
      The IPv4 address of the headend node encapsulating the SR policy,
      identifying the SR Policy headend node.  This address is
      typically the loopback address of the headend device.

   srPolicyHeadendIPv6Address
      The IPv6 address of the headend node encapsulating the SR policy,
      identifying the SR Policy headend node.  This address is
      typically the loopback address of the headend device.

   srPolicyColor
      The color value of the SR Policy applied to the flow.  The color
      is a 32-bit unsigned integer that identifies the intent or class
      of the SR Policy.

   srPolicyEndpointIPv4
      The 32-bit IPv4 endpoint address of the SR Policy applied to the
      flow.

   srPolicyEndpointIPv6
      The 128-bit IPv6 endpoint address of the SR Policy applied to the
      flow.

   srPolicyType
      The type of SR Policy applied to the flow.  It is used to
      distinguish between SR-MPLS and SRv6 policies.

4.  Use Cases

   This section outlines representative deployment scenarios where the
   extensions defined in this document provide significant value.

4.1.  Service Assurance and SLA Validation

   Operators need to verify that traffic for critical services (e.g.,
   VoIP, financial transactions) is indeed being forwarded along the
   intended SR Policy path and meeting predefined Service Level
   Agreements (SLAs).

   In this case, the monitored "flow" is defined by the SR Policy
   identifier (Headend, Endpoint, Color, and Type), representing all
   packets belonging to that service class.

   It enables direct, policy-level measurement of performance metrics
   (latency, loss, jitter) against SLAs.  This moves assurance from
   network-wide inference to per-service, per-path validation.

4.2.  Troubleshooting and Fault Isolation

   When a service degradation occurs, rapid isolation of the fault
   domain is critical.  This use case focuses on identifying if an
   issue is localized to a specific SR Policy.

   In this case, the "flow" is again keyed by the SR Policy.  By
   comparing metrics across different policies sharing network
   segments, the faulty component can be isolated.

   It dramatically reduces Mean Time to Repair (MTTR) by answering the
   question: "Is this a general network problem or a problem specific
   to my policy for Service X?"

4.3.  Traffic Engineering Analysis and Capacity Planning

   Network planners require an understanding of actual traffic
   distribution across different SR Policy paths to optimize network
   resources and plan for capacity upgrades.

   Here, the "flow" per SR Policy provides the atomic unit of analysis
   for traffic volume (byte/packet counts) over time.

   It provides a clear, intent-based view of traffic matrices, showing
   how much traffic each policy class carries.  This data is essential
   for validating the efficacy of traffic engineering decisions and for
   predictive capacity planning.

4.4.  Security Monitoring and Anomaly Detection

   Detecting deviations from intended forwarding paths is crucial for
   security.  This includes identifying potential policy bypass,
   hijacking, or unexpected traffic attraction to a specific policy.

   A baseline of normal "flow" volumes and paths per SR Policy is
   established.  Deviations from this baseline trigger alerts.

   It provides a new layer of control-plane/data-plane consistency
   checking.  Unexpected traffic appearing on, or disappearing from, a
   policy can be a key security indicator.

4.5.  Per-Policy Traffic Monitoring and Performance Diagnostics

   This is the granular, real-time monitoring of performance metrics
   for individual SR Policies, forming the foundation for the use cases
   above.

   The "flow" record is anchored to a single SR Policy and contains Key
   Performance Indicators (KPIs) as non-key fields.

   It delivers fundamental visibility into the health of each logical
   path, providing metrics such as forwarded/dropped packet counts.
   This is the primary data source for service dashboards and automated
   diagnostics.

5.  Operational Considerations

   For the 'srPolicyHeadendIPv4Address' and
   'srPolicyHeadendIPv6Address' IEs, implementers SHOULD select the
   appropriate IE based on the actual address family of the SR policy.
   For a pure IPv4 environment, use only 'srPolicyHeadendIPv4Address'.
   For a pure IPv6 environment, use only 'srPolicyHeadendIPv6Address'.
   For a dual-stack environment, use the corresponding IE identifying
   the SR policy headend node in the IPFIX record according to the
   address family of the specific SR policy.  A single flow record
   SHOULD NOT contain both IEs simultaneously.

   For the 'srPolicyColor' IE, a value of 0 indicates that no SR Policy
   was applied to the flow (i.e., the flow was forwarded using
   conventional routing).  Color values are locally significant to the
   headend node but are often coordinated network-wide to represent
   consistent service classes.

   For the 'srPolicyEndpointIPv4' and 'srPolicyEndpointIPv6' IEs, a
   value of 0.0.0.0 for the IPv4 address or ::/128 (all zeros) for the
   IPv6 address indicates that no SR Policy with an IPv4 or IPv6
   endpoint, respectively, was applied to the flow.
   When these IEs are used with the 'srPolicyColor' IE, this pair
   uniquely identifies an SR Policy from the perspective of the headend
   node.

   When multiple SR Policies could apply to a flow (e.g., through
   policy nesting), all IEs defined in this document SHOULD report the
   value of the outermost or primary policy.

   These IEs about SR Policy attributes are only collected and reported
   by the headend node of the SR Policy, that is, the node where the
   policy is instantiated and where packets enter the SR Policy path.

   In this document, all IEs about SR Policy attributes complement
   existing IPFIX IEs.  When reporting SR Policy attributes, Exporting
   Processes SHOULD also include basic flow identification IEs such as
   source/destination addresses, protocol, and ports to provide context
   for the policy application.

6.  Security Considerations

   The Security Considerations for IPFIX [RFC7011] apply to this
   document as well.

   SR Policy attributes reveal network engineering decisions and
   traffic steering policies.  Unauthorized access to this information
   could aid in traffic analysis or network reconnaissance.  Export of
   these IEs SHOULD be protected using IPFIX over TLS [RFC7011] or DTLS
   [RFC9147].

   Manipulation of SR Policy attributes in flow records could mislead
   network operators about traffic paths, potentially hiding policy
   violations or attacks.  Collecting Processes SHOULD verify data
   integrity when possible.

   While SR Policy attributes deliver vital operational insights into
   business traffic patterns, their correlation with flow data can
   reveal internal system relationships.  Consequently, their
   implementation SHOULD incorporate data governance measures to ensure
   utility is balanced with the protection of sensitive operational
   information.

   Exporting additional IEs increases the size of flow records and
   template definitions.
   Exporting Processes SHOULD implement appropriate rate limiting and
   resource controls.

   The ability to correlate flows with policies enables verification
   that traffic is following intended paths, which can help detect
   policy bypass attacks or configuration errors.

7.  IANA Considerations

7.1.  New IPFIX IEs for SR Policy Attributes

   This document specifies new IPFIX IEs to enable export of SR Policy
   Attributes along with other flow information.

   This document requests IANA to add these IPFIX IEs to the "IPFIX
   Information Elements" registry available at [IANA-IPFIX].

   Table 1 lists the new IPFIX IEs for SR Policy Attributes:

   +============+============================+===============+
   | Element ID | Name                       | Reference     |
   +============+============================+===============+
   | TBD1       | srPolicyHeadendIPv4Address | This document |
   +------------+----------------------------+---------------+
   | TBD2       | srPolicyHeadendIPv6Address | This document |
   +------------+----------------------------+---------------+
   | TBD3       | srPolicyColor              | This document |
   +------------+----------------------------+---------------+
   | TBD4       | srPolicyEndpointIPv4       | This document |
   +------------+----------------------------+---------------+
   | TBD5       | srPolicyEndpointIPv6       | This document |
   +------------+----------------------------+---------------+
   | TBD6       | srPolicyType               | This document |
   +------------+----------------------------+---------------+

      Table 1: New IEs in the "IPFIX Information Elements" Registry

7.1.1.  srPolicyHeadendIPv4Address

   Name:  srPolicyHeadendIPv4Address

   Element ID:  TBD1

   Description:  The IPv4 address of the headend node encapsulating the
      SR policy, identifying the SR Policy headend node.  This address
      is typically the loopback address of the headend device.

   Abstract Data Type:  ipv4Address

   Data Type Semantics:  identifier

   Status:  current

   Reference:  [this document]

7.1.2.  srPolicyHeadendIPv6Address

   Name:  srPolicyHeadendIPv6Address

   Element ID:  TBD2

   Description:  The IPv6 address of the headend node encapsulating the
      SR policy, identifying the SR Policy headend node.  This address
      is typically the loopback address of the headend device.

   Abstract Data Type:  ipv6Address

   Data Type Semantics:  identifier

   Status:  current

   Reference:  [this document]

7.1.3.  srPolicyColor

   Name:  srPolicyColor

   Element ID:  TBD3

   Description:  The color value of the SR Policy applied to the flow.
      The color is a 32-bit unsigned integer that identifies the intent
      or class of the SR Policy.  A value of 0 indicates that no SR
      Policy was applied to the flow.

   Abstract Data Type:  unsigned32

   Data Type Semantics:  identifier

   Status:  current

   Reference:  [this document]

7.1.4.  srPolicyEndpointIPv4

   Name:  srPolicyEndpointIPv4

   Element ID:  TBD4

   Description:  The IPv4 endpoint address of the Segment Routing
      Policy applied to the flow.  A value of 0.0.0.0 indicates that no
      SR Policy with an IPv4 endpoint was applied to the flow.

   Abstract Data Type:  ipv4Address

   Data Type Semantics:  identifier

   Status:  current

   Reference:  [this document]

7.1.5.  srPolicyEndpointIPv6

   Name:  srPolicyEndpointIPv6

   Element ID:  TBD5

   Description:  The IPv6 endpoint address of the Segment Routing
      Policy applied to the flow.  The ::/128 (all zeros) address
      indicates that no SR Policy with an IPv6 endpoint was applied to
      the flow.

   Abstract Data Type:  ipv6Address

   Data Type Semantics:  identifier

   Status:  current

   Reference:  [this document]

7.1.6.  srPolicyType

   Name:  srPolicyType

   Element ID:  TBD6

   Description:  The type of Segment Routing Policy applied to the
      flow.  A value of 0 indicates the policy type is unknown or not
      applicable.
      Values are defined in the "SR Policy Types" sub-registry.

   Abstract Data Type:  unsigned8

   Data Type Semantics:  identifier

   Status:  current

   Reference:  [this document]

7.2.  IPFIX Sub-Registry for SR Policy Types

   IANA is requested to create a new sub-registry titled "SR Policy
   Types" under the "IPFIX Information Elements" registry.

   +=======+=====================================+===============+
   | Value | Description                         | Reference     |
   +=======+=====================================+===============+
   | 0     | Unknown or unspecified policy type  | This document |
   +-------+-------------------------------------+---------------+
   | 1     | SR-MPLS policy                      | This document |
   +-------+-------------------------------------+---------------+
   | 2     | SRv6 policy                         | This document |
   +-------+-------------------------------------+---------------+
   | 255   | Reserved for experimentation        | This document |
   +-------+-------------------------------------+---------------+

                Table 2: SR Policy Types Sub-Registry

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8402]  Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
              Decraene, B., Litkowski, S., and R. Shakir, "Segment
              Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
              July 2018.

   [RFC8986]  Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer,
              D., Matsushima, S., and Z. Li, "Segment Routing over IPv6
              (SRv6) Network Programming", RFC 8986,
              DOI 10.17487/RFC8986, February 2021.

   [RFC9256]  Filsfils, C., Talaulikar, K., Ed., Voyer, D., Bogdanov,
              A., and P. Mattes, "Segment Routing Policy Architecture",
              RFC 9256, DOI 10.17487/RFC9256, July 2022.

8.2.  Informative References

   [IANA-IPFIX]
              "IP Flow Information Export (IPFIX) Entities", n.d.

   [RFC9147]  Rescorla, E., Tschofenig, H., and N. Modadugu, "The
              Datagram Transport Layer Security (DTLS) Protocol Version
              1.3", RFC 9147, DOI 10.17487/RFC9147, April 2022.

Authors' Addresses

   Changwang Lin
   New H3C Technologies
   Beijing
   China
   Email: linchangwang.04414@h3c.com

   Zhenqiang Li
   China Mobile
   29 Finance Avenue, Xicheng District
   Beijing
   China
   Email: lizhenqiang@chinamobile.com

   Yao Liu
   ZTE
   China
   Email: liu.yao71@zte.com.cn
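
Added example (not part of the draft and not the authors' code): a collector-side decoder in Python that reads an IPFIX message carrying the SR Policy IEs and applies the Section 5 rules (one headend IE per record, color 0 and all-zeros endpoints meaning "no policy") together with the control-plane/data-plane consistency check described in Section 4.4. The Element IDs 32001 to 32006, the function names, the inventory set and the sample bytes are assumptions constructed for this example, since the draft still lists TBD1 to TBD6.

```python
import ipaddress
import struct

# Placeholder IDs for TBD1..TBD6 (constructed, NOT IANA); 8 and 12 are IANA's.
NAMES = {32001: "srPolicyHeadendIPv4Address", 32002: "srPolicyHeadendIPv6Address",
         32003: "srPolicyColor", 32004: "srPolicyEndpointIPv4",
         32005: "srPolicyEndpointIPv6", 32006: "srPolicyType",
         8: "sourceIPv4Address", 12: "destinationIPv4Address"}
POLICY_TYPES = {0, 1, 2, 255}                  # Table 2 of the draft

def parse_message(msg):
    """Decode one IPFIX message (RFC 7011); fixed-length IANA IEs only."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16       # 16-byte message header
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body, pos = msg[off + 4:off + set_len], 0
        if set_id == 2:                        # Template Set (one record assumed)
            tid, count = struct.unpack_from("!HH", body, 0)
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(count)]
        elif set_id in templates:              # Data Set, Set ID = Template ID
            size = sum(flen for _, flen in templates[set_id])
            while size and pos + size <= len(body):
                rec = {}
                for ie, flen in templates[set_id]:
                    raw, name = body[pos:pos + flen], NAMES.get(ie, f"ie{ie}")
                    rec[name] = str(ipaddress.ip_address(raw)) if "IPv" in name else int.from_bytes(raw, "big")
                    pos += flen
                records.append(rec)
        off += set_len
    return records

def check_record(rec, inventory):
    """Findings for one record: Section 5 rules plus an inventory lookup."""
    findings = []
    if "srPolicyHeadendIPv4Address" in rec and "srPolicyHeadendIPv6Address" in rec:
        findings.append("both headend IEs in one record")
    if rec.get("srPolicyType", 0) not in POLICY_TYPES:
        findings.append("unregistered srPolicyType")
    # Skip absent fields and the all-zeros addresses that mean "no policy".
    pick = lambda *ns: next((rec[n] for n in ns if rec.get(n) not in (None, "0.0.0.0", "::")), None)
    key = (pick("srPolicyHeadendIPv4Address", "srPolicyHeadendIPv6Address"),
           rec.get("srPolicyColor", 0), pick("srPolicyEndpointIPv4", "srPolicyEndpointIPv6"))
    if key[1] and key not in inventory:        # color 0: no SR Policy applied
        findings.append("policy tuple not in inventory")
    return findings

# Constructed message: template 256, then two data records from one headend.
SAMPLE = bytes.fromhex(
    "000a005e 00000000 00000000 00000001"
    "00020020 01000006 00080004 000c0004 7d010004 7d030004 7d040004 7d060001"
    "0100002e 0a000001 0a090909 c0000201 00000064 c0000209 02"
    "         0a000002 0a090909 c0000201 00000309 c0000242 02")
INVENTORY = {("192.0.2.1", 100, "192.0.2.9")}  # constructed: configured policies
for rec in parse_message(SAMPLE):
    print(rec["sourceIPv4Address"], check_record(rec, INVENTORY) or "ok")
```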