.\" $NetBSD: mpls.4,v 1.11 2018/09/14 08:11:30 rin Exp $
.\"
.\" Copyright (c) 2010 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 14, 2018
.Dt MPLS 4
.Os
.Sh NAME
.Nm mpls
.Nd Multiprotocol Label Switching
.Sh SYNOPSIS
.Cd options MPLS
.Cd pseudo-device mpls
.In sys/types.h
.In netmpls/mpls.h
.Sh DESCRIPTION
MultiProtocol Label Switching represents a mechanism which directs
and carries data in high-performance networks, its techniques being
applicable to any network layer protocol.
.Pp
In an MPLS domain the assignment of a particular packet to a particular
Forwarding Equivalence Class is done just once, as the packet enters the
network.
The FEC to which the packet is assigned is encoded as a
short fixed length value known as a
.Dq label .
When a packet is forwarded to the next hop, the label is sent along
with it; that is, the packets are
.Dq labeled
before they are forwarded.
.Pp
A router capable of receiving and forwarding MPLS frames is called
.Dq Label Switch Router
or LSR.
Label scope is generally router-wide, meaning that a certain
label has a specific meaning only for a certain LSR.
.Pp
Currently,
.Nx
supports MPLS over Ethernet interfaces and GRE tunnels.
For these kinds of interfaces, a label is contained in a fixed-size
.Dq shim
that precedes any network layer headers, just after data
link layer headers.
.Ss MPLS shim header structure
In network bit order:
.Bd -literal
-------------------------------------------
|            |        |       |           |
| Label      | TC     | BoS   | TTL       |
| 20 bits    | 3 bits | 1 bit | 8 bits    |
|            |        |       |           |
-------------------------------------------
.Ed
.Bl -tag -width "Bottom of Stack"
.It Label
20 bits representing the FEC, and consequently the only information
used to forward the frame to the next hop.
.It Traffic Class Field
3 bits that are used for specifying a traffic class, usually used for defining
a type of service.
This field was named the "Experimental Field" in most early
.Pf ( pre- Ns Li RFC 5462 )
documents.
.It Bottom of Stack
One bit that is set for the last entry in the shim stack and 0 for all others.
An MPLS frame may contain more than one shim, the last one before the
network headers being marked by setting the BoS bit.
.It TTL
8 bits, representing Time to Live, decremented at every LSR.
.El
.Sh USAGE
The MPLS behavior is controlled by the
.Li net.mpls
.Xr sysctl 8
tree:
.Bl -tag -width "net.mpls.inet6_map_prec"
.It Li net.mpls.accept
If zero, MPLS frames are dropped on sight on ingress interfaces.
.It Li net.mpls.forwarding
If zero, MPLS frames are not forwarded to the next hop.
.It Li net.mpls.ttl
The default TTL for self-generated MPLS frames.
.It Li net.mpls.inet_mapttl
If set, the TTL field from the IP header will be mapped
into the MPLS shim on encapsulation, and the TTL field from the MPLS shim
will be copied into the IP header on decapsulation.
.It Li net.mpls.inet6_mapttl
The IPv6 version of the above.
.It Li net.mpls.inet_map_prec
If set, the precedence field from the IP header will be
mapped into the TC field of the MPLS shim on encapsulation, and the MPLS TC
field will be copied into the IP Precedence field on decapsulation.
.It Li net.mpls.inet6_map_prec
The IPv6 version of the above.
.It Li net.mpls.icmp_respond
Returns ICMP TTL exceeded in transit when an MPLS
frame is dropped because of TTL = 0 on the egress interface.
.It Li net.mpls.rfc4182
Pop the Explicit Null labels as specified by
.Li RFC 4182 .
.El
In order to encapsulate and decapsulate to and from MPLS, an mpls
pseudo-interface must be created and packets that should be encapsulated
must be routed to that interface.
.Pp
MPLS routes may be created using
.Dv AF_MPLS
.Li sa_family
sockaddrs for destination and tag fields.
Other protocols can be encapsulated using
routes pointing to mpls pseudo-interfaces, and
.Dv AF_MPLS
sockaddrs for tags.
Decapsulation can be made using values of reserved labels set in
the tag field (see below).
For more information about doing this using
userland utilities see the
.Sx EXAMPLES
section of this manual page.
.Pp
The
.Xr netstat 1
and
.Xr route 8
utilities should be used to manage routes from userland.
.Pp
The
.Nx
implementation stores route tagging information in a sockaddr_mpls structure
that is referenced by the rt_tag field of the rtentry struct.
For storing multiple labels associated with the next-hop, the current
implementation abuses the sockaddr_mpls structure, extending it in order to fit
a stack of labels.
.Pp
.Xr ldpd 8
should be used in order to automatically import, manage and
distribute labels among LSRs in the same MPLS domain.
.Ss RESERVED LABELS
MPLS labels 0 through 15 are reserved.
Out of those, only four are currently defined:
.Bl -tag -width X
.It 0
IPv4 Explicit NULL label.
This label value is only legal at the bottom of the label stack.
It indicates that the label stack must be popped,
and the forwarding of the packet must then be based on the IPv4 header.
.It 1
Router Alert Label.
Currently not implemented in
.Nx .
.It 2
IPv6 Explicit NULL label.
It indicates that the label stack must be popped, and the forwarding
of the packet must then be based on the IPv6 header.
.It 3
Implicit NULL label.
This is a label that an LSR may assign and
distribute, but which never actually appears in the encapsulation.
When an LSR would otherwise replace the label at the top of the stack
with a new label, but the new label is
.Dq Implicit NULL ,
the LSR will pop the stack instead of doing the replacement.
In this case, the LSR will have to deduce by itself the original
address family of the encapsulated network packet.
Currently, the
.Nx
implementation assumes that this address family
is equal to the next-hop address family specified in the Implicit Null Label
MPLS route.
.El
.Sh EXAMPLES
.Bl -enum
.It
Create an MPLS interface and set an IP address:
.Bd -literal
# ifconfig mpls0 create up
# ifconfig mpls0 inet 192.168.0.1/32
.Ed
.It
Route IP packets into the MPLS domain with a specific tag:
.Bd -literal
# route add 10.0.0.0/8 -ifp mpls0 -tag 25 -inet 192.168.1.100
.Ed
.It
Create a static MPLS forwarding rule - swap the incoming
label 50 to 33 and forward the frame to 192.168.1.101 - and verify
the route:
.Bd -literal
# route add -mpls 50 -tag 33 -inet 192.168.1.101
add host 50: gateway 192.168.1.101
# route -n get -mpls 50
   route to: 50
destination: 50
    gateway: 192.168.1.101
        Tag: 33
 local addr: 192.168.1.180
  interface: sk0
      flags: <UP,GATEWAY,HOST,DONE,STATIC>
recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0         0         0
sockaddrs: <DST,GATEWAY,IFP,IFA,TAG>
.Ed
.It
Route IP packets into the MPLS domain but use a different source
address for locally generated packets:
.Bd -literal
# route add 10.0.0.0/8 -ifa 192.168.1.180 -ifp mpls0 -tag 25 -inet 192.168.1.100
.Ed
For the latter example, setting an IP address for the mpls0 interface
is not necessary.
.It
Route MPLS packets encapsulated with label 60 to 192.168.1.100 and POP the label:
.Bd -literal
# route add -mpls 60 -tag 3 -inet 192.168.1.100
.Ed
.It
Route IP packets into the MPLS domain and prepend more tags:
.Bd -literal
# route add 10/8 -ifa 192.168.1.200 -ifp mpls0 -tag 20,30,40 -inet 192.168.1.100
.Ed
For the above example, tag 20 will be inserted at Bottom of Stack, while tag 40
will be set into the outermost shim.
.It
Replace label 60 with label 30, prepend two more labels, 40 and 41 (in this
order), and forward the result to 192.168.1.100:
.Bd -literal
# route add -mpls 60 -tag 30,40,41 -inet 192.168.1.100
.Ed
.El
.Sh SEE ALSO
.Xr netstat 1 ,
.Xr route 4 ,
.Xr ldpd 8 ,
.Xr route 8 ,
.Xr sysctl 8
.Rs
.%R RFC 3031
.%T Multiprotocol Label Switching Architecture
.Re
.Rs
.%R RFC 3032
.%T MPLS Label Stack Encoding
.Re
.Rs
.%R RFC 4182
.%T Removing a Restriction on the use of MPLS Explicit NULL
.Re
.Rs
.%R RFC 5462
.%T MPLS Label Stack Entry: "EXP" Field Renamed to "Traffic Class" Field
.Re
.Sh HISTORY
The
.Nm
support appeared in
.Nx 6.0 .
.Sh SECURITY CONSIDERATIONS
Users must be aware that encapsulating IP packets in MPLS has
major security implications when using firewalls.
Currently neither
.Xr ipf 4
nor
.Xr pf 4
implements the heuristics needed to look inside an MPLS frame.
Moreover, it's technically impossible in most cases for an LSR to
know information related to the encapsulated packet.
Therefore, MPLS Domains should be strictly controlled and, in most
cases, limited to trusted connections inside the same Autonomous
System.
.Pp
Users must be aware that the MPLS forwarding domain is entirely separated
from the inner (IP, IPv6 etc.) forwarding domain and once a packet is
encapsulated in MPLS, the former forwarding is used.
This could result in a different path for MPLS encapsulated packets
than the original non-MPLS one.
.Pp
IP or IPv6 forwarding is not necessary for MPLS forwarding.
Your system may still forward IP or IPv6 packets encapsulated into
MPLS if
.Li net.mpls.forwarding
is set.
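.Pp
The following is an added example, not part of the NetBSD manual or kernel
sources: a userland inspection routine that walks a shim stack as laid out
under "MPLS shim header structure" and guesses the inner address family, the
kind of heuristic a packet filter would need in order to look inside an MPLS
frame.
The names mpls_decode, mpls_inspect and MPLS_MAX_DEPTH are hypothetical, and
the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define MPLS_MAX_DEPTH 8	/* assumption: inspection limit chosen for this example */

/* One decoded shim; fields as in "MPLS shim header structure". */
struct mpls_shim { uint32_t label; uint8_t tc, bos, ttl; };

/* Constructed sample: stack 40 / 30 / 20 (20 at BoS, TTL 64), then an IPv4 header start. */
static const uint8_t sample_frame[] = {
	0x00, 0x02, 0x80, 0x40,  0x00, 0x01, 0xe0, 0x40,
	0x00, 0x01, 0x41, 0x40,  0x45, 0x00
};

/* Decode the 4-byte shim at p (network bit order). */
struct mpls_shim mpls_decode(const uint8_t *p)
{
	uint32_t w = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
	    (uint32_t)p[2] << 8 | p[3];
	struct mpls_shim s = { w >> 12, (w >> 9) & 7, (w >> 8) & 1, w & 0xff };
	return s;
}

/*
 * Walk the shim stack in buf (the bytes after the link-layer header).
 * Returns the stack depth, or -1 if the stack is truncated or deeper than
 * MPLS_MAX_DEPTH. *off is the payload offset; *af is 4, 6, or 0 (unknown).
 */
int mpls_inspect(const uint8_t *buf, size_t len, size_t *off, int *af)
{
	struct mpls_shim s;
	int depth = 0;

	*off = 0;
	do {
		if (depth == MPLS_MAX_DEPTH || len - *off < 4)
			return -1;
		s = mpls_decode(buf + *off);
		*off += 4;
		depth++;
	} while (!s.bos);
	if (s.label == 0 || s.label == 2)	/* Explicit NULL names the family */
		*af = s.label == 0 ? 4 : 6;
	else {	/* heuristic only: the payload need not be IP at all */
		int v = *off < len ? buf[*off] >> 4 : 0;
		*af = (v == 4 || v == 6) ? v : 0;
	}
	return depth;
}
```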