Network Working Group                                       A. Bashandy
Internet Draft                                                   Arrcus                                       S. Litkowski
Internet-Draft                                                    Orange
Intended status: Standard Standards Track                             C. Filsfils                             A. Bashandy
Expires: June September 6, 2019                                    Individual
                                                             C. Filsfils
                                                           Cisco Systems
                                                         Bruno
                                                             B. Decraene
                                                     Stephane Litkowski
                                                                  Orange
                                                         Pierre
                                                             P. Francois
                                                               INSA Lyon
                                                                D. Voyer
                                                             Bell Canada
                                                           Francois
                                                                 F. Clad
                                                         Pablo
                                                            P. Camarillo
                                                           Cisco Systems
                                                       December 3, 2018
                                                           March 5, 2019

        Topology Independent Fast Reroute using Segment Routing
                draft-ietf-rtgwg-segment-routing-ti-lfa-00
               draft-ietf-rtgwg-segment-routing-ti-lfa-01

Abstract

   This document presents Topology Independent Loop-free Alternate Fast
   Re-route (TI-LFA), aimed at providing protection of node and
   adjacency segments within the Segment Routing (SR) framework.  This
   Fast Re-route (FRR) behavior builds on proven IP-FRR concepts being
   LFAs, remote LFAs (RLFA), and remote LFAs with directed forwarding
   (DLFA).  It extends these concepts to provide guaranteed coverage in
   any IGP network.  A key aspect of TI-LFA is the FRR path selection
   approach establishing protection over the expected post-convergence
   paths from the point of local repair, dramatically reducing the
   operational need to control the tie-breaks among various FRR options.

Status of this This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008. The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts.
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html
   This Internet-Draft will expire on June 3, September 6, 2019.

Copyright Notice

   Copyright (c) 2018 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info)
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction...................................................3  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Conventions used in this document.........................5 document . . . . . . . . . . . .   7
   2. Terminology....................................................5  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   7
   3.  Intersecting P-Space and Q-Space with post-convergence paths...6 paths    8
     3.1.  P-Space property computation for a resource X.............6 X . . . . . .   8
     3.2.  Q-Space property computation for a link S-F,   over post-
           convergence paths..............................................6 paths . . . . . . . . . . . . . . . . . . . .   8
     3.3.  Q-Space property computation for a set of links adjacent
           to S,   over post-convergence paths.................................7 paths . . . . . . . . . . .   9
     3.4.  Q-Space property computation for a node F,   over post-
           convergence paths..............................................7 paths . . . . . . . . . . . . . . . . . . . .   9
     3.5.  Scaling considerations when computing Q-Space . . . . . .   9
   4.  TI-LFA Repair Tunnel...........................................7 Tunnel  . . . . . . . . . . . . . . . . . . . .   9
     4.1. The repair node is  FRR path using a direct neighbor......................7 neighbor  . . . . . . . . . . . .  10
     4.2. The repair node is  FRR path using a PQ node..............................8 node  . . . . . . . . . . . . . . . .  10
     4.3. The repair is  FRR path using a Q node, neighbor of the last P node.......8 node and Q node that are adjacent  . .  10
     4.4.  Connecting distant P and Q nodes along post-convergence
      paths..........................................................8
           paths . . . . . . . . . . . . . . . . . . . . . . . . . .  10
   5.  Protecting segments............................................8 segments . . . . . . . . . . . . . . . . . . . . .  10
     5.1.  The active segment is a node segment......................8 segment  . . . . . . . . . .  11
     5.2.  The active segment is an adjacency segment................9 segment  . . . . . . .  11
       5.2.1.  Protecting [Adjacency, Adjacency] segment lists......9 lists . . .  11
       5.2.2.  Protecting [Adjacency, Node] segment lists...........9 lists  . . . . .  12
     5.3.  Protecting SR policy midpoints against node failure......10 failure . . .  13
       5.3.1.  Protecting {F, T, D} or {S->F, T, D}................10 D}  . . . . . . . .  13
       5.3.2.  Protecting {F, F->T, D} or {S->F, F->T, D}..........11 D}  . . . . .  14
   6.  TI-LFA and SR algorithms  . . . . . . . . . . . . . . . . . .  15
   7.  Usage of Adjacency segments in the repair list  . . . . . . .  16
   8.  Measurements on Real Networks.................................12
   7. Security Considerations.......................................17
   8. IANA Considerations...........................................17 Networks . . . . . . . . . . . . . . . .  16
   9. Conclusions...................................................17  Security Considerations . . . . . . . . . . . . . . . . . . .  21
   10. References...................................................17
      10.1. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  21
   11. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . .  21
   12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  21
   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .  22
     13.1.  Normative References....................................17
      10.2. References . . . . . . . . . . . . . . . . . .  22
     13.2.  Informative References..................................17
   11. Acknowledgments..............................................18 References . . . . . . . . . . . . . . . . .  22
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  23

1.  Introduction

   Segment Routing aims at supporting services with tight SLA guarantees [1].
   [RFC8402].  By relying on segment routing SR this document provides a local repair
   mechanism for standard IGP shortest path capable of restoring end-to-end end-to-
   end connectivity in the case of a sudden directly connected failure
   of a network component.  Non-SR mechanisms for local repair are
   beyond the scope of this document.  Non-local failures are addressed
   in a separate document [6]. [I-D.bashandy-rtgwg-segment-routing-uloop].

   The term topology independent (Ti) (TI) refers to the ability to provide a
   loop free backup path irrespective of the topologies prior used in the
   failure
   network.  This provides a major improvment compared to LFA
   ([RFC5286]) and after the failure. remote LFA ([RFC7490]) which cannot be applicable in
   some topologies ([RFC6571]).

   For each destination in the network, TI-LFA prepares pre-installs a data-plane
   switch-over backup
   forwarding entry for each protected destination ready to be activated
   upon detection of the failure of a link used to reach the
   destination.  TI-LFA provides protection in the event of any one of
   the following: single link failure, single node failure, or single local
   SRLG failure.  In link failure mode, the destination is protected
   assuming the failure of the link.  In node protection mode, the
   destination is protected assuming that the neighbor connected to the
   primary link has failed.  In local SRLG protecting mode, the destination is
   protected assuming that a configured set of links sharing fate with
   the primary link has failed (e.g. a linecard).

   Protection techniques outlined in linecard or a set of links
   sharing a common transmission pipe).

   Protection techniques outlined in this document are limited to
   protecting links, nodes, and local SRLGs that are within a routing domain.
   Protecting domain exit routers and/or links attached to another
   routing domains are beyond the scope of this document

   Using segment routing, there is no need

   Thanks to establish SR, TI-LFA does not require the establishment of TLDP
   sessions with remote nodes in order to take advantage of the
   applicability of remote LFAs (RLFA) [4][5] [RFC7490][RFC7916] or remote LFAs
   with directed forwarding
   (DLFA)[2]. (DLFA)[RFC5714].  All the Segment
   Identifiers (SIDs) are available in the link state database (LSDB) of
   the IGP.  As a result, preferring LFAs over RLFAs or DLFAs, as well
   as minimizing the number of RLFA or DLFA repair nodes is not required

   Using
   anymore.

   Thanks to SR, there is no need to create state in the network in
   order to enforce an explicit FRR path thereby relieving path.  This relieves the nodes
   themselves from the having to maintain extra state , and it relieves the
   operator from having to deploy an extra protocol or extra protocol
   sessions just to enhance FRR coverage.

   The FRR behavior suggested in this document tailors the repair paths
   over the post-convergence path from the PLR to the protected
   destination, given the enabled protection mode for the interface.
   Using the post-convergence path in TI-LFA resolves some of coverage.

   [RFC7916] raised several operational issues with considerations when using LFA selection that are mentioned in or
   remote LFA.  [RFC7916] Section 3 of [5] (e.g. using PE routers to protect against presents a case where a high
   bandwidth link between two core failures, or
   selecting links routers is protected through a PE
   router connected with low BW while links with high BW are available),
   because these issues presumably have been taken care of by bandwidth links.  In such a case,
   congestion may happen when the FRR backup path is activated.
   [RFC7916] introduces a local policy framework to let the
   network operator as part of
   tuning manually the best alternate election based on its original own
   requirements.

   From a network engineering. Hence
   traffic capacity planning point of view, it is often assumed
   that permanently uses the PLR after if a link L fails on a particular node X, the failure achieves
   maximum benefits. Traffic that does not use bandwidth consumed
   on L will be spread over some of the PLR prior remaining links of X.  The
   remaining links to and
   after be used are determined by the failure remains unaffected. Traffic IGP routing
   considering that temporarily
   continues to use the PLR after link L has failed (we assume that the failure benefits traffic
   uses the post-convergence path starting from the quick
   switching node X).  In
   Figure 1, we consider a network with all metrics equal to 1 except
   the backup path metrics on links used by minimizing PE1, PE2 and PE3 which are 1000.  An
   easy network capacity planning method is to consider that if the link
   L (X-B) fails, the traffic loss until remote
   node(s) reacts. actually flowing through L     ____
                                 S----F--{____}----D
                                /\    |          /
                               |  |   | _______ /
                               |__}---Q{_______}

                       Figure 1 TI-LFA Protection

   We use Figure 1 to illustrate will be spread
   over the TI-LFA approach.

   The Point of Local Repair (PLR), S, needs to find a node Q (a repair
   node) that is capable remaining links of safely forwarding X (X-H, X-D, X-A).  Considering the traffic IGP
   metrics, only X-H and X-D can only be used in reality to a
   destination D affected by carry the failure of
   traffic flowing through the protected link L, L.  As a set consequence, the bandwidth
   of adjacent links including X-H and X-D is sized according to this rule.  We should
   observe that this capacity planning policy works, however it is not
   fully accurate.

   In Figure 1, considering that the source of traffic is only from PE1
   and PE4, when the link L (local SRLG), or fails, depending on the node F itself.
   The PLR also needs convergence speed of
   the nodes, X may reroute its forwarding entries to find the remote PEs
   onto X-H or X-D; however in a way similar timeframe, PE1 will also
   reroute a subset of its traffic (the subset destined to reach Q without being affected
   by PE2) out of
   its nominal path reducing the convergence state quantity of traffic received by X.  The
   capacity planning rule presented previously has the nodes over drawback of
   oversizing the paths network, however it wants to use allows to reach Q.

   In Section 2 we define the main notations used in the document.
   They are prevent any transient
   congestion (when for example X reroutes traffic before PE1 does).

              H --- I --- J
              |           | \
   PE4        |           |  PE3
      \       | (L)       | /
        A --- X --- B --- G
       /      |           | \
    PE1       |           |  PE2
       \      |           | /
        C --- D --- E --- F

                                 Figure 1

   Based on this assumption, in line with [2].

   In Section 3, we suggest order to compute facilitate the P-Space operation of
   FRR, and Q-Space
   properties defined in Section 2, for limit the specific case implementation of nodes
   lying over local FRR policies, it looks
   interesting to steer the traffic onto the post-convergence paths towards path from
   the protected
   destinations.

   Using PLR point of view during the properties defined in Section 3, Section 4 describes
   how FRR phasis.  In our example, when
   link L fails, X switches the traffic destined to compute protection lists that encode a loopfree post-
   convergence path towards the destination.

   Section 5 defines PE3 and PE2 on the segment operations to be applied by
   post-convergence paths.  This is perfectly inline with the PLR
   to ensure consistency capacity
   planning rule that was presented before and also inline with the forwarding state of fact
   X may converge before PE1 (or any other upstream router) and may
   spread the repair node.

   By applying X-B traffic onto the algorithms specified in this document post-convergence paths rooted at X.

   It should be noted, that some networks may have a different capacity
   planning rule, leading to actual
   service providers an allocation of less bandwidth on X-H and large enterprise networks, we provide real
   life measurements for
   X-D links.  In such a case, using the number of SIDs used by repair paths.
   Section 6 summarizes these measurements.

1.1. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", post-convergence paths rooted
   at X during FRR may introduce some congestion on X-H and "OPTIONAL" in this
   document are X-D links.
   However it is important to be interpreted as described in RFC-2119

   In this document, these words will appear with note, that interpretation
   only a transient congestion may
   possibly happen, even without FRR activated, for instance when in ALL CAPS. Lower case uses of these words X
   converges before the upstream routers.  Operators are not still free to be
   interpreted as carrying RFC-2119 significance.

2. Terminology

   We define
   use the main notations used policy framework defined in this document as the following.

   We refer to "old" and "new" topologies as the LSDB state before and
   after [RFC7916] if the considered failure.

   SPT_old(R) is usage of the Shortest Path Tree
   post-convergence paths rooted at node R in the initial
   state PLR is not suitable.

   Readers should be aware that FRR protection is pre-computing a backup
   path to protect against a particular type of failure (link, node,
   SRLG).  When using the network.

   SPT_new(R, X) is post-convergence path as FRR backup path, the Shortest Path Tree rooted at node R in
   computed post-convergence path is the
   state of one considering the network after the resource X has failed.

   Dist_old(A,B) failure we
   are protecting against.  This means that FRR is the shortest distance using an expected
   post-convergence path, and this expected post-convergence path may be
   actually different from node A to node B in
   SPT_old(A).

   Dist_new(A,B, X) is the shortest distance from node A to node B in
   SPT_new(A,X).

   PLR stands for "Point of Local Repair". It is post-convergence path used if the router failure
   that
   applies fast traffic restoration after detecting happened is different from the failure in a
   directly attached link, set of links, and/or node.

   Similar to [4], we use FRR was protecting
   against.  As an example, if the concept of P-Space and Q-Space for TI-
   LFA.

   The P-Space P(R,X) of operator has implemented a node R w.r.t. protection
   against a resource X (e.g. node failure, the expected post-convergence path used
   during FRR will be the one considering that the node has failed.
   However, even if a single link S-F,
   a node F, is failing or a local SRLG) is the set of nodes links is
   failing (instead of the full node), the node-protecting post-
   convergence path will be used.  The consequence is that are reachable
   from R without passing through X. It the path used
   during FRR is not optimal with respect to the set of nodes failure that has
   actually occured.

   Another consideration to take into account is: while using the
   expected post-convergence path for SR traffic using node segments
   only (for instance, PE to PE traffic using shortest path) has some
   advantages, these advantages reduce when SR policies
   ([I-D.ietf-spring-segment-routing-policy]) are
   not downstream of X involved.  A segment-
   list used in SPT_old(R).

   The Extended P-Space P'(R,X) of a node R w.r.t. a resource X an SR policy is the computed to obey a set of nodes that are reachable from R path
   constraints defined locally at the head-end or centrally in a neighbor of R, without
   passing through X.

   The Q-Space Q(D,X)
   controller.  TI-LFA cannot be aware of a destination node D w.r.t. a resource X such path constraints and
   there is
   the set of nodes which do not use X no reason to reach D expect the TI-LFA backup path protecting one
   the segments in that segment list to obey those constraints.  When SR
   policies are used and the initial state operator wants to have a backup path which
   still follows the policy requirements, this backup path should be
   computed as part of the network.  In other words, it is SR policy in the ingress node (or central
   controller) and the SR policy should not rely on local protection.
   Another option could be to use FlexAlgo ([I-D.ietf-lsr-flex-algo]) to
   express the set of nodes which have D
   in their P-Space w.r.t. S-F, F, or constraints and use a set of links adjacent single node segment
   associated with a FlexAlgo to S).

   A symmetric network is reach the destination.  When using a network such that
   node segment associated with a FlexAlgo, TI-LFA keeps providing an
   optimal backup by applying the IGP metric appropriate set of each
   link is constraints.  The
   relationship between TI-LFA and the same SR-algorithm is detailled in both directions of the link.

3. Intersecting P-Space and Q-Space with post-convergence paths

   In this section, we suggest
   Section 6.

   Thanks to determine the P-Space SR and Q-Space
   properties the combination of Adjacency segments and Node
   segments, the nodes along expression of the expected post-convergence paths from path rooted
   at the PLR to the protected destination is facilitated and compute an SR-based explicit
   path from P to Q when they are does not adjacent.  Such properties will
   be used in Section 4 create any additional state on
   intermediate nodes.  The easiest way to compute express the TI-LFA repair list.

3.1. P-Space property computation for expected post-
   convergence path in a resource X

   A node N loop-free manner is in P(R, X) if to encode it is not downstream as a list of X
   adjacency segments.  However, in SPT_old(R).
   X can be a link, a node, or an MPLS world, this may create a set
   long stack of links adjacent labels to the PLR. A
   node N is in P'(R,X) if it is be pushed that some hardware may not downstream be able
   to push.  One of X in SPT_old(N),
   for at least one neighbor N the challenges of R.

3.2. Q-Space property computation for a link S-F, over post-
   convergence paths

   We want TI-LFA is to determine which nodes on encode the expected
   post-convergence path from
   the PLR by combining adjacency segments and node
   segments.  Each implementation will be free to the destination D are in the Q-Space of destination D
   w.r.t. link S-F. have its own path
   compression optimization algorithm.  This can document details the basic
   concepts that could be found by intersecting used to build the post-convergence SR backup path as well as
   the associated dataplane procedures.

                                    L     ____
                                 S----F--{____}----D
                                /\    |          /
                               |  |   | _______ /
                               |__}---Q{_______}

                        Figure 2: TI-LFA Protection

   We use Figure 2 to D,
   assuming illustrate the failure of S-F, with Q(D, S-F).

3.3. Q-Space property computation for a set TI-LFA approach.

   The Point of links adjacent to Local Repair (PLR), S,
   over post-convergence paths

   We want needs to determine which nodes on the post-convergence path from find a node Q (a repair
   node) that is capable of safely forwarding the PLR traffic to the a
   destination D are in affected by the Q-Space failure of destination D
   w.r.t. the protected link L, a set
   of links adjacent to S (S being including L (SRLG), or the PLR).  That is, we
   aim node F itself.  The PLR also
   needs to find a way to reach Q without being affected by the set
   convergence state of the nodes on over the post-convergence path that paths it wants to use
   none of the members of the protected set of links, to
   reach D.

   This can be found by intersecting Q: the post-convergence PLR needs a loop-free path to D,
   assuming reach Q.

   Section 2 defines the failure of main notations used in the set of links, document.  They are
   in line with the intersection
   among Q(D, S->X) for all S->X belonging [RFC5714].

   Section 3 suggests to compute the set of links.

3.4. P-Space and Q-Space property computation properties
   defined in Section 2, for a node F, the specific case of nodes lying over the
   post-convergence paths

   We want to determine which nodes on towards the post-convergence from protected destinations.

   Using the
   PLR properties defined in Section 3, Section 4 describes how to
   compute protection lists that encode a loop-free post- convergence
   path towards the destination D are in destination.

   Section 5 defines the Q-Space of destination D w.r.t.
   node F.

   This can segment operations to be found applied by intersecting the post-convergence path PLR to D,
   assuming
   ensure consistency with the failure forwarding state of F, with Q(D, F).

4. TI-LFA Repair Tunnel

   The TI-LFA the repair tunnel consists of an outgoing interface node.

   By applying the algorithms specified in this document to actual
   service providers and a
   list large enterprise networks, we provide real life
   measurements for the number of segments (repair list) SIDs used by repair paths.  Section 8
   summarizes these measurements.

1.1.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to insert on be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Terminology

   We define the SR header.  The
   repair list encodes main notations used in this document as the explicit post-convergence path following.

   We refer to "old" and "new" topologies as the
   destination, which avoids LSDB state before and
   after the protected resource X and, considered failure.

   SPT_old(R) is the Shortest Path Tree rooted at node R in the same
   time, is guaranteed to be loop free irrespective initial
   state of the network.

   SPT_new(R, X) is the Shortest Path Tree rooted at node R in the state
   of
   FIBs along the nodes belonging to network after the explicit path. Thus there is
   no need resource X has failed.

   PLR stands for any co-ordination or message exchange between "Point of Local Repair".  It is the PLR
   and any other router that
   applies fast traffic restoration after detecting failure in a
   directly attached link, set of links, and/or node.

   Similar to [RFC7490], we use the network. concept of P-Space and Q-Space for
   TI- LFA.

   The TI-LFA repair tunnel P-Space P(R,X) of a node R w.r.t. a resource X (e.g. a link S-F,
   a node F, or a SRLG) is found by intersecting P(S,X) and Q(D,X)
   with the post-convergence path to D and computing the explicit SR-
   based path EP(P, Q) from P to Q when these set of nodes that are not adjacent
   along the post convergence path.  The TI-LFA repair list reachable from R
   without passing through X.  It is
   expressed generally as (Node_SID(P), EP(P, Q)).

   Most often, the TI-LFA repair list has a simpler form, as described
   in the following sections. Section 6 provides statistics for the
   number set of SIDs nodes that are not
   downstream of X in the explicit path to protect against various
   failures.

4.1. SPT_old(R).

   The repair node is Extended P-Space P'(R,X) of a direct neighbor

   When the repair node is R w.r.t. a direct neighbor, the outgoing interface resource X is the
   set to of nodes that are reachable from R or a neighbor and the repair segment list is empty.

   This is comparable to a post-convergence LFA FRR repair.

4.2. of R, without
   passing through X.

   The repair node is Q-Space Q(D,X) of a PQ node

   When the repair destination node D w.r.t. a resource X is the
   set of nodes which do not use X to reach D in P(S,X), the repair list initial state of
   the network.  In other words, it is made the set of nodes which have D in
   their P-Space w.r.t.  S-F, F, or a
   single node segment set of links adjacent to the repair node.

   This S).

   A symmetric network is comparable to a post-convergence RLFA repair tunnel.

4.3. The repair network such that the IGP metric of each
   link is a Q node, neighbor the same in both directions of the last P node

   When link.

3.  Intersecting P-Space and Q-Space with post-convergence paths

   One of the repair node challenges of defining an SR path following the expected
   post-convergence path is adjacent to P(S,X), reduce the repair list is made size of two segments: A node segment to the adjacent P node, and an
   adjacency segment from that node list.  In
   order to reduce this segment list, an implementation MAY determine
   the repair node.

   This is comparable to a post-convergence DLFA repair tunnel.

4.4. Connecting distant P P-Space/Extended P-Space and Q Q-Space properties (defined in
   [RFC7490]) of the nodes along post-convergence paths

   In some cases, there is no adjacent P and Q node along the post-
   convergence path.  However, expected post-convergence path from
   the PLR can perform additional
   computations to the protected destination and compute a list of segments that represent a loopfree an SR-based explicit
   path from P to Q.

5. Protecting segments

   In this section, we explain how a protecting router S processes the
   active segment of a packet upon the failure of its primary outgoing
   interface for the packet, S-F.

   The behavior depends on the type of active segment to Q when they are not adjacent.  Such properties will be protected.

5.1. The active segment is
   used in Section 4 to compute the TI-LFA repair list.

3.1.  P-Space property computation for a resource X

   A node segment

   The active segment N is kept on the SR header, unchanged (1).  The
   repair list in P(R, X) if it is inserted at the head not downstream of the list.  The active segment
   becomes the first segment X in SPT_old(R).  X
   can be a link, a node, or a set of links adjacent to the inserted repair list.

   Note (1): If SR-MPLS PLR.  A node
   N is being used and the SRGB in P'(R,X) if it is not downstream of X in SPT_old(N), for at
   least one neighbor N of R.

3.2.  Q-Space property computation for a link S-F, over post-convergence
      paths

   We want to determine which nodes on the repair node
   is different post-convergence path from
   the SRGB at PLR to the PLR, then destination D are in the active segment MUST Q-Space of destination D
   w.r.t. link S-F.

   This can be updated found by intersecting the post-convergence path to fit D,
   assuming the SRGB failure of S-F, with Q(D, S-F).

3.3.  Q-Space property computation for a set of links adjacent to S,
      over post-convergence paths

   We want to determine which nodes on the repair node.

   In Section 5.3, we describe post-convergence path from
   the node protection behavior of PLR S,
   for to the specific case where destination D are in the active segment is Q-Space of destination D
   w.r.t. a prefix segment
   for the neighbor F itself.

5.2. The set of links adjacent to S (S being the PLR).  That is, we
   aim to find the set of nodes on the post-convergence path that use
   none of the members of the protected set of links, to reach D.

   This can be found by intersecting the post-convergence path to D,
   assuming the failure of the set of links, with the intersection among
   Q(D, S->X) for all S->X belonging to the set of links.

3.4.  Q-Space property computation for a node F, over post-convergence
      paths

   We want to determine which nodes on the post-convergence from the PLR
   to the destination D are in the Q-Space of destination D w.r.t.  node
   F.

   This can be found by intersecting the post-convergence path to D,
   assuming the failure of F, with Q(D, F).

3.5.  Scaling considerations when computing Q-Space

   [RFC7490] raises scaling concerns about computing a Q-Space per
   destination.  Similar concerns may affect TI-LFA computation if an
   implementation tries to compute a reverse SPT for every destination
   in the network to determine the Q-Space.  It will be up to each
   implementation to determine the good tradeoff between scaling and
   accuracy of the optimization.

4.  TI-LFA Repair Tunnel

   The TI-LFA repair tunnel consists of an outgoing interface and a list
   of segments (repair list) to insert on the SR header.  The repair
   list encodes the explicit post-convergence path to the destination,
   which avoids the protected resource X and, at the same time, is
   guaranteed to be loop-free irrespective of the state of FIBs along
   the nodes belonging to the explicit path.  Thus there is no need for
   any co-ordination or message exchange between the PLR and any other
   router in the network.

   The TI-LFA repair tunnel is found by intersecting P(S,X) and Q(D,X)
   with the post-convergence path to D and computing the explicit SR-
   based path EP(P, Q) from P to Q when these nodes are not adjacent
   along the post convergence path.  The TI-LFA repair list is expressed
   generally as (Node_SID(P), EP(P, Q)).

   Most often, the TI-LFA repair list has a simpler form, as described
   in the following sections.  Section 8 provides statistics for the
   number of SIDs in the explicit path to protect against various
   failures.

4.1.  FRR path using a direct neighbor

   When a direct neighbor is in P(S,X) and Q(D,x) and on the post-
   convergence path, the outgoing interface is set to that neighbor and
   the repair segment list MUST be empty.

   This is comparable to a post-convergence LFA FRR repair.

4.2.  FRR path using a PQ node

   When a remote node R is in P(S,X) and Q(D,x) and on the post-
   convergence path, the repair list MUST be made of a single node
   segment to R and the outgoing interface MUST be set to the outgoing
   interface used to reach R.

   This is comparable to a post-convergence RLFA repair tunnel.

4.3.  FRR path using a P node and Q node that are adjacent

   When a node P is in P(S,X) and a node Q is in Q(D,x) and both are on
   the post-convergence path and both are adjacent to each other, the
   repair list MUST be made of two segments: A node segment to P (to be
   processed first), followed by an adjacency segment from P to Q.

   This is comparable to a post-convergence DLFA repair tunnel.

4.4.  Connecting distant P and Q nodes along post-convergence paths

   In some cases, there is no adjacent P and Q node along the post-
   convergence path.  However, the PLR can perform additional
   computations to compute a list of segments that represent a loop-free
   path from P to Q.  How these computations are done is out of scope of
   this document.

5.  Protecting segments

   In this section, we explain how a protecting router S processes the
   active segment of a packet upon the failure of its primary outgoing
   interface for the packet, S-F.

   The behavior depends on the type of active segment to be protected.

5.1.  The active segment is a node segment

   The active segment MUST be kept on the SR header unchanged and the
   repair list MUST be inserted at the head of the list.  The active
   segment becomes the first segment of the inserted repair list.

   This behavior is slightly modified when SR-MPLS is used:

   o  If the repair list ends with an adjacency segment terminating on
      the tail-end of the active segment, and if the active segment has
      been signalled with penultimate hop popping, the active segment
      MUST be popped before pushing the repair list.

   o  If the SRGB at the Q node is different from the SRGB at the PLR,
      then the active segment (before the insertion of the repair list)
      MUST be updated to fit the SRGB of the Q node.

   In Section 5.3, we describe the node protection behavior of PLR S,
   for the specific case where the active segment is a prefix segment
   for the neighbor F itself.

5.2.  The active segment is an adjacency segment

   We define hereafter the FRR behavior applied by S for any packet
   received with an active adjacency segment S-F for which protection
   was enabled.  As protection has been enabled for the segment S-F and
   signalled in the IGP, any SR policy using this segment knows that it
   may be transiently rerouted out of S-F in case of S-F failure.

   We distinguish the case where this active segment is followed by
   another adjacency segment from the case where it is followed by a
   node segment.

5.2.1.  Protecting [Adjacency, Adjacency] segment lists

   If the next segment in the list is an Adjacency segment, then the
   packet has to be conveyed to F.

   To do so, S applies MUST apply a "NEXT" operation on Adj(S-F) and then two
   consecutive "PUSH" operations: first it pushes a node segment for F,
   and then it pushes a protection repair list allowing to reach F while bypassing
   S-F.  For details on the "NEXT" and "PUSH" operations,
   refer to [7].

   Upon failure "PUSH" operations, refer to
   [RFC8402].

   Upon failure of S-F, a packet reaching S with a segment list matching
   [adj(S-F),adj(F-M),...] will thus leave S with a segment list
   matching [RT(F),node(F),adj(F-M)], where RT(F) is the repair tunnel
   for destination F.

   This behavior is slightly modified when SR-MPLS is used:

   o  If the repair list ends with an adjacency segment terminating on
      F, and if the node segment of F has been signalled with
      penultimate hop popping, the implementation MUST pop Adj(S-F) and
      then push the repair list (the node segment of S-F, a F is not pushed).
      The packet reaching S with a segment list
   matching [adj(S-F),adj(M),...] will thus leave S with a segment list matching [RT(F),node(F),adj(M)], where RT(F) is the repair tunnel
   for destination F.
      [RT(F),adj(F-M)].

   o  If MPLS forwarding plane the SRGB at the Q node is used, then Note(1) different from Section 5.1 applies here. Hence the SRGB at the PLR,
      then MPLS label representing
   Node(F) node(F) MUST be calculated according to as per the exit point
      SRGB of the repair
   tunnel "RT(F)" Q node.

   In Section 5.3.2, we describe the TI-LFA behavior of PLR S when node
   protection is applied and the two first segments are Adjacency
   Segments.

5.2.2.  Protecting [Adjacency, Node] segment lists

   If the next segment in the stack is a node segment, say for node T,
   the segment list on the packet matches [adj(S-F),node(T),...].

   A first solution would consist in steering the packet back to F while
   avoiding S-F.  To do so, S applies MUST apply a "NEXT" operation on Adj(S-F)
   and then two consecutive "PUSH" operations: first it pushes a node
   segment for F, and then it pushes a repair list allowing to reach F
   while bypassing S-F.

   Upon failure of S-F, a packet reaching S with a segment list matching
   [adj(S-F),node(T),...] will thus leave S with a segment list matching
   [RT(F),node(F),node(T)]. Again if MPLS forwarding
   plane

   This behavior is slightly modified when SR-MPLS is used, used:

   o  If the repair list ends with an adjacency segment terminating on
      F, and if the node segment of F has been signalled with
      penultimate hop popping, the implementation MUST pop Adj(S-F) and
      then Note(1) push the repair list (the node segment of F is not pushed).
      The packet will leave S with a segment list matching
      [RT(F),node(T)].

   o  If the SRGB at the Q node is different from Section 5.1 applies and the SRGB at the PLR,
      then MPLS label representing the node(F) MUST be calculated according to as per the
      SRGB of the last node in the repair tunnel RT(F). Q node.

   Another solution is to not steer the packet back via F but rather
   follow the new shortest path to T.  In this case, S just needs to MUST apply a
   "NEXT" operation on the Adjacency segment related to S-F,
   and push followed by
   a "PUSH" of a repair list redirecting the traffic to a node Q, whose
   path to node segment T is not affected by the failure.

   Upon failure of S-F, packets reaching S with a segment list matching
   [adj(L), node(T), ...], would affected by the failure.

   Upon failure of S-F, packets reaching S with a segment list matching
   [adj(S-F), node(T), ...], would leave S with a segment list matching
   [RT(Q),node(T), ...].  Note that this second behavior is the one
   followed for node protection, as described in Section 5.3.1.

   This behavior is slightly modified when SR-MPLS is used:

   o  If the repair list ends with an adjacency segment terminating on T
      (T being the Q node), and if the node segment of T has been
      signalled with penultimate hop popping, the implementation MUST
      pop Adj(S-F) and then push the repair list (the node segment of T
      is not pushed).  The packet will leave S with a segment list
      matching
   [RT(Q),node(T), [RT(Q=T), ...].  Note that this second behavior is

   o  If the one
   followed for node protection, as described in Section 5.3.1.

   Just like SRGB at the first solution above, if MPLS forwarding plane Q node is
   used, then Note(1) different from Section 5.1 applies. Hence the SRGB at the PLR,
      then the MPLS label
   corresponding to Node(T) representing node(T) MUST be calculated according to as per
      the SRGB of
   node Q. the Q node.

   The first proposal which merges back the traffic at the remote end of
   the adjacency segment has the advantage of keeping as much as
   possible the traffic on the existing path.  As stated in Section 1,
   when SR policies are involved and a strict compliance of the policy
   is required, an end-to-end protection should be preferred over a
   local repair mechanism.

5.3.  Protecting SR policy midpoints against node failure

   In this section, we describe the behavior of a node S configured to
   interpret the failure of link S->F as the node failure of F, in in the
   specific case where the active segment of the packet received by S is
   a Prefix SID of F represented as "F"), or an Adjacency SID for the
   link S-F (represented as "S->F").

5.3.1.  Protecting {F, T, D} or {S->F, T, D}

   This section describes the protection behavior of S when all of the
   following conditions are true:

   1.  the active segment is a prefix SID for a neighbor F, or an
       adjacency segment S->F

   2.  the primary interface used to forward the packet failed
   3.  the segment following the active segment is a prefix SID (for
       node T)

   4.  node protection is active for that interface.

   In such a case, the PLR MUST:

   1.  apply a NEXT operation; the segment F or S->F is removed

   2.  Confirm that the next segment is in the SRGB of F, meaning that
       the
   specific case where next segment is a prefix segment, e.g. for node T

   3.  Retrieve the active segment ID of T (as per the packet received SRGB of F)

   4.  Apply a NEXT operation followed by S
   is a Prefix SID PUSH operation of F represented as "F"), or an Adjacency SID for T's
       segment based on the link S-F (represented as "S->F").

5.3.1. SRGB of node S.

   5.  Look up T's segment (based on the updated label value) and
       forward accordingly.

5.3.2.  Protecting {F, T, F->T, D} or {S->F, T, F->T, D}

   This section describes the protection behavior of S when all of the
   following conditions are true:

   1.  the active segment is a prefix SID for a neighbor F, or an
       adjacency segment S->F

   2.  the primary interface used to forward the packet failed

   3.  the segment following the active segment is a prefix an adjacency SID (for
      node T) (F-
       >T)

   4.  node protection is active for that interface.

   The TILFA Node FRR behavior becomes equivalent to:

   In such a case, the PLR MUST:

   1. Pop;  Apply a NEXT operation; the segment F or S->F is removed

   2.  Confirm that the next segment is in an adjacency SID of F, say F->T

   3.  Retrieve the node segment ID associated to T (as per the set of
       Adjacency Segments of F)

   4.  Apply a NEXT operation on the next segment followed by a PUSH of
       T's segment based on the SRGB of F, meaning the node S.

   5.  Look up T's segment (based on the updated label value) and
       forward accordingly.

   It is noteworthy to mention that node "S" in the procedures described
   in Sections 5.3.1 and 5.3.2 can always determine whether the next segment
   after popping the top segment is an adjacency SID or a prefix segment, e.g. for prefix-SID of
   the next-hop "F" as follows:

   1.  In a link state environment, the node T "S" knows the SRGB and the
       adj-SIDs of the neighboring node "F"

   2.  If the new segment after popping the top segment is within the
       SRGB or the adj-SIDs of "F", then node "S" is certain that the
       failure of node "F" is a midpoint failure and hence node "S"
       applies the procedures specified in Sections 5.3.1 or 5.3.2,
       respectively.

   3. Identify T (as per the SRGB of F)

   4. Pop  Otherwise the next segment failure is not a midpoint failure and push T's segment based on hence the SRGB of
       node "S".

   5. forward the packet according to T.

5.3.2. Protecting {F, F->T, D} or {S->F, F->T, D}

   This section describes the "S" may apply other protection behavior of S when all of the
   following conditions techniques that are true:

   1. beyond
       the active segment is scope of this document or simply drop the packet and wait for
       normal protocol convergence.

6.  TI-LFA and SR algorithms

   SR allows an operator to bind an algorithm to a prefix SID for a neighbor F, or an
      adjacency segment S->F

   2. (as
   defined in [RFC8402].  The algorithm value dictates how the primary interface used path to forward the packet failed

   3. the segment following
   the active segment prefix is computed.  The SR default algorithm is known has the
   "Shortest Path" algorithm.  The SR default algorithm allows an adjacency SID (F-
      >T)

   4. node protection
   operator to override the IGP shortest path by using local policies.
   When TI-LFA uses Node-SIDs associated with the default algorithm,
   there is active for no guarantee that interface.

   The TILFA Node FRR behavior the path will be loop-free as a local
   policy may have overriden the expected IGP path.  As the local
   policies are defined by the operator, it becomes equivalent to:

   1. Pop; the segment F or S->F is removed

   2. Confirm responsibility
   of this operator to ensure that the next segment deployed policies do not affect
   the TI-LFA deployment.  It should be noted that such situation can
   already happen today with existing mechanisms as remote LFA.

   When a Node-SID is an adjacency associated with the SR default algorithm,
   enforcing TI-LFA to use Node-SIDs associated with a strict SPF
   algorithm is a definitive solution to this problem.

   [I-D.ietf-lsr-flex-algo] defines a flexible algorithm (FlexAlgo)
   framework to be associated with Prefix SIDs.  FlexAlgo allows a user
   to associate a constrained path to a Prefix SID of F, say F->T

   3. Identify T (as per rather than using the set of Adjacency Segments of F)

   4. Pop
   regular IGP shortest path.  An implementation MAY support TI-LFA to
   protect Node-SIDs associated to a FlexAlgo.  In such a case, rather
   than computing the next segment and push T's segment expected post-convergence path based on the SRGB
   regular SPF, an implementation SHOULD use the constrained SPF
   algorithm bound to the FlexAlgo instead of the node "S"

   5. forward regular Dijkstra in
   all the packet according to T.

   It is noteworthy to mention SPF/rSPF computations that node "S" in are occurring during the procedures
   described in Sections 5.3.1 TI-LFA
   computation.  This includes the computation of the P-Space and 5.3.2 can always determine whether
   Q-Space as well as the segment after popping post-convergence path.

7.  Usage of Adjacency segments in the top segment is an repair list

   The repair list of segments computed by TI-LFA may contain one or
   more adjacency SID segments.  An adjacency segment may be protected or
   not protected.

           S --- R2 --- R3 --- R4 --- R5 --- D
                    \    |  \  /
                       R7 -- R8
                        |    |
                       R9 -- R10

                                 Figure 3

   In Figure 3, all the metrics are equal to 1 except
   R2-R7,R7-R8,R8-R4,R7-R9 which have a
   prefix-SID metric of the next-hop "F" 1000.  Considering R2
   as follows:

   1. In a link state environment, PLR to protect against the failure of node "S" knows R3 for the SRGB and traffic
   S->D, the
      adj-SIDs of repair list computed by R2 will be [adj(R7-R8),adj(R8-R4)]
   and the neighboring node "F"

   2. outgoing interface will be to R7.  If R3 fails, R2 pushes the new segment after popping the top segment is within the
      SRGB or
   repair list onto the adj-SIDs of "F", then node "S" is certain that incoming packet to D.  During the
      failure of node "F" is a midpoint failure FRR, if R7-R8
   fails and hence node "S"
      applies the procedures specified in Sections 5.3.1 or 5.3.2,
      respectively.

   3. Otherwise the failure is not if TI-LFA has picked a midpoint failure and hence protected adjacency segment for
   adj(R7-R8), R7 will push an additional repair list onto the
      node "S" may apply other protection techniques that are beyond packet
   following the scope procedures defined in Section 5.

   To avoid the possibility of this document or simply drop double FRR, an implementation of TI-
   LFA MAY pick only non protected adjacency segments when building the packet and wait for
      normal protocol conversion.

6.
   repair list.

8.  Measurements on Real Networks

   This section presents measurements performed on real service provider
   and large enterprise networks.  The objective of the measurements is
   to assess the number of SIDs required in an explicit path when the
   mechanism described in this document are used to protect against the
   failure scenarios within the scope of this document.  The number of
   segments described in this section are applicable to instantiating
   segment routing over the MPLS forwarding plane.

   The measurements below indicate that for link and local SRLG
   protection, a 1 SID repair path delivers more than 99% coverage.  For
   node protection a 2 SIDs repair path yields 99% coverage.

   Table 1 below lists the characteristics of the networks used in our
   measurements.  The measurements are carried out as follows

   o  For each network, the algorithms described in this document are
      applied to protect all prefixes against link, node, and local SRLG
      failure

   o  For each prefix, the number of SIDs used by the repair path is
      recored

   o  The percentage of number of SIDs are listed in Tables 2A/B, 3A/B,
      and 4A/B

   The measurements listed in the tables indicate that for link and
   local SRLG protection, 1 SID repair paths are sufficient to protect
   more than 99% of the prefix in almost all cases.  For node protection
   2 SIDs repair paths yield 99% coverage.

   +-------------+------------+------------+------------+------------+
   |   Network   |    Nodes   |  Circuits  |Node-to-Link| SRLG info? |
   |             |            |            |    Ratio   |            |
   +-------------+------------+------------+------------+------------+
   |    T1       |    408     |      665   |    1 : 63  |    Yes     |
   +-------------+------------+------------+------------+------------+
   |    T2       |    587     |     1083   |    1 : 84  |     No     |
   +-------------+------------+------------+------------+------------+
   |    T3       |    93      |      401   |    4 : 31  |    Yes     |
   +-------------+------------+------------+------------+------------+
   |    T4       |    247     |      393   |    1 : 59  |    Yes     |
   +-------------+------------+------------+------------+------------+
   |    T5       |    34      |      96    |    2 : 82  |    Yes     |
   +-------------+------------+------------+------------+------------+
   |    T6       |    50      |      78    |    1 : 56  |     No     |
   +-------------+------------+------------+------------+------------+
   |    T7       |    82      |      293   |    3 : 57  |     No     |
   +-------------+------------+------------+------------+------------+
   |    T8       |    35      |      41    |    1 : 17  |    Yes     |
   +-------------+------------+------------+------------+------------+
   |    T9       |    177     |     1371   |    7 : 74  |    Yes     |
   +-------------+------------+------------+------------+------------+
                       Table 1: Data Set Definition

   The rest of this section presents the measurements done on the actual
   topologies.  The convention that we use is as follows

   o  0 SIDs: the calculated repair path starts with a directly
      connected neighbor that is also a loop free alternate, in which
      case there is no need to explicitly route the traffic using
      additional SIDs.  This scenario is described in Section 4.1.

   o  1 SIDs: the repair node is a PQ node, in which case only 1 SID is
      needed to guarantee loop-freeness.  This scenario is covered in
      Section 4.2.

   o  2 or more SIDs: The repair path consists of 2 or more SIDs as
      described in Sections 4.3 and 4.4.  We do not cover the case for 2
      SIDs (Section 4.3) separately because there was no granularity in
      the result.  Also we treat the node-SID+adj-SID and node-SID +
      node-SID the same because they do not differ from the data plane
      point of view.

   Table 2A and 2B below summarize the measurements on the number of
   SIDs needed for link protection

   +-------------+------------+------------+------------+------------+
   |   Network   |    0 SIDs  |    1 SID   |   2 SIDs   |   3 SIDs   |
   +-------------+------------+------------+------------+------------+
   |    T1       |  74.227%   |   25.256%  |   0.517%   |   0.001%   |
   +-------------+------------+------------+------------+------------+
   |    T2       |  81.097%   |   18.738%  |   0.165%   |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T3       |  95.878%   |    4.067%  |   0.056%   |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T4       |  62.547%   |   35.666%  |   1.788%   |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T5       |  85.733%   |   14.267%  |   0.0%     |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T6       |  81.252%   |   18.714%  |   0.033%   |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T7       |  98,857%   |   1.143%   |   0.0%     |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T8       |  94,118%   |   5.882%   |   0.0%     |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T9       |  98.950%   |   1.050%   |   0.0%     |   0.0%     |
   +-------------+------------+------------+------------+------------+
           Table 2A: Link protection (repair size distribution)

   +-------------+------------+------------+------------+------------+
   |   Network   |    0 SIDs  |    1 SID   |   2 SIDs   |   3 SIDs   |
   +-------------+------------+------------+------------+------------+
   |    T1       |  74.227%   |   99.482%  |    99.999% |   100.0%   |
   +-------------+------------+------------+------------+------------+
   |    T2       |  81.097%   |   99.835%  |   100.0%   |   100.0%   |
   +-------------+------------+------------+------------+------------+
   |    T3       |  95.878%   |   99.944%  |   100.0%   |   100.0%   |
   +-------------+------------+------------+------------+------------+
   |    T4       |  62.547%   |   98.212%  |   100.0%   |   100.0%   |
   +-------------+------------+------------+------------+------------+
   |    T5       |  85.733%   |  100.000%  |   100.0%   |   100.0%   |
   +-------------+------------+------------+------------+------------+
   |    T6       |  81.252%   |   99.967%  |   100.0%   |   100.0%   |
   +-------------+------------+------------+------------+------------+
   |    T7       |  98,857%   |  100.000%  |   100.0%   |   100.0%   |
   +-------------+------------+------------+------------+------------+
   |    T8       |  94,118%   |  100.000%  |   100.0%   |   100.0%   |
   +-------------+------------+------------+------------+------------+
   |    T9       |  98,950%   |  100.000%  |   100.0%   |   100.0%   |
   +-------------+------------+------------+------------+------------+
       Table 2B: Link protection repair size cumulative distribution
   Table 3A and 3B summarize the measurements on the number of SIDs
   needed for local SRLG protection.

   +-------------+------------+------------+------------+------------+
   |   Network   |    0 SIDs  |    1 SID   |   2 SIDs   |   3 SIDs   |
   +-------------+------------+------------+------------+------------+
   |    T1       |  74.177%   |   25.306%  |   0.517%   |   0.001%   |
   +-------------+------------+------------+------------+------------+
   |    T2       |                No SRLG Information                |
   +-------------+------------+------------+------------+------------+
   |    T3       |  93.650%   |    6.301%  |   0.049%   |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T4       |  62,547%   |   35.666%  |   1.788%   |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T5       |  83.139%   |   16.861%  |   0.0%     |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T6       |                No SRLG Information                |
   +-------------+---------------------------------------------------+
   |    T7       |                No SRLG Information                |
   +-------------+------------+------------+------------+------------+
   |    T8       |  85.185%   |   14.815%  |   0.0%     |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T9       |  98,940%   |    1.060%  |   0.0%     |   0.0%     |
   +-------------+------------+------------+------------+------------+
         Table 3A: Local SRLG protection repair size distribution

   +-------------+------------+------------+------------+------------+
   |   Network   |    0 SIDs  |    1 SID   |   2 SIDs   |   3 SIDs   |
   +-------------+------------+------------+------------+------------+
   |    T1       |  74.177%   |   99.482%  |  99.999%   | 100.001%   |
   +-------------+------------+------------+------------+------------+
   |    T2       |                No SRLG Information                |
   +-------------+------------+------------+------------+------------+
   |    T3       |  93.650%   |    99.951% | 100.000%   |   0.0%     |
   +-------------+------------+------------+------------+------------+
   |    T4       |  62,547%   |   98.212%  | 100.000%   | 100.0%     |
   +-------------+------------+------------+------------+------------+
   |    T5       |  83.139%   |  100.000%  | 100.0%     | 100.0%     |
   +-------------+------------+------------+------------+------------+
   |    T6       |                No SRLG Information                |
   +-------------+---------------------------------------------------+
   |    T7       |                No SRLG Information                |
   +-------------+------------+------------+------------+------------+
   |    T8       |  85.185%   |   100,000% | 100.000%   | 100.0%     |
   +-------------+------------+------------+------------+------------+
   |    T9       |  98,940%   |   100,000% | 100.000%   | 100.0%     |
   +-------------+------------+------------+------------+------------+
    Table 3B: Local SRLG protection repair size Cumulative distribution
   The remaining two tables summarize the measurements on the number of
   SIDs needed for node protection.

   +---------+----------+----------+----------+----------+----------+
   | Network |  0 SIDs  |   1 SID  | 2 SIDs   |  3 SIDs  |  4 SIDs  |
   +---------+----------+----------+----------+----------+----------+
   |    T1   |  49.771% | 47.902%  | 2.156%   |  0.148%  |  0.023%  |
   +---------+----------+----------+----------+----------+----------+
   |    T2   |  36,528% | 59.625%  | 3.628%   |  0.194%  |  0.025%  |
   +---------+----------+----------+----------+----------+----------+
   |    T3   |  73,287% | 25,574%  | 1,128%   |  0.010%  |  0%      |
   +---------+----------+----------+----------+----------+----------+
   |    T4   |  36.112% | 57.350%  | 6.329%   |  0.199%  |  0.010%  |
   +---------+----------+----------+----------+----------+----------+
   |    T5   |  73.185% | 26.815%  | 0%       |  0%      |  0%      |
   +---------+----------+----------+----------+----------+----------+
   |    T6   |  78.362% | 21.320%  | 0.318%   |  0%      |  0%      |
   +---------+----------+----------+----------+----------+----------+
   |    T7   |  66.106% | 32.813%  | 1.082%   |  0%      |  0%      |
   +---------+----------+----------+----------+----------+----------+
   |    T8   |  59.712% | 40.288%  | 0%       |  0%      |  0%      |
   +---------+----------+----------+----------+----------+----------+
   |    T9   |  98.950% | 1.050%   | 0%       |  0%      |  0%      |
   +---------+----------+----------+----------+----------+----------+
           Table 4A: Node protection (repair size distribution)

   +---------+----------+----------+----------+----------+----------+
   | Network |  0 SIDs  |   1 SID  | 2 SIDs   |  3 SIDs  |  4 SIDs  |
   +---------+----------+----------+----------+----------+----------+
   |    T1   |  49.771% |  97.673% |  99.829% | 99.977%  |  100%    |
   +---------+----------+----------+----------+----------+----------+
   |    T2   |  36,528% |  96.153% |  99.781% | 99.975%  |  100%    |
   +---------+----------+----------+----------+----------+----------+
   |    T3   |  73,287% |  98.862% |  99.990% |100.0%    |  100%    |
   +---------+----------+----------+----------+----------+----------+
   |    T4   |  36.112% |  93.461% |  99.791% | 99.990%  |  100%    |
   +---------+----------+----------+----------+----------+----------+
   |    T5   |  73.185% | 100.0%   | 100.0%   |100.0%    |  100%    |
   +---------+----------+----------+----------+----------+----------+
   |    T6   |  78.362% | 99.682%  | 100.0%   |100.0%    |  100%    |
   +---------+----------+----------+----------+----------+----------+
   |    T7   |  66.106% | 98,918%  | 100.0%   |100.0%    |  100%    |
   +---------+----------+----------+----------+----------+----------+
   |    T8   |  59.712% | 100.0%   | 100.0%   |100.0%    |  100%    |
   +---------+----------+----------+----------+----------+----------+
   |    T9   |  98.950% | 100.0%   | 100.0%   |100.0%    |  100%    |
   +---------+----------+----------+----------+----------+----------+
      Table 4B: Node protection (repair size cumulative distribution)

7.

9.  Security Considerations

   The techniques described in this document is are internal
   functionality
   functionalities to a router that result in the ability to guarantee
   an upper bound on the time taken to restore traffic flow upon the
   failure of a directly connected link or node.  As these techniques
   steer traffic to the post-convergence path as quickly as possible,
   this serves to minimize the disruption associated with a local
   failure which can be seen as a modest security enhancement.  The
   protection mechanisms does not protect external destinations, but
   rather provides quick restoration for destination that are internal
   to a routing domain.

8.

10.  IANA Considerations

   No requirements for IANA

9.

11.  Conclusions

   This document proposes a mechanism that is able to pre-calculate a
   backup path for every primary path so as to be able to protect
   against the failure of a directly connected link, node, or SRLG.  The
   mechanism is able to calculate the backup path irrespective of the
   topology as long as the topology is sufficiently redundant.

10.

12.  Acknowledgments

   We would like to thank Les Ginsberg, Stewart Bryant, Alexander
   Vainsthein, Chris Bowers for their valuable comments.

13.  References

10.1.

13.1.  Normative References

10.2. Informative References

   [1]

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7916]  Litkowski, S., Ed., Decraene, B., Filsfils, C., Raza, K.,
              Horneffer, M., and P. Sarkar, "Operational Management of
              Loop-Free Alternates", RFC 7916, DOI 10.17487/RFC7916,
              July 2016, <https://www.rfc-editor.org/info/rfc7916>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8402]  Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
              Decraene, B., Litkowski, S., and R. Shakir, "Segment
              Routing Architecture", draft-ietf-spring-
         segment-routing-08 RFC 8402, DOI 10.17487/RFC8402,
              July 2018, <https://www.rfc-editor.org/info/rfc8402>.

13.2.  Informative References

   [I-D.bashandy-rtgwg-segment-routing-uloop]
              Bashandy, A., Filsfils, C., Litkowski, S., and P.
              Francois, "Loop avoidance using Segment Routing", draft-
              bashandy-rtgwg-segment-routing-uloop-04 (work in
              progress), May 2016.

   [2] September 2018.

   [I-D.ietf-lsr-flex-algo]
              Psenak, P., Hegde, S., Filsfils, C., Talaulikar, K., and
              A. Gulko, "IGP Flexible Algorithm", draft-ietf-lsr-flex-
              algo-01 (work in progress), November 2018.

   [I-D.ietf-spring-segment-routing-policy]
              Filsfils, C., Sivabalan, S., daniel.voyer@bell.ca, d.,
              bogdanov@google.com, b., and P. Mattes, "Segment Routing
              Policy Architecture", draft-ietf-spring-segment-routing-
              policy-02 (work in progress), October 2018.

   [RFC5286]  Atlas, A., Ed. and A. Zinin, Ed., "Basic Specification for
              IP Fast Reroute: Loop-Free Alternates", RFC 5286,
              DOI 10.17487/RFC5286, September 2008,
              <https://www.rfc-editor.org/info/rfc5286>.

   [RFC5714]  Shand, M. and S. Bryant, "IP Fast Reroute Framework",
              RFC 5714, DOI 10.17487/RFC5714, January 2010.

   [3] 2010,
              <https://www.rfc-editor.org/info/rfc5714>.

   [RFC6571]  Filsfils, C., Ed., Francois, P., Ed., Shand, M., Decraene,
              B., Uttaro, J., Leymann, N., and M. Horneffer, "Loop-Free
              Alternate (LFA) Applicability in Service Provider (SP)
              Networks", RFC 6571, DOI 10.17487/RFC6571, June 2012.

   [4] 2012,
              <https://www.rfc-editor.org/info/rfc6571>.

   [RFC7490]  Bryant, S., Filsfils, C., Previdi, S., Shand, M., and N.
              So, "Remote Loop-Free Alternate (LFA) Fast Reroute (FRR)",
              RFC 7490, DOI 10.17487/RFC7490, April 2015, <http://www.rfc-
         editor.org/info/rfc7490>.

   [5]   Litkowski, S., Ed., Decraene, B., Filsfils, C., Raza, K.,
         Horneffer, M., and P. Sarkar, "Operational Management of Loop-
         Free Alternates", RFC 7916, DOI 10.17487/RFC7916, July 2016,
         <https://www.rfc-editor.org/info/rfc7916>.

   [6]   Bashandy, A., Filsfils, C., and Litkowski, S., " Loop
         avoidance using Segment Routing", draft-bashandy-rtgwg-
         segment-routing-uloop-00, (work in progress), May 2017

   [7]   Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., and
         Shakir, R, "Segment Routing Architecture", draft-ietf-spring-
         segment-routing-11 (work in progress), February 2017

11. Acknowledgments

   We would like to give Les Ginsberg special thanks for the valuable
   comments and contribution

   This document was prepared using 2-Word-v2.0.template.dot.
              <https://www.rfc-editor.org/info/rfc7490>.

Authors' Addresses

   Pierre Francois
   INSA Lyon

   Stephane Litkowski
   Orange
   France

   Email: pierre.francois@insa-lyon.fr stephane.litkowski@orange.com

   Ahmed Bashandy
   Arrcus
   Individual

   Email: abashandy.ietf@gmail.com

   Clarence Filsfils
   Cisco Systems
   Brussels,
   Brussels
   Belgium

   Email: cfilsfil@cisco.com

   Bruno Decraene
   Orange
   Issy-les-Moulineaux
   FR
   France

   Email: bruno.decraene@orange.com

   Stephane Litkowski
   Orange
   FR
   Pierre Francois
   INSA Lyon

   Email: stephane.litkowski@orange.com pierre.francois@insa-lyon.fr

   Daniel Voyer
   Bell Canada
   Canada

   Email: daniel.voyer@bell.ca

   Pablo Camarillo
   Cisco Systems
   Email: pcamaril@cisco.com

   Francois Clad
   Cisco Systems

   Email: fclad@cisco.com

   Pablo Camarillo
   Cisco Systems

   Email: pcamaril@cisco.com