| RFC 9789 | MNA Framework | July 2025 |
| Andersson, et al. | Informational | [Page] |
This document describes an architectural framework for MPLS Network Action (MNA) technologies. MNA technologies are used to indicate actions that impact the forwarding or other processing (such as monitoring) of the packet along the Label Switched Path (LSP) of the packet and to transfer any additional data needed for these actions.¶
This document provides the foundation for the development of a common set of network actions and information elements supporting additional operational models and capabilities of MPLS networks.¶
This document is not an Internet Standards Track specification; it is published for informational purposes.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9789.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document describes an architectural framework for MPLSNetwork Action (MNA) technologies. MNA technologies are used toindicate actions for Label Switched Paths (LSPs) and/or MPLS packetsand to transfer data needed for these actions.¶
This document provides the foundation for the development of a commonset of network actions and information elements supporting additionaloperational models and capabilities of MPLS networks. MNA solutionsderived from this framework are intended to address the requirementsfound in[RFC9613]. In addition, MNA maysupport actions that overlap existing MPLS functionality. This may bebeneficial for numerous reasons, such as making it more efficient tocombine existing functionality and new functions in the same MPLSpacket.¶
MPLS forwarding actions are instructions to MPLS routers to applyadditional actions when forwarding a packet. These might includeload-balancing a packet given its entropy, indicating whether or notto perform Fast Reroute on a failure, and indicating whether or not a packet has metadatarelevant to the forwarding actions along the path.¶
This document generalizes the concept of MPLS "forwarding actions" to"network actions" that include any action that an MPLS router isrequested to take on the packet. Network actions include any MPLS forwardingactions but may also include other operations (such as security functions,Operations, Administration, and Maintenance (OAM) procedures, etc.) that are not directly related to forwarding ofthe packet. MPLS network actions are always triggered by an MNApacket but may have implications for subsequent traffic, includingnon-MNA packets, as discussed inSection 2.4.¶
MNA technologies may redefine the semantics of the Label, TrafficClass (TC), and Time to Live (TTL) fields in an MPLS Label Stack Entry(LSE) within a Network Action Sub-Stack (NAS).¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Although this is an Informational document, these conventions areapplied to achieve clarity in the requirements that are presented.¶
This document adopts the definitions of the following terms andabbreviations from[RFC9613] asnormative: "Network Action", "Network Action Indicator (NAI)","Ancillary Data (AD)", and "Scope".¶
In addition, this document defines the following terms:¶
| Abbreviation | Meaning | Reference |
|---|---|---|
| AD | Ancillary Data | [RFC9613] |
| BIER | Bit Index Explicit Replication | [RFC8279] |
| BoS | Bottom of Stack | [RFC6790] |
| bSPL | Base Special-Purpose Label | [RFC9017] |
| ECMP | Equal-Cost Multipath | [RFC9522] |
| EL | Entropy Label | [RFC6790] |
| ERLD | Entropy Readable Label Depth | [RFC8662] |
| eSPL | Extended Special-Purpose Label | [RFC9017] |
| HbH | Hop by Hop | In the MNA context, this document. |
| I2E | Ingress to Egress | In the MNA context, this document. |
| IGP | Interior Gateway Protocol | |
| ISD | In-Stack Data | [RFC9613] |
| LSE | Label Stack Entry | [RFC3032] |
| LSP | Label Switched Path | |
| MNA | MPLS Network Action | [RFC9613] |
| MSD | Maximum SID Depth | [RFC8491] |
| NAI | Network Action Indicator | [RFC9613] |
| NAS | Network Action Sub-Stack | This document |
| NSI | Network Action Sub-Stack Indicator | This document |
| PSD | Post-Stack Data | [RFC9613] andSection 3.6 of this document |
| RLD | Readable Label Depth | This document |
| SID | Segment Identifier | [RFC8402] |
| SPL | Special-Purpose Label | [RFC9017] |
| TC | Traffic Class | |
| TTL | Time to Live |
An MNA solution specifies one or more network actions to apply to anMPLS packet. These network actions and their ancillary data may be carried insub-stacks within the MPLS label stack and/or post-stackdata. A solution must specify where the networkaction sub-stacks occur in the label stack, if and how frequently they should bereplicated within the label stack, and how the network actionsub-stack and post-stack data are encoded.¶
It seems highly likely that some ancillary data will be needed at manypoints along an LSP. Replication of ancillary data throughout thelabel stack would be highly inefficient, as would a full rewrite ofthe label stack at each hop; thus, MNA allows encoding of network actionsand ancillary data deeper in the label stack, requiringimplementations to look past the first LSE. Processing of the labelstack past the top-of-stack LSE was first introduced with the EntropyLabel (EL)[RFC6790].¶
A network action sub-stack contains:¶
Network Action Sub-Stack Indicator (NSI): The first LSE in the NAS, whichcontains a special-purpose label, called the MNA label, thatis used to indicate the start of a network action sub-stack.¶
Network Action Indicators (NAIs): Optionally, a set of indicators thatdescribes the set of network actions. If the set of indicators is notin the sub-stack, a solution could encode them in post-stack data. Anetwork action is said to be present if there is an indicator in thepacket that invokes the action.¶
In-Stack Data (ISD): A set of zero or more LSEs that carry ancillary datafor the network actions that are present. Network action indicatorsare not considered ancillary data.¶
Each network action present in the network action sub-stack may havezero or more LSEs of in-stack data. The ordering of the in-stack dataLSEs corresponds to the ordering of the network action indicators. Theencoding of the in-stack data, if any, for a network action must bespecified in the document that defines the network action. In-stackdata may be referenced by multiple network actions.¶
As an example, in-stack data might look like the following label stack with anembedded NAS:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Label | TC |0| TTL | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Label | TC |0| TTL | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Label | TC |0| TTL | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Network Action Sub-Stack |0| | ~ ~ | Network Action Sub-Stack continued |0| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Label | TC |0| TTL | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Label | TC |1| TTL | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload |
Certain network actions may also specify that data is carried afterthe label stack. This is called post-stack data. The encoding of thepost-stack data, if any, for a network action must be specified in thedocument that defines the network action. If multiple network actionsare present and have post-stack data, the ordering of their post-stackdata corresponds to the ordering of the network action indicators.¶
As an example, a packet containing post-stack data might contain a label stack followed by post-stack data, followed by the payload:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Label | TC |0| TTL | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Label | TC |1| TTL | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Post-Stack Data | ~ ~ | Post-Stack Data continued | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload |
A solution must specify the order for network actions to beapplied to the packet for the actions to have consistentsemantics. Since there are many possible orderings, especially withbit catalogs (Section 3.5.1), the solution must provide an unambiguousspecification. The precise semantics of an action are dependent on thecontents of the packet, including any ancillary data, and the state ofthe router.¶
This document assumes that the MPLS WG will select a singlesolution for the encoding of ISD and not more than one solution forthe encoding of PSD.¶
A network action may need to be processed by every node along thepath or some subset of the nodes along its path. Some of the scopesthat an action may have are:¶
Hop by Hop (HbH): Every node along the path will perform the action.¶
Ingress to Egress (I2E): Only the last node on the path will performthe action.¶
Select: Only specific nodes along the path will perform the action.¶
If a solution supports the select scope, it must describe how itspecifies the set of nodes to perform the actions.¶
This framework does not place any constraints on the scope of, or theancillary data for, a network action. Any network action may appearin any scope or combination of scopes, may have no ancillary data, andmay require in-stack data and/or post-stack data. Some combinationsmay be suboptimal, but this framework does not restrict the combinationsin an MNA solution. A specific MNA solution may define suchconstraints.¶
As described in[RFC3031], legacy devices that do not recognize theMNA label will discard the packet if the top label is the MNA label.¶
Devices that do recognize the MNA label might not implement all of thenetwork actions that are present. A solution must specify howunrecognized network actions that are present should be handled.¶
One alternative is that an implementation should stop processingnetwork actions when it encounters an unrecognized networkaction. Subsequent present network actions would not beapplied. The result is dependent on the solution's order ofoperations.¶
Another alternative is that an implementation should drop any packetthat contains any unrecognized present network actions.¶
A third alternative is that an implementation should perform allrecognized present network actions but ignore all unrecognizedpresent network actions.¶
Other alternatives may also be possible. The solution should specify thealternative adopted.¶
In some solutions, an indication may be provided in the packet or inthe action as to how the forwarder should proceed if it does notrecognize the action. Where an action needs to be processed at every hop,it is recommended that care be taken not to construct an LSP thattraverses nodes that do not support that action. It is recognized that,in some circumstances, it may not be possible to construct an LSP thatavoids such nodes, such as when a network is reconvergingfollowing a failure or when IP Fast Reroute (IPFRR)[RFC5714] is taking place.¶
A node that wishes to make use of MNA and apply network actions to apacket must understand the nodes that the packet will transit, whetheror not the nodes support MNA, and the network actions that are to beinvoked. These capabilities are presumed to be signaled by protocolsthat are out of scope for this document and are presumed to haveper-network-action granularity. If a solution requires alternatesignaling, it must specify that explicitly.¶
Readable Label Depth (RLD) is defined as the number of LSEs, startingfrom the top of the stack, that a router can read in an incoming MPLSpacket with no performance impact.[RFC8662] introduced EntropyReadable Label Depth (ERLD). Readable Label Depth is the same concept,but it is generalized and not specifically associated with the Entropy Label(EL) or MNA.¶
ERLD is not redundant with RLD because ERLD specifies a value of zero if a system does not support the EntropyLabel. Since a system could reasonably support MNA or other MPLSfunctions and needs to advertise an RLD value but not support theEntropy Label, another advertised value is required.¶
A node that pushes a NAS onto the label stack is responsible forensuring that all nodes that are expected to process the NAS will havethe entire NAS within their RLD. A nodeSHOULD use signaling (e.g., the signaling described in[RFC9088] and[RFC9089]) to determine this. An exception might be,for example, when the node has out-of-band knowledge that all nodesalong the path do not have RLD limitations and thus could avoid theunnecessary overhead of using signaling.¶
Per[RFC8662], a node that does not support EL will advertise avalue of zero for its ERLD, so advertising ERLD alone does not sufficein all cases. A nodeMAY advertise both ERLD and RLD, and itSHOULD do soif its ERLD and RLD values are different. Again, if a node hasout-of-band knowledge that all nodes do not have RLD limitations, thensignaling can be avoided. If a node's ERLD and RLD values are thesame, itMAY only advertise ERLD for efficiency reasons. If a nodesupports MNA but does not support EL, then itSHOULD advertise RLDunless it has out-of-band knowledge that no nodes in the domain haveRLD restrictions.¶
RLD is advertised by an IGP MSD-Type value of 3 andMAY beadvertised as a Node MSD,Link MSD, or both.¶
An MNA nodeMUST use the RLD determined by selecting the firstadvertised non-zero value from the following:¶
A node's RLD is a function of its hardware capabilities and is notexpected to depend on the specifics of the MNA solution.¶
Several possible ways to encode NAIs have been proposed. Thissection summarizes the proposals and some considerations forthe various alternatives.¶
When network actions are carried in the MPLS label stack, thenregardless of their type, they are represented by a set of LSEs termeda Network Action Sub-Stack (NAS). A NAS consists of a special-purpose label,optionally followed by LSEs that specify which network actions are tobe performed on the packet and the in-stack ancillary data for eachindicated network action. Different network actions may be placedtogether in one NAS or may be carried in different sub-stacks.¶
[RFC9613] requires that a solution not add unnecessary LSEs to the sub-stack (see requirement 9 inSection 3.1 of [RFC9613]). Accordingly, solutions should also make efficient use of the bits within the sub-stack (except the S-bit), as inefficient use of the bits could result in the addition of unnecessary LSEs.¶
The first LSE in a network action sub-stack contains a special-purpose labelthat indicates a network action sub-stack. A solution has severalchoices for this special-purpose label.¶
A solution may reuse an existing Base SPL (bSPL). If it elects to doso, it must explain how the usage is backward compatible, includingin the case where there is ISD.¶
If an existing inactive bSPL is selected that will not bebackward compatible, then it must first be retired per[RFC7274] and then reallocated.¶
A solution may select a new bSPL.¶
A solution may select a new Extended SPL (eSPL). If it elects to do so, it mustaddress the requirement for the minimal number of LSEs.¶
A solution may allow the network operator to define the label thatindicates the network action sub-stack. This creates managementoverhead for the network operator to coordinate the use of this labelacross all nodes on the path using management or signalingprotocols. The user-defined label could be network-wide orLSP-specific. If a solution elects to use a user-defined label, thesolution should justify this overhead.¶
In the first LSE of the network action sub-stack, only the 20 bits ofthe Label value and the Bottom of Stack bit are used by the NSI; the TC field(3 bits) and the TTL (8 bits) are not used. This could leave 11 bitsthat could be used for MNA purposes.¶
If the solution elects to retain the TC and TTL fields, then the firstLSE of the network action sub-stack would appear as described in[RFC3032]:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Label | TC |S| TTL | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Further LSEs would be needed to encode NAIs. If a solution elects toretain the TC and TTL fields, it must address the requirement for the minimalnumber of LSEs.¶
If the solution elects to reuse the TC and TTL fields, then the firstLSE of the network action sub-stack would appear as follows:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Label |x x x|S|x x x x x x x x| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The solution may use more LSEs to contain NAIs. If a solution electsto use more LSEs, it must address the requirement for the minimalnumber of LSEs.¶
A solution must have a mechanism (such as an indication of the length of the NAS) to enable an implementation to find the end of the NAS. This must be easily processed even by implementations that do not understand the full contents of the NAS. Two options are described below; other solutions may be possible.¶
A solution may use a bit per LSE to indicate whether or not the NAS continuesinto the next LSE. The bit may indicate continuation by beingset or by being clear. The overhead of this approach is one bit perLSE and has the advantage that it can effectively encode anarbitrarily sized NAS. This approach is efficient if the NAS is small.¶
A solution may opt to have a fixed-size Length field at a fixedlocation within the NAS. The fixed size of the Length field may not belarge enough to support all possible NAS contents. This approach maybe more efficient if the NAS is long, but not longer than can bedescribed by the Length field.¶
One hardware designer recommends a Length field as thisminimizes branching in the logic.¶
A solution may choose to explicitly encode the scope of each actioncontained in a network action sub-stack. For example, a NAS mightcontain Action A (HbH), Action B (HbH), and Action C (HbH). Asolution may alternately choose to have the scope encoded implicitly,based on the actions present in the network action sub-stack. Forexample, a NAS might contain the following actions with HbH scope: A, B, and C. This choicemay have performance implications as an implementation might have toparse the network actions that are present in a network actionsub-stack only to discover that there are no actions for it toperform.¶
For example, suppose that a NAS is embedded in a label stack at adepth of six LSEs and the NAS contains three actions, each with Selectscope. These actions are not applicable at the current node and shouldbe ignored. If the scope is encoded explicitly with each action, thenan implementation must parse each action. However, if the scope isencoded as part of the NAS, then an implementation only needs to parse thestart of the NAS and not individual actions.¶
Solutions need to consider the order of scoped NAIs and theirassociated AD within individual sub-stacks and the order of per-scopesub-stacks, so that network actions and the AD can bereadily found and not be processed by nodes that are not requiredto handle those actions.¶
Two options for encoding NAIs are described below; other solutions maybe possible. Any solution should allow the encoding of an arbitrarynumber of NAIs.¶
A solution may opt to encode the set of network actions as a list ofbits, sometimes known as a catalog. The solution must provide amechanism to determine how many LSEs are devoted to the catalog whenthe NAIs are carried in-stack. A set bit in the catalog would indicatethat the corresponding network action is present.¶
Catalogs are efficient if the number of present network actions isrelatively high and if the size of the necessary catalog is small. Forexample, if the first 16 actions are all present, a catalog can encodethis in 16 bits. However, if the number of possible actions is large,then a catalog can become inefficient. Selecting only one action thatis the 256th action would require a catalog of 256 bits, which wouldrequire more than one LSE when the NAIs are carried in-stack.¶
A solution may include a bit-remapping mechanism so that a givendomain may optimize for its commonly used actions.¶
A solution may opt to encode the set of present network actions as alist of operation codes (opcodes). Each opcode is a fixed number ofbits. The size of the opcode bounds the number of network actionsthat the solution can support.¶
Opcodes are efficient if there are only one or two active networkactions. For example, if an opcode is 8 bits, then two active networkactions could be encoded in 16 bits. However, if 16actions are required, then opcodes would consume 128 bits. Opcodes areefficient at encoding a large number of possible actions. If onlythe 256th action is to be selected, that still requires 8 bits.¶
A solution may carry NAI and AD as PSD. For ease of parsing, allAD should be co-located with its NAI.¶
If there are multiple instances of post-stack data, they should occurin the same order as their relevant network action sub-stacks and thenin the same order as their relevant network actions occur within thenetwork action sub-stacks.¶
The first nibble after the label stack has been used to convey information in certain cases[RFC4385]. A consolidated view of the uses of the first nibble is provided in[RFC9790].¶
For example, in[RFC4928], this nibble is investigated to find out if it has the value "4" or "6". If it does not, it is assumed that the packet payload is not IPv4 or IPv6, and Equal-Cost Multipath (ECMP) is not performed.¶
It should be noted that this is an inexact method. For example, an Ethernet pseudowire without a control word might have "4" or "6" in the first nibble and thus will be subject to ECMP forwarding.¶
Nevertheless, the method is implemented and deployed; it is used today and will be for the foreseeable future.¶
The use of the first nibble for Bit Index Explicit Replication (BIER) is specified in[RFC8296]. BIER sets the first nibble to 5. The same is true for a BIER payload as for any use of the first nibble: it is not possible to conclude that the payload is BIER even if the first nibble is set to 5 because an Ethernet pseudowire without a control word might begin with a 5. However, the BIER approach meets the design goal of[RFC8296] to determine that the payload is IPv4, IPv6, or a packet with a header that includes a pseudowire control word.¶
[RFC4385] allocates 0b0000 for the pseudowire control word and 0b0001 as the control word for the pseudowire Associated Channel Header (ACH).¶
A PSD solution should specify the contents of the first nibble, theactions to be taken for the value, and the interaction with post-stackdata used concurrently by other MPLS applications.¶
For MNA to be consistent across implementations and predictable inoperational environments, its semantics need to be entirelypredictable. An MNA solutionMUST specify a deterministic order forprocessing each of the network actions in a packet. Each networkaction must specify how it interacts with all other previously definednetwork actions. Private network actions are network actions that arenot publicly documented. Private network actionsMUST be included inthe ordering of network actions, but the interactions of privateactions with other actions are outside of the scope of this document.¶
A document defining a network action must contain the following:¶
A solution should create an IANA registry for networkactions.¶
Network operators will need to be cognizant of which network actionsare supported by which nodes and will need to ensure that this issignaled. Some solutions may require network-wideconfiguration to synchronize the use of the labels that indicate thestart of a NAS. Solution documents must clearly state what managementconsiderations apply to the solutions they are describing. Solutiondocuments must describe mechanisms for performing network diagnosticsin the presence of MNAs.¶
An analysis of the security of MPLS systems is provided in[RFC5920], which also notes that the MPLS forwarding plane has nobuilt-in security mechanisms.¶
Central to the security of MPLS networks is operational security ofthe network, something that operators of MPLS networks are well versedin. The deployment of link-level security (e.g.,[MACsec]) preventslink traffic observation covertly acquiring the label stack for anattack. This is particularly important in the case of a networkdeploying MNA, because the MNA information may be sensitive. Thus, theconfidentiality and authentication achieved through the use oflink-level security is particularly advantageous.¶
Some additional proposals to add encryption to the MPLS forwarding plane have been suggested[MPLS-OPP-SEC], but no mechanisms have been agreed upon at the time of publication of this document.[MPLS-OPP-SEC] offers hop-by-hop security that encrypts the label stack and is functionally equivalent to that provided by[MACsec]. Alternatively, it also offers end-to-end encryption of the MPLS payload with no cryptographic integrity protection of the MPLS label stack.¶
Particular care is needed when introducing any end-to-endsecurity mechanism to allow an in-stack MNA solution that needs toemploy on-path modification of the MNA data or where post-stackMNA data needs to be examined on-path.¶
A cornerstone of MPLS security is to protect the network fromprocessing MPLS labels that originated outside the network.¶
Operators have considerable experience in excluding MPLS-encodedpackets at the network boundaries, for example, by excluding all MPLSpackets and all packets that are revealed to be carrying an MPLS packet as the payload of IP tunnels. Where such packets are acceptedinto an MPLS network from an untrusted third party, non-MPLS packets are immediately encapsulated in an MPLS label stack specified by theMPLS network operator, and MPLS packets have additional labelstack entries imported as specified by the MPLS network operator. Thus, it is difficult for an attacker to pass an MPLS-encodedpacket into a network or to present any instructions to the networkforwarding system.¶
Within a single well-managed domain, an adjacent domain may beconsidered to be trusted provided that it is sufficiently shieldedfrom third-party traffic ingress and third-party traffic observation.In such a situation, no new security vulnerabilities are introduced byMNA.¶
In some inter-domain applications (including carrier's carrier) wherea first network's MPLS traffic is encapsulated directly over a secondMPLS network by simply pushing additional MPLS LSEs, the contents ofthe first network's payload and label stack may be visible to theforwarders in the second network. Historically, this has been benignand indeed useful for ECMP. However, if the first network's traffichas MNA information, this may be exposed to MNA-capable forwarders andcause unpredictable behavior or modification of the customer MPLSlabel stack or MPLS payload. This is an increased vulnerabilityintroduced by MNA thatSHOULD be addressed in any MNA solution.¶
Several mitigations are available to an operator:¶
A mitigation that we reject as unsafe is having the ingress Label Switching Router (LSR) pushsufficient additional labels such that any MNA information received inpackets entering the network from a third-party network is madeinaccessible due to it being below the RLD. This is unsafe in thepresence of an overly conservative RLD value and can result in thethird-party MNA information becoming visible to and acted on by anMNA forwarder in the carrier network.¶
IANA has allocated the following code point in the "IGPMSD-Types" registry[MSD] within the "Interior Gateway Protocol (IGP)Parameters" registry group:¶
| Value | Name | Data Plane | Reference |
|---|---|---|---|
| 3 | Readable Label Depth | MPLS | RFC 9789 |
This document is the result of work started in MPLS Open Design Team, with participation by the MPLS, PALS, and DETNET Working Groups.¶
The authors would like to thankAdrian Farrel for his contributions. The authors would also like to thankJohn Drake,Toerless Eckert, andJie Dong for their comments.¶