SRv6 (Segment Routing IPv6):

What is HMAC in SRv6?

HMAC (Hash-based Message Authentication Code) in SRv6 is a mechanism used to ensure the integrity and authenticity of SRv6 packets. It uses a cryptographic hash function keyed with a shared secret to produce a keyed hash value (a message authentication code) that the receiver can use to verify that the protected parts of the packet were not modified in transit and that the packet was built by a holder of the key.

In SRv6, HMAC is carried in a TLV (Type-Length-Value) of the SRH (Segment Routing Header): the HMAC TLV of RFC 8754, referred to in this post as the Authentication TLV. The TLV carries the HMAC value, which is computed over the protected packet fields with a pre-shared secret key, together with an HMAC Key ID that tells the receiver which key to use. The key must be securely shared between the sender and the receiver.



Here's an example of how HMAC can be used in SRv6:

1. Configuration:
   - Configure the SRv6 nodes with the shared secret key.
   - Enable HMAC on the sender and receiver nodes.

2. Packet Generation:
   - The sender node creates an SRv6 packet with the desired IPv6 destination address and SRH.
   - Before sending the packet, the sender computes the HMAC by running a keyed hash (HMAC with, e.g., SHA-256) under the secret key over the protected packet fields.
   - The calculated HMAC value is added to the Authentication TLV in the SRH.

3. Packet Transmission:
   - The sender node transmits the SRv6 packet over the network.

4. Packet Reception:
   - The receiver node receives the SRv6 packet.
   - The receiver extracts the Authentication TLV from the SRH.
   - The receiver performs the same HMAC calculation using the protected packet fields and the shared secret key.
   - The calculated HMAC value is compared with the received HMAC value from the Authentication TLV.

5. Verification:
   - If the calculated HMAC value matches the received HMAC value, the receiver can be confident that the protected fields have not been modified during transit and that the packet comes from a holder of the shared key.
   - If the HMAC values do not match, the packet may have been tampered with, or the sender's key does not match the receiver's key.

To configure HMAC in SRv6, the specific steps may vary depending on the network equipment and software being used. Generally, the configuration involves:

1. Generating and securely sharing the secret key between the sender and receiver nodes.

2. Enabling HMAC support on the SRv6 nodes.

3. Configuring the specific hash function to be used for HMAC calculations (e.g., SHA-256).

4. Configuring the Authentication TLV in the SRH to carry the HMAC value.

It's important to note that HMAC in SRv6 provides a strong mechanism for ensuring packet integrity and authenticity. By validating the HMAC value, network operators can detect any tampering attempts and ensure the trustworthiness of their SRv6 traffic.
 

How HMAC is generated and verified?

HMAC (Hash-based Message Authentication Code) in SRv6 is generated and verified using cryptographic functions and the shared secret key between the sender and receiver. Here's a step-by-step explanation of how HMAC is generated and verified in SRv6:

HMAC Generation:

1. Select a Cryptographic Hash Function: Choose a secure cryptographic hash function, such as SHA-256 or SHA-3, to generate the HMAC.

2. Shared Secret Key: Both the sender and receiver must have a pre-shared secret key that is known only to them. This key should be securely exchanged and kept confidential.

3. Prepare the Packet: Assemble the SRv6 packet with the necessary headers and payload.

4. HMAC Calculation:

a. Select the Protected Data: Gather the packet fields the HMAC covers. For the SRH HMAC TLV defined in RFC 8754 these are the IPv6 source address, the Last Entry and Flags fields of the SRH, the HMAC Key ID, and every address in the segment list, so a change to any of them, including the segment list itself, invalidates the value.

b. Hash Function Application: Apply the selected cryptographic hash function (e.g., SHA-256) to that data.

c. Keyed-Hashing: The hash is applied in HMAC mode (RFC 2104), which mixes the shared secret key into an inner and an outer hash pass rather than simply appending the key to the data. This ensures that only parties holding the same key can generate and verify the HMAC.

d. Generate HMAC: The output of the keyed hash is the HMAC. Its length depends on the chosen hash function (e.g., 256 bits for SHA-256, which is the 32-octet value the HMAC TLV carries).

5. Insert HMAC into the Packet: Include the generated HMAC value into the Authentication TLV of the SRH. This TLV is part of the SRv6 packet and carries the HMAC.

HMAC Verification:

1. Packet Reception: When the receiver receives the SRv6 packet, it extracts the Authentication TLV from the SRH.

2. HMAC Calculation:

a. Reassemble the Protected Data: Take the same covered fields from the received packet (excluding the received HMAC value itself).

b. Hash Function Application: Apply the same cryptographic hash function used for HMAC generation (e.g., SHA-256).

c. Keyed-Hashing: Use the shared secret key, selected by the HMAC Key ID carried in the TLV, as the key for the HMAC computation.

3. Calculate HMAC: Compute the hash value using the hash function and shared secret key, resulting in a calculated HMAC value.

4. Compare HMAC Values: Compare the calculated HMAC value with the received HMAC value from the Authentication TLV.

- If the calculated HMAC matches the received HMAC, it indicates that the packet has not been tampered with and comes from a trusted source.

- If the HMAC values do not match, it suggests that the packet may have been modified during transit or the sender's key does not match the receiver's key.

By performing this HMAC verification process, SRv6 receivers can validate the integrity and authenticity of the received packets, ensuring that they have not been tampered with and originate from trusted sources.
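As an added example (not code from the original post), here is the sender-side generation and receiver-side verification described in the two HMAC sections above, written in Python against the HMAC TLV layout and covered fields of RFC 8754 (Type 5, 32-octet HMAC-SHA-256). The key, Key ID and tampered addresses are constructed for the example.

```python
import hmac
import hashlib
import ipaddress

# Constructed values for this example: the key, Key ID and addresses are not
# taken from any configuration on the page.
KEY_ID = 1
SHARED_KEY = b"constructed-pre-shared-key-replace-me"
HMAC_TLV_TYPE = 5          # RFC 8754 type value of the HMAC TLV
HMAC_TLV_LEN = 2 + 4 + 32  # D bit + reserved, Key ID, HMAC-SHA-256 output

def covered_text(src, last_entry, flags, key_id, segments):
    """Bytes RFC 8754 says the HMAC covers: IPv6 source address, Last Entry,
    Flags, HMAC Key ID, then every address in the segment list."""
    text = ipaddress.IPv6Address(src).packed
    text += bytes([last_entry, flags])
    text += key_id.to_bytes(4, "big")
    for seg in segments:
        text += ipaddress.IPv6Address(seg).packed
    return text

def compute_hmac(key, src, segments, key_id=KEY_ID, flags=0):
    """HMAC-SHA-256 (RFC 2104) over the covered text; 32-octet output."""
    text = covered_text(src, len(segments) - 1, flags, key_id, segments)
    return hmac.new(key, text, hashlib.sha256).digest()

def build_hmac_tlv(key, src, segments, key_id=KEY_ID):
    """Sender: serialise Type, Length, D flag (0) + reserved, Key ID, HMAC."""
    mac = compute_hmac(key, src, segments, key_id)
    return bytes([HMAC_TLV_TYPE, HMAC_TLV_LEN, 0, 0]) + key_id.to_bytes(4, "big") + mac

def verify_hmac_tlv(key, src, segments, tlv):
    """Receiver: recompute over the received fields and compare in constant
    time so that a timing side channel cannot leak the expected value."""
    if len(tlv) != 2 + HMAC_TLV_LEN or tlv[0] != HMAC_TLV_TYPE or tlv[1] != HMAC_TLV_LEN:
        return False
    key_id = int.from_bytes(tlv[4:8], "big")  # a real receiver selects its key by this ID
    expected = compute_hmac(key, src, segments, key_id)
    return hmac.compare_digest(expected, tlv[8:])

def demo():
    src = "2001:db8::1"
    segments = ["2001:db8::3", "2001:db8::2"]  # wire order: last segment first
    tlv = build_hmac_tlv(SHARED_KEY, src, segments)
    good = verify_hmac_tlv(SHARED_KEY, src, segments, tlv)
    # Constructed failure cases: a segment rewritten in transit, and a key mismatch.
    tampered = verify_hmac_tlv(SHARED_KEY, src, ["2001:db8::9", "2001:db8::2"], tlv)
    wrong_key = verify_hmac_tlv(b"some-other-key", src, segments, tlv)
    return good, tampered, wrong_key
```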
 

SRH Packet flow:

Segment Routing Header with examples and configuration (SRv6 on Cisco):

Topology:



Configuration on PE1:

1. Enable Segment Routing:



2. Configure Loopback interfaces:



3. Enable SRv6 on the interfaces:



4. Configure the SRv6 SID and policy:



5. Configure BGP:



6. Enable SRv6 EVPN:



7. Configure BGP EVPN and advertise Ethernet segment:



Please note that this is a configuration example and assumes the use of BGP for the EVPN control plane and MPLS for forwarding. Adapt the configuration to match your specific network environment, addressing, and routing requirements.

Ensure that you replace the placeholder values (e.g., ``, ``) with the appropriate values for your network setup.

Packet walk flow for SRv6:

1. Packet from CE1 to PE1:

- CE1 sends an Ethernet frame with the destination MAC address of PE1.

- The frame enters the interface GigabitEthernet0/0/0/0 on PE1.

2. Ingress Processing on PE1:

- The packet is received on the ingress interface GigabitEthernet0/0/0/0.

- The Ethernet frame is decapsulated, and the inner IPv6 packet is extracted.

- The IPv6 packet contains the SRv6 header with the SRv6 SID.

3. SRv6 Steering and Policy Lookup:

- The SRv6 SID in the packet is matched against the SRv6 policy configured on PE1.

- Based on the policy, the next-hop or forwarding behavior is determined.

4. SRv6 Encapsulation:

- Based on the policy, PE1 encapsulates the packet with an SRv6 header.

- The SRv6 header includes the SID of the next-hop or the destination.

5. Routing and Forwarding:

- The packet is forwarded based on the routing table and the encapsulated SRv6 header.

- The encapsulated packet is sent to the next-hop device.

6. Packet Forwarding to PE2:

- The encapsulated packet is received on PE2 via the interface connected to PE1.

- The packet is decapsulated, and the original IPv6 packet is extracted.

7. EVPN Processing on PE2:

- PE2 performs EVPN processing on the decapsulated packet.

- The Ethernet segment associated with the destination MAC address is determined.

8. EVPN Lookup and Forwarding:

- PE2 looks up the MAC address and determines the corresponding Ethernet segment.

- The packet is forwarded to the appropriate Ethernet segment and delivered to the destination CE.

It's important to note that the packet walk flow may vary based on the specific configuration, policies, and services implemented in the network. This flow provides a general overview of how the packet is processed and forwarded in an SRv6-enabled network.

 

An Additional Example of Segment Routing v6 on Cisco IOS-XR:

Let's consider a network topology with three Cisco IOS XR routers (Router1, Router2, and Router3) connected in a linear fashion.

Here's an example configuration for Segment Routing IPv6 (SRv6) on each router, focusing on the SRH (Segment Routing Header) packet flow.

Router1 Configuration:

! Enable IPv6 and Segment Routing on the router
router isis 1
  address-family ipv6 unicast
    metric-style wide
    segment-routing mpls connected-prefix-sid-map
      address-family ipv6
        2001:db8::1/64 index 10 range 10
    !
  !
!

! Configure interfaces
interface GigabitEthernet0/0/0/0
  ipv6 address 2001:db8::1/64
  isis enable 1
  isis metric 10
!

! Enable Segment Routing on the router
segment-routing
  global-block 16000 23999
!

! Configure SRv6 policy
segment-routing srv6
  locator LOC1
    prefix 2001:db8::/64
  !
  policy POL1
    color 10 end-point 2001:db8::3
    candidate-paths
      preference 100
        explicit segment-list SL1
          segment 1
            type function
            address 2001:db8::2
          !
          segment 2
            type function
            address 2001:db8::3
          !
        !
      !
    !
  !
!

Router2 Configuration:

! Enable IPv6 and Segment Routing on the router
router isis 1
  address-family ipv6 unicast
    metric-style wide
    segment-routing mpls connected-prefix-sid-map
      address-family ipv6
        2001:db8::2/64 index 20 range 10
    !
  !
!

! Configure interfaces
interface GigabitEthernet0/0/0/0
  ipv6 address 2001:db8::2/64
  isis enable 1
  isis metric 10
!

! Enable Segment Routing on the router
segment-routing
  global-block 16000 23999
!

Router3 Configuration:

! Enable IPv6 and Segment Routing on the router
router isis 1
  address-family ipv6 unicast
    metric-style wide
    segment-routing mpls connected-prefix-sid-map
      address-family ipv6
        2001:db8::3/64 index 30 range 10
    !
  !
!

! Configure interfaces
interface GigabitEthernet0/0/0/0
  ipv6 address 2001:db8::3/64
  isis enable 1
  isis metric 10
!

! Enable Segment Routing on the router
segment-routing
  global-block 16000 23999
!


This configuration enables Segment Routing with IS-IS as the IGP, sets up an interface with an IPv6 address on each router, and configures a Segment Routing policy. The segment-routing global-block command defines the range of labels that the router can use for Segment Routing.

In the SRv6 policy on Router1, we define a segment list (SL1) with two segments, each corresponding to a router in the network. The SRH in the packets sent from Router1 will contain these segments, and the packets will be routed through the network based on them.

Note: Please replace the IPv6 addresses and interface names with the actual values for your network.

In terms of SRH packet flow, when a packet is sent from Router1 to Router3, the SRH will contain two segments: one for Router2 (2001:db8::2) and one for Router3 (2001:db8::3). The packet will first be sent to Router2, which will process the packet and forward it to Router3 based on the next segment in the SRH. Once the packet reaches Router3, all segments in the SRH have been processed, and the packet is delivered to its final destination.

This is a simplified explanation of the SRH packet flow in an SRv6 network. The actual packet flow can be more complex and can involve additional features such as traffic engineering, load balancing, and protection mechanisms.

Packet Flow:

  1. A packet is generated at Router1 with a destination of Router3. The packet is encapsulated with an SRH that contains two segments: one for Router2 (2001:db8::2) and one for Router3 (2001:db8::3).

  2. The packet is sent to Router2, the first segment in the SRH. Router2 processes the packet, removes its own segment from the SRH, and forwards the packet to the next segment in the SRH, which is Router3.

  3. Router3 receives the packet, processes it, and removes its own segment from the SRH. Since there are no more segments in the SRH, Router3 delivers the packet to its final destination.
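An added Python model of the Router1 to Router3 flow above (not code from the original post or from Cisco), using the page's router SIDs 2001:db8::2 and 2001:db8::3. It shows the detail the steps gloss over: per RFC 8754 the segment list is written last-segment-first and is carried unchanged, and each segment endpoint advances the packet by decrementing Segments Left and rewriting the destination address (the End behaviour of RFC 8986); a node whose SID is not the destination address forwards the packet as plain IPv6 without touching the SRH.

```python
from dataclasses import dataclass

@dataclass
class SRH:
    """SRH fields that drive forwarding. On the wire the segment list is stored
    last-segment-first and Segments Left is an index into it."""
    segment_list: list
    segments_left: int
    last_entry: int

@dataclass
class Packet:
    src: str
    dst: str       # outer IPv6 destination address
    srh: SRH
    payload: bytes

def encapsulate(src, path, payload):
    """Headend (Router1): add an outer IPv6 header and SRH for a path given in
    forwarding order; the outer DA is the first segment of the path."""
    wire = list(reversed(path))
    srh = SRH(segment_list=wire, segments_left=len(wire) - 1, last_entry=len(wire) - 1)
    return Packet(src=src, dst=path[0], srh=srh, payload=payload)

def process(pkt, local_sid):
    """Segment endpoint: only the node whose SID is the DA acts on the SRH, by
    decrementing Segments Left and rewriting the DA; no segment is removed."""
    if pkt.dst != local_sid:
        return "transit"        # plain IPv6 forwarding, SRH left untouched
    if pkt.srh.segments_left == 0:
        return "decapsulate"    # final segment: payload goes to the next header
    pkt.srh.segments_left -= 1
    pkt.dst = pkt.srh.segment_list[pkt.srh.segments_left]
    return "forward"

def walk(src, path, payload, routers):
    """Drive the packet through routers given as (name, SID) in link order and
    record (router, action, DA after processing, Segments Left after)."""
    pkt = encapsulate(src, path, payload)
    trace = []
    for name, sid in routers:
        action = process(pkt, sid)
        trace.append((name, action, pkt.dst, pkt.srh.segments_left))
        if action == "decapsulate":
            break
    return trace, pkt.srh.segment_list
```

Calling walk("2001:db8::1", ["2001:db8::2", "2001:db8::3"], b"data", [("Router2", "2001:db8::2"), ("Router3", "2001:db8::3")]) traces Router2 forwarding with the DA rewritten to 2001:db8::3 and Segments Left 0, then Router3 decapsulating.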

Verification Outputs:

You can verify the operation of Segment Routing in your network by using various show commands on the Cisco IOS XR routers. Here are some examples:

Router1# show segment-routing mpls connected-prefix-sid-map

This command displays the connected prefix SID map on Router1. You should see an entry for the connected prefix 2001:db8::1/64 with an index of 10.

Router2# show segment-routing mpls connected-prefix-sid-map

This command displays the connected prefix SID map on Router2. You should see an entry for the connected prefix 2001:db8::2/64 with an index of 20.

Router3# show segment-routing mpls connected-prefix-sid-map

This command displays the connected prefix SID map on Router3. You should see an entry for the connected prefix 2001:db8::3/64 with an index of 30.

Router1# show segment-routing srv6 locator

This command displays the SRv6 locators on Router1. You should see a locator with a prefix of 2001:db8::/64.

Router1# show segment-routing srv6 policy

This command displays the SRv6 policies on Router1. You should see a policy with a color of 10 and an end-point of 2001:db8::3. The policy should have a candidate path with a preference of 100 and an explicit segment list containing two segments: 2001:db8::2 and 2001:db8::3.

Conclusion:

In Part 2 of our blog series on SRv6 (Segment Routing IPv6), we have explored practical implementations, real-world use cases, and the benefits of adopting SRv6 in network infrastructure.

By embracing SRv6, organizations can unlock a multitude of advantages. It offers granular control over packet forwarding paths, enabling efficient traffic engineering and optimized network performance. SRv6 simplifies network operations by reducing the reliance on complex protocols and minimizing the need for network overlays. Additionally, SRv6 brings flexibility and scalability to network architectures, making it easier to accommodate evolving business requirements.

Throughout this blog, we have examined various use cases where SRv6 shines. From seamless service chaining to efficient traffic engineering and network slicing, SRv6 proves its versatility and adaptability across diverse environments.

We hope this two-part series has provided valuable insights into SRv6 and its potential to revolutionize network routing. By understanding the fundamentals, implementation considerations, and real-world applications of SRv6, you are better equipped to leverage this cutting-edge technology and drive innovation in your network infrastructure.