Summary
- MPLS has provided a stable, scalable foundation for service provider networks, enabling efficient core design, traffic engineering, and gradual IPv6 adoption.
- SRv6 builds on IPv6 to simplify network architecture, eliminate protocol overhead, and enable programmable, intent-driven traffic control.
- By embedding routing intelligence directly into packets, SRv6 unlocks faster service delivery, improved performance, and greater operational automation.
- In the face of advanced persistent threats (APTs) like Salt Typhoon, SRv6 enables more observable, segmented, and defensible networks—making lateral movement harder and anomalies easier to detect.
SRv6: A tip of the hat to MPLS
For more than 20 years, I’ve designed and operated traditional multiprotocol label switching (MPLS)-based service provider backbones. MPLS earned its reputation as the most reliable and ubiquitous transport underlay in the industry. There were always compelling reasons to keep it in place, such as its stability, its operational familiarity, and its ability to adapt as networks grew.
With MPLS, we were able to support capabilities such as:
- Lean-core P-routers with a Border Gateway Protocol (BGP)-free core
- BGP Label Unicast (LU) for scalable, distributed backbone growth
- IPv6 services running over an IPv4 MPLS Label Distribution Protocol (LDP) underlay via 6VPE/6PE
- Deferring full IPv6 deployments by containing complexity at the services edge (Provider Edge, PE) through VRF-based service delivery over VPNv4/VPNv6 BGP
- MPLS traffic engineering (TE) with RSVP
Since 2012, Internet Protocol version 6 (IPv6) adoption and implementation have ramped up. It became clear that IPv6 wasn’t just another protocol. It is the foundation of a simpler, more scalable network architecture. Built natively with those key foundational principles in mind, segment routing over IPv6 (SRv6) was born. Modern SRv6 architecture is simple and scalable, leading transport services into the future and beyond.
Defensible architecture for service providers
Carrier-grade SRv6 delivers what MPLS never fully could: a unified, IPv6-based transport that simplifies the network, streamlines operations, and provides the architectural runway for the next 20 years. By encoding instructions directly into IPv6 addresses, SRv6 removes layers of protocol overhead, accelerates service activation, and enables a level of programmability that MPLS can’t match.
Over the past few years, nation-state threat groups such as Salt Typhoon have shown how deeply they can burrow into telecom and service provider networks, quietly harvesting credentials, exfiltrating configs, and pivoting across legacy infrastructures. In that reality, carrier-grade SRv6 isn’t just a cleaner architecture — it’s a way to build a more observable, segmented, and defensible backbone for the next wave of services. For a deeper dive on Salt Typhoon and other advanced persistent threats (APTs), see our post on warding off Salt Typhoon cyberattacks and similar APTs.
In short, IPv6 gave us the addressing model for the future — and SRv6 is the transport architecture that finally lets us use it to its full potential.
Why SRv6?
Segment routing, and especially SRv6, provides a clean architectural reset from MPLS transport — purpose‑built for scale, automation, simplicity, and service agility.
A single unified routing model (back to packet level transport forwarding)
Segment routing is one architecture delivered across two data planes:
SR-MPLS
- Segment routing applied to the MPLS data plane
- Source-based routing where the node/adjacency segment is encoded using an MPLS label
SRv6
- Segment routing applied to the IPv6 data plane
- One or more segments encoded directly inside an IPv6 address (MicroSID/uSID)
SR-MPLS has driven major advancements in IP networking — fast reroute, delay based routing, and centralized and distributed TE. It modernizes MPLS‑LDP but still depends on MPLS label‑shim technology and a layer 2.5 architecture.
SRv6 advances this further by transporting segment routing instructions natively in IPv6. Instead of MPLS labels, SRv6 encodes segment IDs (SIDs/uSIDs) as IPv6 addresses. Any router capable of forwarding IPv6 traffic can participate, eliminating the end to end dependency on MPLS and enabling SR‑based services across any IPv6 enabled transport — including the public internet.
This unlocks new possibilities like delivering Ethernet VPN (EVPN) L2VPN/L3VPN services over globally reachable IPv6 Global Unicast Address (GUA) without requiring a private MPLS backbone. Non SRv6 nodes simply perform standard IPv6 longest prefix match forwarding, ensuring seamless operation even in mixed environments of both SRv6 and non-SRv6 nodes in the same network.
What defines an SRv6‑capable solution?
Carrier‑grade SRv6 implementations support an extensive feature set, including:
- uSID MicroSID (based on RFC9800)
- IPv6 base /24 and F3216 IPv6 plan for SRv6 transport
- /48 locators per node — used for services breakout
- IPv6 GUA or Unique Local Address (ULA) addressing
- Flexible Algorithm (Flex‑Algo)
- Topology‑Independent Loop‑Free Alternate (TI-LFA) Fast Reroute
- Full services overlay support
- BGP L2VPN/L3VPN + IPv6 global routing
- IPv4 as a service edge over SRv6
- Path computation element (SR‑PCE) for SR‑TE automation
- Delay‑ and constraint‑based traffic engineering
- Supports IPv6 backbone-native use cases
SRv6 continues to evolve rapidly, expanding its feature set beyond SR‑MPLS while simplifying the overall architecture.
Image From: SRv6 Micro-SID (uSID) Basics
What EVPN overlay services gain from SRv6 transport -programmable network
SRv6 turns network intent into instructions carried directly in the packet — no label databases, no MPLS shims. Features such as IPv6 flow labels enable simplified QoS and improved ECMP load balancing.
Your benefits:
- Rapid service activation
- Path modification without outages
- More consistent end‑user performance
- Enhanced SLAs with closed‑loop remediation
- New SR performance measurement + advanced telemetry
SRv6 aligns with automation pipelines, Infrastructure as Code workflows, and cloud‑driven operations.
Services stop waiting on the network to catch up.
With SRv6 you can:
- Dynamically program routing paths.
- Steer traffic based on latency or congestion.
- Insert security or telemetry services on demand.
- Create new revenue opportunities (e.g., path disjointness services).
- Reduce latency using Flex‑Algo.
This transforms the network into an extension of the application — no longer a rigid transport system.
Native IPv6 scale
IPv6’s vast addressing space removes scaling barriers inherent in IPv4 and MPLS.
SRv6 delivers:
- Large‑scale L3 summarization (hundreds to thousands of nodes can be summarized under a single regional /32 or /40 using F3216 IPv6 networks)
- Efficient uSID‑based service chaining
- Locator‑based routing structures that avoid label exhaustion or depth limitations
- An IP planning do-over or makeover with IPv6
For organizations expanding across regions, clouds, or global footprints, SRv6 provides long‑term architectural headroom using routing packet layer summarization.
Built-in security and predictability
By inheriting IPv6’s security model, SRv6 provides:
- Strong isolation
- Antispoofing protections
- Deterministic routing (intent carried in the packet)
- Simplified compliance validation
- Native IPv6 IPsec support
This makes troubleshooting simpler and faster by inspecting the packet header rather than the entire network or MPLS LSP label switch path.
Advanced adversaries like Salt Typhoon don’t “break in” once — they quietly move laterally, expand credentials, and repurpose the same tools operators rely on daily. In a carrier-grade SRv6 architecture, you can:
- Use locator-based routing and uSID chains to enforce micro-segmented paths between critical domains, making lateral movement and infrastructure pivoting far harder.
- Design deterministic, intent-driven paths that are easy to verify and monitor, so unexpected route changes or traffic detours stand out quickly.
- Standardize on native IPv6 security controls and IPsec, instead of a patchwork of legacy MPLS tunnels and deprecated protocols that APTs routinely exploit.
These architectural choices don’t “solve” threats from malicious actors like Salt Typhoon on their own, but they do give operators a transport fabric that’s easier to harden, observe, and validate against these kinds of long-game intrusions.
Simplified, seamless deployment
SRv6 supports:
- Brownfield dual‑IGP underlay networks
- SRv6 “walled garden” IS‑IS implementations
- ISISv6 coexistence with existing OSPFv2/MPLS‑LDP environments
- Gradual migration of EVPN overlay services to SRv6 underlay
The resulting migration reduces the overall number of protocols, shims, and tunnels compared with MPLS-LDP/MPLS‑TE/RSVP tunnels.
Future‑ready for 5G, IoT, and edge
SRv6 provides the low-latency, high-bandwidth, and flexible transport needed for next‑generation applications:
- 5G transport
- Edge compute fabrics
- Multicloud networking
- Distributed IoT architectures
- Service provider network slicing
SRv6 offers the operational runway required for modern and future workloads.
Moving beyond MPLS to a programmable, resilient future
MPLS has served the industry well, delivering decades of reliable, scalable transport. But as networks evolve to support cloud, edge, and increasingly sophisticated threat landscapes, their limitations are becoming more apparent.
SRv6 implementation is more than an incremental upgrade — it’s a shift toward a simpler, programmable, and massively scalable network aligned with modern operational principles.
SRv6 enables:
- A fully serviceready IPv6 underlay
- IPv4 delivered as a service, not the transport
- Faster service rollout
- Lower operational overhead
- Easier troubleshooting
- Superior performance consistency
- Longterm architectural resilience
In other words, a carrier-grade SRv6 implementation enables your services to move at the pace your business demands—while strengthening your network against Salt Typhoon–style threats, an outcome GDT is helping service providers achieve.
