| draft-ietf-idr-flowspec-interfaceset-03.txt | draft-ietf-idr-flowspec-interfaceset-04.txt | |||
|---|---|---|---|---|
| Routing Area Working Group S. Litkowski | Inter-Domain Routing S. Litkowski | |||
| Internet-Draft Orange | Internet-Draft Orange | |||
| Intended status: Standards Track A. Simpson | Intended status: Standards Track A. Simpson | |||
| Expires: September 12, 2017 Nokia | Expires: December 30, 2018 Nokia | |||
| K. Patel | K. Patel | |||
| Arrcus, Inc | Arrcus, Inc | |||
| J. Haas | J. Haas | |||
| Juniper Networks | Juniper Networks | |||
| L. Yong | L. Yong | |||
| Huawei | Huawei | |||
| March 11, 2017 | June 28, 2018 | |||
| Applying BGP flowspec rules on a specific interface set | Applying BGP flowspec rules on a specific interface set | |||
| draft-ietf-idr-flowspec-interfaceset-03 | draft-ietf-idr-flowspec-interfaceset-04 | |||
| Abstract | Abstract | |||
| BGP flowspec is an extension to BGP that allows for the dissemination | The BGP Flow Specification (flowspec) Network Layer Reachability | |||
| of traffic flow specification rules. The primary application of this | Information (BGP NLRI) extension ([RFC5575]) is used to distribute | |||
| extension is DDoS mitigation where the flowspec rules are applied in | traffic flow specifications into BGP. The primary application of | |||
| most cases to all peering routers of the network. | this extension is the distribution of traffic filtering policies for | |||
| the mitigation of distributed denial of service (DDoS) attacks. | ||||
| This document will present another use case of BGP flowspec where | ||||
| flow specifications are used to maintain some access control lists at | ||||
| network boundary. BGP flowspec is a very efficient distributing | ||||
| machinery that can help in saving OPEX while deploying/updating ACLs. | ||||
| This new application requires flow specification rules to be applied | ||||
| only on a specific subset of interfaces and in a specific direction. | ||||
| The current specification of BGP flowspec ([RFC5575]) introduces the | ||||
| notion of flow specification (which describes the matching criterion) | ||||
| and traffic filtering actions. The flow specification is encoded as | ||||
| part of the NLRI while the traffic filtering actions are encoded as | ||||
| extended communities. The combination of a flow specification and | ||||
| one or more actions is known as a flow specification rule. [RFC5575] | ||||
| does not detail where the flow specification rules need to be | ||||
| applied. | ||||
| Besides the flow specification and traffic filtering actions, this | By default, flow specification filters are applied on all forwarding | |||
| document introduces the notion of traffic filtering scope in order to | interfaces that are enabled for use by the BGP flowspec extension. A | |||
| drive where a particular rule must be applied. In particular, this | network operator may wish to apply a given filter selectively to a | |||
| document introduces the "interface-set" traffic filtering scope that | subset of interfaces based on an internal classification scheme. | |||
| could be used in parallel of traffic filtering actions (marking, | Examples of this include "all customer interfaces", "all peer | |||
| rate-limiting ...). The purpose of this extension is to inform | interfaces", "all transit interfaces", etc. | |||
| remote routers about groups of interfaces where the rule must be | ||||
| applied. | ||||
| This extension can also be used in a DDoS mitigation context where a | This document defines BGP Extended Communities ([RFC4360]) that | |||
| provider wants to apply the filtering only on specific peers. | permit such filters to be selectively applied to sets of forwarding | |||
| interfaces sharing a common group identifier. The BGP Extended | ||||
| Communities carrying this group identifier are referred to as the BGP | ||||
| Flowspec "interface-set" Extended Communities. | ||||
| Requirements Language | Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 2, line 29 ¶ | skipping to change at page 2, line 15 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 12, 2017. | This Internet-Draft will expire on December 30, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Use case . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Use case . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Specific filtering for DDoS . . . . . . . . . . . . . . . 3 | 2. Interface specific filtering using BGP flowspec . . . . . . . 3 | |||
| 1.2. ACL maintenance . . . . . . . . . . . . . . . . . . . . . 4 | 3. Interface-set extended community . . . . . . . . . . . . . . 4 | |||
| 2. Collaborative filtering and managing filter direction . . . . 5 | 4. Scaling of per-interface rules . . . . . . . . . . . . . . . 6 | |||
| 3. Traffic filtering scope . . . . . . . . . . . . . . . . . . . 6 | 5. Deployment Considerations . . . . . . . . . . . . . . . . . . 6 | |||
| 4. Interface specific filtering using BGP flowspec . . . . . . . 7 | 5.1. Add-Paths . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5. Interface-set extended community . . . . . . . . . . . . . . 8 | 5.2. Inter-domain Considerations . . . . . . . . . . . . . . . 6 | |||
| 6. Handling rules from different sources in the processing pipe 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.1. Combining Policy Based Routing with BGP flowspec and | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| interface-set . . . . . . . . . . . . . . . . . . . . . . 10 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.2. Combining flow collection with BGP flowspec and | 8.1. FlowSpec Transitive Extended Communities . . . . . . . . 7 | |||
| interface-set . . . . . . . . . . . . . . . . . . . . . . 11 | 8.2. FlowSpec Non-Transitive Extended Communities . . . . . . 7 | |||
| 7. Scaling of per interface rules . . . . . . . . . . . . . . . 11 | 8.3. FlowSpec interface-set Extended Community . . . . . . . . 8 | |||
| 8. Deployment considerations . . . . . . . . . . . . . . . . . . 12 | 8.4. Allocation Advice to IANA . . . . . . . . . . . . . . . . 8 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 9. Normative References . . . . . . . . . . . . . . . . . . . . 8 | |||
| 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | ||||
| 11.1. FlowSpec Transitive Extended Communities . . . . . . . . 13 | ||||
| 11.2. FlowSpec Non-Transitive Extended Communities . . . . . . 13 | ||||
| 11.3. FlowSpec interface-set Extended Community . . . . . . . 13 | ||||
| 11.4. Allocation Advice to IANA . . . . . . . . . . . . . . . 13 | ||||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | ||||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . 14 | ||||
| 12.2. Informative References . . . . . . . . . . . . . . . . . 14 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | ||||
| 1. Use case | 1. Use case | |||
| 1.1. Specific filtering for DDoS | While a network may provide connectivity to a homogenous class of | |||
| users, it often provides connectivity to different groups of users. | ||||
| ----------------- --- (ebgp) - Peer3 (BW 10G) | The nature of these different groups, and how they're classified, | |||
| / \/ | varies based on the purpose of the network. In an enterprise | |||
| | /| | network, connectivity may exist between data centers, offices, and | |||
| | PE --- (ebgp) - Transit1(BW 4x10G) | external connectivity. In a virtual private networking (VPN) | |||
| Cust1 --- (ebgp) --- PE | | network, it may consist of customers in different sites connected | |||
| | PE ---- (ebgp) - Peer2 (BW 4*10G) | through a VPN, the provider core network, and external networks such | |||
| | \| | as the Internet. In a traditional Internet service provider (ISP) | |||
| Cust2 --- (ebgp) --- PE |----- (ebgp) - Customer3 | network, the network may consist of points of presence (POPs), | |||
| /| | | internal infrastructure networks, customer networks, peer networks, | |||
| Peer1(BW10G)-(ebgp) | PE --- (ebgp) - Transit2(BW 4x10G) | and transit networks. | |||
| | | | ||||
| \ / | ||||
| ------------------ | ||||
| Figure 1 | ||||
| The figure 1 above displays a typical service provider Internet | ||||
| network owing Customers, Peers and Transit. To protect pro actively | ||||
| against some attacks (e.g. DNS, NTP ...), the service provider may | ||||
| want to deploy some rate-limiting of some flows on peers and transit | ||||
| links. But depending on link bandwidth, the provider may want to | ||||
| apply different rate-limiting values. | ||||
| For 4*10G links peer/transit, it may want to apply a rate-limiting of | ||||
| DNS flows of 1G, while on 10G links, the rate-limiting would be set | ||||
| to 250Mbps. Customer interfaces must not be rate-limited. | ||||
| BGP flowspec infrastructure may already be present on the network, | ||||
| and all PEs may have a BGP session running flowspec address family. | ||||
| The flowspec infrastructure may be reused by the service provider to | ||||
| implement such rate-limiting in a very quick manner and being able to | ||||
| adjust values in future quickly without having to configure each node | ||||
| one by one. Using the current BGP flowspec specification, it would | ||||
| not be possible to implement different rate limiter on different | ||||
| interfaces of a same router. The flowspec rule is applied to all | ||||
| interfaces in all directions or on some interfaces where flowspec is | ||||
| activated but flowspec rule set would be the same among all | ||||
| interfaces. | ||||
| Section Section 4 will detail a solution to address this use case | ||||
| using BGP flowspec. | ||||
| 1.2. ACL maintenance | ||||
| --------------- --- (ebgp) - Cust4_VPN | ||||
| / \/ | ||||
| Cust1_INT -- (ebgp) --- PE /| | ||||
| | PE ------ (ebgp) - Transit1 | ||||
| Cust3_VPN -- (ebgp) --- PE | | ||||
| | PE ------ (ebgp) - Peer2 | ||||
| | \| | ||||
| Cust2_INT -- (ebgp) --- PE |----- (ebgp) - Cust4_INT | ||||
| /| | | ||||
| Peer1 ------ (ebgp) -- | PE ------ (ebgp) - Transit2 | ||||
| | | | ||||
| \ / | ||||
| ---------------- | ||||
| Figure 2 | ||||
| The figure 1 above displays a typical service provider multiservice | ||||
| network owing Customers, Peers and Transit for Internet, as well as | ||||
| VPN services. The service provider requires to ensure security of | ||||
| its infrastructure by applying ACLs at network boundary. Maintaining | ||||
| and deploying ACLs on hundreds/thousands of routers is really painful | ||||
| and time consuming and a service provider would be interested to | ||||
| deploy/updates ACLs using BGP flowspec. In this scenario, depending | ||||
| on the interface type (Internet customer, VPN customer, Peer, Transit | ||||
| ...) the content of the ACL may be different. | ||||
| We foresee two main cases : | ||||
| o Maintaining complete ACLs using flowspec : in this case all the | ||||
| ingress ACL are maintained and deployed using BGPflowspec. See | ||||
| section Section 9 for more details on security aspects. | ||||
| o Requirement of a quick deployment of a new filtering term due to a | ||||
| security alert : new security alerts often requires a fast | ||||
| deployment of new ACL terms. Using traditional CLI and hop by hop | ||||
| provisioning, such deployment takes time and network is | ||||
| unprotected during this time window. Using BGP flowspec to deploy | ||||
| such rule, a service provider can protect its network in few | ||||
| seconds. Then the SP can decide to keep the rule permanently in | ||||
| BGP flowspec or update its ACL or remove the entry (in case | ||||
| equipments are not vulnerable anymore). | ||||
| Section Section 4 will detail a solution to address this use case | ||||
| using BGP flowspec. | ||||
| 2. Collaborative filtering and managing filter direction | ||||
| [RFC5575] states in Section 5. : "This mechanism is primarily | ||||
| designed to allow an upstream autonomous system to perform inbound | ||||
| filtering in their ingress routers of traffic that a given downstream | ||||
| AS wishes to drop.". | ||||
| In case of networks collaborating in filtering, there is a use case | ||||
| for performing outbound filtering. Outbound filtering allows to | ||||
| apply traffic action one step before and so may allow to prevent | ||||
| impact like congestions. | ||||
| ---------------------- | ||||
| / \ | ||||
| | Upstream provider | | ||||
| \ / | ||||
| ----------------------- | ||||
| | | | ||||
| |P2 |P1 | ||||
| ---------------------- | ||||
| / \ | ||||
| | MyAS | | ||||
| \ / | ||||
| ----------------------- | ||||
| Figure 3 | ||||
| In the figure above, MyAS is connected to an upstream provider. If a | ||||
| malicious traffic comes in from the upstream provider, it may | ||||
| congestion P1 or P2 links. If MyAS apply inbound filtering on P1/P2 | ||||
| using BGP flowspec, the congestion issue will not be solved. | ||||
| Using collaborative filtering, the upstream provider may propose to | ||||
| MyAS to filter malicious traffic sent to it. We propose to enhance | ||||
| [RFC5575] to make myAS able to send BGP flowspec updates (on eBGP | ||||
| sessions) to the upstream provider to request outbound filtering on | ||||
| peering interfaces towards MyAS. When the upstream provider will | ||||
| receive the BGP flowspec update from MyAS, the BGP flowspec update | ||||
| will contain request for outbound filtering on a specific set of | ||||
| interfaces. The upstream provider will apply automatically the | ||||
| requested filter and congestion will be prevented. | ||||
| 3. Traffic filtering scope | ||||
| We see with the use case described above that some BGP flowspec rules | ||||
| may need to be applied only on specific elements of the network | ||||
| (interfaces, nodes ...). The basic specification detailed in | ||||
| [RFC5575] does not address this and does not give any detail on where | ||||
| the traffic filtering rule need to be applied. | ||||
| In addition to the flow specification (flow matching criterion) and | The BGP flowspec extension permits traffic filters to be distributed | |||
| traffic filtering actions described in [RFC5575], this document | to routers throughout a network. However, these filters often should | |||
| introduces the notion of traffic filtering scope. The traffic | not be uniformly applied to all network interfaces. As an example, a | |||
| filtering scope will describe where a particular flow specification | rate-limiting filter applied to the SMTP protocol may be applied to | |||
| rule must be applied. | customer networks, but not other networks. Similarly, a DDoS attack | |||
| on the SSH protocol may be deemed appropriate to drop at upstream | ||||
| peering routers but not customer routers. | ||||
| Using a traffic filtering scope in a BGP flowspec rule is optional. | By default, BGP flowspec filters are applied at all interfaces that | |||
| When a rule does not contain any traffic filtering scope parameter, | permit flowspec filters to be installed. What is needed is a way to | |||
| [RFC5575] applies. | selectively apply those filters to subsets of interfaces in a | |||
| network. | ||||
| 4. Interface specific filtering using BGP flowspec | 2. Interface specific filtering using BGP flowspec | |||
| The use case detailed above requires application of different BGP | The uses case detailed above require application of different BGP | |||
| flowspec rules on different set of interfaces. | flowspec rules on different sets of interfaces. | |||
| We propose to introduce, within BGP flowspec, a traffic filtering | We propose to introduce, within BGP flowspec, a traffic filtering | |||
| scope that identifies a group of interfaces where a particular filter | scope that identifies a group of interfaces where a particular filter | |||
| should apply on. Identification of interfaces within BGP flowspec | should be applied. Identification of interfaces within BGP flowspec | |||
| will be done through group identifiers. A group identifier marks a | will be done through group identifiers. A group identifier marks a | |||
| set of interfaces sharing a common administrative property. Like a | set of interfaces sharing a common administrative property. Like a | |||
| BGP community, the group identifier itself does not have any | BGP community, the group identifier itself does not have any | |||
| significance. It is up to the network administrator to associate a | significance. It is up to the network administrator to associate a | |||
| particular meaning to a group identifier value (e.g. group ID#1 | particular meaning to a group identifier value (e.g. group ID#1 | |||
| associated to Internet customer interfaces). The group identifier is | associated to Internet customer interfaces). The group identifier is | |||
| a local interface property. Any interface may be associated with one | a local interface property. Any interface may be associated with one | |||
| or more group identifiers using manual configuration. | or more group identifiers using manual configuration. | |||
| When a filtering rule advertised through BGP flowspec must be applied | When a filtering rule advertised through BGP flowspec must be applied | |||
| only to particular sets of interfaces, the BGP flowspec BGP update | only to particular sets of interfaces, the BGP flowspec BGP UPDATE | |||
| will contain the identifiers associated with the relevant sets of | will contain the identifiers associated with the relevant sets of | |||
| interfaces. In addition to the group identifiers, it will also | interfaces. In addition to the group identifiers, it will also | |||
| contain the direction the filtering rule must be applied in (see | contain the direction the filtering rule must be applied in (see | |||
| Section 5). | Section 3). | |||
| Configuration of group identifiers associated to interfaces may | Configuration of group identifiers associated to interfaces may | |||
| change over time. An implementation MUST ensure that the filtering | change over time. An implementation MUST ensure that the filtering | |||
| rules (learned from BGP flowspec) applied to a particular interface | rules (learned from BGP flowspec) applied to a particular interface | |||
| are always updated when the group identifier mapping is changing. | are always updated when the group identifier mapping is changing. | |||
| Considering figure 2, we can imagine the following design : | As an example, we can imagine the following design : | |||
| o Internet customer interfaces are associated with group-identifier | o Internet customer interfaces are associated with group-identifier | |||
| 1. | 1. | |||
| o VPN customer interfaces are associated with group-identifier 2. | o VPN customer interfaces are associated with group-identifier 2. | |||
| o All customer interfaces are associated with group-identifier 3. | o All customer interfaces are associated with group-identifier 3. | |||
| o Peer interfaces are associated with group-identifier 4. | o Peer interfaces are associated with group-identifier 4. | |||
| o Transit interfaces are associated with group-identifier 5. | o Transit interfaces are associated with group-identifier 5. | |||
| o All external provider interfaces are associated with group- | o All external provider interfaces are associated with group- | |||
| identifier 6. | identifier 6. | |||
| o All interfaces are associated with group-identifier 7. | o All interfaces are associated with group-identifier 7. | |||
| If the service provider wants to deploy a specific inbound filtering | If the service provider wants to deploy a specific inbound filtering | |||
| on external provider interfaces only, the provider can send the BGP | on external provider interfaces only, the provider can send the BGP | |||
| flow specification using group-identifier 6 and including inbound | flow specification using group-identifier 6 for the inbound | |||
| direction. | direction. | |||
| There are some cases where nodes are dedicated to specific functions | There are some cases where nodes are dedicated to specific functions | |||
| (Internet peering, Internet Edge, VPN Edge, Service Edge ...), in | (Internet peering, Internet Edge, VPN Edge, Service Edge ...), in | |||
| this kind of scenario, there is an interest for a constrained | this kind of scenario, there is an interest for a constrained | |||
| distribution of filtering rules that are using the interface specific | distribution of filtering rules that are using the interface specific | |||
| filtering. Without the constrained route distribution, all nodes | filtering. Without the constrained route distribution, all nodes | |||
| will received all the filters even if they are not interested in | will received all the filters even if they are not interested in | |||
| those filters. Constrained route distribution of flowspec filters | those filters. Constrained route distribution of flowspec filters | |||
| would allow for a more optimized distribution. | would allow for a more optimized distribution. | |||
| 5. Interface-set extended community | 3. Interface-set extended community | |||
| This document proposes a new BGP Route Target extended community | This document proposes a new BGP Route Target extended community | |||
| called "flowspec interface-set". This document so expands the | called the "flowspec interface-set". This document expands the | |||
| definition of the Route Target extended community to allow a new | definition of the Route Target extended community to allow a new | |||
| value of high order octet (Type field) to be TBD (in addition to the | value of high order octet (Type field) to be 0x07 for the transitive | |||
| values specified in [RFC4360]). | flowspec interface-set extended community, or 0x47 for the non- | |||
| transitive flowspec interface-set extended community. These are in | ||||
| In order to ease intra-AS and inter-AS use cases, this document | addition to the values specified in [RFC4360]. | |||
| proposes to have a transitive as well as a non transitive version of | ||||
| this extended community. | ||||
| This new BGP Route Target extended community is encoded as follows : | This new BGP Route Target extended community is encoded as follows : | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Type (TBD) | 0x02 | Autonomous System Number : | | 0x07 or 0x47 | 0x02 | Autonomous System Number : | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| : AS Number (cont.) |O|I| Group Identifier | | : AS Number (cont.) |O|I| Group Identifier | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| The flags are : | The flags are : | |||
| o O : if set, the flow specification rule MUST be applied in | o O : if set, the flow specification rule MUST be applied in | |||
| outbound direction to the interface set referenced by the | outbound direction to the interface set referenced by the | |||
| following group-identifier. | following group-identifier. | |||
| o I : if set, the flow specification rule MUST be applied in input | o I : if set, the flow specification rule MUST be applied in inbound | |||
| direction to the interface set referenced by the following group- | direction to the interface set referenced by the following group- | |||
| identifier. | identifier. | |||
| Both flags can be set at the same time in the interface-set extended | Both flags can be set at the same time in the interface-set extended | |||
| community leading to flow rule to be applied in both directions. An | community leading to flow rule to be applied in both directions. An | |||
| interface-set extended community with both flags set to zero MUST be | interface-set extended community with both flags set to zero MUST be | |||
| treated as an error and as consequence, the flowspec update MUST be | treated as an error and as consequence, the flowspec update MUST be | |||
| discarded. As having no direction indicated as no sense, there is no | discarded. As having no direction indicated as no sense, there is no | |||
| need to propagate the filter informations in the network. | need to propagate the filter informations in the network. | |||
| The Group Identifier is coded as a 14-bit number (values goes from 0 | The Group Identifier is encoded as a 14-bit number, values 0..16383. | |||
| to 16383). | ||||
| Multiple instances of the interface-set community may be present in a | ||||
| BGP update. This may appear if the flow rule need to be applied to | ||||
| multiple set of interfaces. | ||||
| Multiple instances of the community in a BGP update MUST be | ||||
| interpreted as a "OR" operation : if a BGP update contains two | ||||
| interface-set communities with group ID 1 and group ID 2, the filter | ||||
| would need to be installed on interfaces belonging to Group ID 1 or | ||||
| Group ID 2. | ||||
| As using a Route Target, route distribution of flowspec NLRI with | ||||
| interface-set may be subject to constrained distribution as defined | ||||
| in [RFC4684]. Constrained route distribution for flowspec routes | ||||
| using interface-set requires discussion and will be addressed in a | ||||
| future revision of the document. | ||||
| 6. Handling rules from different sources in the processing pipe | ||||
| A packet on a router may be processed by multiple rules that are | ||||
| originated by different sources (e.g. statically configured, I2RS | ||||
| ephemeral, BGP ephemeral ...). [RFC5575] does not provide any | ||||
| guidance regarding the precedence of BGP flowspec rules compared to | ||||
| other sources. A new version of BGP flowspec | ||||
| [I-D.hares-idr-flowspec-v2] should address these precedence rules | ||||
| definition in future. | ||||
| This document only addresses the usage of "interface-set" in the | ||||
| framework of [RFC5575] and the following generic rules SHOULD be used | ||||
| by an implementation: | ||||
| o An inbound flowspec rule using interface-set SHOULD be processed | ||||
| after all existing inbound traffic processing rules (ACL, PBR, | ||||
| QoS, flow collection ...) and SHOULD be applied before forwarding | ||||
| decision is made. | ||||
| o An outbound flowspec rule using interface-set SHOULD be processed | ||||
| after all existing outbound traffic processing rules (ACL, PBR, | ||||
| QoS, flow collection ...) and SHOULD be applied after forwarding | ||||
| decision has been made. | ||||
| Inbound processing Forwarding Outbound processing | ||||
| ACL->PBR->BGP_FS in -> Lookup -> PBR->QoS->I2RS->BGP_FS out | ||||
| Example of packet processing pipe | ||||
| In the example above, any BGP flowspec rule ([RFC5575]) with an | ||||
| inbound interface-set is processed after all existing features (ACL, | ||||
| PBR and QoS) but before the lookup is done. The outbound BGP | ||||
| flowspec rules with interface-set are applied after the lookup and | ||||
| after all any existing feature. | ||||
| This section gives two examples of combining existing features with | ||||
| BGP flowspec+interface-set attribute on an interface. | ||||
| 6.1. Combining Policy Based Routing with BGP flowspec and interface-set | ||||
| In this example, a router has an already configured inbound policy on | ||||
| an interface IF1 with the following rules: | ||||
| o Static policy IN: | ||||
| * Entry 1: from udp 10/8 to 11/8 port 53 then set dscp af11 and | ||||
| accept | ||||
| * Entry 2: from tcp 10/8 to 11/8 port 22 then set dscp af22 and | ||||
| accept | ||||
| * Entry 3: from tcp 10/8 to 11/8 port 80 then set dscp af11 and | ||||
| accept | ||||
| * Entry 4: from ip 10/8 to 11/8 then drop | ||||
| In addition to this static inbound ACL, the router receives the | ||||
| following unordered BGP flowspec version 1 rules with an interface- | ||||
| set matching IF1. | ||||
| o flowspec rules IN : | ||||
| * from udp 10.0.0.1/32 to 11/8 port 53 then drop | ||||
| * from tcp 10/8 to 11/8 port 80 then set dscp af32 and accept | ||||
| * from udp 10/8 to 11/8 then accept | ||||
| The combination of the static inbound ACL and the inbound "interface- | ||||
| set" flowspec rules should result in the following packet processing: | ||||
| o a UDP flow from 10.0.0.1 to 11.0.0.2 on port 53 will be rejected: | ||||
| firstly, it is allowed by the static ACL and DSCP is set to af11 | ||||
| but then it is dropped by the flowspec filter. | ||||
| o a UDP flow from 10.0.0.2 to 11.0.0.2 on port 53 will be accepted | ||||
| and DSCP will be set to af11. | ||||
| o a TCP flow from 10.0.0.2 to 11.0.0.2 on port 80 will be accepted | Multiple instances of the interface-set extended community may be | |||
| and DSCP will be set to af32: firstly, the static PBR rule set the | present in a BGP update. This may occur if the flowspec rule needs | |||
| DSCP to af11 and accepts the packet, then the flowspec filter | to be applied to multiple sets of interfaces. | |||
| rewrites the DSCP to af32 and accepts it also. | ||||
| 6.2. Combining flow collection with BGP flowspec and interface-set | Multiple instances of the extended community in a BGP update MUST be | |||
| interpreted as a "OR" operation. For example, if a BGP UPDATE | ||||
| contains two interface-set extended communities with group ID 1 and | ||||
| group ID 2, the filter would need to be installed on interfaces | ||||
| belonging to Group ID 1 or Group ID 2. | ||||
| A router may activate flow collection features (used in collaboration | Similar to using a Route Target extended community, route | |||
| with Netflow export). Flow collection can be done at input side or | distribution of flowspec NLRI with interface-set extended communities | |||
| output side. When a router is configured to collect flow | may be subject to constrained distribution as defined in [RFC4684]. | |||
| informations on an inbound interface, the flow collection happens | ||||
| before any BGP flowspec rule with interface-set: if a particular | ||||
| packet flow is denied by a BGP flowspec rule, it will still be | ||||
| collected. | ||||
| The same happens if a router is configured to collect flow | 4. Scaling of per-interface rules | |||
| informations on an outbound interface, the flow collection happens, | ||||
| and then the BGP flowspec rule is applied: the flow is collected | ||||
| whatever the result of the BGP flowspec rule. | ||||
| 7. Scaling of per interface rules | In the absence of an interface-set extended community, a flowspec | |||
| filter is applied to all flowspec enabled interfaces. When | ||||
| interface-set extended communities are present, different interfaces | ||||
| may have different filtering rules, with different terms and actions. | ||||
| These differing rules may make it harder to share forwarding | ||||
| instructions within the forwarding plane. | ||||
| Without "interface-set", all the interfaces are using the same | Flowspec implementations supporting the interface-set extended | |||
| flowspec filter, while with "interface-set" different interfaces may | community SHOULD take care to minimize the scaling impact in such | |||
| have different flowspec filters (with different terms and actions). | circumstances. How this is accomplished is out of the scope of this | |||
| Having such flowspec rules that are applied on specific interfaces | document. | |||
| may create forwarding instructions that may be harder to share within | ||||
| the forwarding plane: a particular term may be present or not in the | ||||
| filter of a particular interface. | ||||
| An implementation SHOULD take care about trying to keep sharing | 5. Deployment Considerations | |||
| forwarding structures as much as possible in order to limit the | ||||
| scaling impact. How the implementation would do so is out of scope | ||||
| of the document. | ||||
| 8. Deployment considerations | 5.1. Add-Paths | |||
| There are some cases where a particular BGP flowspec NLRI may be | There are some cases where a particular BGP flowspec NLRI may be | |||
| advertised to different interface groups with a different action. | advertised to different interface groups with a different action. | |||
| For example, a service provider may want to discard all ICMP traffic | For example, a service provider may want to discard all ICMP traffic | |||
| from customer interfaces to infrastructure addresses and want to | from customer interfaces to infrastructure addresses and want to | |||
| rate-limit the same traffic when it comes from some internal | rate-limit the same traffic when it comes from some internal | |||
| platforms. These particular cases require ADD-PATH to be deployed in | platforms. These particular cases require ADD-PATH ([RFC7911]) to be | |||
| order to ensure that all paths (NLRI+interface-set group-id+actions) | deployed in order to ensure that all paths (NLRI+interface-set group- | |||
| are propagated within the BGP control plane. Without ADD-PATH, only | id+actions) are propagated within the BGP control plane. Without | |||
| a single "NLRI+interface-set group-id+actions" will be propagated, so | ADD-PATH, only a single "NLRI+interface-set group-id+actions" will be | |||
| some filtering rules will never be applied. | propagated, so some filtering rules will never be applied. | |||
| 9. Security Considerations | 5.2. Inter-domain Considerations | |||
| Managing permanent Access Control List by using BGP flowspec as | The Group Identifier used by the interface-set extended community has | |||
| described in Section 1.2 helps in saving roll out time of such ACL. | local significance to its provisioning Autonomous System. While | |||
| However some ACL especially at network boundary are critical for the | [RFC5575] permits inter-as advertisement of flowspec NLRI, care must | |||
| network security and loosing the ACL configuration may lead to | be taken to not accept these communities when they would result in | |||
| network open for attackers. | unacceptable filtering policies. | |||
| By design, BGP flowspec rules are ephemeral : the flow rule exists in | Filtering of interface-set extended communities at Autonomous System | |||
| the router while the BGP session is UP and the BGP path for the rule | border routers (ASBRs) may thus be desirable. | |||
| is valid. We can imagine a scenario where a Service Provider is | ||||
| managing the network boundary ACLs by using only flowspec. In this | ||||
| scenario, if , for example, an attacker succeed to make the internal | ||||
| BGP session of a router to be down , it can open all boundary ACLs on | ||||
| the node, as flowspec rules will disappear due to the BGP session | ||||
| down. | ||||
| In reality, the chance for such attack to occur is low, as boundary | Note that the default behavior without the interface-set feature | |||
| ACLs should protect the BGP session from being attacked. | would to have been to install the flowspec filter on all flowspec | |||
| enabled interfaces. | ||||
| In order to complement the BGP flowspec solution is such deployment | 6. Security Considerations | |||
| scenario and provides security against such attack, a service | ||||
| provider may activate Long lived Graceful Restart | ||||
| [I-D.uttaro-idr-bgp-persistence] on the BGP session owning flowspec | ||||
| address family. So in case of BGP session to be down, the BGP paths | ||||
| of flowspec rules would be retained and the flowspec action will be | ||||
| retained. | ||||
| 10. Acknowledgements | This document extends the Security Considerations of [RFC5575] by | |||
| permitting flowspec filters to be selectively applied to subsets of | ||||
| network interfaces in a particular direction. Care must be taken to | ||||
| not permit the inadvertant manipulation of the interface-set extended | ||||
| community to bypass expected traffic manipulation. | ||||
| 7. Acknowledgements | ||||
| Authors would like to thanks Wim Hendrickx and Robert Raszuk for | Authors would like to thanks Wim Hendrickx and Robert Raszuk for | |||
| their valuable comments. | their valuable comments. | |||
| 11. IANA Considerations | 8. IANA Considerations | |||
| 11.1. FlowSpec Transitive Extended Communities | 8.1. FlowSpec Transitive Extended Communities | |||
| This document requests a new type from the "BGP Transitive Extended | This document requests a new type from the "BGP Transitive Extended | |||
| Community Types" extended community registry from the First Come | Community Types" extended community registry from the First Come | |||
| First Served range. This type name shall be 'FlowSpec Transitive | First Served range. This type name shall be 'FlowSpec Transitive | |||
| Extended Communities'. | Extended Communities'. IANA has assigned the value 0x07 to this | |||
| type. | ||||
| This document requests creation of a new registry called "FlowSpec | This document requests creation of a new registry called "FlowSpec | |||
| Transitive Extended Community Sub-Types". This registry contains | Transitive Extended Community Sub-Types". This registry contains | |||
| values of the second octet (the "Sub-Type" field) of an extended | values of the second octet (the "Sub-Type" field) of an extended | |||
| community when the value of the first octet (the "Type" field) is the | community when the value of the first octet (the "Type" field) is the | |||
| value allocated in this document. The registration procedure for | value allocated in this document. The registration procedure for | |||
| values in this registry shall be First Come First Served. | values in this registry shall be First Come First Served. | |||
| 11.2. FlowSpec Non-Transitive Extended Communities | 8.2. FlowSpec Non-Transitive Extended Communities | |||
| This document requests a new type from the "BGP Non-Transitive | This document requests a new type from the "BGP Non-Transitive | |||
| Extended Community Types" extended community registry from the First | Extended Community Types" extended community registry from the First | |||
| Come First Served range. This type name shall be 'FlowSpec Non- | Come First Served range. This type name shall be 'FlowSpec Non- | |||
| Transitive Extended Communities'. | Transitive Extended Communities'. IANA has assigned the value 0x47 | |||
| to this type. | ||||
| This document requests creation of a new registry called "FlowSpec | This document requests creation of a new registry called "FlowSpec | |||
| Non-Transitive Extended Community Sub-Types". This registry contains | Non-Transitive Extended Community Sub-Types". This registry contains | |||
| values of the second octet (the "Sub-Type" field) of an extended | values of the second octet (the "Sub-Type" field) of an extended | |||
| community when the value of the first octet (the "Type" field) is the | community when the value of the first octet (the "Type" field) is the | |||
| value allocated in this document. The registration procedure for | value allocated in this document. The registration procedure for | |||
| values in this registry shall be First Come First Served. | values in this registry shall be First Come First Served. | |||
| 11.3. FlowSpec interface-set Extended Community | 8.3. FlowSpec interface-set Extended Community | |||
| Within the two new registries above, this document requests a new | Within the two new registries above, this document requests a new | |||
| subtype (suggested value 0x02). This sub-type shall be named | subtype (suggested value 0x02). This sub-type shall be named | |||
| "interface-set", with a reference to this document. | "interface-set", with a reference to this document. | |||
| 11.4. Allocation Advice to IANA | 8.4. Allocation Advice to IANA | |||
| IANA is requested to allocate the values of the FlowSpec Transitive | IANA is requested to allocate the values of the FlowSpec Transitive | |||
| and Non-Transitive Extended Communities such that their values are | and Non-Transitive Extended Communities such that their values are | |||
| identical when ignoring the second high-order bit (Transitive). See | identical when ignoring the second high-order bit (Transitive). See | |||
| section 2, [RFC4360]. An example allocation would be 0x09/0x49. | section 2, [RFC4360]. | |||
| It is suggested to IANA that, when possible, allocations from the | It is suggested to IANA that, when possible, allocations from the | |||
| FlowSpec Transitive/Non-Transitive Extended Community Sub-Types | FlowSpec Transitive/Non-Transitive Extended Community Sub-Types | |||
| registries are made for transitive or non-transitive versions of | registries are made for transitive or non-transitive versions of | |||
| features (section 2, [RFC4360]) that their code point in both | features (section 2, [RFC4360]) that their code point in both | |||
| registries is identical. | registries is identical. | |||
| 12. References | 9. Normative References | |||
| 12.1. Normative References | ||||
| [I-D.ietf-idr-rtc-no-rt] | ||||
| Rosen, E., Patel, K., Haas, J., and R. Raszuk, "Route | ||||
| Target Constrained Distribution of Routes with no Route | ||||
| Targets", draft-ietf-idr-rtc-no-rt-06 (work in progress), | ||||
| November 2016. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | |||
| <http://www.rfc-editor.org/info/rfc2119>. | editor.org/info/rfc2119>. | |||
| [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended | [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended | |||
| Communities Attribute", RFC 4360, DOI 10.17487/RFC4360, | Communities Attribute", RFC 4360, DOI 10.17487/RFC4360, | |||
| February 2006, <http://www.rfc-editor.org/info/rfc4360>. | February 2006, <https://www.rfc-editor.org/info/rfc4360>. | |||
| [RFC4684] Marques, P., Bonica, R., Fang, L., Martini, L., Raszuk, | [RFC4684] Marques, P., Bonica, R., Fang, L., Martini, L., Raszuk, | |||
| R., Patel, K., and J. Guichard, "Constrained Route | R., Patel, K., and J. Guichard, "Constrained Route | |||
| Distribution for Border Gateway Protocol/MultiProtocol | Distribution for Border Gateway Protocol/MultiProtocol | |||
| Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual | Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual | |||
| Private Networks (VPNs)", RFC 4684, DOI 10.17487/RFC4684, | Private Networks (VPNs)", RFC 4684, DOI 10.17487/RFC4684, | |||
| November 2006, <http://www.rfc-editor.org/info/rfc4684>. | November 2006, <https://www.rfc-editor.org/info/rfc4684>. | |||
| [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., | [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., | |||
| and D. McPherson, "Dissemination of Flow Specification | and D. McPherson, "Dissemination of Flow Specification | |||
| Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, | Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, | |||
| <http://www.rfc-editor.org/info/rfc5575>. | <https://www.rfc-editor.org/info/rfc5575>. | |||
| 12.2. Informative References | ||||
| [I-D.hares-idr-flowspec-v2] | ||||
| Hares, S., "BGP Flow Specification Version 2", draft- | ||||
| hares-idr-flowspec-v2-00 (work in progress), June 2016. | ||||
| [I-D.uttaro-idr-bgp-persistence] | [RFC7911] Walton, D., Retana, A., Chen, E., and J. Scudder, | |||
| Uttaro, J., Chen, E., Decraene, B., and J. Scudder, | "Advertisement of Multiple Paths in BGP", RFC 7911, | |||
| "Support for Long-lived BGP Graceful Restart", draft- | DOI 10.17487/RFC7911, July 2016, <https://www.rfc- | |||
| uttaro-idr-bgp-persistence-03 (work in progress), November | editor.org/info/rfc7911>. | |||
| 2013. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Stephane Litkowski | Stephane Litkowski | |||
| Orange | Orange | |||
| Email: stephane.litkowski@orange.com | Email: stephane.litkowski@orange.com | |||
| Adam Simpson | Adam Simpson | |||
| Nokia | Nokia | |||
| Email: adam.1.simpson@nokia.com | Email: adam.1.simpson@nokia.com | |||
| skipping to change at page 15, line 19 ¶ | skipping to change at page 9, line 22 ¶ | |||
| Adam Simpson | Adam Simpson | |||
| Nokia | Nokia | |||
| Email: adam.1.simpson@nokia.com | Email: adam.1.simpson@nokia.com | |||
| Keyur Patel | Keyur Patel | |||
| Arrcus, Inc | Arrcus, Inc | |||
| Email: keyur@arrcus.com | Email: keyur@arrcus.com | |||
| Jeff Haas | Jeffrey Haas | |||
| Juniper Networks | Juniper Networks | |||
| Email: jhaas@juniper.net | Email: jhaas@juniper.net | |||
| Lucy Yong | Lucy Yong | |||
| Huawei | Huawei | |||
| Email: lucy.yong@huawei.com | Email: lucy.yong@huawei.com | |||
| End of changes. 57 change blocks. | ||||
| 414 lines changed or deleted | 147 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||