| draft-ietf-idr-flowspec-interfaceset-04.txt | draft-ietf-idr-flowspec-interfaceset-05.txt |
|---|---|
| Inter-Domain Routing S. Litkowski | Inter-Domain Routing S. Litkowski |
| Internet-Draft Orange | Internet-Draft Individual |
| Intended status: Standards Track A. Simpson | Intended status: Standards Track A. Simpson |
| Expires: December 30, 2018 Nokia | Expires: May 21, 2020 Nokia |
| K. Patel | K. Patel |
| Arrcus, Inc | Arrcus, Inc |
| J. Haas | J. Haas |
| Juniper Networks | Juniper Networks |
| L. Yong | L. Yong |
| Huawei | Huawei |
| June 28, 2018 | November 18, 2019 |
| Applying BGP flowspec rules on a specific interface set | Applying BGP flowspec rules on a specific interface set |
| draft-ietf-idr-flowspec-interfaceset-04 | draft-ietf-idr-flowspec-interfaceset-05 |
| Abstract | Abstract |
| The BGP Flow Specification (flowspec) Network Layer Reachability Information (BGP NLRI) extension ([RFC5575]) is used to distribute traffic flow specifications into BGP. The primary application of this extension is the distribution of traffic filtering policies for the mitigation of distributed denial of service (DDoS) attacks. | The BGP Flow Specification (flowspec) Network Layer Reachability Information (BGP NLRI) extension (draft-ietf-idr-rfc5575bis) is used to distribute traffic flow specifications into BGP. The primary application of this extension is the distribution of traffic filtering policies for the mitigation of distributed denial of service (DDoS) attacks. |
| By default, flow specification filters are applied on all forwarding interfaces that are enabled for use by the BGP flowspec extension. A network operator may wish to apply a given filter selectively to a subset of interfaces based on an internal classification scheme. Examples of this include "all customer interfaces", "all peer interfaces", "all transit interfaces", etc. | By default, flow specification filters are applied on all forwarding interfaces that are enabled for use by the BGP flowspec extension. A network operator may wish to apply a given filter selectively to a subset of interfaces based on an internal classification scheme. Examples of this include "all customer interfaces", "all peer interfaces", "all transit interfaces", etc. |
| This document defines BGP Extended Communities ([RFC4360]) that permit such filters to be selectively applied to sets of forwarding interfaces sharing a common group identifier. The BGP Extended Communities carrying this group identifier are referred to as the BGP Flowspec "interface-set" Extended Communities. | This document defines BGP Extended Communities (RFC4360) that allow such filters to be selectively applied to sets of forwarding interfaces sharing a common group identifier. The BGP Extended Communities carrying this group identifier are referred to as the BGP Flowspec "interface-set" Extended Communities. |
| Requirements Language | Requirements Language |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. |
| Status of This Memo | Status of This Memo |
| This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. | This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. |
| Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. | Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." | Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on December 30, 2018. | This Internet-Draft will expire on May 21, 2020. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. | Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. | This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. |
| Table of Contents | Table of Contents |
| 1. Use case (page 3) | 1. Use case (page 3) |
| 2. Interface specific filtering using BGP flowspec (page 3) | 2. Interface specific filtering using BGP flowspec (page 3) |
| 3. Interface-set extended community (page 4) | 3. Interface-set extended community (page 5) |
| 4. Scaling of per-interface rules (page 6) | 4. Scaling of per-interface rules (page 6) |
| 5. Deployment Considerations (page 6) | 5. Deployment Considerations (page 6) |
| 5.1. Add-Paths (page 6) | 5.1. Add-Paths (page 6) |
| 5.2. Inter-domain Considerations (page 6) | 5.2. Inter-domain Considerations (page 6) |
| 6. Security Considerations (page 7) | 6. Security Considerations (page 7) |
| 7. Acknowledgements (page 7) | 7. Acknowledgements (page 7) |
| 8. IANA Considerations (page 7) | 8. IANA Considerations (page 7) |
| 8.1. FlowSpec Transitive Extended Communities (page 7) | 8.1. FlowSpec Transitive Extended Communities (page 7) |
| 8.2. FlowSpec Non-Transitive Extended Communities (page 7) | 8.2. FlowSpec Non-Transitive Extended Communities (page 7) |
| 8.3. FlowSpec interface-set Extended Community (page 8) | 8.3. FlowSpec interface-set Extended Community (page 8) |
| skipping to change at page 6, line 38 | skipping to change at page 6, line 45 |
| platforms. These particular cases require ADD-PATH ([RFC7911]) to be deployed in order to ensure that all paths (NLRI+interface-set group-id+actions) are propagated within the BGP control plane. Without ADD-PATH, only a single "NLRI+interface-set group-id+actions" will be propagated, so some filtering rules will never be applied. | platforms. These particular cases require ADD-PATH ([RFC7911]) to be deployed in order to ensure that all paths (NLRI+interface-set group-id+actions) are propagated within the BGP control plane. Without ADD-PATH, only a single "NLRI+interface-set group-id+actions" will be propagated, so some filtering rules will never be applied. |
| 5.2. Inter-domain Considerations | 5.2. Inter-domain Considerations |
| The Group Identifier used by the interface-set extended community has local significance to its provisioning Autonomous System. While [RFC5575] permits inter-AS advertisement of flowspec NLRI, care must be taken to not accept these communities when they would result in unacceptable filtering policies. | The Group Identifier used by the interface-set extended community has local significance to its provisioning Autonomous System. While [I-D.ietf-idr-rfc5575bis] permits inter-AS advertisement of flowspec NLRI, care must be taken to not accept these communities when they would result in unacceptable filtering policies. |
| Filtering of interface-set extended communities at Autonomous System border routers (ASBRs) may thus be desirable. | Filtering of interface-set extended communities at Autonomous System border routers (ASBRs) may thus be desirable. |
| Note that the default behavior without the interface-set feature would have been to install the flowspec filter on all flowspec-enabled interfaces. | Note that the default behavior without the interface-set feature would have been to install the flowspec filter on all flowspec-enabled interfaces. |
| 6. Security Considerations | 6. Security Considerations |
| This document extends the Security Considerations of [RFC5575] by permitting flowspec filters to be selectively applied to subsets of network interfaces in a particular direction. Care must be taken to not permit the inadvertent manipulation of the interface-set extended community to bypass expected traffic manipulation. | This document extends the Security Considerations of [I-D.ietf-idr-rfc5575bis] by permitting flowspec filters to be selectively applied to subsets of network interfaces in a particular direction. Care must be taken to not permit the inadvertent manipulation of the interface-set extended community to bypass expected traffic manipulation. |
| 7. Acknowledgements | 7. Acknowledgements |
| The authors would like to thank Wim Hendrickx and Robert Raszuk for their valuable comments. | The authors would like to thank Wim Hendrickx and Robert Raszuk for their valuable comments. |
| 8. IANA Considerations | 8. IANA Considerations |
| 8.1. FlowSpec Transitive Extended Communities | 8.1. FlowSpec Transitive Extended Communities |
| skipping to change at page 8, line 26 | skipping to change at page 8, line 28 |
| section 2, [RFC4360]. | section 2, [RFC4360]. |
| It is suggested to IANA that, when possible, allocations from the FlowSpec Transitive/Non-Transitive Extended Community Sub-Types registries are made for transitive or non-transitive versions of features (section 2, [RFC4360]) such that their code point in both registries is identical. | It is suggested to IANA that, when possible, allocations from the FlowSpec Transitive/Non-Transitive Extended Community Sub-Types registries are made for transitive or non-transitive versions of features (section 2, [RFC4360]) such that their code point in both registries is identical. |
| 9. Normative References | 9. Normative References |
| | [I-D.ietf-idr-rfc5575bis] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. Bacher, "Dissemination of Flow Specification Rules", draft-ietf-idr-rfc5575bis-17 (work in progress), June 2019. |
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. |
| [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended Communities Attribute", RFC 4360, DOI 10.17487/RFC4360, February 2006, <https://www.rfc-editor.org/info/rfc4360>. | [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended Communities Attribute", RFC 4360, DOI 10.17487/RFC4360, February 2006, <https://www.rfc-editor.org/info/rfc4360>. |
| [RFC4684] Marques, P., Bonica, R., Fang, L., Martini, L., Raszuk, R., Patel, K., and J. Guichard, "Constrained Route Distribution for Border Gateway Protocol/MultiProtocol Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual Private Networks (VPNs)", RFC 4684, DOI 10.17487/RFC4684, November 2006, <https://www.rfc-editor.org/info/rfc4684>. | [RFC4684] Marques, P., Bonica, R., Fang, L., Martini, L., Raszuk, R., Patel, K., and J. Guichard, "Constrained Route Distribution for Border Gateway Protocol/MultiProtocol Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual Private Networks (VPNs)", RFC 4684, DOI 10.17487/RFC4684, November 2006, <https://www.rfc-editor.org/info/rfc4684>. |
| [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., and D. McPherson, "Dissemination of Flow Specification Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, <https://www.rfc-editor.org/info/rfc5575>. | |
| [RFC7911] Walton, D., Retana, A., Chen, E., and J. Scudder, "Advertisement of Multiple Paths in BGP", RFC 7911, DOI 10.17487/RFC7911, July 2016, <https://www.rfc-editor.org/info/rfc7911>. | [RFC7911] Walton, D., Retana, A., Chen, E., and J. Scudder, "Advertisement of Multiple Paths in BGP", RFC 7911, DOI 10.17487/RFC7911, July 2016, <https://www.rfc-editor.org/info/rfc7911>. |
| | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. |
| Authors' Addresses | Authors' Addresses |
| Stephane Litkowski, Orange, Email: stephane.litkowski@orange.com | Stephane Litkowski, Individual, Email: slitkows.ietf@gmail.com |
| Adam Simpson, Nokia, Email: adam.1.simpson@nokia.com | Adam Simpson, Nokia, Email: adam.1.simpson@nokia.com |
| Keyur Patel, Arrcus, Inc, Email: keyur@arrcus.com | Keyur Patel, Arrcus, Inc, Email: keyur@arrcus.com |

End of changes. 20 change blocks. 36 lines changed or deleted, 45 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
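Sections 5.2 and 6 of the draft make the same point from two sides: the interface-set group identifier only means something inside the Autonomous System that provisioned it, so an ASBR should not let a neighbouring AS's interface-set communities steer which of its own interfaces a flowspec filter lands on. The following is an added example, not code from the draft or from any vendor implementation, of an ASBR inbound policy that parses an RFC 4360 Extended Communities attribute and strips interface-set communities (and, as RFC 4360 already requires, any non-transitive community) from routes learned from a different AS. The type/sub-type code points in `IFSET_CODEPOINTS` are placeholders: this excerpt does not state the allocated values, so substitute the ones from the registries the draft's Section 8 creates. The sample attribute bytes and the AS numbers (from the documentation range) are constructed for the example.

```python
import struct

# RFC 4360: each extended community is 8 octets: type (high octet), sub-type
# (low octet) and 6 octets of value. Bit 1 of the type octet (0x40) set means
# the community is non-transitive and must not cross an AS boundary.
NON_TRANSITIVE_BIT = 0x40

# PLACEHOLDER code points (assumed, not taken from the page): transitive and
# non-transitive interface-set (type, sub-type) pairs. Replace with the values
# allocated in the FlowSpec Transitive/Non-Transitive Sub-Types registries.
IFSET_CODEPOINTS = {(0x07, 0x02), (0x47, 0x02)}

# Constructed sample Extended Communities attribute value (not captured
# traffic): a transitive interface-set community, a non-transitive
# interface-set community, and one unrelated transitive community (the
# RFC 5575 traffic-rate action, type 0x80 sub-type 0x06, rate 0 = discard).
# The 6 value octets of the interface-set communities are made up.
SAMPLE_ATTR = (
    bytes([0x07, 0x02]) + struct.pack("!HI", 0xFBF0, 42)
    + bytes([0x47, 0x02]) + struct.pack("!HI", 0xFBF0, 7)
    + bytes([0x80, 0x06]) + struct.pack("!Hf", 0, 0.0)
)


def parse_ext_communities(attr: bytes):
    """Split an Extended Communities attribute value into (type, sub-type, value) tuples."""
    if len(attr) % 8:
        raise ValueError("Extended Communities attribute length must be a multiple of 8")
    return [(attr[i], attr[i + 1], attr[i + 2:i + 8]) for i in range(0, len(attr), 8)]


def encode_ext_communities(comms) -> bytes:
    """Inverse of parse_ext_communities: re-serialise the kept communities."""
    return b"".join(bytes([t, s]) + v for t, s, v in comms)


def is_transitive(type_octet: int) -> bool:
    """RFC 4360 transitivity: bit 1 of the type octet clear = transitive across ASes."""
    return not (type_octet & NON_TRANSITIVE_BIT)


def asbr_inbound_filter(comms, peer_as: int, local_as: int, ifset=IFSET_CODEPOINTS):
    """Return (kept, dropped) for a route received from peer_as.

    Routes from inside the local AS are left untouched. Routes from another AS
    lose every interface-set community, because its group identifier has no
    meaning outside the AS that provisioned it, and every non-transitive
    community, which RFC 4360 says should never have crossed the boundary.
    """
    if peer_as == local_as:
        return list(comms), []
    kept, dropped = [], []
    for comm in comms:
        type_octet, sub_type, _value = comm
        if (type_octet, sub_type) in ifset or not is_transitive(type_octet):
            dropped.append(comm)
        else:
            kept.append(comm)
    return kept, dropped


if __name__ == "__main__":
    communities = parse_ext_communities(SAMPLE_ATTR)
    kept, dropped = asbr_inbound_filter(communities, peer_as=64496, local_as=64500)
    for t, s, v in dropped:
        print(f"dropped 0x{t:02x}:0x{s:02x} value={v.hex()} (from external AS 64496)")
    print("attribute forwarded into local AS:", encode_ext_communities(kept).hex())
```

With the constructed input, only the traffic-rate community survives the boundary, so the filter action still applies but on the default interface set (all flowspec-enabled interfaces, as Section 5.2 notes), rather than on whatever the foreign group identifier happened to match locally. The same route received from an iBGP peer in the local AS keeps all three communities.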