--- 1/draft-ietf-idr-flowspec-interfaceset-04.txt 2019-11-18 03:13:16.764025401 -0800 +++ 2/draft-ietf-idr-flowspec-interfaceset-05.txt 2019-11-18 03:13:16.788026015 -0800 
@@ -1,90 +1,93 @@ Inter-Domain Routing S. Litkowski -Internet-Draft Orange +Internet-Draft Individual Intended status: Standards Track A. Simpson -Expires: December 30, 2018 Nokia +Expires: May 21, 2020 Nokia K. Patel Arrcus, Inc J. Haas Juniper Networks L. Yong Huawei - June 28, 2018 + November 18, 2019 Applying BGP flowspec rules on a specific interface set - draft-ietf-idr-flowspec-interfaceset-04 + draft-ietf-idr-flowspec-interfaceset-05 Abstract The BGP Flow Specification (flowspec) Network Layer Reachability - Information (BGP NLRI) extension ([RFC5575]) is used to distribute - traffic flow specifications into BGP. The primary application of - this extension is the distribution of traffic filtering policies for - the mitigation of distributed denial of service (DDoS) attacks. + Information (BGP NLRI) extension (draft-ietf-idr-rfc5575bis) is used + to distribute traffic flow specifications into BGP. The primary + application of this extension is the distribution of traffic + filtering policies for the mitigation of distributed denial of + service (DDoS) attacks. By default, flow specification filters are applied on all forwarding interfaces that are enabled for use by the BGP flowspec extension. A network operator may wish to apply a given filter selectively to a subset of interfaces based on an internal classification scheme. Examples of this include "all customer interfaces", "all peer interfaces", "all transit interfaces", etc. - This document defines BGP Extended Communities ([RFC4360]) that - permit such filters to be selectively applied to sets of forwarding + This document defines BGP Extended Communities (RFC4360) that allow + such filters to be selectively applied to sets of forwarding interfaces sharing a common group identifier. The BGP Extended Communities carrying this group identifier are referred to as the BGP Flowspec "interface-set" Extended Communities. 
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in [RFC2119]. + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in BCP + 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- - Drafts is at http://datatracker.ietf.org/drafts/current/. + Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 30, 2018. + This Internet-Draft will expire on May 21, 2020. Copyright Notice - Copyright (c) 2018 IETF Trust and the persons identified as the + Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info) in effect on the date of + (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. 
Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Use case . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Interface specific filtering using BGP flowspec . . . . . . . 3 - 3. Interface-set extended community . . . . . . . . . . . . . . 4 + 3. Interface-set extended community . . . . . . . . . . . . . . 5 4. Scaling of per-interface rules . . . . . . . . . . . . . . . 6 5. Deployment Considerations . . . . . . . . . . . . . . . . . . 6 5.1. Add-Paths . . . . . . . . . . . . . . . . . . . . . . . . 6 5.2. Inter-domain Considerations . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 8.1. FlowSpec Transitive Extended Communities . . . . . . . . 7 8.2. FlowSpec Non-Transitive Extended Communities . . . . . . 7 8.3. FlowSpec interface-set Extended Community . . . . . . . . 8 
@@ -260,38 +264,39 @@ platforms. These particular cases require ADD-PATH ([RFC7911]) to be deployed in order to ensure that all paths (NLRI+interface-set group- id+actions) are propagated within the BGP control plane. Without ADD-PATH, only a single "NLRI+interface-set group-id+actions" will be propagated, so some filtering rules will never be applied. 5.2. Inter-domain Considerations The Group Identifier used by the interface-set extended community has local significance to its provisioning Autonomous System. While - [RFC5575] permits inter-as advertisement of flowspec NLRI, care must - be taken to not accept these communities when they would result in - unacceptable filtering policies. + [I-D.ietf-idr-rfc5575bis] permits inter-as advertisement of flowspec + NLRI, care must be taken to not accept these communities when they + would result in unacceptable filtering policies. Filtering of interface-set extended communities at Autonomous System border routers (ASBRs) may thus be desirable. Note that the default behavior without the interface-set feature would to have been to install the flowspec filter on all flowspec enabled interfaces. 6. Security Considerations - This document extends the Security Considerations of [RFC5575] by - permitting flowspec filters to be selectively applied to subsets of - network interfaces in a particular direction. Care must be taken to - not permit the inadvertant manipulation of the interface-set extended - community to bypass expected traffic manipulation. + This document extends the Security Considerations of + [I-D.ietf-idr-rfc5575bis] by permitting flowspec filters to be + selectively applied to subsets of network interfaces in a particular + direction. Care must be taken to not permit the inadvertant + manipulation of the interface-set extended community to bypass + expected traffic manipulation. 7. Acknowledgements Authors would like to thanks Wim Hendrickx and Robert Raszuk for their valuable comments. 8. 
IANA Considerations 8.1. FlowSpec Transitive Extended Communities @@ -337,52 +342,57 @@ section 2, [RFC4360]. It is suggested to IANA that, when possible, allocations from the FlowSpec Transitive/Non-Transitive Extended Community Sub-Types registries are made for transitive or non-transitive versions of features (section 2, [RFC4360]) that their code point in both registries is identical. 9. Normative References + [I-D.ietf-idr-rfc5575bis] + Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. + Bacher, "Dissemination of Flow Specification Rules", + draft-ietf-idr-rfc5575bis-17 (work in progress), June + 2019. + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, - DOI 10.17487/RFC2119, March 1997, . + DOI 10.17487/RFC2119, March 1997, + . [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended Communities Attribute", RFC 4360, DOI 10.17487/RFC4360, February 2006, . [RFC4684] Marques, P., Bonica, R., Fang, L., Martini, L., Raszuk, R., Patel, K., and J. Guichard, "Constrained Route Distribution for Border Gateway Protocol/MultiProtocol Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual Private Networks (VPNs)", RFC 4684, DOI 10.17487/RFC4684, November 2006, . - [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., - and D. McPherson, "Dissemination of Flow Specification - Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, - . - [RFC7911] Walton, D., Retana, A., Chen, E., and J. Scudder, "Advertisement of Multiple Paths in BGP", RFC 7911, - DOI 10.17487/RFC7911, July 2016, . + DOI 10.17487/RFC7911, July 2016, + . + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . Authors' Addresses Stephane Litkowski - Orange + Individual - Email: stephane.litkowski@orange.com + Email: slitkows.ietf@gmail.com Adam Simpson Nokia Email: adam.1.simpson@nokia.com Keyur Patel Arrcus, Inc Email: keyur@arrcus.com
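Review bot: In the rewritten Abstract of the first hunk, the base specification is now named inline as "(draft-ietf-idr-rfc5575bis)", which will be stale as soon as that draft is published as an RFC and is inconsistent with the bracketed "[I-D.ietf-idr-rfc5575bis]" anchor the same revision uses in Sections 5.2 and 6. Since an Abstract cannot carry citations, either describe the dependency without a draft name (for example "the BGP Flow Specification (flowspec) NLRI extension, as revised by the successor to RFC 5575") or add an RFC Editor note asking for the draft name to be replaced by the RFC number at publication; the same applies to "(RFC4360)". The switch of the Requirements Language paragraph to the BCP 14 [RFC2119] [RFC8174] wording, the https boilerplate URLs, and the Table of Contents page shift for Section 3 are all consistent with the rest of the change.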
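Review bot: The rewrapped Security Considerations in the second hunk still only say "care must be taken to not permit the inadvertant manipulation of the interface-set extended community", without naming the risk the document itself identifies two paragraphs earlier: the Group Identifier has local significance to the provisioning AS (Section 5.2), so an interface-set community accepted from another AS can select an unintended set of interfaces, installing a filter where it was never meant to apply or on no interface at all, which leaves the traffic the rule was supposed to drop unfiltered. Suggest stating that explicitly, and tightening the "may thus be desirable" in Section 5.2 into a normative recommendation that ASBRs filter or strip received interface-set extended communities, distinguishing the transitive and non-transitive sub-types registered in Sections 8.1 and 8.2 since only the transitive variant is expected to cross an AS boundary. Two wording fixes while these lines are being touched: "inadvertant" should be "inadvertent", and "bypass expected traffic manipulation" reads better as "bypass the expected traffic filtering". In the unchanged context, "would to have been to install" should be "would have been to install", and "Authors would like to thanks" should be "The authors would like to thank".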
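Review bot: Replacing the [RFC5575] entry with a normative reference to draft-ietf-idr-rfc5575bis-17 (work in progress) in the third hunk is the right dependency, but it puts this Standards Track document on hold until that draft is published, so a note to the RFC Editor to update the citation on publication would be useful. The diff only updates citations in Sections 5.2, 6 and the references; Sections 1 through 4 fall outside the shown hunks, so check that no remaining [RFC5575] citation is left dangling now that its reference entry is gone. Separately, several entries as rendered here (RFC2119, RFC4360, RFC4684, RFC7911, RFC8174) end in ", ." where the angle-bracketed URL would normally appear; confirm that the URLs survive in the generated text and that this is only an artifact of the rendering. The Authors' Addresses change for the first author (affiliation and email) matches the title page change in the first hunk.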