draft-ietf-idr-flowspec-mpls-match-00.txt | draft-ietf-idr-flowspec-mpls-match-01.txt | |||
---|---|---|---|---|
IDR Working Group L. Yong | IDR Working Group L. Yong | |||
Internet-Draft S. Hares | Internet-Draft S. Hares | |||
Intended status: Standards Track Q. Liang | Intended status: Standards Track Q. Liang | |||
Expires: December 2, 2016 J. You | Expires: June 9, 2017 J. You | |||
Huawei | Huawei | |||
May 31, 2016 | December 6, 2016 | |||
BGP Flow Specification Filter for MPLS Label | BGP Flow Specification Filter for MPLS Label | |||
draft-ietf-idr-flowspec-mpls-match-00.txt | draft-ietf-idr-flowspec-mpls-match-01.txt | |||
Abstract | Abstract | |||
This draft proposes BGP flow specification rules that are used to | This draft proposes BGP flow specification rules that are used to | |||
filter MPLS labeled packets. | filter MPLS labeled packets. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
skipping to change at page 1, line 33 ¶ | skipping to change at page 1, line 33 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on December 2, 2016. | This Internet-Draft will expire on June 9, 2017. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
2. The Flow Specification Encoding for MPLS Match . . . . . . . 3 | 2. The Flow Specification Encoding for MPLS Match . . . . . . . 3 | |||
3. Deployment Example: DDoS Traffic . . . . . . . . . . . . . . 5 | 3. Deployment Example: DDoS Traffic . . . . . . . . . . . . . . 4 | |||
4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
6.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
6.2. Informative References . . . . . . . . . . . . . . . . . 7 | 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
1. Introduction | 1. Introduction | |||
BGP Flow Specification (BGP-FS) [RFC5575] is an extension to that | BGP Flow Specification (BGP-FS) [RFC5575] is an extension to that | |||
allows for the dissemination of traffic flow specification rules via | allows for the dissemination of traffic flow specification rules via | |||
BGP ([RFC4271]). BGP-FS policies have a match condition that may be | BGP ([RFC4271]). BGP-FS policies have a match condition that may be | |||
n-tuple match in a policy, and an action that modifies the packet and | n-tuple match in a policy, and an action that modifies the packet and | |||
forwards/drops the packet. Via BGP, new filter rules can be sent to | forwards/drops the packet. Via BGP, new filter rules can be sent to | |||
all BGP peers simultaneously without changing router configuration, | all BGP peers simultaneously without changing router configuration, | |||
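Review bot: the opening sentence of the Introduction reads "is an extension to that allows for the dissemination of traffic flow specification rules via BGP" in both columns; the "to" is dangling and the sentence needs its object, presumably "is an extension to BGP that allows for ...". In the same paragraph "may be n-tuple match in a policy" wants an article ("may be an n-tuple match").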
skipping to change at page 2, line 40 ¶ | skipping to change at page 2, line 40 ¶ | |||
(NLRI) format used to distribute traffic flow specification rules. | (NLRI) format used to distribute traffic flow specification rules. | |||
NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, | NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, | |||
SAFI=134)is for BGP/MPLS VPN filtering. [I-D.ietf-idr-flow-spec-v6] | SAFI=134)is for BGP/MPLS VPN filtering. [I-D.ietf-idr-flow-spec-v6] | |||
defines flow-spec extension for IPv6 data packets. | defines flow-spec extension for IPv6 data packets. | |||
[I-D.ietf-idr-flowspec-l2vpn] extends the flow-spec rules for layer 2 | [I-D.ietf-idr-flowspec-l2vpn] extends the flow-spec rules for layer 2 | |||
Ethernet packets (AFI=25, SAFI=133, SAFI=134). All these flow | Ethernet packets (AFI=25, SAFI=133, SAFI=134). All these flow | |||
specifications match parts only reflect single layer IP (source/ | specifications match parts only reflect single layer IP (source/ | |||
destination IP prefix, protocol type, ports, etc.) and Ethernet | destination IP prefix, protocol type, ports, etc.) and Ethernet | |||
information with matches for source/destination MAC | information with matches for source/destination MAC | |||
[I-D.hr-idr-rfc5575bis] provides updates to [RFC5575] to resolve | ||||
unclear sections in text and conflicts with interactions of filtering | ||||
actions. | ||||
MPLS technologies [RFC3031] have been widely deployed in WAN | MPLS technologies [RFC3031] have been widely deployed in WAN | |||
networks. MPLS label stack [RFC3032] is the foundation for label | networks. MPLS label stack [RFC3032] is the foundation for label | |||
switched data plane. A label on a label stack may represent a label | switched data plane. A label on a label stack may represent a label | |||
switch path (LSP), application identification such as Pseudo Wire | switch path (LSP), application identification such as Pseudo Wire | |||
(PW), a reserved label that triggers a specific data plane action, or | (PW), a reserved label that triggers a specific data plane action, or | |||
etc. The data plane label switching operations includes pop, push, | etc. The data plane label switching operations includes pop, push, | |||
or swap label on the label stack. | or swap label on the label stack. | |||
For value added services, it is valuable for a MPLS network to have | For value added services, it is valuable for a MPLS network to have | |||
BGP-FS policy filter that matches on the MPLS portion of a packet and | BGP-FS policy filter that matches on the MPLS portion of a packet and | |||
an action to modify the MPLS packet header and/or monitor the packets | an action to modify the MPLS packet header and/or monitor the packets | |||
that match the policy. This document specifies an MPLS match filter. | that match the policy. This document specifies an MPLS match filter. | |||
[I-D.ietf-idr-bgp-flowspec-label] specifies a BGP action to modify | ||||
[I-D.liang-idr-bgp-flowspec-label] specifies a BGP action to modify | ||||
the MPLS label. | the MPLS label. | |||
[I-D.hares-idr-flowspec-combo] describes the following two options | [I-D.hares-idr-flowspec-v2] describes the following two options for | |||
for extending [RFC5575]: | extending [RFC5575]: creating a version 2 of BGP Flow Specification | |||
which can run in parallel to the original BGP Flow specification. | ||||
o Option 1: Extend [RFC5575] with new filters, match filters and | Version 2 may also include improved security features (ROAs or | |||
actions. Extend the match default order by type and require that | [I-D.ietf-idr-bgp-flowspec-oid]) | |||
all matches be combined with an "AND". Extend the actions and | ||||
define a default order and the resolution of conflicts. | ||||
o Option 2: Create a version 2 of BGP flow Specification which can | This MPLS match option can be used for RFC5575 ([RFC5575], | |||
run in parallel to Option 1 which supports explicit ordering of | [I-D.hr-idr-rfc5575bis]) or version 2 of the flow specification. | |||
match filters and actions. Option 2 will also refine the BGP-FS | ||||
security to optionally include ROAs between ASes, and other | ||||
mechanisms ([I-D.ietf-idr-bgp-flowspec-oid]) | ||||
2. The Flow Specification Encoding for MPLS Match | 2. The Flow Specification Encoding for MPLS Match | |||
This document proposes new flow specifications rules that is encoded | This document proposes new flow specifications rules that is encoded | |||
in NLRI. | in NLRI. | |||
Type TBD1- MPLS Match1 | Type TBD1- MPLS Match1 | |||
Function: The match1 applies to MPLS Label field on the label | Function: The match1 applies to MPLS Label field on the label | |||
stack. | stack. | |||
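Review bot: the rewritten paragraph in the new column ("[I-D.hares-idr-flowspec-v2] describes the following two options for extending [RFC5575]: creating a version 2 ...") still announces two options but now describes only one, and the closing parenthetical "(ROAs or [I-D.ietf-idr-bgp-flowspec-oid])" has no terminating period. Suggest: "[I-D.hares-idr-flowspec-v2] describes a version 2 of BGP Flow Specification which can run in parallel to the original BGP Flow Specification. Version 2 may also include improved security features (ROAs or [I-D.ietf-idr-bgp-flowspec-oid])." Smaller items carried over from -00 in the unchanged lines: "SAFI=134)is" is missing a space, the paragraph ending "matches for source/destination MAC" has no period, and "new flow specifications rules that is encoded" should read "new flow specification rules that are encoded".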
skipping to change at page 5, line 42 ¶ | skipping to change at page 5, line 36 ¶ | |||
BGP Flow Specification | BGP Flow Specification | |||
Match Policy | Match Policy | |||
Destination IP address (0/0) [Required by RFC5575] | Destination IP address (0/0) [Required by RFC5575] | |||
MPLS Label match (label-1) | MPLS Label match (label-1) | |||
Action Policy | Action Policy | |||
Traffic-rate (n bytes) | Traffic-rate (n bytes) | |||
4. Security Considerations | 4. Security Considerations | |||
The validation of BGP Flow Specification policy is considered in | The validation of BGP Flow Specification policy relies on the | |||
[I-D.hares-idr-flowspec-combo] for option 1, and for option 2. For | security of the BGP protocol and RFC 5575 checks ([RFC5575], | |||
[I-D.hr-idr-rfc5575bis]) for BGP Flow specification version 1 and BGP | ||||
Flow specification version 2 ([I-D.hares-idr-flowspec-v2]). For | ||||
Option 1, the MPLS Match can be one of the match filtes, and and the | Option 1, the MPLS Match can be one of the match filtes, and and the | |||
final match is an "AND" of all the filters. Match filters are tested | final match is an "AND" of all the filters. Match filters are tested | |||
in the order specified in [I-D.hares-idr-flowspec-combo] and/or an | in the order specified in [I-D.hares-idr-flowspec-v2] and/or an | |||
RFC5575bis document. | RFC5575bis document. | |||
The traffic rate action described above is described in [RFC5575]. | ||||
[I-D.hares-idr-flowspec-combo] suggests a default order for filters | ||||
and for the BGP-FS action proposed after [RFC5575], and this document | ||||
discusses how conflicts between action are handled. | ||||
5. IANA Considerations | 5. IANA Considerations | |||
This section complies with [RFC7153] | This section complies with [RFC7153] | |||
IANA is requested to a new entry in "Flow Spec component types | IANA is requested to a new entry in "Flow Spec component types | |||
registry" with the following values: | registry" with the following values: | |||
Value Name: Value Reference | Value Name: Value Reference | |||
=========== ===== ========= | =========== ===== ========= | |||
MPLS-Match1 TBD1 [This Document] | MPLS-Match1 TBD1 [This Document] | |||
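Review bot: Section 4 in the new column still says "For Option 1, the MPLS Match can be one of the match filtes", but this revision removed the Option 1 / Option 2 list from the Introduction, so "Option 1" is now undefined; reword around version 1 and version 2 to match the new first sentence of the section, and fix the "filtes, and and the" typo that was carried over. "the order specified in [I-D.hares-idr-flowspec-v2] and/or an RFC5575bis document" can now cite [I-D.hr-idr-rfc5575bis] directly, since it is in the reference list. The section also says nothing about the MPLS match itself; given the Section 3 example pairs a 0/0 destination prefix (required by RFC 5575) with a label match, a sentence on how such a rule is validated would help. In Section 5, "IANA is requested to a new entry" is missing "add", and since [RFC7153] is titled "IANA Registries for BGP Extended Communities" while the request is for a Flow Spec component type, check that the right registry document is cited.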
skipping to change at page 7, line 7 ¶ | skipping to change at page 6, line 45 ¶ | |||
and D. McPherson, "Dissemination of Flow Specification | and D. McPherson, "Dissemination of Flow Specification | |||
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, | Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, | |||
<http://www.rfc-editor.org/info/rfc5575>. | <http://www.rfc-editor.org/info/rfc5575>. | |||
[RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP | [RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP | |||
Extended Communities", RFC 7153, DOI 10.17487/RFC7153, | Extended Communities", RFC 7153, DOI 10.17487/RFC7153, | |||
March 2014, <http://www.rfc-editor.org/info/rfc7153>. | March 2014, <http://www.rfc-editor.org/info/rfc7153>. | |||
6.2. Informative References | 6.2. Informative References | |||
[I-D.hares-idr-flowspec-combo] | [I-D.hares-idr-flowspec-v2] | |||
Hares, S., "An Information Model for Basic Network Policy | Hares, S., "BGP Flow Specification Version 2", draft- | |||
and Filter Rules", draft-hares-idr-flowspec-combo-01 (work | hares-idr-flowspec-v2-00 (work in progress), June 2016. | |||
in progress), March 2016. | ||||
[I-D.hr-idr-rfc5575bis] | ||||
Hares, S., Raszuk, R., McPherson, D., Loibl, C., and M. | ||||
Bacher, "Dissemination of Flow Specification Rules", | ||||
draft-hr-idr-rfc5575bis-02 (work in progress), November | ||||
2016. | ||||
[I-D.ietf-idr-bgp-flowspec-label] | ||||
liangqiandeng, l., Hares, S., You, J., Raszuk, R., and d. | ||||
danma@cisco.com, "Carrying Label Information for BGP | ||||
FlowSpec", draft-ietf-idr-bgp-flowspec-label-00 (work in | ||||
progress), June 2016. | ||||
[I-D.ietf-idr-bgp-flowspec-oid] | [I-D.ietf-idr-bgp-flowspec-oid] | |||
Uttaro, J., Filsfils, C., Smith, D., Alcaide, J., and P. | Uttaro, J., Filsfils, C., Smith, D., Alcaide, J., and P. | |||
Mohapatra, "Revised Validation Procedure for BGP Flow | Mohapatra, "Revised Validation Procedure for BGP Flow | |||
Specifications", draft-ietf-idr-bgp-flowspec-oid-03 (work | Specifications", draft-ietf-idr-bgp-flowspec-oid-03 (work | |||
in progress), March 2016. | in progress), March 2016. | |||
[I-D.ietf-idr-flow-spec-v6] | [I-D.ietf-idr-flow-spec-v6] | |||
McPherson, D., Raszuk, R., Pithawala, B., Andy, A., and S. | McPherson, D., Raszuk, R., Pithawala, B., | |||
Hares, "Dissemination of Flow Specification Rules for | akarch@cisco.com, a., and S. Hares, "Dissemination of Flow | |||
IPv6", draft-ietf-idr-flow-spec-v6-07 (work in progress), | Specification Rules for IPv6", draft-ietf-idr-flow-spec- | |||
March 2016. | v6-07 (work in progress), March 2016. | |||
[I-D.ietf-idr-flowspec-l2vpn] | [I-D.ietf-idr-flowspec-l2vpn] | |||
Weiguo, H., Litkowski, S., and S. Zhuang, "Dissemination | Weiguo, H., liangqiandeng, l., Litkowski, S., and S. | |||
of Flow Specification Rules for L2 VPN", draft-ietf-idr- | Zhuang, "Dissemination of Flow Specification Rules for L2 | |||
flowspec-l2vpn-04 (work in progress), May 2016. | VPN", draft-ietf-idr-flowspec-l2vpn-04 (work in progress), | |||
May 2016. | ||||
[I-D.liang-idr-bgp-flowspec-label] | ||||
Hares, S., You, J., Raszuk, R., and d. danma@cisco.com, | ||||
"Carrying Label Information for BGP FlowSpec", draft- | ||||
liang-idr-bgp-flowspec-label-02 (work in progress), March | ||||
2016. | ||||
Authors' Addresses | Authors' Addresses | |||
Lucy Yong | Lucy Yong | |||
Huawei | Huawei | |||
Email: lucy.yong@huawei.com | Email: lucy.yong@huawei.com | |||
Susan Hares | Susan Hares | |||
Huawei | Huawei | |||
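Review bot: the new [I-D.ietf-idr-bgp-flowspec-label] entry lists authors as "liangqiandeng, l." and "d. danma@cisco.com", and the updated [I-D.ietf-idr-flow-spec-v6] and [I-D.ietf-idr-flowspec-l2vpn] entries carry "akarch@cisco.com, a." and "liangqiandeng, l."; these are raw datatracker handles, not author names (for example Q. Liang, as on the title page), so the bibxml entries should be corrected before the next revision.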
End of changes. 17 change blocks. | ||||
46 lines changed or deleted | 47 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |