--- 1/draft-ietf-idr-flowspec-mpls-match-00.txt 2016-12-06 09:13:15.187690514 -0800 +++ 2/draft-ietf-idr-flowspec-mpls-match-01.txt 2016-12-06 09:13:15.207690996 -0800 @@ -1,20 +1,20 @@ IDR Working Group L. Yong Internet-Draft S. Hares Intended status: Standards Track Q. Liang -Expires: December 2, 2016 J. You +Expires: June 9, 2017 J. You Huawei - May 31, 2016 + December 6, 2016 BGP Flow Specification Filter for MPLS Label - draft-ietf-idr-flowspec-mpls-match-00.txt + draft-ietf-idr-flowspec-mpls-match-01.txt Abstract This draft proposes BGP flow specification rules that are used to filter MPLS labeled packets. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. 
@@ -22,47 +22,47 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 2, 2016. + This Internet-Draft will expire on June 9, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. The Flow Specification Encoding for MPLS Match . . . . . . . 3 - 3. Deployment Example: DDoS Traffic . . . . . . . . . . . . . . 5 + 3. Deployment Example: DDoS Traffic . . . . . . . . . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 - 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 - 6.2. Informative References . . . . . . . . . . . . . . . . . 7 + 6.2. 
Informative References . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction BGP Flow Specification (BGP-FS) [RFC5575] is an extension to that allows for the dissemination of traffic flow specification rules via BGP ([RFC4271]). BGP-FS policies have a match condition that may be n-tuple match in a policy, and an action that modifies the packet and forwards/drops the packet. Via BGP, new filter rules can be sent to all BGP peers simultaneously without changing router configuration, 
@@ -74,49 +74,47 @@ (NLRI) format used to distribute traffic flow specification rules. NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, SAFI=134)is for BGP/MPLS VPN filtering. [I-D.ietf-idr-flow-spec-v6] defines flow-spec extension for IPv6 data packets. [I-D.ietf-idr-flowspec-l2vpn] extends the flow-spec rules for layer 2 Ethernet packets (AFI=25, SAFI=133, SAFI=134). All these flow specifications match parts only reflect single layer IP (source/ destination IP prefix, protocol type, ports, etc.) and Ethernet information with matches for source/destination MAC + [I-D.hr-idr-rfc5575bis] provides updates to [RFC5575] to resolve + unclear sections in text and conflicts with interactions of filtering + actions. + MPLS technologies [RFC3031] have been widely deployed in WAN networks. MPLS label stack [RFC3032] is the foundation for label switched data plane. A label on a label stack may represent a label switch path (LSP), application identification such as Pseudo Wire (PW), a reserved label that triggers a specific data plane action, or etc. The data plane label switching operations includes pop, push, or swap label on the label stack. For value added services, it is valuable for a MPLS network to have BGP-FS policy filter that matches on the MPLS portion of a packet and an action to modify the MPLS packet header and/or monitor the packets that match the policy. This document specifies an MPLS match filter. - - [I-D.liang-idr-bgp-flowspec-label] specifies a BGP action to modify + [I-D.ietf-idr-bgp-flowspec-label] specifies a BGP action to modify the MPLS label. - [I-D.hares-idr-flowspec-combo] describes the following two options - for extending [RFC5575]: - - o Option 1: Extend [RFC5575] with new filters, match filters and - actions. Extend the match default order by type and require that - all matches be combined with an "AND". Extend the actions and - define a default order and the resolution of conflicts. 
+ [I-D.hares-idr-flowspec-v2] describes the following two options for + extending [RFC5575]: creating a version 2 of BGP Flow Specification + which can run in parallel to the original BGP Flow specification. + Version 2 may also include improved security features (ROAs or + [I-D.ietf-idr-bgp-flowspec-oid]) - o Option 2: Create a version 2 of BGP flow Specification which can - run in parallel to Option 1 which supports explicit ordering of - match filters and actions. Option 2 will also refine the BGP-FS - security to optionally include ROAs between ASes, and other - mechanisms ([I-D.ietf-idr-bgp-flowspec-oid]) + This MPLS match option can be used for RFC5575 ([RFC5575], + [I-D.hr-idr-rfc5575bis]) or version 2 of the flow specification. 2. The Flow Specification Encoding for MPLS Match This document proposes new flow specifications rules that is encoded in NLRI. Type TBD1- MPLS Match1 Function: The match1 applies to MPLS Label field on the label stack. 
@@ -217,32 +215,29 @@ BGP Flow Specification Match Policy Destination IP address (0/0) [Required by RFC5575] MPLS Label match (label-1) Action Policy Traffic-rate (n bytes) 4. Security Considerations - The validation of BGP Flow Specification policy is considered in - [I-D.hares-idr-flowspec-combo] for option 1, and for option 2. For + The validation of BGP Flow Specification policy relies on the + security of the BGP protocol and RFC 5575 checks ([RFC5575], + [I-D.hr-idr-rfc5575bis]) for BGP Flow specification version 1 and BGP + Flow specification version 2 ([I-D.hares-idr-flowspec-v2]). For Option 1, the MPLS Match can be one of the match filtes, and and the final match is an "AND" of all the filters. Match filters are tested - in the order specified in [I-D.hares-idr-flowspec-combo] and/or an + in the order specified in [I-D.hares-idr-flowspec-v2] and/or an RFC5575bis document. - The traffic rate action described above is described in [RFC5575]. - [I-D.hares-idr-flowspec-combo] suggests a default order for filters - and for the BGP-FS action proposed after [RFC5575], and this document - discusses how conflicts between action are handled. - 5. IANA Considerations This section complies with [RFC7153] IANA is requested to a new entry in "Flow Spec component types registry" with the following values: Value Name: Value Reference =========== ===== ========= MPLS-Match1 TBD1 [This Document] 
@@ -276,47 +271,53 @@ and D. McPherson, "Dissemination of Flow Specification Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, . [RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP Extended Communities", RFC 7153, DOI 10.17487/RFC7153, March 2014, . 6.2. Informative References - [I-D.hares-idr-flowspec-combo] - Hares, S., "An Information Model for Basic Network Policy - and Filter Rules", draft-hares-idr-flowspec-combo-01 (work - in progress), March 2016. + [I-D.hares-idr-flowspec-v2] + Hares, S., "BGP Flow Specification Version 2", draft- + hares-idr-flowspec-v2-00 (work in progress), June 2016. + + [I-D.hr-idr-rfc5575bis] + Hares, S., Raszuk, R., McPherson, D., Loibl, C., and M. + Bacher, "Dissemination of Flow Specification Rules", + draft-hr-idr-rfc5575bis-02 (work in progress), November + 2016. + + [I-D.ietf-idr-bgp-flowspec-label] + liangqiandeng, l., Hares, S., You, J., Raszuk, R., and d. + danma@cisco.com, "Carrying Label Information for BGP + FlowSpec", draft-ietf-idr-bgp-flowspec-label-00 (work in + progress), June 2016. [I-D.ietf-idr-bgp-flowspec-oid] Uttaro, J., Filsfils, C., Smith, D., Alcaide, J., and P. Mohapatra, "Revised Validation Procedure for BGP Flow Specifications", draft-ietf-idr-bgp-flowspec-oid-03 (work in progress), March 2016. [I-D.ietf-idr-flow-spec-v6] - McPherson, D., Raszuk, R., Pithawala, B., Andy, A., and S. - Hares, "Dissemination of Flow Specification Rules for - IPv6", draft-ietf-idr-flow-spec-v6-07 (work in progress), - March 2016. + McPherson, D., Raszuk, R., Pithawala, B., + akarch@cisco.com, a., and S. Hares, "Dissemination of Flow + Specification Rules for IPv6", draft-ietf-idr-flow-spec- + v6-07 (work in progress), March 2016. [I-D.ietf-idr-flowspec-l2vpn] - Weiguo, H., Litkowski, S., and S. Zhuang, "Dissemination - of Flow Specification Rules for L2 VPN", draft-ietf-idr- - flowspec-l2vpn-04 (work in progress), May 2016. - - [I-D.liang-idr-bgp-flowspec-label] - Hares, S., You, J., Raszuk, R., and d. 
danma@cisco.com, - "Carrying Label Information for BGP FlowSpec", draft- - liang-idr-bgp-flowspec-label-02 (work in progress), March - 2016. + Weiguo, H., liangqiandeng, l., Litkowski, S., and S. + Zhuang, "Dissemination of Flow Specification Rules for L2 + VPN", draft-ietf-idr-flowspec-l2vpn-04 (work in progress), + May 2016. Authors' Addresses Lucy Yong Huawei Email: lucy.yong@huawei.com Susan Hares Huawei
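Review bot: the Introduction sentence in the trailing context of the @@ -22,47 hunk still reads "BGP Flow Specification (BGP-FS) [RFC5575] is an extension to that allows for the dissemination of traffic flow specification rules via BGP ([RFC4271])", which is missing its object after "extension to"; since this hunk already edits the region for the expiry date and the TOC page numbers, suggest fixing it in the same revision: "is an extension to BGP that allows for the dissemination of traffic flow specification rules via BGP ([RFC4271])". The TOC renumbering itself (Sections 3, 5 and 6.2 each moving up one page) is consistent with the text deleted from the Introduction and Security Considerations later in the diff.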
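Review bot: in the @@ -74,49 hunk the replacement paragraph for [I-D.hares-idr-flowspec-v2] still opens with "describes the following two options for extending [RFC5575]:" but then lists only one (creating a version 2 that runs in parallel to the original), so "two options" is a leftover from the deleted Option 1/Option 2 list; suggest "describes a further option for extending [RFC5575]: creating a version 2 of BGP Flow Specification which can run in parallel to the original BGP Flow Specification." The last sentence of that paragraph, "Version 2 may also include improved security features (ROAs or [I-D.ietf-idr-bgp-flowspec-oid])", has no closing period. The new [I-D.hr-idr-rfc5575bis] paragraph is also inserted directly after "Ethernet information with matches for source/destination MAC", which has no terminating punctuation, so the preceding sentence should be closed before the insertion. Minor, in unchanged context: "NLRI (AFI=1, SAFI=134)is for" is missing a space.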
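Review bot: the rewritten Security Considerations paragraph in the @@ -217,32 hunk still continues, in unchanged context, with "For Option 1, the MPLS Match can be one of the match filtes, and and the final match is an "AND" of all the filters", but Option 1 and Option 2 were removed from the Introduction in this same revision, so the reference now dangles; suggest naming the documents directly, e.g. "Under [RFC5575] and [I-D.hr-idr-rfc5575bis], the MPLS Match is one of the match filters, and the final match is an "AND" of all the filters", and fix "filtes" and "and and" while there. The closing "and/or an RFC5575bis document" should cite the draft this revision adds to the references, [I-D.hr-idr-rfc5575bis]. Substantively, the new text delegates validation entirely to BGP's own security and the RFC 5575 checks and says nothing about the MPLS-Match1 component itself. RFC 5575 validates a flow specification against the originator of the best-match unicast route for its destination prefix, and the Section 3 example in the preceding context carries "Destination IP address (0/0) [Required by RFC5575]", so that check would be applied against the default route; the section should state how a rule whose selective part is the label match, with a 0/0 destination, is expected to be validated and which party is entitled to originate it.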
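Review bot: the regenerated author lists in the @@ -276,47 hunk carry raw account handles instead of names: "liangqiandeng, l." and "d. danma@cisco.com" in [I-D.ietf-idr-bgp-flowspec-label], "liangqiandeng, l." in [I-D.ietf-idr-flowspec-l2vpn], and "akarch@cisco.com, a." in [I-D.ietf-idr-flow-spec-v6] (the -00 entry had "Andy, A." there). Suggest correcting the surnames and initials in these reference entries rather than keeping the auto-generated strings. Otherwise the reference changes line up with the citation changes elsewhere in the diff: [I-D.hares-idr-flowspec-combo] and [I-D.liang-idr-bgp-flowspec-label] are no longer cited anywhere, and [I-D.hares-idr-flowspec-v2], [I-D.hr-idr-rfc5575bis] and [I-D.ietf-idr-bgp-flowspec-label] are each cited in Section 1 and/or Section 4.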