wdiff draft-ietf-idr-flowspec-nvo3-00.txt draft-ietf-idr-flowspec-nvo3-01.txt

IDR Working Group W.
INTERNET-DRAFT Donald Eastlake
Intended Status: Proposed Standard Weiguo Hao
S.
Shunwan Zhuang
Z.
Zhenbin Li
Internet Draft
Huawei
Intended status: Standards Track R.Gu Technologies
Rong Gu
China Mobile Mobil
Expires: November 2016 May 17, 2016 15, 2018 November 16, 2017

Dissemination of NVO3 Flow Specification Rules for NVO3
draft-ietf-idr-flowspec-nvo3-00.txt
<draft-ietf-idr-flowspec-nvo3-01.txt>

Abstract
This draft proposes a new subset of component types to support the
NVO3 flow-spec application.

Status of this Memo This Document

This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.

Distribution of this document is unlimited. Comments should be sent
to the authors or the TRILL Working Group mailing list
<dnsext@ietf.org>.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft
Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.

INTERNET-DRAFT NVO3 BGP Flow-Spec

Table of Contents

1. Introduction ................................................ 2 Introduction............................................3
1.1 Terminology............................................5

2. The NVO3 Flow Specification encoding for NVO3..................... 4 Encoding........................6

3. The NVO3 Flow Specification Traffic Actions for NVO3.............. 6 Actions.................8

4. Security Considerations...................................... 6 Considerations.................................8

5. IANA Considerations ......................................... 6
5.1. Considerations.....................................9

Normative References.................................... 7
5.2. References......................................10
Informative References.................................. 7
6. Acknowledgments ............................................. 8 References....................................11

Acknowledgments...........................................12
Authors' Addresses........................................12

INTERNET-DRAFT NVO3 BGP Flow-Spec

1. Introduction

BGP Flow-spec is an extension to BGP that allows for supports the dissemination
of traffic flow specification rules. It leverages uses the BGP Control Plane
to simplify the distribution of ACLs, ACLs and allows new filter rules can to
be injected to all BGP peers simultaneously without changing router
configuration. The A typical application of BGP Flow-
spec Flow-spec is to automate
the distribution of traffic filter lists to routers for DDOS
mitigation.

RFC5575

[RFC5575] defines a new BGP Network Layer Reachability Information
(NLRI) format used to distribute traffic flow specification rules.
NLRI (AFI=1, SAFI=133)is SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1,
SAFI=134)is
SAFI=134) is for BGP/MPLS VPN filtering. [IPv6-FlowSpec] and [Layer2-
FlowSpec] extend the flow-spec rules for IPv6 and layer 2 Ethernet
packets respectively. All these previous flow specifications match parts
only
reflect single layer IP/Ethernet information like source/destination
MAC, source/destination IP prefix, protocol type, ports, and etc. the
like.

In the cloud computing era, multi-tenancy has become a core
requirement for data centers. Since NVO3 can satisfy multi-tenancy
key requirements, this technology is being deployed in an increasing
number of cloud data center network. networks. NVO3 is an overlay technology,
VXLAN [RFC7348] and NVGRE [RFC7367] are two typical NVO3
encapsulations. GENEVE [draft-
ietf-nvo3-geneve-00],GUE[draft-ietf-nvo3-gue-01] [GENEVE], GUE [GUE] and GPE [draft-
ietf-nvo3-vxlan-gpe-00] [GPE] are three
emerging NVO3 encapsulations in
progress. encapsulations. Because it is an overlay technology,
flow specification matching on an inner header as well as the outer
header, as specifified below, is needed.

+--+
|CE|
+--+
|
+----+
+----| PE |----+
+---------+ | +----+ | +---------+
+----+ | +---+ +---+ | +----+
|NVE1|--| | | | | |--|NVE3|
+----+ | |GW1| |GW3| | +----+
| +---+ +---+ |
| NVO-1 | MPLS | NVO-2 |
| +---+ +---+ |
| | | | | |
+----+ | |GW2| |GW4| | +----+
|NVE2|--| +---+ +---+ |--|NVE4|
+----+ +---------+ | | +---------+ +----+
+--------------+

Figure 1 1. NVO3 data center interconnection Data Center Interconnection

INTERNET-DRAFT NVO3 BGP Flow-Spec

The MPLS L2/L3 VPN in the WAN network can be used for NVO3 based data
center network interconnection. When the DC and the WAN are operated
by the same administrative entity, the Service Provider can decide to
integrate the GW and WAN Edge PE functions in the same router for
obvious CAPEX capital and OPEX operational cost saving reasons. This is
illustrated in Figure 1. There are two interconnection solutions as
follows:

1. End to end End-to-end NVO3 tunnel across different data centers. centers: NVE1 perform
NVO3 encapsulation for DCI DC interconnection with NVE3, the
destination VTEP IP is NVE3's IP. The GW doesn't perform NVO3
tunnel termination. The DCI DC interconnect WAN is pure an underlay
network.

2. Segmented NVO3 tunnels across different data centers. centers: NVE1 doesn't
perform end to end end-to-end NVO3 encapsulation to NVE3 for DCI DC
interconnection. The GW performs NVO3 tunnel encapsulation
termination, and then transmits the inner original traffic through
MPLS network to the peer data center GW. The peer data center GW
terminates MPLS encapsulation, and then performs NVO3
encapsulation to transmit the traffic to the local NVE3.

In the first solution, to differentiate bandwidth and QOS among
different tenants or applications, different TE tunnels in the WAN
network will be used to carry the end to end end-to-end NVO3 encapsulation
traffic using VN ID, NVO3 outer header DSCP and etc as traffic
classification match part. BGP Flow-spec protocol can be used to set
the traffic classification on all GWs simultaneously.

In the second solution, a centralized BGP speaker can be deployed for
DDOS mitigation in the WAN network. When the analyzer detects
abnormal traffic, it will automatically generate Flow-spec rules and
distribute it them to each GW through BGP Flow-spec protocol, the match
part should include matching on inner or outer L2/L3 layer or NVO3 header.
headers.

In summary, the Flow specification match part on the GW/PE should
include inner layer 2 Ethernet header, inner layer 3 IP header, outer
layer 2 Ethernet header, outer layer 3 IP header, and/or NVO3 header
information. Because the current match part lacks flow-spec matching facilities lack a
layer indicator and NVO3 header information, so it they can't be used
directly for the traffic filtering based on NVO3 header or on a
specified layer header directly. This draft will propose specifies a new subset of
component types to support the NVO3 flow-spec application.

2. The Flow Specification encoding for NVO3

In default, the current flow-spec rules can only impose on the outer
layer header of

INTERNET-DRAFT NVO3 encapsulation data packets. To make traffic
filtering BGP Flow-Spec

1.1 Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

The reader is assumed to be familiar with BGP and NVO3 terminology.
The following terms and acronyms are used in this document with the
meaning indicated:

DC - Data Center

DDOS - Distributed Denial of Service (Attack).

GW - gateway

VN - virtual network

WAN - wide area network

INTERNET-DRAFT NVO3 BGP Flow-Spec

2. NVO3 Flow Specification Encoding

The current Flow-spec rules can only recognize flows based on the
outer layer header of NVO3 encapsulation data packets. To enable
traffic filtering based on an NVO3 header and inner header of NVO3
packets, a new component type acts acting as a delimiter is introduced.
The delimiter type is used to specify the boundary of between the inner
or outer layer component types for NVO3 data packets. All the
component types defined in [RFC5575],[IPv6-FlowSpec],[Layer2-FlowSpec],and etc [RFC5575], [IPv6-FlowSpec],
[Layer2-FlowSpec], and the like can be used between two delimiters.

The

Because the NVO3 outer layer address normally belongs to a public
network, the "Flow Specification" NLRI only for the outer layer header
doesn't need to include a Route Distinguisher field (8 bytes). If the
outer layer address belongs to a VPN, the NLRI format for the outer
header should consist of a fixed-length Route Distinguisher field (8
bytes) corresponding to the VPN, the RD VPN. This Route Distinguisher is followed
by the detail flow specifications for the outer layer.

The VN ID is the identification for each tenant network, the network. The "Flow
Specification" NLRI for an NVO3 header part should always include VN
ID
field, field but a Route Distinguisher field doesn't need to be included.

The inner layer MAC/IP address is always associates associated with a VN ID, ID.
Thus the NLRI format for the inner header should consist of a fixed-length
VNID fixed-
length VN ID field (4 bytes), the VNID bytes). The VN ID is followed by the detail detailed
flow specifications for the inner layer. The NLRI length field shall
include both the 4 bytes of the VN ID as well as the subsequent flow
specification. In the NVO3 terminating into a VPN scenario, if
multiple access VN ID maps IDs map to one VPN instance, one share shared VN ID can
be carried in the Flow-Spec rule to enforce the rule to the entire
VPN
instance, instance and the share VN ID and VPN correspondence should be
configured on each VPN PE beforehand, beforehand. In this case, the function of
the layer3 VN ID is the same with as a Route Distinguisher to act Distinguisher: it acts as the
identification of the VPN instance.

This document proposes specifies the following extended specifications Flow-Spec Component Types for
use with NVO3 flow: flows:

Type TBD1 - Delimiter type
Encoding: <type (1 octet), length (1 octet), Value>.

When the this delimiter type is present, it indicates the component
types for the inner or outer next layer of NVO3 packets will be followed
immediately. header fields immediately
follow. At the same time, it indicates the end of the component
types belonging to the former delimiter. previous layer of header fields.

The value field defines encapsulation type and is encoded as:

INTERNET-DRAFT NVO3 BGP Flow-Spec

| 0 1 2 3 4 5 6 7 |
+---+---+---+---+---+---+---+---+
| Encap Type |
+---+---+---+---+---+---+---+---+
| I | O | Resv |
+---+---+---+---+---+---+---+---+

This document defines the following Encap types:

- VXLAN: Tunnel Type = 0

- NVGRE: Tunnel Type = 1

I: If I is set to one, it indicates the component types for the
inner layer of NVO3 packets will be followed immediately. headers immediately follow.

O: If O is set to one, it indicates the component types for the
outer layer of NVO3 packets will be followed immediately. headers immediately follow.

For NVO3 header part, the following additional component types are
introduced.

Type TBD2 - VNID VN ID

Encoding: <type (1 octet), [op, value]+>.

Defines a list of {operation, value} pairs used to match 24-bit VN
ID which is used as tenant identification in NVO3 network. For
NVGRE encapsulation, the VNID VN ID is equivalent to VSID. Values are
encoded as 1- to 3-byte quantities.

Type TBD3 - Flow ID

Encoding: <type (1 octet), [op, value]+>

Defines a list of {operation, value} pairs used to match 8-bit
Flow
id ID fields which are only useful for NVGRE encapsulation.
Values are encoded as 1-byte quantity.

INTERNET-DRAFT NVO3 BGP Flow-Spec

3. The NVO3 Flow Specification Traffic Actions for NVO3

The current traffic filtering actions can still be are used for NVO3 encapsulation
traffic. For Traffic Marking, only the DSCP in the outer header can
be modified.

4. Security Considerations

No new security issues are introduced to the BGP protocol by this
specification.

INTERNET-DRAFT NVO3 BGP Flow-Spec

5. IANA Considerations

IANA is requested to create and maintain a assign three new registry entitled:

"Flow spec NVO3 Flow Spec Component Types": Types as
follows:

Type Name Reference
---- -------------- ---------
TBD1 - Delimiter type

Type [this document]
TBD2 - VNID

Type VN ID [this document]
TBD3 - Flow ID

5.1. [this document]

INTERNET-DRAFT NVO3 BGP Flow-Spec

Normative References

[1]

[RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119,
March 1997.

[2] 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC5575] - Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch,
J., and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<https://www.rfc-editor.org/info/rfc5575>.

[GENEVE] - J. Gross, T. Sridhar, etc, " Geneve: "Geneve: Generic Network
Virtualization Encapsulation", draft-ietf-nvo3-geneve-00, May
2015.

[3] draft-ietf-nvo3-geneve, work in
progress.

[GUE] - T. Herbert, L. Yong, O. Zia, " Generic "Generic UDP Encapsulation", draft-ietf-nvo3-gue-01, Jun 2015.

[4] [GPE] P. Quinn,etc, " Generic Protocol Extension for VXLAN",
draft-ietf-nvo3-vxlan-gpe-00, May 2015.

5.2. Informative References

[1] [EVPN-Overlays] A. Sajassi,etc, " A Network Virtualization
Overlay Solution using EVPN", draft-ietf-bess-evpn-overlay-01 ,
work in progress, February, 2014.

[2] [Inter-Overlays] J. Rabadan,etc, " Interconnect Solution for
EVPN Overlay networks", draft-ietf-bess-dci-evpn-overlay-01,
draft-ietf-nvo3-gue, work in progress, July, 2015.

[3] progress.

INTERNET-DRAFT NVO3 BGP Flow-Spec

Informative References

[RFC7348] M. - Mahalingam, etc, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
eXtensible Local Area Network (VXLAN): A Framework for
Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", RFC7348,
RFC 7348, DOI 10.17487/RFC7348, August 2014.

[4] [NVGRE] P. 2014, <https://www.rfc-
editor.org/info/rfc7348>.

[RFC7367] - Garg, etc, P., Ed., and Y. Wang, Ed., "NVGRE: Network
Virtualization using Using Generic Routing Encapsulation", draft-sridharan-
virtualization-nvgre-08, April 13, 2015.

[5] RFC 7637,
DOI 10.17487/RFC7637, September 2015, <https://www.rfc-
editor.org/info/rfc7637>.

[EVPN-Overlays] - A. Sajassi,etc, "A Network Virtualization Overlay
Solution using EVPN", draft-ietf-bess-evpn-overlay, work in
progress, February.

[Inter-Overlays] - J. Rabadan,etc, "Interconnect Solution for EVPN
Overlay networks", draft-ietf-bess-dci-evpn-overlay, work in
progress.

[IPv6-FlowSpec] - R. Raszuk, etc, " Dissemination "Dissemination of Flow
Specification Rules for IPv6", draft-ietf-idr-flow-spec-v6-06,
November 2014.

[6] draft-ietf-idr-flow-spec-v6,
work in progress.

[Layer2-FlowSpec] - W. Hao, etc, "Dissemination of Flow Specification
Rules for L2 VPN", draft-ietf-idr-flowspec-
l2vpn-02, August 2015.

[7] [RFC5575] draft-ietf-idr-flowspec-l2vpn, work in
progress.

[GPE] - P. Marques, N. Sheth, R. Raszuk, B. Greene, J.Mauch,
D. McPherson, "Dissemination of Flow Specification Rules", RFC
5575, August 2009.

6. Quinn,etc, "Generic Protocol Extension for VXLAN", draft-
ietf-nvo3-vxlan-gpe, work in progress.

INTERNET-DRAFT NVO3 BGP Flow-Spec

Acknowledgments

The authors wish to acknowledge the important contributions of Jeff
Haas, Susan Hares, Qiandeng Liang, Nan Wu, Yizhou Li, and Lucy Yong.

Authors' Addresses

Donald Eastlake
Huawei Technologies
155 Beaver Street
Milford, MA 01757 USA

Tel: +1-508-333-2270
Email: d3e3e3@gmail.com

Weiguo Hao
Huawei Technologies
101 Software Avenue,
Nanjing 210012 China

Email: haoweiguo@huawei.com

Shunwan Zhuang
Huawei Technologies
Huawei Bld., No.156 Beiqing Rd.
Beijing 100095 China

Email: zhuangshunwan@huawei.com

Zhenbin Li
Huawei Technologies
Huawei Bld., No.156 Beiqing Rd.
Beijing 100095 China

Email: lizhenbin@huawei.com

Rong Gu
China Mobile

Email: gurong_cmcc@outlook.com

INTERNET-DRAFT NVO3 BGP Flow-Spec

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.