draft-ietf-idr-flowspec-nvo3-01.txt   draft-ietf-idr-flowspec-nvo3-02.txt 
INTERNET-DRAFT Donald Eastlake INTERNET-DRAFT Donald Eastlake
Intended Status: Proposed Standard Weiguo Hao Intended Status: Proposed Standard Weiguo Hao
Shunwan Zhuang Shunwan Zhuang
Zhenbin Li Zhenbin Li
Huawei Technologies Huawei Technologies
Rong Gu Rong Gu
China Mobil China Mobil
Expires: May 15, 2018 November 16, 2017 Expires: September 20, 2018 March 21, 2018
Dissemination of NVO3 Flow Specification Rules BGP Dissemination of
<draft-ietf-idr-flowspec-nvo3-01.txt> Network Virtualization Overlays (NVO3) Flow Specification Rules
<draft-ietf-idr-flowspec-nvo3-02.txt>
Abstract Abstract
This draft proposes a new subset of component types to support the This draft specifies a new subset of component types to support the
NVO3 flow-spec application. (Network Virtualization Overlays (NVO3) flow-spec application.
Status of This Document Status of This Document
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Distribution of this document is unlimited. Comments should be sent Distribution of this document is unlimited. Comments should be sent
to the authors or the TRILL Working Group mailing list to the authors or the TRILL Working Group mailing list
<dnsext@ietf.org>. <dnsext@ietf.org>.
skipping to change at page 2, line 17 skipping to change at page 2, line 17
Table of Contents Table of Contents
1. Introduction............................................3 1. Introduction............................................3
1.1 Terminology............................................5 1.1 Terminology............................................5
2. NVO3 Flow Specification Encoding........................6 2. NVO3 Flow Specification Encoding........................6
3. NVO3 Flow Specification Traffic Actions.................8 3. NVO3 Flow Specification Traffic Actions.................8
4. Security Considerations.................................8 4. Security Considerations.................................8
5. IANA Considerations.....................................8
5. IANA Considerations.....................................9 Normative References.......................................9
Informative References.....................................9
Normative References......................................10
Informative References....................................11
Acknowledgments...........................................12 Acknowledgments...........................................10
Authors' Addresses........................................12 Authors' Addresses........................................10
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
1. Introduction 1. Introduction
BGP Flow-spec is an extension to BGP that supports the dissemination BGP Flow-spec is an extension to BGP that supports the dissemination
of traffic flow specification rules. It uses the BGP Control Plane of traffic flow specification rules. It uses the BGP Control Plane
to simplify the distribution of ACLs and allows new filter rules to to simplify the distribution of ACLs and allows new filter rules to
be injected to all BGP peers simultaneously without changing router be injected to all BGP peers simultaneously without changing router
configuration. A typical application of BGP Flow-spec is to automate configuration. A typical application of BGP Flow-spec is to automate
the distribution of traffic filter lists to routers for DDOS the distribution of traffic filter lists to routers for Distributed
mitigation. Denial of Service (DDOS) mitigation.
[RFC5575] defines a new BGP Network Layer Reachability Information [RFC5575] defines a new BGP Network Layer Reachability Information
(NLRI) format used to distribute traffic flow specification rules. (NLRI) format used to distribute traffic flow specification rules.
NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1,
SAFI=134) is for BGP/MPLS VPN filtering. [IPv6-FlowSpec] and [Layer2- SAFI=134) is for BGP/MPLS VPN filtering. [IPv6-FlowSpec] and [Layer2-
FlowSpec] extend the flow-spec rules for IPv6 and layer 2 Ethernet FlowSpec] extend the flow-spec rules for IPv6 and layer 2 Ethernet
packets respectively. All these previous flow specifications match packets respectively. All these previous flow specifications match
only single layer IP/Ethernet information like source/destination only single layer IP/Ethernet information fields like
MAC, source/destination IP prefix, protocol type, ports, and the source/destination MAC, source/destination IP prefix, protocol type,
like. ports, and the like.
In the cloud computing era, multi-tenancy has become a core In the cloud computing era, multi-tenancy has become a core
requirement for data centers. Since NVO3 can satisfy multi-tenancy requirement for data centers. Since Network Virtualization Overlays
key requirements, this technology is being deployed in an increasing (NVO3) can satisfy multi-tenancy key requirements, this technology is
number of cloud data center networks. NVO3 is an overlay technology, being deployed in an increasing number of cloud data center networks.
VXLAN [RFC7348] and NVGRE [RFC7367] are two typical NVO3 NVO3 is an overlay technology and VXLAN [RFC7348] and NVGRE [RFC7367]
encapsulations. GENEVE [GENEVE], GUE [GUE] and GPE [GPE] are three are two typical NVO3 encapsulations. GENEVE [GENEVE], GUE [GUE] and
emerging NVO3 encapsulations. Because it is an overlay technology, GPE [GPE] are three emerging NVO3 encapsulations. Because it is an
flow specification matching on an inner header as well as the outer overlay technology, flow specification matching on an inner header as
header, as specifified below, is needed. well as the outer header, as specified below, is needed.
+--+ +--+
|CE| |CE|
+--+ +--+
| |
+----+ +----+
+----| PE |----+ +----| PE |----+
+---------+ | +----+ | +---------+ +---------+ | +----+ | +---------+
+----+ | +---+ +---+ | +----+ +----+ | +---+ +---+ | +----+
|NVE1|--| | | | | |--|NVE3| |NVE1|--| | | | | |--|NVE3|
skipping to change at page 4, line 8 skipping to change at page 4, line 8
+----+ | |GW2| |GW4| | +----+ +----+ | |GW2| |GW4| | +----+
|NVE2|--| +---+ +---+ |--|NVE4| |NVE2|--| +---+ +---+ |--|NVE4|
+----+ +---------+ | | +---------+ +----+ +----+ +---------+ | | +---------+ +----+
+--------------+ +--------------+
Figure 1. NVO3 Data Center Interconnection Figure 1. NVO3 Data Center Interconnection
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
The MPLS L2/L3 VPN in the WAN network can be used for NVO3 based data The MPLS L2/L3 VPN in the WAN network can be used for NVO3 based data
center network interconnection. When the DC and the WAN are operated center network interconnection. When the Data Center (DC) and the WAN
by the same administrative entity, the Service Provider can decide to are operated by the same administrative entity, the Service Provider
integrate the GW and WAN Edge PE functions in the same router for can decide to integrate the gateway (GW) and WAN Edge PE functions in
obvious capital and operational cost saving reasons. This is the same router for obvious capital and operational cost saving
illustrated in Figure 1. There are two interconnection solutions as reasons. This is illustrated in Figure 1. There are two
follows: interconnection solutions as follows:
1. End-to-end NVO3 tunnel across different data centers: NVE1 perform 1. End-to-end NVO3 tunnel across different data centers: NVE1 perform
NVO3 encapsulation for DC interconnection with NVE3, the NVO3 encapsulation for DC interconnection with NVE3, the
destination VTEP IP is NVE3's IP. The GW doesn't perform NVO3 destination VTEP IP is NVE3's IP. The GW doesn't perform NVO3
tunnel termination. The DC interconnect WAN is pure an underlay tunnel termination. The DC interconnect WAN is pure an underlay
network. network.
2. Segmented NVO3 tunnels across different data centers: NVE1 doesn't 2. Segmented NVO3 tunnels across different data centers: NVE1 doesn't
perform end-to-end NVO3 encapsulation to NVE3 for DC perform end-to-end NVO3 encapsulation to NVE3 for DC
interconnection. The GW performs NVO3 tunnel encapsulation interconnection. The GW performs NVO3 tunnel encapsulation
termination, and then transmits the inner original traffic through termination, and then transmits the inner original traffic through
MPLS network to the peer data center GW. The peer data center GW MPLS network to the peer data center GW. The peer data center GW
terminates MPLS encapsulation, and then performs NVO3 terminates MPLS encapsulation, and then performs NVO3
encapsulation to transmit the traffic to the local NVE3. encapsulation to transmit the traffic to the local NVE3.
In the first solution, to differentiate bandwidth and QOS among In the first solution, to differentiate bandwidth and QOS among
different tenants or applications, different TE tunnels in the WAN different tenants or applications, different TE tunnels in the WAN
network will be used to carry the end-to-end NVO3 encapsulation network will be used to carry the end-to-end NVO3 encapsulation
traffic using VN ID, NVO3 outer header DSCP and etc as traffic traffic using VN ID, NVO3 outer header DSCP and etc as traffic
classification match part. BGP Flow-spec protocol can be used to set classification match part. The BGP Flow-spec protocol can be used to
the traffic classification on all GWs simultaneously. set the traffic classification on all GWs simultaneously.
In the second solution, a centralized BGP speaker can be deployed for In the second solution, a centralized BGP speaker can be deployed for
DDOS mitigation in the WAN network. When the analyzer detects DDOS mitigation in the WAN network. When the analyzer detects
abnormal traffic, it will automatically generate Flow-spec rules and abnormal traffic, it will automatically generate Flow-spec rules and
distribute them to each GW through BGP Flow-spec protocol, the match distribute them to each GW through BGP Flow-spec protocol, the match
part should include matching on inner or outer L2/L3 layer or NVO3 part should include matching on inner or outer L2/L3 layer or NVO3
headers. headers.
In summary, the Flow specification match part on the GW/PE should In summary, the Flow specification match part on the GW/PE should
include inner layer 2 Ethernet header, inner layer 3 IP header, outer include inner layer 2 Ethernet header, inner layer 3 IP header, outer
skipping to change at page 5, line 10 skipping to change at page 5, line 10
layer indicator and NVO3 header information, they can't be used layer indicator and NVO3 header information, they can't be used
directly for the traffic filtering based on NVO3 header or on a directly for the traffic filtering based on NVO3 header or on a
specified layer header directly. This draft specifies a new subset of specified layer header directly. This draft specifies a new subset of
component types to support the NVO3 flow-spec application. component types to support the NVO3 flow-spec application.
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
1.1 Terminology 1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in RFC 2119 [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
The reader is assumed to be familiar with BGP and NVO3 terminology. The reader is assumed to be familiar with BGP and NVO3 terminology.
The following terms and acronyms are used in this document with the The following terms and acronyms are used in this document with the
meaning indicated: meaning indicated:
DC - Data Center DC - Data Center
DDOS - Distributed Denial of Service (Attack). DDOS - Distributed Denial of Service (Attack).
GW - gateway GW - gateway
skipping to change at page 6, line 14 skipping to change at page 6, line 14
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
2. NVO3 Flow Specification Encoding 2. NVO3 Flow Specification Encoding
The current Flow-spec rules can only recognize flows based on the The current Flow-spec rules can only recognize flows based on the
outer layer header of NVO3 encapsulation data packets. To enable outer layer header of NVO3 encapsulation data packets. To enable
traffic filtering based on an NVO3 header and inner header of NVO3 traffic filtering based on an NVO3 header and inner header of NVO3
packets, a new component type acting as a delimiter is introduced. packets, a new component type acting as a delimiter is introduced.
The delimiter type is used to specify the boundary between the inner The delimiter type is used to specify the boundary between the inner
or outer layer component types for NVO3 data packets. All the and outer layer component types for NVO3 data packets. All the
component types defined in [RFC5575], [IPv6-FlowSpec], component types defined in [RFC5575], [IPv6-FlowSpec],
[Layer2-FlowSpec], and the like can be used between two delimiters. [Layer2-FlowSpec], and the like can be used between two delimiters.
Because the NVO3 outer layer address normally belongs to a public Because the NVO3 outer layer address normally belongs to a public
network, the "Flow Specification" NLRI for the outer layer header network, the "Flow Specification" NLRI for the outer layer header
doesn't need to include a Route Distinguisher field (8 bytes). If the doesn't need to include a Route Distinguisher field (8 bytes). If the
outer layer address belongs to a VPN, the NLRI format for the outer outer layer address belongs to a VPN, the NLRI format for the outer
header should consist of a fixed-length Route Distinguisher field (8 header should consist of a fixed-length Route Distinguisher field (8
bytes) corresponding to the VPN. This Route Distinguisher is followed bytes) corresponding to the VPN. This Route Distinguisher is followed
by the detail flow specifications for the outer layer. by the detail flow specifications for the outer layer.
skipping to change at page 9, line 5 skipping to change at page 8, line 18
The current traffic filtering actions are used for NVO3 encapsulation The current traffic filtering actions are used for NVO3 encapsulation
traffic. For Traffic Marking, only the DSCP in the outer header can traffic. For Traffic Marking, only the DSCP in the outer header can
be modified. be modified.
4. Security Considerations 4. Security Considerations
No new security issues are introduced to the BGP protocol by this No new security issues are introduced to the BGP protocol by this
specification. specification.
INTERNET-DRAFT NVO3 BGP Flow-Spec
5. IANA Considerations 5. IANA Considerations
IANA is requested to assign three new Flow Spec Component Types as IANA is requested to assign three new values in the "Flow Spec
follows: Component Types" registry as follows:
Type Name Reference Type Name Reference
---- -------------- --------- ---- -------------- ---------
TBD1 Delimiter type [this document] TBD1 Delimiter type [this document]
TBD2 VN ID [this document] TBD2 VN ID [this document]
TBD3 Flow ID [this document] TBD3 Flow ID [this document]
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
Normative References Normative References
[RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119,
March 1997, <https://www.rfc-editor.org/info/rfc2119>. March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC5575] - Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, [RFC5575] - Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch,
J., and D. McPherson, "Dissemination of Flow Specification J., and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<https://www.rfc-editor.org/info/rfc5575>. <https://www.rfc-editor.org/info/rfc5575>.
[RFC8174] - [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs
Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI
10.17487/RFC8174, May 2017, <https://www.rfc-
editor.org/info/rfc8174>.
[GENEVE] - J. Gross, T. Sridhar, etc, "Geneve: Generic Network [GENEVE] - J. Gross, T. Sridhar, etc, "Geneve: Generic Network
Virtualization Encapsulation", draft-ietf-nvo3-geneve, work in Virtualization Encapsulation", draft-ietf-nvo3-geneve, work in
progress. progress.
[GUE] - T. Herbert, L. Yong, O. Zia, "Generic UDP Encapsulation", [GUE] - T. Herbert, L. Yong, O. Zia, "Generic UDP Encapsulation",
draft-ietf-nvo3-gue, work in progress. draft-ietf-nvo3-gue, work in progress.
INTERNET-DRAFT NVO3 BGP Flow-Spec
Informative References Informative References
[RFC7348] - Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, [RFC7348] - Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
L., Sridhar, T., Bursell, M., and C. Wright, "Virtual L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
eXtensible Local Area Network (VXLAN): A Framework for eXtensible Local Area Network (VXLAN): A Framework for
Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", Overlaying Virtualized Layer 2 Networks over Layer 3 Networks",
RFC 7348, DOI 10.17487/RFC7348, August 2014, <https://www.rfc- RFC 7348, DOI 10.17487/RFC7348, August 2014, <https://www.rfc-
editor.org/info/rfc7348>. editor.org/info/rfc7348>.
[RFC7367] - Garg, P., Ed., and Y. Wang, Ed., "NVGRE: Network [RFC7367] - Garg, P., Ed., and Y. Wang, Ed., "NVGRE: Network
Virtualization Using Generic Routing Encapsulation", RFC 7637, Virtualization Using Generic Routing Encapsulation", RFC 7637,
DOI 10.17487/RFC7637, September 2015, <https://www.rfc- DOI 10.17487/RFC7637, September 2015, <https://www.rfc-
editor.org/info/rfc7637>. editor.org/info/rfc7637>.
[EVPN-Overlays] - A. Sajassi,etc, "A Network Virtualization Overlay
Solution using EVPN", draft-ietf-bess-evpn-overlay, work in
progress, February.
[Inter-Overlays] - J. Rabadan,etc, "Interconnect Solution for EVPN
Overlay networks", draft-ietf-bess-dci-evpn-overlay, work in
progress.
[IPv6-FlowSpec] - R. Raszuk, etc, "Dissemination of Flow [IPv6-FlowSpec] - R. Raszuk, etc, "Dissemination of Flow
Specification Rules for IPv6", draft-ietf-idr-flow-spec-v6, Specification Rules for IPv6", draft-ietf-idr-flow-spec-v6,
work in progress. work in progress.
[Layer2-FlowSpec] - W. Hao, etc, "Dissemination of Flow Specification [Layer2-FlowSpec] - W. Hao, etc, "Dissemination of Flow Specification
Rules for L2 VPN", draft-ietf-idr-flowspec-l2vpn, work in Rules for L2 VPN", draft-ietf-idr-flowspec-l2vpn, work in
progress. progress.
[GPE] - P. Quinn,etc, "Generic Protocol Extension for VXLAN", draft- [GPE] - P. Quinn, etc, "Generic Protocol Extension for VXLAN", draft-
ietf-nvo3-vxlan-gpe, work in progress. ietf-nvo3-vxlan-gpe, work in progress.
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
Acknowledgments Acknowledgments
The authors wish to acknowledge the important contributions of Jeff The authors wish to acknowledge the important contributions of Jeff
Haas, Susan Hares, Qiandeng Liang, Nan Wu, Yizhou Li, and Lucy Yong. Haas, Susan Hares, Qiandeng Liang, Nan Wu, Yizhou Li, and Lucy Yong.
Authors' Addresses Authors' Addresses
skipping to change at page 13, line 9 skipping to change at page 11, line 9
Rong Gu Rong Gu
China Mobile China Mobile
Email: gurong_cmcc@outlook.com Email: gurong_cmcc@outlook.com
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
Copyright, Disclaimer, and Additional IPR Provisions Copyright, Disclaimer, and Additional IPR Provisions
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
 End of changes. 20 change blocks. 
51 lines changed or deleted 46 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/