draft-ietf-idr-flowspec-nvo3-04.txt   draft-ietf-idr-flowspec-nvo3-05.txt 
INTERNET-DRAFT D. Eastlake INTERNET-DRAFT D. Eastlake
Intended Status: Proposed Standard W. Hao Intended Status: Proposed Standard W. Hao
S. Zhuang S. Zhuang
Z. Li Z. Li
Huawei Technologies Huawei Technologies
R. Gu R. Gu
China Mobil China Mobil
Expires: September 3, 2019 March 4, 2019 Expires: October 26, 2019 April 27, 2019
BGP Dissemination of BGP Dissemination of
Network Virtualization Overlays (NVO3) Flow Specification Rules Network Virtualization Overlays (NVO3) Flow Specification Rules
<draft-ietf-idr-flowspec-nvo3-04.txt> <draft-ietf-idr-flowspec-nvo3-05.txt>
Abstract Abstract
This draft specifies a new subset of component types to support the This draft specifies a new subset of component types to support the
(Network Virtualization Overlays (NVO3)) flow-spec application. (Network Virtualization Overlays (NVO3)) flow-spec application.
Status of This Document Status of This Document
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 2, line 22 skipping to change at page 2, line 22
2. NVO3 Flow Specification Encoding........................6 2. NVO3 Flow Specification Encoding........................6
3. NVO3 Flow Specification Traffic Actions.................8 3. NVO3 Flow Specification Traffic Actions.................8
4. Security Considerations.................................8 4. Security Considerations.................................8
5. IANA Considerations.....................................8 5. IANA Considerations.....................................8
Normative References.......................................9 Normative References.......................................9
Informative References.....................................9 Informative References.....................................9
Acknowledgments...........................................10 Acknowledgments...........................................11
Authors' Addresses........................................10 Authors' Addresses........................................11
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
1. Introduction 1. Introduction
BGP Flow-spec is an extension to BGP that supports the dissemination BGP Flow-spec is an extension to BGP that supports the dissemination
of traffic flow specification rules. It uses the BGP Control Plane of traffic flow specification rules. It uses the BGP Control Plane
to simplify the distribution of Access Control Lists (ACLs) and to simplify the distribution of Access Control Lists (ACLs) and
allows new filter rules to be injected to all BGP peers allows new filter rules to be injected to all BGP peers
simultaneously without changing router configuration. A typical simultaneously without changing router configuration. A typical
application of BGP Flow-spec is to automate the distribution of application of BGP Flow-spec is to automate the distribution of
traffic filter lists to routers for Distributed Denial of Service traffic filter lists to routers for Distributed Denial of Service
(DDOS) mitigation. (DDOS) mitigation.
[RFC5575] defines a new BGP Network Layer Reachability Information [RFC5575bis] defines a new BGP Network Layer Reachability Information
(NLRI) format used to distribute traffic flow specification rules. (NLRI) format used to distribute traffic flow specification rules.
NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1,
SAFI=134) is for BGP/MPLS VPN filtering. [IPv6-FlowSpec] and [Layer2- SAFI=134) is for BGP/MPLS VPN filtering. [IPv6-FlowSpec] and [Layer2-
FlowSpec] extend the flow-spec rules for IPv6 and layer 2 Ethernet FlowSpec] extend the flow-spec rules for IPv6 and layer 2 Ethernet
packets respectively. All these previous flow specifications match packets respectively. All these previous flow specifications match
only single layer IP/Ethernet information fields like only single layer IP/Ethernet information fields like
source/destination MAC, source/destination IP prefix, protocol type, source/destination MAC, source/destination IP prefix, protocol type,
ports, and the like. ports, and the like.
In the cloud computing era, multi-tenancy has become a core In the cloud computing era, multi-tenancy has become a core
requirement for data centers. Since Network Virtualization Overlays requirement for data centers. Since Network Virtualization Overlays
(NVO3) can satisfy multi-tenancy key requirements, this technology is (NVO3 [RFC8014]) can satisfy multi-tenancy key requirements, this
being deployed in an increasing number of cloud data center networks. technology is being deployed in an increasing number of cloud data
NVO3 is an overlay technology and VXLAN [RFC7348] and NVGRE [RFC7367] center networks. NVO3 is an overlay technology and VXLAN [RFC7348]
are two typical NVO3 encapsulations. GENEVE [GENEVE], GUE [GUE] and and NVGRE [RFC7367] are two typical NVO3 encapsulations. GENEVE
GPE [GPE] are three emerging NVO3 encapsulations. Because it is an [GENEVE], GUE [GUE] and GPE [GPE] are three emerging NVO3
overlay technology involving an additional level of encapsulation, encapsulations. Because it is an overlay technology involving an
flow specification matching on the inner header as well as the outer additional level of encapsulation, flow specification matching on the
header, as specified below, is needed. inner header as well as the outer header, as specified below, is
needed.
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
+--+ +--+
|CE| |CE|
+--+ +--+
| |
+----+ +----+
+----| PE |----+ +----| PE |----+
+---------+ | +----+ | +---------+ +---------+ | +----+ | +---------+
skipping to change at page 4, line 47 skipping to change at page 4, line 47
performs NVO3 encapsulation for DC interconnection with NVE3. The performs NVO3 encapsulation for DC interconnection with NVE3. The
destination VTEP IP is NVE3's IP. The GW doesn't perform NVO3 destination VTEP IP is NVE3's IP. The GW doesn't perform NVO3
tunnel termination. The DC interconnect WAN is pure an underlay tunnel termination. The DC interconnect WAN is pure an underlay
network. network.
2. Segmented NVO3 tunnels across different data centers: NVE1 doesn't 2. Segmented NVO3 tunnels across different data centers: NVE1 doesn't
perform end-to-end NVO3 encapsulation to NVE3 for DC perform end-to-end NVO3 encapsulation to NVE3 for DC
interconnection. The GW performs NVO3 tunnel encapsulation interconnection. The GW performs NVO3 tunnel encapsulation
termination, and then transmits the inner original traffic through termination, and then transmits the inner original traffic through
an MPLS network to the peer data center GW. The peer data center an MPLS network to the peer data center GW. The peer data center
GW again terminates MPLS encapsulation, and then performs NVO3 GW terminates MPLS encapsulation, and then performs NVO3
encapsulation to transmit the traffic to the local NVE3. encapsulation to transmit the traffic to the local NVE3.
In the first solution, to differentiate bandwidth and Quality of In the first solution, to differentiate bandwidth and Quality of
Service (QoS) among different tenants or applications, different TE Service (QoS) among different tenants or applications, different
tunnels in the WAN network will be used to carry the end-to-end NVO3 traffic engneered tunnels in the WAN network will be used to carry
encapsulation traffic using VN ID, NVO3 outer header DSCP, and other the end-to-end NVO3 encapsulation traffic using VN ID, NVO3 outer
fields as the traffic classification match part. The BGP Flow-spec header DSCP, and other fields as the traffic classification match
protocol can be used to set the traffic classification on all GWs part. The BGP Flow-spec protocol can be used to set the traffic
simultaneously. classification on all GWs simultaneously.
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
In the second solution, a centralized BGP speaker can be deployed for In the second solution, a centralized BGP speaker can be deployed for
DDOS mitigation in the WAN network. When the analyzer detects DDOS mitigation in the WAN network. When the analyzer detects
abnormal traffic, it will automatically generate Flow-spec rules and abnormal traffic, it will automatically generate Flow-spec rules and
distribute them to each GW through the BGP Flow-spec protocol, the distribute them to each GW through the BGP Flow-spec protocol, the
match part should include matching on inner or outer L2/L3 layer or match part should include matching on inner or outer L2/L3 layer or
NVO3 headers. NVO3 headers.
skipping to change at page 5, line 42 skipping to change at page 5, line 42
The reader is assumed to be familiar with BGP and NVO3 terminology. The reader is assumed to be familiar with BGP and NVO3 terminology.
The following terms and acronyms are used in this document with the The following terms and acronyms are used in this document with the
meaning indicated: meaning indicated:
ACL - Access Control List ACL - Access Control List
DC - Data Center DC - Data Center
DDOS - Distributed Denial of Service (Attack) DDOS - Distributed Denial of Service (Attack)
DSCP - Differentiated Services Code Point
GW - gateway GW - gateway
VN - virtual network VN - virtual network
VTEP - Virtual Tunnel End Point VTEP - Virtual Tunnel End Point
WAN - wide area network WAN - wide area network
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
2. NVO3 Flow Specification Encoding 2. NVO3 Flow Specification Encoding
The current Flow-spec rules can only recognize flows based on the The current Flow-spec rules can only recognize flows based on the
outer layer header of NVO3 encapsulation data packets. To enable outer layer header of NVO3 encapsulation data packets. To enable
traffic filtering based on an NVO3 header and on an inner header of traffic filtering based on an NVO3 header and on an inner header of
NVO3 packets, a new component type acting as a delimiter is NVO3 packets, a new component type acting as a delimiter is
introduced. The delimiter type is used to indicate the boundary introduced. The delimiter type is used to indicate the boundary
between the inner and outer layer component types for NVO3 data between the inner and outer layer component types for NVO3 data
packets. All the component types defined in [RFC5575], packets. All the component types defined in [RFC5575bis],
[IPv6-FlowSpec], [Layer2-FlowSpec], and the like can be used for the [IPv6-FlowSpec], [Layer2-FlowSpec], and the like can be used for the
inner or outer header as indicated by the use of delimiters. inner or outer header as indicated by the use of delimiters.
Because the NVO3 outer layer address normally belongs to a public Because the NVO3 outer layer address normally belongs to a public
network, the "Flow Specification" NLRI for the outer layer header network, the "Flow Specification" NLRI for the outer layer header
doesn't need to include a Route Distinguisher field (8 bytes). If the doesn't need to include a Route Distinguisher field (8 bytes). If the
outer layer address belongs to a VPN, the NLRI format for the outer outer layer address belongs to a VPN, the NLRI format for the outer
header should consist of a fixed-length Route Distinguisher field (8 header should consist of a fixed-length Route Distinguisher field (8
bytes) corresponding to the VPN. This Route Distinguisher is followed bytes) corresponding to the VPN. This Route Distinguisher is followed
by the detail flow specifications for the outer layer. by the detail flow specifications for the outer layer.
skipping to change at page 7, line 26 skipping to change at page 7, line 26
- VXLAN: Tunnel Type = 0 - VXLAN: Tunnel Type = 0
- NVGRE: Tunnel Type = 1 - NVGRE: Tunnel Type = 1
I: If I is set to one, it indicates the component types for the I: If I is set to one, it indicates the component types for the
inner layer of NVO3 headers immediately follow. inner layer of NVO3 headers immediately follow.
O: If O is set to one, it indicates the component types for the O: If O is set to one, it indicates the component types for the
outer layer of NVO3 headers immediately follow. outer layer of NVO3 headers immediately follow.
For the NVO3 header part, the following additional component types are For the NVO3 header part, the following additional two component types
introduced. are introduced.
Type TBD2 - VN ID Type TBD2 - VN ID
Encoding: <type (1 octet), [op, value]+>. Encoding: <type (1 octet), length (1 octet), [op, value]+>.
Defines a list of {operation, value} pairs used to match the Defines a list of {operation, value} pairs used to match the
24-bit VN ID that is used as the tenant identification in NVO3 24-bit VN ID that is used as the tenant identification in NVO3
networks. For NVGRE encapsulation, the VN ID is equivalent to networks. For NVGRE encapsulation, the VN ID is equivalent to
VSID. Values are encoded as 1- to 3-byte quantities. VSID. Values are encoded as 1- to 3-byte quantities.
Type TBD3 - Flow ID Type TBD3 - Flow ID
Encoding: <type (1 octet), [op, value]+> Encoding: <type (1 octet), length (1 octet), [op, value]+>
Defines a list of {operation, value} pairs used to match 8-bit Defines a list of {operation, value} pairs used to match 8-bit
Flow ID fields which are only useful for NVGRE encapsulation. Flow ID fields which are only useful for NVGRE encapsulation.
Values are encoded as 1-byte quantity. Values are encoded as 1-byte quantity.
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
3. NVO3 Flow Specification Traffic Actions 3. NVO3 Flow Specification Traffic Actions
The current traffic filtering actions are used for NVO3 encapsulation The current traffic filtering actions are used for NVO3 encapsulation
skipping to change at page 9, line 13 skipping to change at page 9, line 13
TBD3 Flow ID [this document] TBD3 Flow ID [this document]
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
Normative References Normative References
[RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119,
March 1997, <https://www.rfc-editor.org/info/rfc2119>. March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC5575] - Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch,
J., and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<https://www.rfc-editor.org/info/rfc5575>.
[RFC8174] - [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs [RFC8174] - [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs
Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI
10.17487/RFC8174, May 2017, <https://www.rfc- 10.17487/RFC8174, May 2017, <https://www.rfc-
editor.org/info/rfc8174>. editor.org/info/rfc8174>.
[GENEVE] - J. Gross, T. Sridhar, etc, "Geneve: Generic Network [GENEVE] - J. Gross, T. Sridhar, etc, "Geneve: Generic Network
Virtualization Encapsulation", draft-ietf-nvo3-geneve, work in Virtualization Encapsulation", draft-ietf-nvo3-geneve, work in
progress. progress.
[GUE] - T. Herbert, L. Yong, O. Zia, "Generic UDP Encapsulation", [GUE] - T. Herbert, L. Yong, O. Zia, "Generic UDP Encapsulation",
draft-ietf-nvo3-gue, work in progress. draft-ietf-nvo3-gue, work in progress.
[RFC5575bis] - Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch,
J., and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<https://www.rfc-editor.org/info/rfc5575>.
Informative References Informative References
[RFC7348] - Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, [RFC7348] - Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
L., Sridhar, T., Bursell, M., and C. Wright, "Virtual L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
eXtensible Local Area Network (VXLAN): A Framework for eXtensible Local Area Network (VXLAN): A Framework for
Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", Overlaying Virtualized Layer 2 Networks over Layer 3 Networks",
RFC 7348, DOI 10.17487/RFC7348, August 2014, <https://www.rfc- RFC 7348, DOI 10.17487/RFC7348, August 2014, <https://www.rfc-
editor.org/info/rfc7348>. editor.org/info/rfc7348>.
[RFC7367] - Garg, P., Ed., and Y. Wang, Ed., "NVGRE: Network [RFC7367] - Garg, P., Ed., and Y. Wang, Ed., "NVGRE: Network
Virtualization Using Generic Routing Encapsulation", RFC 7637, Virtualization Using Generic Routing Encapsulation", RFC 7637,
DOI 10.17487/RFC7637, September 2015, <https://www.rfc- DOI 10.17487/RFC7637, September 2015, <https://www.rfc-
editor.org/info/rfc7637>. editor.org/info/rfc7637>.
[RFC8014] - Black, D., Hudson, J., Kreeger, L., Lasserre, M., and T.
Narten, "An Architecture for Data-Center Network Virtualization
over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December
2016, <https://www.rfc-editor.org/info/rfc8014>.
[IPv6-FlowSpec] - R. Raszuk, etc, "Dissemination of Flow [IPv6-FlowSpec] - R. Raszuk, etc, "Dissemination of Flow
Specification Rules for IPv6", draft-ietf-idr-flow-spec-v6, Specification Rules for IPv6", draft-ietf-idr-flow-spec-v6,
work in progress. work in progress.
[Layer2-FlowSpec] - W. Hao, etc, "Dissemination of Flow Specification [Layer2-FlowSpec] - W. Hao, etc, "Dissemination of Flow Specification
Rules for L2 VPN", draft-ietf-idr-flowspec-l2vpn, work in Rules for L2 VPN", draft-ietf-idr-flowspec-l2vpn, work in
INTERNET-DRAFT NVO3 BGP Flow-Spec
progress. progress.
[GPE] - P. Quinn, etc, "Generic Protocol Extension for VXLAN", draft- [GPE] - P. Quinn, etc, "Generic Protocol Extension for VXLAN", draft-
ietf-nvo3-vxlan-gpe, work in progress. ietf-nvo3-vxlan-gpe, work in progress.
INTERNET-DRAFT NVO3 BGP Flow-Spec INTERNET-DRAFT NVO3 BGP Flow-Spec
Acknowledgments Acknowledgments
The authors wish to acknowledge the important contributions of Jeff The authors wish to acknowledge the important contributions of Jeff
 End of changes. 16 change blocks. 
30 lines changed or deleted 41 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/