--- 1/draft-ietf-idr-flowspec-nvo3-04.txt 2019-04-29 07:13:28.024814099 -0700 +++ 2/draft-ietf-idr-flowspec-nvo3-05.txt 2019-04-29 07:13:28.128816729 -0700 @@ -1,23 +1,23 @@ INTERNET-DRAFT D. Eastlake Intended Status: Proposed Standard W. Hao S. Zhuang Z. Li Huawei Technologies R. Gu China Mobil -Expires: September 3, 2019 March 4, 2019 +Expires: October 26, 2019 April 27, 2019 BGP Dissemination of Network Virtualization Overlays (NVO3) Flow Specification Rules - + Abstract This draft specifies a new subset of component types to support the (Network Virtualization Overlays (NVO3)) flow-spec application. Status of This Document This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. 
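Review bot: the author block in this hunk's unchanged context still reads "China Mobil"; since the "Expires:" and date lines are being refreshed here anyway, correct the affiliation to "China Mobile" in the same pass rather than carrying the truncation into another revision.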
@@ -50,56 +50,57 @@ 2. NVO3 Flow Specification Encoding........................6 3. NVO3 Flow Specification Traffic Actions.................8 4. Security Considerations.................................8 5. IANA Considerations.....................................8 Normative References.......................................9 Informative References.....................................9 - Acknowledgments...........................................10 - Authors' Addresses........................................10 + Acknowledgments...........................................11 + Authors' Addresses........................................11 INTERNET-DRAFT NVO3 BGP Flow-Spec 1. Introduction BGP Flow-spec is an extension to BGP that supports the dissemination of traffic flow specification rules. It uses the BGP Control Plane to simplify the distribution of Access Control Lists (ACLs) and allows new filter rules to be injected to all BGP peers simultaneously without changing router configuration. A typical application of BGP Flow-spec is to automate the distribution of traffic filter lists to routers for Distributed Denial of Service (DDOS) mitigation. - [RFC5575] defines a new BGP Network Layer Reachability Information + [RFC5575bis] defines a new BGP Network Layer Reachability Information (NLRI) format used to distribute traffic flow specification rules. NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, SAFI=134) is for BGP/MPLS VPN filtering. [IPv6-FlowSpec] and [Layer2- FlowSpec] extend the flow-spec rules for IPv6 and layer 2 Ethernet packets respectively. All these previous flow specifications match only single layer IP/Ethernet information fields like source/destination MAC, source/destination IP prefix, protocol type, ports, and the like. In the cloud computing era, multi-tenancy has become a core requirement for data centers. 
Since Network Virtualization Overlays - (NVO3) can satisfy multi-tenancy key requirements, this technology is - being deployed in an increasing number of cloud data center networks. - NVO3 is an overlay technology and VXLAN [RFC7348] and NVGRE [RFC7367] - are two typical NVO3 encapsulations. GENEVE [GENEVE], GUE [GUE] and - GPE [GPE] are three emerging NVO3 encapsulations. Because it is an - overlay technology involving an additional level of encapsulation, - flow specification matching on the inner header as well as the outer - header, as specified below, is needed. + (NVO3 [RFC8014]) can satisfy multi-tenancy key requirements, this + technology is being deployed in an increasing number of cloud data + center networks. NVO3 is an overlay technology and VXLAN [RFC7348] + and NVGRE [RFC7367] are two typical NVO3 encapsulations. GENEVE + [GENEVE], GUE [GUE] and GPE [GPE] are three emerging NVO3 + encapsulations. Because it is an overlay technology involving an + additional level of encapsulation, flow specification matching on the + inner header as well as the outer header, as specified below, is + needed. INTERNET-DRAFT NVO3 BGP Flow-Spec +--+ |CE| +--+ | +----+ +----| PE |----+ +---------+ | +----+ | +---------+ 
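Review bot: the re-wrapped paragraph still cites NVGRE as "[RFC7367]" ("and NVGRE [RFC7367] are two typical NVO3 encapsulations"), but the matching reference entry later in this diff gives "RFC 7637, DOI 10.17487/RFC7637"; the anchor is a digit transposition, and since these lines are being touched anyway, rename it to [RFC7637] here and at the reference entry so the citation and the entry agree. The only substantive change in this paragraph is the added "[RFC8014]" citation, which is correct for the NVO3 architecture document.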
@@ -129,30 +130,30 @@ performs NVO3 encapsulation for DC interconnection with NVE3. The destination VTEP IP is NVE3's IP. The GW doesn't perform NVO3 tunnel termination. The DC interconnect WAN is pure an underlay network. 2. Segmented NVO3 tunnels across different data centers: NVE1 doesn't perform end-to-end NVO3 encapsulation to NVE3 for DC interconnection. The GW performs NVO3 tunnel encapsulation termination, and then transmits the inner original traffic through an MPLS network to the peer data center GW. The peer data center - GW again terminates MPLS encapsulation, and then performs NVO3 + GW terminates MPLS encapsulation, and then performs NVO3 encapsulation to transmit the traffic to the local NVE3. In the first solution, to differentiate bandwidth and Quality of - Service (QoS) among different tenants or applications, different TE - tunnels in the WAN network will be used to carry the end-to-end NVO3 - encapsulation traffic using VN ID, NVO3 outer header DSCP, and other - fields as the traffic classification match part. The BGP Flow-spec - protocol can be used to set the traffic classification on all GWs - simultaneously. + Service (QoS) among different tenants or applications, different + traffic engneered tunnels in the WAN network will be used to carry + the end-to-end NVO3 encapsulation traffic using VN ID, NVO3 outer + header DSCP, and other fields as the traffic classification match + part. The BGP Flow-spec protocol can be used to set the traffic + classification on all GWs simultaneously. INTERNET-DRAFT NVO3 BGP Flow-Spec In the second solution, a centralized BGP speaker can be deployed for DDOS mitigation in the WAN network. When the analyzer detects abnormal traffic, it will automatically generate Flow-spec rules and distribute them to each GW through the BGP Flow-spec protocol, the match part should include matching on inner or outer L2/L3 layer or NVO3 headers. 
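Review bot: the rewrapped QoS paragraph introduces a typo, "different + traffic engneered tunnels", which should read "traffic-engineered tunnels" (the -04 text had "TE tunnels", so expanding the abbreviation is fine, but spell it correctly). While editing this region, the unchanged context "The DC interconnect WAN is pure an underlay network" should be "purely an underlay network", and the DDOS paragraph's "the match part should include matching on inner or outer L2/L3 layer or NVO3 headers" is a normative statement about what rules the GWs must be able to match, so it should use the RFC 2119 keyword ("SHOULD" or "MUST") that the draft's boilerplate already commits to.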
@@ -177,39 +178,41 @@ The reader is assumed to be familiar with BGP and NVO3 terminology. The following terms and acronyms are used in this document with the meaning indicated: ACL - Access Control List DC - Data Center DDOS - Distributed Denial of Service (Attack) + DSCP - Differentiated Services Code Point + GW - gateway VN - virtual network VTEP - Virtual Tunnel End Point WAN - wide area network INTERNET-DRAFT NVO3 BGP Flow-Spec 2. NVO3 Flow Specification Encoding The current Flow-spec rules can only recognize flows based on the outer layer header of NVO3 encapsulation data packets. To enable traffic filtering based on an NVO3 header and on an inner header of NVO3 packets, a new component type acting as a delimiter is introduced. The delimiter type is used to indicate the boundary between the inner and outer layer component types for NVO3 data - packets. All the component types defined in [RFC5575], + packets. All the component types defined in [RFC5575bis], [IPv6-FlowSpec], [Layer2-FlowSpec], and the like can be used for the inner or outer header as indicated by the use of delimiters. Because the NVO3 outer layer address normally belongs to a public network, the "Flow Specification" NLRI for the outer layer header doesn't need to include a Route Distinguisher field (8 bytes). If the outer layer address belongs to a VPN, the NLRI format for the outer header should consist of a fixed-length Route Distinguisher field (8 bytes) corresponding to the VPN. This Route Distinguisher is followed by the detail flow specifications for the outer layer. 
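Review bot: the Route Distinguisher paragraph at the end of this hunk leaves the wire format ambiguous: "doesn't need to include a Route Distinguisher field (8 bytes)" for a public-network outer header and "should consist of a fixed-length Route Distinguisher field" for a VPN outer header gives a receiver no way to tell from the NLRI itself whether the first 8 bytes are an RD or the start of the component list, and a parser that guesses wrong will misinterpret every following {operation, value} pair. Tie RD presence to the SAFI the Introduction already names (133 without RD, 134 with RD) and state it with MUST/MUST NOT, since [RFC2119]/[RFC8174] are normative references. On the terminology additions: DSCP and GW are welcome, but NVE (used as NVE1/NVE3 in the previous section), VSID (used in the VN ID description), NLRI, and the CE/PE labels in the figure remain undefined; also keep capitalisation consistent, as "GW - gateway" and "WAN - wide area network" sit beside "DC - Data Center".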
@@ -259,35 +262,35 @@ - VXLAN: Tunnel Type = 0 - NVGRE: Tunnel Type = 1 I: If I is set to one, it indicates the component types for the inner layer of NVO3 headers immediately follow. O: If O is set to one, it indicates the component types for the outer layer of NVO3 headers immediately follow. -For the NVO3 header part, the following additional component types are - introduced. +For the NVO3 header part, the following additional two component types + are introduced. Type TBD2 - VN ID - Encoding: . + Encoding: . Defines a list of {operation, value} pairs used to match the 24-bit VN ID that is used as the tenant identification in NVO3 networks. For NVGRE encapsulation, the VN ID is equivalent to VSID. Values are encoded as 1- to 3-byte quantities. Type TBD3 - Flow ID - Encoding: + Encoding: Defines a list of {operation, value} pairs used to match 8-bit Flow ID fields which are only useful for NVGRE encapsulation. Values are encoded as 1-byte quantity. INTERNET-DRAFT NVO3 BGP Flow-Spec 3. NVO3 Flow Specification Traffic Actions The current traffic filtering actions are used for NVO3 encapsulation 
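Review bot: "Values are encoded as 1- to 3-byte quantities" for the 24-bit VN ID does not fit the numeric operator of the cited flow-spec encoding, whose length field selects 1, 2, 4 or 8 byte values; a 24-bit VN ID therefore has to be carried in a 4-byte value field (upper byte zero), and the text should say so, or implementations will disagree on the length bits and mis-parse the component. Two smaller points in the changed lines: "the following additional two component types" reads better as "the following two additional component types", and both the -04 and -05 "Encoding:" lines appear identical here ("Encoding: ."), which suggests the bracketed encoding description was lost in extraction; check the rendered -05 text to confirm the intended encoding actually survived. The unchanged context also assigns Tunnel Type values only to VXLAN (0) and NVGRE (1) although the Introduction lists GENEVE, GUE and GPE as NVO3 encapsulations; either allocate values for them or state that they are out of scope.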
@@ -311,57 +314,65 @@ TBD3 Flow ID [this document] INTERNET-DRAFT NVO3 BGP Flow-Spec Normative References [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . - [RFC5575] - Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, - J., and D. McPherson, "Dissemination of Flow Specification - Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, - . - [RFC8174] - [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [GENEVE] - J. Gross, T. Sridhar, etc, "Geneve: Generic Network Virtualization Encapsulation", draft-ietf-nvo3-geneve, work in progress. [GUE] - T. Herbert, L. Yong, O. Zia, "Generic UDP Encapsulation", draft-ietf-nvo3-gue, work in progress. + [RFC5575bis] - Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, + J., and D. McPherson, "Dissemination of Flow Specification + Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, + . + Informative References [RFC7348] - Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, L., Sridhar, T., Bursell, M., and C. Wright, "Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014, . [RFC7367] - Garg, P., Ed., and Y. Wang, Ed., "NVGRE: Network Virtualization Using Generic Routing Encapsulation", RFC 7637, DOI 10.17487/RFC7637, September 2015, . + [RFC8014] - Black, D., Hudson, J., Kreeger, L., Lasserre, M., and T. + Narten, "An Architecture for Data-Center Network Virtualization + over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December + 2016, . + [IPv6-FlowSpec] - R. Raszuk, etc, "Dissemination of Flow Specification Rules for IPv6", draft-ietf-idr-flow-spec-v6, work in progress. [Layer2-FlowSpec] - W. 
Hao, etc, "Dissemination of Flow Specification Rules for L2 VPN", draft-ietf-idr-flowspec-l2vpn, work in + +INTERNET-DRAFT NVO3 BGP Flow-Spec + progress. [GPE] - P. Quinn, etc, "Generic Protocol Extension for VXLAN", draft- ietf-nvo3-vxlan-gpe, work in progress. INTERNET-DRAFT NVO3 BGP Flow-Spec Acknowledgments The authors wish to acknowledge the important contributions of Jeff
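Review bot: the new "[RFC5575bis]" entry copies the bibliographic data of the deleted [RFC5575] entry verbatim ("RFC 5575, DOI 10.17487/RFC5575, August 2009"), so after this change the anchor used throughout the body is labelled "bis" but still resolves to the 2009 RFC. If the intent is to normatively reference the revision, the entry should cite draft-ietf-idr-rfc5575bis as work in progress, in the same style as the [GENEVE] and [GUE] entries; if the intent is to keep referencing RFC 5575, revert the anchor renames in the body instead. Two smaller points: the entry is appended after [GUE] rather than in the slot the deleted entry vacated, so the Normative References are no longer in a consistent order, and the unchanged context carries a duplicated label, "[RFC8174] - [RFC8174] - Leiba, B., ...", which should be collapsed to a single "[RFC8174] -".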