| draft-ietf-idr-flowspec-nvo3-08.txt | draft-ietf-idr-flowspec-nvo3-09.txt | |||
|---|---|---|---|---|
| INTERNET-DRAFT D. Eastlake | INTERNET-DRAFT D. Eastlake | |||
| Intended Status: Proposed Standard Futurewei Technologies | Intended Status: Proposed Standard Futurewei Technologies | |||
| W. Hao | W. Hao | |||
| S. Zhuang | S. Zhuang | |||
| Z. Li | Z. Li | |||
| Huawei Technologies | Huawei Technologies | |||
| R. Gu | R. Gu | |||
| China Mobil | China Mobil | |||
| Expires: July 15, 2020 January 16, 2020 | Expires: October 11, 2020 April 12, 2020 | |||
| BGP Dissemination of | BGP Dissemination of | |||
| Flow Specification Rules for Tunneled Traffic | Flow Specification Rules for Tunneled Traffic | |||
| draft-ietf-idr-flowspec-nvo3-08 | draft-ietf-idr-flowspec-nvo3-09 | |||
| Abstract | Abstract | |||
| This draft specifies a Border Gateway Protocol Network Layer | This draft specifies a Border Gateway Protocol (BGP) Network Layer | |||
| Reachability Information (BGP NLRI) encoding format for flow | Reachability Information (NLRI) encoding format for flow | |||
| specifications (RFC 5575bis) that can match on a variety of tunneled | specifications (RFC 5575bis) that can match on a variety of tunneled | |||
| traffic. In addition, flow specification components are specified for | traffic. In addition, flow specification components are specified for | |||
| certain tunneling header fields. | certain tunneling header fields. | |||
| Status of This Document | Status of This Document | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Distribution of this document is unlimited. Comments should be sent | Distribution of this document is unlimited. Comments should be sent | |||
| skipping to change at page 2, line 5 ¶ | skipping to change at page 2, line 5 ¶ | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft | http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft | |||
| Shadow Directories can be accessed at | Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction............................................3 | 1. Introduction............................................3 | |||
| 1.1 Terminology............................................3 | 1.1 Terminology............................................3 | |||
| 2. Tunneled Traffic Flow Specification NLRI................5 | 2. Tunneled Traffic Flow Specification NLRI................5 | |||
| 2.1 The SAFI Code Point....................................7 | 2.1 The SAFI Code Point....................................7 | |||
| 2.2 Tunnel Header Component Code Points....................8 | 2.2 Tunnel Header Component Code Points....................8 | |||
| 2.3 Specific Tunnel Types..................................9 | 2.3 Specific Tunnel Types..................................9 | |||
| 2.3.1 VXLAN................................................9 | 2.3.1 VXLAN................................................9 | |||
| 2.3.2 VXLAN-GPE...........................................10 | 2.3.2 VXLAN-GPE...........................................10 | |||
| 2.3.3 NVGRE...............................................11 | 2.3.3 NVGRE...............................................11 | |||
| 2.3.4 L2TPv3..............................................11 | 2.3.4 L2TPv3..............................................11 | |||
| 2.3.5 GRE.................................................12 | 2.3.5 GRE.................................................12 | |||
| 2.3.6 IP-in-IP............................................12 | 2.3.6 IP-in-IP............................................12 | |||
| 2.4 Tunneled Traffic Actions..............................12 | 2.4 Tunneled Traffic Actions..............................13 | |||
| 3. Order of Traffic Filtering Rules.......................13 | 3. Order of Traffic Filtering Rules.......................14 | |||
| 4. Flow Spec Validation...................................14 | 4. Flow Spec Validation...................................15 | |||
| 5. Security Considerations................................14 | 5. Security Considerations................................15 | |||
| 6. IANA Considerations....................................14 | 6. IANA Considerations....................................15 | |||
| Normative References......................................15 | Normative References......................................16 | |||
| Informative References....................................16 | Informative References....................................17 | |||
| Acknowledgments...........................................17 | Acknowledgments...........................................18 | |||
| Authors' Addresses........................................17 | Authors' Addresses........................................18 | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| 1. Introduction | 1. Introduction | |||
| BGP Flow-spec [RFC5575bis] is an extension to BGP that supports the | BGP Flow Specification (flowspec [RFC5575bis]) is an extension to BGP | |||
| dissemination of traffic flow specification rules. It uses the BGP | that supports the dissemination of traffic flow specification rules. | |||
| control plane to simplify the distribution of Access Control Lists | It uses the BGP control plane to simplify the distribution of Access | |||
| (ACLs) and allows new filter rules to be injected to all BGP peers | Control Lists (ACLs) and allows new filter rules to be injected to | |||
| simultaneously without changing router configuration. A typical | all BGP peers simultaneously without changing router configuration. A | |||
| application of BGP Flow-spec is to automate the distribution of | typical application of BGP flowspec is to automate the distribution | |||
| traffic filter lists to routers for Distributed Denial of Service | of traffic filter lists to routers for Distributed Denial of Service | |||
| (DDOS) mitigation. | (DDOS) mitigation. | |||
| BGP Flow-spec defines a BGP Network Layer Reachability Information | BGP flowspec defines BGP Network Layer Reachability Information | |||
| (NLRI) format used to distribute traffic flow specification rules. | (NLRI) formats used to distribute traffic flow specification rules. | |||
| AFI=1/SAFI=133 is for IPv4 unicast filtering. AFI=1/SAFI=134 is for | AFI=1/SAFI=133 is for IPv4 unicast filtering. AFI=1/SAFI=134 is for | |||
| IPv4 BGP/MPLS VPN filtering. [FlowSpecV6] and [FlowSpecL2] extend the | IPv4 BGP/MPLS VPN filtering. [FlowSpecV6] and [FlowSpecL2] extend the | |||
| flow-spec rules for IPv6 and layer 2 Ethernet packets respectively. | flowspec rules for IPv6 and Layer 2 Ethernet packets respectively. | |||
| None of these previous flow specifications are suitable for matching | None of these previously defined flow specifications are suitable for | |||
| in cases of tunneling or encapsulation where there might be | matching in cases of tunneling or encapsulation where there might be | |||
| duplicates of a layer of header such as two IPv6 headers in IP-in-IP | duplicates of a layer of header such as two IPv6 headers in IP-in-IP | |||
| or a nested header sequence such as the layer 2 and 3 headers | or a nested header sequence such as the Layer 2 and 3 headers | |||
| encapsulated in VXLAN [RFC7348]. | encapsulated in VXLAN [RFC7348]. | |||
| In the cloud computing era, multi-tenancy has become a core | In the cloud computing era, multi-tenancy has become a core | |||
| requirement for data centers. It is increasingly common to see | requirement for data centers. It is increasingly common to see | |||
| tunneled traffic with a field to distinguish tenants. An example is | tunneled traffic with a field to distinguish tenants. An example is | |||
| the Network Virtualization Over Layer 3 (NVO3 [RFC8014]) overlay | the Network Virtualization Over Layer 3 (NVO3 [RFC8014]) overlay | |||
| technology that can satisfy multi-tenancy key requirements. VXLAN | technology that can satisfy multi-tenancy key requirements. VXLAN | |||
| [RFC7348] and NVGRE [RFC7637] are two typical NVO3 encapsulations. | [RFC7348] and NVGRE [RFC7637] are two typical NVO3 encapsulations. | |||
| Other encapsulations such as IP-in-IP or GRE may be encountered. | Other encapsulations such as IP-in-IP or GRE may be encountered. | |||
| Because these tunnel / overlay technologies involving an additional | Because these tunnel / overlay technologies involving an additional | |||
| level of encapsulation, flow specification that can match on the | level of encapsulation, flow specification that can match on the | |||
| inner header as well as the outer header are needed. | inner header as well as the outer header and fields in any tunneling | |||
| header are needed. | ||||
| In summary, Flow specifications should be able to include inner | In summary, Flow Specifications should be able to include inner | |||
| nested header information as well as fields specific to the type of | nested header information as well as fields specific to the type of | |||
| tunneling in use such as virtual network / tenant ID. This draft | tunneling in use such as virtual network / tenant ID. This draft | |||
| specifies methods for accomplishing this using SAFI=TBD1 and a new | specifies methods for accomplishing this using SAFI=TBD1 and a new | |||
| NLRI encoding. | NLRI encoding. | |||
| 1.1 Terminology | 1.1 Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| The reader is assumed to be familiar with BGP terminology. The | The reader is assumed to be familiar with BGP terminology. The | |||
| following terms and acronyms are used in this document with the | following terms and acronyms are used in this document with the | |||
| meaning indicated: | meaning indicated: | |||
| ACL - Access Control List | ACL - Access Control List | |||
| DDOS - Distributed Denial of Service (Attack) | DDoS - Distributed Denial of Service (Attack) | |||
| DSCP - Differentiated Services Code Point | DSCP - Differentiated Services Code Point | |||
| GRE - Generic Router Encapsulation [RFC2890] | GRE - Generic Router Encapsulation [RFC2890] | |||
| L2TPv3 - Layer Two Tunneling Protocol - Version 3 [RFC3931] | L2TPv3 - Layer Two Tunneling Protocol - Version 3 [RFC3931] | |||
| NLRI - Network Layer Reachability Information | NLRI - Network Layer Reachability Information | |||
| NVGRE - Network Virtualization Using Generic Routing Encapsulation | NVGRE - Network Virtualization Using Generic Routing Encapsulation | |||
| [RFC7637] | [RFC7637] | |||
| NVO3 - Network Virtual Overlay Layer 3 [RFC8014] | NVO3 - Network Virtual Overlay Layer 3 [RFC8014] | |||
| PE - Provider Edge | ||||
| VN - virtual network | VN - virtual network | |||
| VXLAN - Virtual eXtensible Local Area Network [RFC7348] | VXLAN - Virtual eXtensible Local Area Network [RFC7348] | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| 2. Tunneled Traffic Flow Specification NLRI | 2. Tunneled Traffic Flow Specification NLRI | |||
| The Flow-spec rules specified in [RFC5575bis], [FlowSpecV6], and | The Flowspec rules specified in [RFC5575bis], [FlowSpecV6], and | |||
| [FlowSpecL2] cannot match or filter tunneled traffic based on the | [FlowSpecL2] cannot match or filter tunneled traffic based on the | |||
| tunnel type, any tunnel header fields, or headers past the tunnel | tunnel type, any tunnel header fields, or headers past the tunnel | |||
| header. To enable flow specification of tunneled traffic, a new SAFI | header. To enable flow specification of tunneled traffic, a new SAFI | |||
| (TBD1) and NLRI encoding are introduced. This encoding, shown in | (TBD1) and NLRI encoding are introduced. This encoding, shown in | |||
| Figure 1, enables flow specification of more than one layer of header | Figure 1, enables flow specification of more than one layer of header | |||
| when needed. | when needed. | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| | Length 2 octets | | | Length 2 octets | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| | Tunnel Type 2 octets | | | Tunnel Type 2 octets | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| Flags: | Flags: | |||
| +--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+ | |||
| | D| I| Reserved | 1 octet | | D| I| Reserved | 1 octet | |||
| +--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+ | |||
| Optional Routing Discriminator: | Optional Routing Distinguisher: | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| | | | | | | |||
| + + | + + | |||
| | | | | | | |||
| + Routing Discriminator 8 octets + | + Routing Distinguisher 8 octets + | |||
| | | | | | | |||
| + + | + + | |||
| | | | | | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| Outer Flow-spec: | Outer Flowspec: | |||
| +--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+ | |||
| | Outer Flowspec Length : 1 or 2 octets | | Outer Flowspec Length : 1 or 2 octets | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| | Outer Flow-spec variable : | | Outer Flowspec variable : | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| Tunnel Header Flow-Spec: | Tunnel Header Flowspec: | |||
| +--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+ | |||
| | Tunnel Flowspec Length: 1 or 2 octets | | Tunnel Flowspec Length: 1 or 2 octets | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| | Tunnel Header Flow-spec variable : | | Tunnel Header Flowspec variable : | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| Optional Inner Flow-spec: | Optional Inner Flowspec: | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| | Inner AFI 2 octets | | | Inner AFI 2 octets | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| | Inner Flowspec Length : 1 or 2 octets | | Inner Flowspec Length : 1 or 2 octets | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| | Inner Flow-spec variable : | | Inner Flowspec variable : | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| Figure 1. Tunneled Traffic Flow-spec NLRI | Figure 1. Tunneled Traffic Flowspec NLRI | |||
| Length - The NLRI Length including the Tunnel Type encoded as an | Length - The NLRI Length including the Tunnel Type encoded as an | |||
| unsigned integer. | unsigned integer. | |||
| Tunnel Type - The type of tunnel using a value from the IANA BGP | Tunnel Type - The type of tunnel using a value from the IANA BGP | |||
| Tunnel Encapsulation Attribute Tunnel Types registry. | Tunnel Encapsulation Attribute Tunnel Types registry. | |||
| Flags: D bit - Indicates the presence of the Routing Discriminator | Flags: D bit - Indicates the presence of the Routing Distinguisher | |||
| (see below). | (see below). | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| Flags: I bit - Indicates the presence of the Inner AFI and the Inner | Flags: I bit - Indicates the presence of the Inner AFI and the Inner | |||
| Flow-spec. | Flowspec (see below). | |||
| Flags: Reserved - Six bits that MUST be sent as zero and ignored on | Flags: Reserved - Six bits that MUST be sent as zero and ignored on | |||
| receipt. | receipt. | |||
| Routing Discriminator - If the outer Layer 3 address belongs to a | Routing Distinguisher - If the outer Layer 3 address belongs to a | |||
| BGP/MPLS VPN, the routing discriminator can be included to | BGP/MPLS VPN, the routing distinguisher is included to indicate | |||
| support traffic filtering within that VPN. Because NVO3 outer | traffic filtering within that VPN. Because NVO3 outer layer | |||
| layer addresses normally belong to a public network, a Route | addresses normally belong to a public network, a Route | |||
| Distinguisher field is normally not needed for NVO3. | Distinguisher field is normally not needed for NVO3. | |||
| Outer Flow-spec / Length - The flow specification for the outer | Outer Flowspec / Length - The flow specification for the outer | |||
| header. The length is encoded as provided in Section 4.1 of | header. The length is encoded as provided in Section 4.1 of | |||
| [RFC5575bis]. The AFI for the outer Flow-spec is that AFI at | [RFC5575bis]. The AFI for the Outer Flowspec is the AFI at the | |||
| the beginning of the BGP multiprotocol MP_REACH_NLRI or | beginning of the BGP multiprotocol MP_REACH_NLRI or | |||
| MP_UNREACH_NLRI containing the tunneled traffic flow | MP_UNREACH_NLRI containing the tunneled traffic flow | |||
| specification NLRI. | specification NLRI. | |||
| Tunnel Header Flow-spec / Length - The flow specification for the | Tunnel Header Flowspec / Length - The flow specification for the | |||
| tunneling header. This can specify matching criterion on tunnel | tunneling header. This specifies matching criterion on tunnel | |||
| header fields. The tunnel type itself is indicated by the | header fields. The tunnel type itself is indicated by the | |||
| Tunnel Type field above. For some types of tunneling, such as | Tunnel Type field above. For some types of tunneling, such as | |||
| IP-in-IP, there may be no tunnel header fields. For other types | IP-in-IP, there may be no tunnel header fields. For other types | |||
| of tunneling, there may be several tunnel header fields on | of tunneling, there may be several tunnel header fields on | |||
| which matching could be specified with this Flow-spec. | which matching can be specified with this flowspec. | |||
| Inner AFI - Depending on the Tunnel Type, there may be an Inner AFI | Inner AFI - Depending on the Tunnel Type, there may be an Inner AFI | |||
| that indicates the address family for the inner flow | that indicates the address family for the inner flow | |||
| specification. There is no need for a SAFI as, in effect, it | specification. There is no need for a SAFI as the treatment of | |||
| is automatically TBD1, the SAFI for a tunneled traffic flow | this inner AFI and following flowspec is indicated by the outer | |||
| specification. | SAFI TBD1, the SAFI for a tunneled traffic flow specification. | |||
| Inner Flow-spec / Length - Depending on the Tunnel Type, there may be | Inner Flowspec / Length - Depending on the Tunnel Type, there may be | |||
| an inner flow specification for the header level encapsulated | an inner flowspec for the header level encapsulated within the | |||
| within the outer header. The length is encoded as provided in | outer header. The length is encoded as provided in Section 4.1 | |||
| Section 4.1 of [RFC5575bis]. | of [RFC5575bis]. | |||
| A Tunneled Traffic Flow-spec matches if the Outer Flow-spec, Tunnel | A Tunneled Traffic Flowspec matches if the Outer Flowspec, Tunnel | |||
| Header Flow-spec, and Inner Flow-spec all match and the Routing | Header Flowspec, and Inner Flowspec, if present, all match and the | |||
| Discriminator applies, if present. An omitted (as can be done for the | Routing Distinguisher applies, if present. An omitted (as can be done | |||
| Inner Flow-spec) or null Flow-spec is considered to always match. | for the Inner Flowspec) or null flowspec is considered to always | |||
| match. | ||||
| 2.1 The SAFI Code Point | 2.1 The SAFI Code Point | |||
| Use of the tunneled traffic flow specification NLRI format is | Use of the tunneled traffic flow specification NLRI format is | |||
| indicated by SAFI=TBD1. This is used in conjunction with the AFI for | indicated by SAFI=TBD1. This is used in conjunction with the AFI for | |||
| the outer header, that is AFI=1 for IPv4, AFI=2 for IPv6, and AFI=6 | ||||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| the outer header, that is AFI=1 for IPv4, AFI=2 for IPv6, and AFI=6 | ||||
| for Layer 2. | for Layer 2. | |||
| 2.2 Tunnel Header Component Code Points | 2.2 Tunnel Header Component Code Points | |||
| For flow specification based on most tunneling headers, there are | For flowspec based on most tunneling, there are tunnel header fields | |||
| additional tunnel header fields that can be tested by components that | that can be tested by components that appear in the Tunnel Header | |||
| appear in the Tunnel Header Flow-spec field. The types for these | Flowspec field. The types for these components are specified in a | |||
| components are specified in a Tunnel Header Flow-spec component | Tunnel Header Flowspec component registry (see Section 6). | |||
| registry (see Section 6). | ||||
| All Tunnel Header field components defined below and all such | All Tunnel Header field components defined below and all such | |||
| components added in the future have a TLV structure as follows: | components added in the future have a TLV structure as follows: | |||
| - one octet of type followed by | - one octet of type followed by | |||
| - one octet giving the length as an unsigned integer number of | - one octet giving the length as an unsigned integer number of | |||
| octets followed by | octets followed by | |||
| - the specific matching operations/values as determined by the | - the specific matching operations/values as determined by the | |||
| type. | type. | |||
| Type 1 - VN ID | Type 1 - VN ID | |||
| Encoding: <type (1 octet), length (1 octet), [op, value]+>. | Encoding: <type (1 octet), length (1 octet), [op, value]+>. | |||
| Defines a list of {operation, value} pairs used to match the | Defines a list of {operation, value} pairs used to match the | |||
| 24-bit VN ID that is used as the tenant identification in some | 24-bit VN ID that is used as the tenant identification in some | |||
| tunneling headers. For VXLAN encapsulation, the VN ID is the | tunneling headers. For VXLAN encapsulation, the VN ID is the | |||
| VNI. For NVGRE encapsulation, the VN ID is the VSID. op is | VNI. For NVGRE encapsulation, the VN ID is the VSID. op is | |||
| encoded as specified in Section 4.2.3 of [RFC5575bis]. Values | encoded as specified in Section 4.2.3 of [RFC5575bis]. Values | |||
| are encoded as a 1, 2, or 4 octet quantity. If value is | are encoded as a 1, 2, or 4 octet quantity. If value is | |||
| 24-bits, they are left-justified in the first 3 octets of the | 24-bits, it is left-justified in the first 3 octets of the | |||
| value and the last value octet MUST be sent as zero and ignored | value and the last value octet MUST be sent as zero and ignored | |||
| on receipt. | on receipt. | |||
| Type 2 - Flow ID | Type 2 - Flow ID | |||
| Encoding: <type (1 octet), length (1 octet), [op, value]+> | Encoding: <type (1 octet), length (1 octet), [op, value]+> | |||
| Defines a list of {operation, value} pairs used to match 8-bit | Defines a list of {operation, value} pairs used to match 8-bit | |||
| Flow ID fields which are currently only useful for NVGRE | Flow ID fields which are currently only useful for NVGRE | |||
| encapsulation. op is encoded as specified in Section 4.2.3 of | encapsulation. op is encoded as specified in Section 4.2.3 of | |||
| [RFC5575bis]. Values are encoded as a 1-octet quantity. | [RFC5575bis]. Values are encoded as a 1-octet quantity. | |||
| Type 3 - Session | Type 3 - Session | |||
| Encoding: <type (1 octet), length (1 octet), [op, value]+> | Encoding: <type (1 octet), length (1 octet), [op, value]+> | |||
| Defines a list of {operation, value} pairs used to match a | Defines a list of {operation, value} pairs used to match a | |||
| 32-bit Session field. This field is called Key in GRE [RFC2890] | 32-bit Session field. This field is called Key in GRE [RFC2890] | |||
| encapsulation and Session ID in L2TPv3 encapsulation. op is | encapsulation and Session ID in L2TPv3 encapsulation. op is | |||
| encoded as specified in Section 4.2.3 of [RFC5575bis]. Values | encoded as specified in Section 4.2.3 of [RFC5575bis]. Values | |||
| are encoded as a 1, 2, or 4 octet quantity. | are encoded as a 1, 2, or 4 octet quantity. | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| Type 4 - Cookie | Type 4 - Cookie | |||
| Encoding: <type (1 octet), length (1 octet), [op, value]+> | Encoding: <type (1 octet), length (1 octet), [op, value]+> | |||
| Defines a list of {operation, value} pairs used to match a | Defines a list of {operation, value} pairs used to match a | |||
| variable length Cookie field. This is only useful in L2TPv3 | variable length Cookie field. This is only useful in L2TPv3 | |||
| encapsulation. op is encoded as specified in Section 4.2.3 of | encapsulation. op is encoded as specified in Section 4.2.3 of | |||
| [RFC5575bis]. Values are encoded as a 1, 2, 4, or 8 octet | [RFC5575bis]. Values are encoded as a 1, 2, 4, or 8 octet | |||
| quantity. If the Cookie does not fit exactly into the value | quantity. If the Cookie does not fit exactly into the value | |||
| length, it is left justified, that is, padded with following | length, it is left justified, that is, padded with following | |||
| skipping to change at page 9, line 42 ¶ | skipping to change at page 9, line 42 ¶ | |||
| The headers on a VXLAN [RFC7348] data packet are an outer Ethernet | The headers on a VXLAN [RFC7348] data packet are an outer Ethernet | |||
| header, an outer IP header, a UDP header, the VXLAN header, and an | header, an outer IP header, a UDP header, the VXLAN header, and an | |||
| inner Ethernet header. This inner Ethernet header is frequently, but | inner Ethernet header. This inner Ethernet header is frequently, but | |||
| not always, followed by an inner IP header. If the tunnel type is | not always, followed by an inner IP header. If the tunnel type is | |||
| VXLAN, the I flag MUST be set. | VXLAN, the I flag MUST be set. | |||
| If the outer Ethernet header is not being matched, the version (IPv4 | If the outer Ethernet header is not being matched, the version (IPv4 | |||
| or IPv6) of the outer IP header is indicated by the AFI at the | or IPv6) of the outer IP header is indicated by the AFI at the | |||
| beginning of the multiprotocol MP_REACH_NLRI or MP_UNREACH_NLRI | beginning of the multiprotocol MP_REACH_NLRI or MP_UNREACH_NLRI | |||
| containing the tunneled traffic flow specification NLRI. The outer | containing the tunneled traffic flow specification NLRI. The outer | |||
| Flow-spec is used to filter the outer headers including, if desired, | Flowspec is used to filter the outer headers including, if desired, | |||
| the UDP header. | the UDP header. | |||
| If the outer Ethernet header is being matched, then the initial AFI | If the outer Ethernet header is being matched, then the initial AFI | |||
| is 6 [FlowSpecL2] and the Outer Flow-spec can match the outer | is 6 [FlowSpecL2] and the Outer Flowspec can match the outer Ethernet | |||
| Ethernet header, specify the IP version of the outer IP header, and | header, specify the IP version of the outer IP header, and match that | |||
| match that IP header including, if desired, the UDP header. | IP header including, if desired, the UDP header. | |||
| The Tunnel Header Flow-spec can be used to filter on the VXLAN header | The Tunnel Header Flowspec can be used to filter on the VXLAN header | |||
| VN ID (VNI). | VN ID (VNI). | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| The inner Flow-spec can be used on the Inner Ethernet header | The Inner Flowspec can be used on the Inner Ethernet header | |||
| [FlowSpecL2] and any following IP header. If the inner AFI is 6, | [FlowSpecL2] and any following IP header. If the inner AFI is 6, | |||
| then the inner Flow-spec provides filtering of the Layer 2 header, | then the inner Flowspec provides filtering of the Layer 2 header, | |||
| indicates whether filtering on a following IPv4 or IPv6 header is | indicates whether filtering on a following IPv4 or IPv6 header is | |||
| desired, and if it is desired provides the Flow-spec components for | desired, and if it is desired provides the Flowspec components for | |||
| that filtering. If the Inner AFI is 1 or 2, the Inner Ethernet | that filtering. If the Inner AFI is 1 or 2, the Inner Ethernet | |||
| header is not matched and to match the Flow-spec the Inner Ethernet | header is not matched and to match the Flowspec the Inner Ethernet | |||
| header must be followed by an IPv4 or IPv6 header, respectively, and | header must be followed by an IPv4 or IPv6 header, respectively, and | |||
| the inner Flow-spec is used to filter that inner IP header. | the inner Flowspec is used to filter that inner IP header. | |||
| The inner MAC/IP address is associated with a VN ID. In the NVO3 | The inner MAC/IP address is associated with the VN ID. In the NVO3 | |||
| terminating into a VPN scenario, if multiple access VN IDs map to one | terminating into a VPN scenario, if multiple access VN IDs map to one | |||
| VPN instance, one shared VN ID can be carried in the Flow-Spec rule | VPN instance, one shared VN ID can be carried in the flowspec rule to | |||
| to enforce the rule on the entire VPN instance and the shared VN ID | enforce the rule on the entire VPN instance and the shared VN ID and | |||
| and VPN correspondence should be configured on each VPN PE | VPN correspondence should be configured on each VPN PE beforehand. In | |||
| beforehand. In this case, the function of the Layer 3 VN ID is the | this case, the function of the Layer 3 VN ID is the same as a Route | |||
| same as a Route Discriminator: it acts as the identification of the | Distinguisher: it acts as the identification of the VPN instance. | |||
| VPN instance. | ||||
| 2.3.2 VXLAN-GPE | 2.3.2 VXLAN-GPE | |||
| VXLAN-GPE [GPE] is similar to VXLAN and the VXLAN-GPE header is the | VXLAN-GPE [GPE] is similar to VXLAN. The VXLAN-GPE header is the same | |||
| same size as the VXLAN header but has been extended from the VXLAN | size as the VXLAN header but has been extended from the VXLAN header | |||
| header by specifying a number of bits that are reserved in the VXLAN | by specifying a number of bits that are reserved in the VXLAN header. | |||
| header. In particular, a number of additional flag bits are specified | In particular, a number of additional flag bits are specified and a | |||
| and a Next Protocol field is added that is valid if the P flag bit is | Next Protocol field is added that is valid if the P flag bit is set. | |||
| set. These flags bits can be tested using the VXLAN-GPE Flags | These flags bits can be tested using the VXLAN-GPE Flags flowspec | |||
| component defined above. VXLAN and VXLAN-GPE are distinguished by the | component defined above. VXLAN and VXLAN-GPE are distinguished by the | |||
| port number in the UDP header the precedes the VXLAN or VXLAN-GPE | port number in the UDP header the precedes the VXLAN or VXLAN-GPE | |||
| headers. | headers. | |||
| If the VXLAN-GPE header P flag is zero, then that header is followed | If the VXLAN-GPE header P flag is zero, then that header is followed | |||
| by the same sequence as for VXLAN and the same Flow-spec choices | by the same sequence as for VXLAN and the same flowspec choices apply | |||
| apply (see Section 2.3.1). | (see Section 2.3.1). | |||
| If the VXLAN-GPE header P flag is one and that header's next protocol | If the VXLAN-GPE header P flag is one and that header's next protocol | |||
| field is 1, then the VXLAN-GPE header is followed by an IPv4 header. | field is 1, then the VXLAN-GPE header is followed by an IPv4 header. | |||
| The inner AFI/Flow-spec match only if the inner AFI is 1 and the | The Inner Flowspec matches only if the Inner AFI is 1 and the Inner | |||
| inner Flow-spec matches. | Flowspec matches. | |||
| If the VXLAN-GPE header P flag is one and that header's next protocol | If the VXLAN-GPE header P flag is one and that header's next protocol | |||
| field is 2, then the VXLAN-GPE header is followed by an IPv6 header. | field is 2, then the VXLAN-GPE header is followed by an IPv6 header. | |||
| The inner AFI/Flow-spec match only if the inner AFI is 2 and the | The Inner Flowspec match only if the Inner AFI is 2 and the Inner | |||
| inner Flow-spec matches. | Flowspec matches. | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| 2.3.3 NVGRE | 2.3.3 NVGRE | |||
| NVGRE [RFC7637] is very similar to VXLAN except that the UDP header | NVGRE [RFC7637] is very similar to VXLAN except that the UDP header | |||
| and VXLAN header immediately after the outer IP header are replaced | and VXLAN header immediately after the outer IP header are replaced | |||
| by a GRE (Generic Router Encapsulation) header. The GRE header as | by a GRE (Generic Router Encapsulation) header. The GRE header as | |||
| used in NVGRE has no Checksum or Reserved1 field as shown in | used in NVGRE has no Checksum or Reserved1 field as shown in | |||
| [RFC2890] but there are Virtual Subnet ID and Flow ID fields in place | [RFC2890] but there are Virtual Subnet ID and Flow ID fields in place | |||
| of what is labeled in [RFC2890] as the Key field. Processing and | of what is labeled in [RFC2890] as the Key field. Processing and | |||
| restrictions for NVGRE are as in Section 2.3.1 eliminating references | restrictions for NVGRE are as in Section 2.3.1 eliminating references | |||
| to a UDP header and replacing references to the VXLAN header and its | to a UDP header and replacing references to the VXLAN header and its | |||
| VN ID with references to the GRE header and its VN ID (VSID) and Flow | VN ID with references to the GRE header and its VN ID (VSID) and Flow | |||
| ID. | ID. | |||
| 2.3.4 L2TPv3 | 2.3.4 L2TPv3 | |||
| The headers on an L2TPv3 [RFC3931] packets are an outer Ethernet | The headers on an L2TPv3 [RFC3931] packets are an outer Ethernet | |||
| header, an outer IP header, the L2TPv3 header, an inner Ethernet | header, an outer IP header, the L2TPv3 header, an inner Ethernet | |||
| header, and possibly an inner IP header if indicated by the inner | header, and possibly an inner IP header if indicated by the inner | |||
| Ethernet header EtherType. The outer Flow-spec operates on the outer | Ethernet header EtherType. The Outer Flowspec operates on the outer | |||
| headers that precede the GRE header. The version of IP is specified | headers that precede the GRE header. The version of IP in the outer | |||
| by the outer AFI at the beginning of the MP_REACH_NLRI or | IP header is specified by either the outer AFI at the beginning of | |||
| MP_UNREACH_NLRI. | the MP_REACH_NLRI or MP_UNREACH_NLRI or, if that AFI is 6 (L2), | |||
| optionally specified by the inner AFI within that L2 flowspec. | ||||
| The L2TPv3 header consists of a 32-bit Session ID followed by a | The L2TPv3 header consists of a 32-bit Session ID followed by a | |||
| variable length Cookie (maximum length 8 octets). The Session ID and | variable length Cookie (maximum length 8 octets). The Session ID and | |||
| Cookie can be filtered for by using the Session and Cookie Flow-spec | Cookie can be filtered for by using the Session and Cookie flowspec | |||
| components in the Tunnel Header Flow-spec. To filter on Cookie or | components in the Tunnel Header Flowspec. To filter on Cookie or even | |||
| even be able to bypass Cookie and parse the remainder of the L2TPv3 | be able to bypass Cookie and parse the remainder of the L2TPv3 | |||
| packet, the node implementing Flow-spec needs to know the length | packet, the node implementing flowspec needs to know the length | |||
| and/or value of the Cookie fields of interest. This is negotiated at | and/or value of the Cookie fields of interest. This is negotiated at | |||
| L2TPv3 session establishment and it is out of scope for this document | L2TPv3 session establishment and it is out of scope for this document | |||
| how the node would learn this information. Of course, if Flow-spec is | how the node would learn this information. Of course, if flowspec is | |||
| being used for DDOS mitigation and the Cookie has a fixed length | being used for DDOS mitigation and the Cookie has a fixed length | |||
| and/or value in the DDOS traffic, this could be learned by inspecting | and/or value in the DDOS traffic, this could be learned by inspecting | |||
| that traffic. | that traffic. | |||
| If the I flag bit is zero, then no filtering is done on data beyond | If the I flag bit is zero, then no filtering is done on data beyond | |||
| the L2TPv3 header. If the I flag is one, indicating the presence of | the L2TPv3 header. If the I flag is one, indicating the presence of | |||
| an inner Flow-spec, and the node implementing Flow-spec does not know | an Inner Flowspec, and the node implementing flowspec does not know | |||
| the length of the L2TPv3 header Cookie, the match fails. If that node | the length of the L2TPv3 header Cookie, the match fails. If that node | |||
| does know the length of that Cookie, the inner Flow-spec if matched | does know the length of that Cookie, the Inner Flowspec if matched | |||
| against the headers at the beginning of that data using the inner | against the headers at the beginning of that data using the Inner | |||
| AFI. If the inner AFI is 1 or 2, then an inner IP header is required | AFI. If that Inner AFI is 1 or 2, then an inner IP header is required | |||
| and filtering can be done on the Ethernet header immediately after | and filtering can be done on the Ethernet header immediately after | |||
| the L2TPv3 header and the following IPv4 or IPv6 headers | the L2TPv3 header and the following IPv4 or IPv6 headers | |||
| respectively. If the inner AFI is 6, filtering SHOULD only be done on | respectively. If the Inner AFI is 6, filtering is done on the inner | |||
| the inner Ethernet header [FlowSpecL2]. | Ethernet header and, if a non-zero inner AFI is specified within the | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| inner L2 flowspec, done on the following IP header [FlowSpecL2]. | ||||
| 2.3.5 GRE | 2.3.5 GRE | |||
| Generic Router Encapsulation (GRE [RFC2890]) is another type of | Generic Router Encapsulation (GRE [RFC2890]) is another type of | |||
| encapsulation. The outer Flow-spec operates on the outer headers that | encapsulation. The Outer Flowspec operates on the outer headers that | |||
| precede the GRE header. The version of IP is specified by the outer | precede the GRE header. The version of IP is specified by the outer | |||
| AFI at the beginning of the MP_REACH_NLRI or MP_UNREACH_NLRI. | AFI at the beginning of the MP_REACH_NLRI or MP_UNREACH_NLRI. | |||
| If the I flag bit is zero, no filtering is done on data after the GRE | If the I flag bit is zero, no filtering is done on data after the GRE | |||
| header. If the I flag bit is one, then there is an inner AFI and | header. If the I flag bit is one, then there is an inner AFI and | |||
| Flow-spec and the Protocol Type field of the GRE header must match | flowspec and the Protocol Type field of the GRE header must match the | |||
| the inner AFI as follows for the Flow-spec to match: | Inner AFI as follows for the Flowspec to match: | |||
| GRE Protocol Type Inner AFI | GRE Protocol Type Inner AFI | |||
| ------------------- ----------- | ------------------- ----------- | |||
| 0x0800 (IPv4) 1 | 0x0800 (IPv4) 1 | |||
| 0x86DD (IPv6) 2 | 0x86DD (IPv6) 2 | |||
| 0x6558 6 | 0x6558 6 | |||
| With the I flag a one and the inner AFI and GRE Protocol Type fields | With the I flag a one and the Inner AFI and GRE Protocol Type fields | |||
| match, the inner Flow-spec is used to filter the inner Ethernet | match, the Inner Flowspec is used to filter the inner IP headers | |||
| header (AFI=6) or the inner IP and Ethernet headers (AFI=1 or 2). | (Inner AFI=1 or 2) or the inner Ethernet header and optionally a | |||
| following IP header (Inner AFI=6). | ||||
| 2.3.6 IP-in-IP | 2.3.6 IP-in-IP | |||
| IP-in-IP encapsulation is shown when the outer IP header indicates an | IP-in-IP encapsulation is indicated when an outer IP header indicates | |||
| inner IP IPv4 or IPv6 header by the value of the outer IP header's | an inner IP IPv4 or IPv6 header by the value of the outer IP header's | |||
| Protocol (IPv4) or Next Protocol (IPv6) field. If the Tunnel Type is | Protocol (IPv4) or Next Protocol (IPv6) field. | |||
| IP-in-IP, the I flag MUST be set. | ||||
| The version of the outer IP header (IPv4 or IPv6) matched is | The IP version of the outer IP header (IPv4 or IPv6) matched is | |||
| indicated by the AFI at the beginning of the MP_REACH_NLRI or | indicated by an AFI of 1 or 2 at the beginning of the MP_REACH_NLRI | |||
| MP_UNREACH_NLRI. The version of the inner IP header is indicated by | or MP_UNREACH_NLRI while if that AFI is 6, it indicates a match on | |||
| the inner AFI. The outer Flow-spec applies to the outer IP header and | the out Ethernet header and, optionally, the following IP Header | |||
| the inner Flow-spec applies to the inner IP header. | [FlowSpecL2]. The IP version of the inner IP header is indicated by | |||
| the Inner AFI and the Inner Flowspec applies to the inner IP header. | ||||
| There are no fields that can be matched by the Tunnel Header Flow- | There are no fields that can be matched by the Tunnel Header Flowspec | |||
| spec in the case of IP-in-IP. | in the case of IP-in-IP. | |||
| INTERNET-DRAFT BGP Tunnel Flowspec | ||||
| 2.4 Tunneled Traffic Actions | 2.4 Tunneled Traffic Actions | |||
| The traffic filtering actions previously specified in [RFC5575bis] | The traffic filtering actions previously specified in [RFC5575bis] | |||
| and [FlowSpecL2] are used for tunneled traffic. For Traffic Marking | and [FlowSpecL2] are used for tunneled traffic. For Traffic Marking | |||
| in NVO3, only the DSCP in the outer header can be modified. | in NVO3, only the DSCP in the outer header can be modified. | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| 3. Order of Traffic Filtering Rules | 3. Order of Traffic Filtering Rules | |||
| In comparing an applicable tunneled traffic flow specification with a | The following rules determine which flowspec takes precedence where | |||
| non-tunneled flow specification, the tunneled specification has | one or more are applicable and at least one of the applicable | |||
| precedence. | flowspecs is a tunneled traffic flowspec: | |||
| If comparing two tunneled traffic flow specifications, if both are | - In comparing an applicable tunneled traffic flow specification | |||
| applicable, the tunnel types will be the same. If only one has a | with an applicable non-tunneled flow specification, the tunneled | |||
| Routing Discriminator, it has precedence. If both have a Routing | specification has precedence. | |||
| Discriminator, then either those Routing Discriminators will be equal | ||||
| or only one of the Flow-specs will be applicable to the packet. | ||||
| If neither has a Routing Discriminator or they have equal Routing | - If comparing tunneled traffic flow specifications, if all are | |||
| Discriminators, the order of precedence is determined by comparing | applicable, the tunnel types will be the same. Any that have a | |||
| the outer Flow-spec. | Routing Distinguisher will take precedence over those without a | |||
| Routing Distinguisher. Of those with a Routing Distinguisher, all | ||||
| applicable flowspecs will have the same Routing Distinguisher. | ||||
| If the outer Flow-specs are equal, then the Tunnel Header Flow-specs | - At this point in the process, all remaining contenders for the | |||
| are compared using the usual component comparison rules. | highest precedence will either not have a Routing Distinguisher or | |||
| have equal Routing Distinguishers. If more than one contender | ||||
| remain, those with an L2 Outer Flowspec take precedence over those | ||||
| with an L3 Outer Flowspec. If the Outer Flowspec AFI is the same, | ||||
| their order of precedence is determined by comparing the Outer | ||||
| Flowspecs as described in [RFC5575bis] and [FlowSpecV6] for AFI | ||||
| for 1 or 2 respectively or [FlowSpecL2] for AFI=6. | ||||
| If the Tunnel Header Flow-specs are equal and the tunnel type calls | - If the Outer Flowspecs are equal, then the Tunnel Header Flowspecs | |||
| for an inner Flow-spec, then the precedence is determined by | are compared using the usual sequential component comparison | |||
| comparing inner AFI as an unsigned integer with the inner AFI having | process [RFC5575bis]. | |||
| the smaller magnitude having precedence. | ||||
| If the inner AFIs are equal, precedence is determined by comparing | - If the Tunnel Header Flowspecs are equal then compare the "I" | |||
| the inner flow specifications. | flag. Those with an Inner Flowspec take precedence over those | |||
| without an Inner Flowspec. If you get to this stage in the | ||||
| ordering process, those without an Inner Flowspec are equal. For | ||||
| those with an Inner Flowspec, check the Inner AFI. An L2 Inner AFI | ||||
| (AFI=6) takes precedence over an L2 Inner AFI. | ||||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | - If the Inner AFIs are equal, precedence is determined by comparing | |||
| the Inner Flowspecs as described in [FlowSpecL2] for L2 or | ||||
| [RFC5575bis] for L3. | ||||
| INTERNET-DRAFT BGP Tunnel Flowspec | ||||
| 4. Flow Spec Validation | 4. Flow Spec Validation | |||
| Flow-specs received over AFI=1/SAFI=TBD1 or AFI=2/SFAI=TBD1 are | Flowspecs received over AFI=1/SAFI=TBD1 or AFI=2/SFAI=TBD1 are | |||
| validated, using only the outer Flow-spec, against routing | validated, using only the Outer Flowspec, against routing | |||
| reachability received over AFI=1/SAFI=133 and AFI=2/SAFI=133 | reachability received over AFI=1/SAFI=133 and AFI=2/SAFI=133 | |||
| respectively, as modified by [FlowSpecOID]. | respectively, as modified by [FlowSpecOID]. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| No new security issues are introduced to the BGP protocol by this | No new security issues are introduced to the BGP protocol by this | |||
| specification. | specification. | |||
| For general Flow-spec security considerations, see [rfc5575bis]. | For general Flowspec security considerations, see [rfc5575bis]. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| IANA is requested to assign a new SAFI as follows: | IANA is requested to assign a new SAFI as follows: | |||
| Value Description Reference | Value Description Reference | |||
| ----- ------------------------------------------ --------------- | ----- ------------------------------------------ --------------- | |||
| TBD1 Tunneled traffic flow specification rules [This document] | TBD1 Tunneled traffic flow specification rules [This document] | |||
| IANA is requested to create a Tunnel Header Flow Spec Component Type | IANA is requested to create a Tunnel Header Flow Spec Component Type | |||
| skipping to change at page 14, line 43 ¶ | skipping to change at page 15, line 43 ¶ | |||
| Name: Tunnel Flow Spec Component Types | Name: Tunnel Flow Spec Component Types | |||
| Reference: [this document] | Reference: [this document] | |||
| Registration Procedures: | Registration Procedures: | |||
| 0 Reserved | 0 Reserved | |||
| 1-127 Specification Required | 1-127 Specification Required | |||
| 128-254 First Come First Served | 128-254 First Come First Served | |||
| 255 Reserved | 255 Reserved | |||
| Initial contents: | Initial contents: | |||
| Type Name Reference | Type Name Reference | |||
| ----- -------------- ----------- | ----- -------------- ----------------- | |||
| 0 reserved | 0 reserved [this document] | |||
| 1 VN ID [this document] | 1 VN ID [this document] | |||
| 2 Flow ID [this document] | 2 Flow ID [this document] | |||
| 3 Session [this document] | 3 Session [this document] | |||
| 4 Cookie [this document] | 4 Cookie [this document] | |||
| 5 VXLAN-GPE Flags [this document] | 5 VXLAN-GPE Flags [this document] | |||
| 6-254 unassigned [this document] | 6-254 unassigned [this document] | |||
| 255 reserved [this document] | 255 reserved [this document] | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| Normative References | Normative References | |||
| [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, | Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, | |||
| March 1997, <https://www.rfc-editor.org/info/rfc2119>. | March 1997, <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC2890] - Dommety, G., "Key and Sequence Number Extensions to GRE", | [RFC2890] - Dommety, G., "Key and Sequence Number Extensions to GRE", | |||
| RFC 2890, DOI 10.17487/RFC2890, September 2000, | RFC 2890, DOI 10.17487/RFC2890, September 2000, | |||
| <https://www.rfc-editor.org/info/rfc2890>. | <https://www.rfc-editor.org/info/rfc2890>. | |||
| skipping to change at page 16, line 5 ¶ | skipping to change at page 17, line 5 ¶ | |||
| Specifications", draft-ietf-idr-bgp-flowspec-oid, work in | Specifications", draft-ietf-idr-bgp-flowspec-oid, work in | |||
| progress. | progress. | |||
| [FlowSpecV6] - R. Raszuk, et al, "Dissemination of Flow Specification | [FlowSpecV6] - R. Raszuk, et al, "Dissemination of Flow Specification | |||
| Rules for IPv6", draft-ietf-idr-flow-spec-v6, work in progress. | Rules for IPv6", draft-ietf-idr-flow-spec-v6, work in progress. | |||
| [RFC5575bis] - Hares, S., Loibl, C., Raszuk, R., McPherson, D., | [RFC5575bis] - Hares, S., Loibl, C., Raszuk, R., McPherson, D., | |||
| Bacher, M., "Dissemination of Flow Specification Rules", draft- | Bacher, M., "Dissemination of Flow Specification Rules", draft- | |||
| ietf-idr-rfc5575bis, Work in progress. | ietf-idr-rfc5575bis, Work in progress. | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| Informative References | Informative References | |||
| [RFC8014] - Black, D., Hudson, J., Kreeger, L., Lasserre, M., and T. | [RFC8014] - Black, D., Hudson, J., Kreeger, L., Lasserre, M., and T. | |||
| Narten, "An Architecture for Data-Center Network Virtualization | Narten, "An Architecture for Data-Center Network Virtualization | |||
| over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December | over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December | |||
| 2016, <https://www.rfc-editor.org/info/rfc8014>. | 2016, <https://www.rfc-editor.org/info/rfc8014>. | |||
| [GPE] - P. Quinn, et al, "Generic Protocol Extension for VXLAN", | [GPE] - P. Quinn, et al, "Generic Protocol Extension for VXLAN", | |||
| draft-ietf-nvo3-vxlan-gpe, work in progress. | draft-ietf-nvo3-vxlan-gpe, work in progress. | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| Acknowledgments | Acknowledgments | |||
| The authors wish to acknowledge the important contributions of Jeff | The authors wish to acknowledge the important contributions of Jeff | |||
| Haas, Susan Hares, Qiandeng Liang, Nan Wu, Yizhou Li, Robert Raszuk, | Haas, Susan Hares, Qiandeng Liang, Nan Wu, Yizhou Li, Robert Raszuk, | |||
| and Lucy Yong. | and Lucy Yong. | |||
| Authors' Addresses | Authors' Addresses | |||
| Donald Eastlake | Donald Eastlake | |||
| skipping to change at page 18, line 5 ¶ | skipping to change at page 19, line 5 ¶ | |||
| Huawei Bld., No.156 Beiqing Rd. | Huawei Bld., No.156 Beiqing Rd. | |||
| Beijing 100095 China | Beijing 100095 China | |||
| Email: lizhenbin@huawei.com | Email: lizhenbin@huawei.com | |||
| Rong Gu | Rong Gu | |||
| China Mobile | China Mobile | |||
| Email: gurong_cmcc@outlook.com | Email: gurong_cmcc@outlook.com | |||
| INTERNET-DRAFT BGP Tunnel Flow-Spec | INTERNET-DRAFT BGP Tunnel Flowspec | |||
| Copyright, Disclaimer, and Additional IPR Provisions | Copyright, Disclaimer, and Additional IPR Provisions | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| End of changes. 92 change blocks. | ||||
| 171 lines changed or deleted | 192 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||