draft-ietf-idr-flowspec-nvo3-08.txt   draft-ietf-idr-flowspec-nvo3-09.txt 
INTERNET-DRAFT D. Eastlake INTERNET-DRAFT D. Eastlake
Intended Status: Proposed Standard Futurewei Technologies Intended Status: Proposed Standard Futurewei Technologies
W. Hao W. Hao
S. Zhuang S. Zhuang
Z. Li Z. Li
Huawei Technologies Huawei Technologies
R. Gu R. Gu
China Mobil China Mobil
Expires: July 15, 2020 January 16, 2020 Expires: October 11, 2020 April 12, 2020
BGP Dissemination of BGP Dissemination of
Flow Specification Rules for Tunneled Traffic Flow Specification Rules for Tunneled Traffic
draft-ietf-idr-flowspec-nvo3-08 draft-ietf-idr-flowspec-nvo3-09
Abstract Abstract
This draft specifies a Border Gateway Protocol Network Layer This draft specifies a Border Gateway Protocol (BGP) Network Layer
Reachability Information (BGP NLRI) encoding format for flow Reachability Information (NLRI) encoding format for flow
specifications (RFC 5575bis) that can match on a variety of tunneled specifications (RFC 5575bis) that can match on a variety of tunneled
traffic. In addition, flow specification components are specified for traffic. In addition, flow specification components are specified for
certain tunneling header fields. certain tunneling header fields.
Status of This Document Status of This Document
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Distribution of this document is unlimited. Comments should be sent Distribution of this document is unlimited. Comments should be sent
skipping to change at page 2, line 5 skipping to change at page 2, line 5
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft
Shadow Directories can be accessed at Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
Table of Contents Table of Contents
1. Introduction............................................3 1. Introduction............................................3
1.1 Terminology............................................3 1.1 Terminology............................................3
2. Tunneled Traffic Flow Specification NLRI................5 2. Tunneled Traffic Flow Specification NLRI................5
2.1 The SAFI Code Point....................................7 2.1 The SAFI Code Point....................................7
2.2 Tunnel Header Component Code Points....................8 2.2 Tunnel Header Component Code Points....................8
2.3 Specific Tunnel Types..................................9 2.3 Specific Tunnel Types..................................9
2.3.1 VXLAN................................................9 2.3.1 VXLAN................................................9
2.3.2 VXLAN-GPE...........................................10 2.3.2 VXLAN-GPE...........................................10
2.3.3 NVGRE...............................................11 2.3.3 NVGRE...............................................11
2.3.4 L2TPv3..............................................11 2.3.4 L2TPv3..............................................11
2.3.5 GRE.................................................12 2.3.5 GRE.................................................12
2.3.6 IP-in-IP............................................12 2.3.6 IP-in-IP............................................12
2.4 Tunneled Traffic Actions..............................12 2.4 Tunneled Traffic Actions..............................13
3. Order of Traffic Filtering Rules.......................13 3. Order of Traffic Filtering Rules.......................14
4. Flow Spec Validation...................................14 4. Flow Spec Validation...................................15
5. Security Considerations................................14 5. Security Considerations................................15
6. IANA Considerations....................................14 6. IANA Considerations....................................15
Normative References......................................15 Normative References......................................16
Informative References....................................16 Informative References....................................17
Acknowledgments...........................................17 Acknowledgments...........................................18
Authors' Addresses........................................17 Authors' Addresses........................................18
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
1. Introduction 1. Introduction
BGP Flow-spec [RFC5575bis] is an extension to BGP that supports the BGP Flow Specification (flowspec [RFC5575bis]) is an extension to BGP
dissemination of traffic flow specification rules. It uses the BGP that supports the dissemination of traffic flow specification rules.
control plane to simplify the distribution of Access Control Lists It uses the BGP control plane to simplify the distribution of Access
(ACLs) and allows new filter rules to be injected to all BGP peers Control Lists (ACLs) and allows new filter rules to be injected to
simultaneously without changing router configuration. A typical all BGP peers simultaneously without changing router configuration. A
application of BGP Flow-spec is to automate the distribution of typical application of BGP flowspec is to automate the distribution
traffic filter lists to routers for Distributed Denial of Service of traffic filter lists to routers for Distributed Denial of Service
(DDOS) mitigation. (DDOS) mitigation.
BGP Flow-spec defines a BGP Network Layer Reachability Information BGP flowspec defines BGP Network Layer Reachability Information
(NLRI) format used to distribute traffic flow specification rules. (NLRI) formats used to distribute traffic flow specification rules.
AFI=1/SAFI=133 is for IPv4 unicast filtering. AFI=1/SAFI=134 is for AFI=1/SAFI=133 is for IPv4 unicast filtering. AFI=1/SAFI=134 is for
IPv4 BGP/MPLS VPN filtering. [FlowSpecV6] and [FlowSpecL2] extend the IPv4 BGP/MPLS VPN filtering. [FlowSpecV6] and [FlowSpecL2] extend the
flow-spec rules for IPv6 and layer 2 Ethernet packets respectively. flowspec rules for IPv6 and Layer 2 Ethernet packets respectively.
None of these previous flow specifications are suitable for matching None of these previously defined flow specifications are suitable for
in cases of tunneling or encapsulation where there might be matching in cases of tunneling or encapsulation where there might be
duplicates of a layer of header such as two IPv6 headers in IP-in-IP duplicates of a layer of header such as two IPv6 headers in IP-in-IP
or a nested header sequence such as the layer 2 and 3 headers or a nested header sequence such as the Layer 2 and 3 headers
encapsulated in VXLAN [RFC7348]. encapsulated in VXLAN [RFC7348].
In the cloud computing era, multi-tenancy has become a core In the cloud computing era, multi-tenancy has become a core
requirement for data centers. It is increasingly common to see requirement for data centers. It is increasingly common to see
tunneled traffic with a field to distinguish tenants. An example is tunneled traffic with a field to distinguish tenants. An example is
the Network Virtualization Over Layer 3 (NVO3 [RFC8014]) overlay the Network Virtualization Over Layer 3 (NVO3 [RFC8014]) overlay
technology that can satisfy multi-tenancy key requirements. VXLAN technology that can satisfy multi-tenancy key requirements. VXLAN
[RFC7348] and NVGRE [RFC7637] are two typical NVO3 encapsulations. [RFC7348] and NVGRE [RFC7637] are two typical NVO3 encapsulations.
Other encapsulations such as IP-in-IP or GRE may be encountered. Other encapsulations such as IP-in-IP or GRE may be encountered.
Because these tunnel / overlay technologies involving an additional Because these tunnel / overlay technologies involving an additional
level of encapsulation, flow specification that can match on the level of encapsulation, flow specification that can match on the
inner header as well as the outer header are needed. inner header as well as the outer header and fields in any tunneling
header are needed.
In summary, Flow specifications should be able to include inner In summary, Flow Specifications should be able to include inner
nested header information as well as fields specific to the type of nested header information as well as fields specific to the type of
tunneling in use such as virtual network / tenant ID. This draft tunneling in use such as virtual network / tenant ID. This draft
specifies methods for accomplishing this using SAFI=TBD1 and a new specifies methods for accomplishing this using SAFI=TBD1 and a new
NLRI encoding. NLRI encoding.
1.1 Terminology 1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
The reader is assumed to be familiar with BGP terminology. The The reader is assumed to be familiar with BGP terminology. The
following terms and acronyms are used in this document with the following terms and acronyms are used in this document with the
meaning indicated: meaning indicated:
ACL - Access Control List ACL - Access Control List
DDOS - Distributed Denial of Service (Attack) DDoS - Distributed Denial of Service (Attack)
DSCP - Differentiated Services Code Point DSCP - Differentiated Services Code Point
GRE - Generic Router Encapsulation [RFC2890] GRE - Generic Router Encapsulation [RFC2890]
L2TPv3 - Layer Two Tunneling Protocol - Version 3 [RFC3931] L2TPv3 - Layer Two Tunneling Protocol - Version 3 [RFC3931]
NLRI - Network Layer Reachability Information NLRI - Network Layer Reachability Information
NVGRE - Network Virtualization Using Generic Routing Encapsulation NVGRE - Network Virtualization Using Generic Routing Encapsulation
[RFC7637] [RFC7637]
NVO3 - Network Virtual Overlay Layer 3 [RFC8014] NVO3 - Network Virtual Overlay Layer 3 [RFC8014]
PE - Provider Edge
VN - virtual network VN - virtual network
VXLAN - Virtual eXtensible Local Area Network [RFC7348] VXLAN - Virtual eXtensible Local Area Network [RFC7348]
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
2. Tunneled Traffic Flow Specification NLRI 2. Tunneled Traffic Flow Specification NLRI
The Flow-spec rules specified in [RFC5575bis], [FlowSpecV6], and The Flowspec rules specified in [RFC5575bis], [FlowSpecV6], and
[FlowSpecL2] cannot match or filter tunneled traffic based on the [FlowSpecL2] cannot match or filter tunneled traffic based on the
tunnel type, any tunnel header fields, or headers past the tunnel tunnel type, any tunnel header fields, or headers past the tunnel
header. To enable flow specification of tunneled traffic, a new SAFI header. To enable flow specification of tunneled traffic, a new SAFI
(TBD1) and NLRI encoding are introduced. This encoding, shown in (TBD1) and NLRI encoding are introduced. This encoding, shown in
Figure 1, enables flow specification of more than one layer of header Figure 1, enables flow specification of more than one layer of header
when needed. when needed.
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Length 2 octets | | Length 2 octets |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Tunnel Type 2 octets | | Tunnel Type 2 octets |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Flags: Flags:
+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+
| D| I| Reserved | 1 octet | D| I| Reserved | 1 octet
+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+
Optional Routing Discriminator: Optional Routing Distinguisher:
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| | | |
+ + + +
| | | |
+ Routing Discriminator 8 octets + + Routing Distinguisher 8 octets +
| | | |
+ + + +
| | | |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Outer Flow-spec: Outer Flowspec:
+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+
| Outer Flowspec Length : 1 or 2 octets | Outer Flowspec Length : 1 or 2 octets
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Outer Flow-spec variable : | Outer Flowspec variable :
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Tunnel Header Flow-Spec: Tunnel Header Flowspec:
+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+
| Tunnel Flowspec Length: 1 or 2 octets | Tunnel Flowspec Length: 1 or 2 octets
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Tunnel Header Flow-spec variable : | Tunnel Header Flowspec variable :
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Optional Inner Flow-spec: Optional Inner Flowspec:
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Inner AFI 2 octets | | Inner AFI 2 octets |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Inner Flowspec Length : 1 or 2 octets | Inner Flowspec Length : 1 or 2 octets
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Inner Flow-spec variable : | Inner Flowspec variable :
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Figure 1. Tunneled Traffic Flow-spec NLRI Figure 1. Tunneled Traffic Flowspec NLRI
Length - The NLRI Length including the Tunnel Type encoded as an Length - The NLRI Length including the Tunnel Type encoded as an
unsigned integer. unsigned integer.
Tunnel Type - The type of tunnel using a value from the IANA BGP Tunnel Type - The type of tunnel using a value from the IANA BGP
Tunnel Encapsulation Attribute Tunnel Types registry. Tunnel Encapsulation Attribute Tunnel Types registry.
Flags: D bit - Indicates the presence of the Routing Discriminator Flags: D bit - Indicates the presence of the Routing Distinguisher
(see below). (see below).
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
Flags: I bit - Indicates the presence of the Inner AFI and the Inner Flags: I bit - Indicates the presence of the Inner AFI and the Inner
Flow-spec. Flowspec (see below).
Flags: Reserved - Six bits that MUST be sent as zero and ignored on Flags: Reserved - Six bits that MUST be sent as zero and ignored on
receipt. receipt.
Routing Discriminator - If the outer Layer 3 address belongs to a Routing Distinguisher - If the outer Layer 3 address belongs to a
BGP/MPLS VPN, the routing discriminator can be included to BGP/MPLS VPN, the routing distinguisher is included to indicate
support traffic filtering within that VPN. Because NVO3 outer traffic filtering within that VPN. Because NVO3 outer layer
layer addresses normally belong to a public network, a Route addresses normally belong to a public network, a Route
Distinguisher field is normally not needed for NVO3. Distinguisher field is normally not needed for NVO3.
Outer Flow-spec / Length - The flow specification for the outer Outer Flowspec / Length - The flow specification for the outer
header. The length is encoded as provided in Section 4.1 of header. The length is encoded as provided in Section 4.1 of
[RFC5575bis]. The AFI for the outer Flow-spec is that AFI at [RFC5575bis]. The AFI for the Outer Flowspec is the AFI at the
the beginning of the BGP multiprotocol MP_REACH_NLRI or beginning of the BGP multiprotocol MP_REACH_NLRI or
MP_UNREACH_NLRI containing the tunneled traffic flow MP_UNREACH_NLRI containing the tunneled traffic flow
specification NLRI. specification NLRI.
Tunnel Header Flow-spec / Length - The flow specification for the Tunnel Header Flowspec / Length - The flow specification for the
tunneling header. This can specify matching criterion on tunnel tunneling header. This specifies matching criterion on tunnel
header fields. The tunnel type itself is indicated by the header fields. The tunnel type itself is indicated by the
Tunnel Type field above. For some types of tunneling, such as Tunnel Type field above. For some types of tunneling, such as
IP-in-IP, there may be no tunnel header fields. For other types IP-in-IP, there may be no tunnel header fields. For other types
of tunneling, there may be several tunnel header fields on of tunneling, there may be several tunnel header fields on
which matching could be specified with this Flow-spec. which matching can be specified with this flowspec.
Inner AFI - Depending on the Tunnel Type, there may be an Inner AFI Inner AFI - Depending on the Tunnel Type, there may be an Inner AFI
that indicates the address family for the inner flow that indicates the address family for the inner flow
specification. There is no need for a SAFI as, in effect, it specification. There is no need for a SAFI as the treatment of
is automatically TBD1, the SAFI for a tunneled traffic flow this inner AFI and following flowspec is indicated by the outer
specification. SAFI TBD1, the SAFI for a tunneled traffic flow specification.
Inner Flow-spec / Length - Depending on the Tunnel Type, there may be Inner Flowspec / Length - Depending on the Tunnel Type, there may be
an inner flow specification for the header level encapsulated an inner flowspec for the header level encapsulated within the
within the outer header. The length is encoded as provided in outer header. The length is encoded as provided in Section 4.1
Section 4.1 of [RFC5575bis]. of [RFC5575bis].
A Tunneled Traffic Flow-spec matches if the Outer Flow-spec, Tunnel A Tunneled Traffic Flowspec matches if the Outer Flowspec, Tunnel
Header Flow-spec, and Inner Flow-spec all match and the Routing Header Flowspec, and Inner Flowspec, if present, all match and the
Discriminator applies, if present. An omitted (as can be done for the Routing Distinguisher applies, if present. An omitted (as can be done
Inner Flow-spec) or null Flow-spec is considered to always match. for the Inner Flowspec) or null flowspec is considered to always
match.
2.1 The SAFI Code Point 2.1 The SAFI Code Point
Use of the tunneled traffic flow specification NLRI format is Use of the tunneled traffic flow specification NLRI format is
indicated by SAFI=TBD1. This is used in conjunction with the AFI for indicated by SAFI=TBD1. This is used in conjunction with the AFI for
the outer header, that is AFI=1 for IPv4, AFI=2 for IPv6, and AFI=6
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
the outer header, that is AFI=1 for IPv4, AFI=2 for IPv6, and AFI=6
for Layer 2. for Layer 2.
2.2 Tunnel Header Component Code Points 2.2 Tunnel Header Component Code Points
For flow specification based on most tunneling headers, there are For flowspec based on most tunneling, there are tunnel header fields
additional tunnel header fields that can be tested by components that that can be tested by components that appear in the Tunnel Header
appear in the Tunnel Header Flow-spec field. The types for these Flowspec field. The types for these components are specified in a
components are specified in a Tunnel Header Flow-spec component Tunnel Header Flowspec component registry (see Section 6).
registry (see Section 6).
All Tunnel Header field components defined below and all such All Tunnel Header field components defined below and all such
components added in the future have a TLV structure as follows: components added in the future have a TLV structure as follows:
- one octet of type followed by - one octet of type followed by
- one octet giving the length as an unsigned integer number of - one octet giving the length as an unsigned integer number of
octets followed by octets followed by
- the specific matching operations/values as determined by the - the specific matching operations/values as determined by the
type. type.
Type 1 - VN ID Type 1 - VN ID
Encoding: <type (1 octet), length (1 octet), [op, value]+>. Encoding: <type (1 octet), length (1 octet), [op, value]+>.
Defines a list of {operation, value} pairs used to match the Defines a list of {operation, value} pairs used to match the
24-bit VN ID that is used as the tenant identification in some 24-bit VN ID that is used as the tenant identification in some
tunneling headers. For VXLAN encapsulation, the VN ID is the tunneling headers. For VXLAN encapsulation, the VN ID is the
VNI. For NVGRE encapsulation, the VN ID is the VSID. op is VNI. For NVGRE encapsulation, the VN ID is the VSID. op is
encoded as specified in Section 4.2.3 of [RFC5575bis]. Values encoded as specified in Section 4.2.3 of [RFC5575bis]. Values
are encoded as a 1, 2, or 4 octet quantity. If value is are encoded as a 1, 2, or 4 octet quantity. If value is
24-bits, they are left-justified in the first 3 octets of the 24-bits, it is left-justified in the first 3 octets of the
value and the last value octet MUST be sent as zero and ignored value and the last value octet MUST be sent as zero and ignored
on receipt. on receipt.
Type 2 - Flow ID Type 2 - Flow ID
Encoding: <type (1 octet), length (1 octet), [op, value]+> Encoding: <type (1 octet), length (1 octet), [op, value]+>
Defines a list of {operation, value} pairs used to match 8-bit Defines a list of {operation, value} pairs used to match 8-bit
Flow ID fields which are currently only useful for NVGRE Flow ID fields which are currently only useful for NVGRE
encapsulation. op is encoded as specified in Section 4.2.3 of encapsulation. op is encoded as specified in Section 4.2.3 of
[RFC5575bis]. Values are encoded as a 1-octet quantity. [RFC5575bis]. Values are encoded as a 1-octet quantity.
Type 3 - Session Type 3 - Session
Encoding: <type (1 octet), length (1 octet), [op, value]+> Encoding: <type (1 octet), length (1 octet), [op, value]+>
Defines a list of {operation, value} pairs used to match a Defines a list of {operation, value} pairs used to match a
32-bit Session field. This field is called Key in GRE [RFC2890] 32-bit Session field. This field is called Key in GRE [RFC2890]
encapsulation and Session ID in L2TPv3 encapsulation. op is encapsulation and Session ID in L2TPv3 encapsulation. op is
encoded as specified in Section 4.2.3 of [RFC5575bis]. Values encoded as specified in Section 4.2.3 of [RFC5575bis]. Values
are encoded as a 1, 2, or 4 octet quantity. are encoded as a 1, 2, or 4 octet quantity.
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
Type 4 - Cookie Type 4 - Cookie
Encoding: <type (1 octet), length (1 octet), [op, value]+> Encoding: <type (1 octet), length (1 octet), [op, value]+>
Defines a list of {operation, value} pairs used to match a Defines a list of {operation, value} pairs used to match a
variable length Cookie field. This is only useful in L2TPv3 variable length Cookie field. This is only useful in L2TPv3
encapsulation. op is encoded as specified in Section 4.2.3 of encapsulation. op is encoded as specified in Section 4.2.3 of
[RFC5575bis]. Values are encoded as a 1, 2, 4, or 8 octet [RFC5575bis]. Values are encoded as a 1, 2, 4, or 8 octet
quantity. If the Cookie does not fit exactly into the value quantity. If the Cookie does not fit exactly into the value
length, it is left justified, that is, padded with following length, it is left justified, that is, padded with following
skipping to change at page 9, line 42 skipping to change at page 9, line 42
The headers on a VXLAN [RFC7348] data packet are an outer Ethernet The headers on a VXLAN [RFC7348] data packet are an outer Ethernet
header, an outer IP header, a UDP header, the VXLAN header, and an header, an outer IP header, a UDP header, the VXLAN header, and an
inner Ethernet header. This inner Ethernet header is frequently, but inner Ethernet header. This inner Ethernet header is frequently, but
not always, followed by an inner IP header. If the tunnel type is not always, followed by an inner IP header. If the tunnel type is
VXLAN, the I flag MUST be set. VXLAN, the I flag MUST be set.
If the outer Ethernet header is not being matched, the version (IPv4 If the outer Ethernet header is not being matched, the version (IPv4
or IPv6) of the outer IP header is indicated by the AFI at the or IPv6) of the outer IP header is indicated by the AFI at the
beginning of the multiprotocol MP_REACH_NLRI or MP_UNREACH_NLRI beginning of the multiprotocol MP_REACH_NLRI or MP_UNREACH_NLRI
containing the tunneled traffic flow specification NLRI. The outer containing the tunneled traffic flow specification NLRI. The outer
Flow-spec is used to filter the outer headers including, if desired, Flowspec is used to filter the outer headers including, if desired,
the UDP header. the UDP header.
If the outer Ethernet header is being matched, then the initial AFI If the outer Ethernet header is being matched, then the initial AFI
is 6 [FlowSpecL2] and the Outer Flow-spec can match the outer is 6 [FlowSpecL2] and the Outer Flowspec can match the outer Ethernet
Ethernet header, specify the IP version of the outer IP header, and header, specify the IP version of the outer IP header, and match that
match that IP header including, if desired, the UDP header. IP header including, if desired, the UDP header.
The Tunnel Header Flow-spec can be used to filter on the VXLAN header The Tunnel Header Flowspec can be used to filter on the VXLAN header
VN ID (VNI). VN ID (VNI).
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
The inner Flow-spec can be used on the Inner Ethernet header The Inner Flowspec can be used on the Inner Ethernet header
[FlowSpecL2] and any following IP header. If the inner AFI is 6, [FlowSpecL2] and any following IP header. If the inner AFI is 6,
then the inner Flow-spec provides filtering of the Layer 2 header, then the inner Flowspec provides filtering of the Layer 2 header,
indicates whether filtering on a following IPv4 or IPv6 header is indicates whether filtering on a following IPv4 or IPv6 header is
desired, and if it is desired provides the Flow-spec components for desired, and if it is desired provides the Flowspec components for
that filtering. If the Inner AFI is 1 or 2, the Inner Ethernet that filtering. If the Inner AFI is 1 or 2, the Inner Ethernet
header is not matched and to match the Flow-spec the Inner Ethernet header is not matched and to match the Flowspec the Inner Ethernet
header must be followed by an IPv4 or IPv6 header, respectively, and header must be followed by an IPv4 or IPv6 header, respectively, and
the inner Flow-spec is used to filter that inner IP header. the inner Flowspec is used to filter that inner IP header.
The inner MAC/IP address is associated with a VN ID. In the NVO3 The inner MAC/IP address is associated with the VN ID. In the NVO3
terminating into a VPN scenario, if multiple access VN IDs map to one terminating into a VPN scenario, if multiple access VN IDs map to one
VPN instance, one shared VN ID can be carried in the Flow-Spec rule VPN instance, one shared VN ID can be carried in the flowspec rule to
to enforce the rule on the entire VPN instance and the shared VN ID enforce the rule on the entire VPN instance and the shared VN ID and
and VPN correspondence should be configured on each VPN PE VPN correspondence should be configured on each VPN PE beforehand. In
beforehand. In this case, the function of the Layer 3 VN ID is the this case, the function of the Layer 3 VN ID is the same as a Route
same as a Route Discriminator: it acts as the identification of the Distinguisher: it acts as the identification of the VPN instance.
VPN instance.
2.3.2 VXLAN-GPE 2.3.2 VXLAN-GPE
VXLAN-GPE [GPE] is similar to VXLAN and the VXLAN-GPE header is the VXLAN-GPE [GPE] is similar to VXLAN. The VXLAN-GPE header is the same
same size as the VXLAN header but has been extended from the VXLAN size as the VXLAN header but has been extended from the VXLAN header
header by specifying a number of bits that are reserved in the VXLAN by specifying a number of bits that are reserved in the VXLAN header.
header. In particular, a number of additional flag bits are specified In particular, a number of additional flag bits are specified and a
and a Next Protocol field is added that is valid if the P flag bit is Next Protocol field is added that is valid if the P flag bit is set.
set. These flags bits can be tested using the VXLAN-GPE Flags These flags bits can be tested using the VXLAN-GPE Flags flowspec
component defined above. VXLAN and VXLAN-GPE are distinguished by the component defined above. VXLAN and VXLAN-GPE are distinguished by the
port number in the UDP header the precedes the VXLAN or VXLAN-GPE port number in the UDP header the precedes the VXLAN or VXLAN-GPE
headers. headers.
If the VXLAN-GPE header P flag is zero, then that header is followed If the VXLAN-GPE header P flag is zero, then that header is followed
by the same sequence as for VXLAN and the same Flow-spec choices by the same sequence as for VXLAN and the same flowspec choices apply
apply (see Section 2.3.1). (see Section 2.3.1).
If the VXLAN-GPE header P flag is one and that header's next protocol If the VXLAN-GPE header P flag is one and that header's next protocol
field is 1, then the VXLAN-GPE header is followed by an IPv4 header. field is 1, then the VXLAN-GPE header is followed by an IPv4 header.
The inner AFI/Flow-spec match only if the inner AFI is 1 and the The Inner Flowspec matches only if the Inner AFI is 1 and the Inner
inner Flow-spec matches. Flowspec matches.
If the VXLAN-GPE header P flag is one and that header's next protocol If the VXLAN-GPE header P flag is one and that header's next protocol
field is 2, then the VXLAN-GPE header is followed by an IPv6 header. field is 2, then the VXLAN-GPE header is followed by an IPv6 header.
The inner AFI/Flow-spec match only if the inner AFI is 2 and the The Inner Flowspec match only if the Inner AFI is 2 and the Inner
inner Flow-spec matches. Flowspec matches.
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
2.3.3 NVGRE 2.3.3 NVGRE
NVGRE [RFC7637] is very similar to VXLAN except that the UDP header NVGRE [RFC7637] is very similar to VXLAN except that the UDP header
and VXLAN header immediately after the outer IP header are replaced and VXLAN header immediately after the outer IP header are replaced
by a GRE (Generic Router Encapsulation) header. The GRE header as by a GRE (Generic Router Encapsulation) header. The GRE header as
used in NVGRE has no Checksum or Reserved1 field as shown in used in NVGRE has no Checksum or Reserved1 field as shown in
[RFC2890] but there are Virtual Subnet ID and Flow ID fields in place [RFC2890] but there are Virtual Subnet ID and Flow ID fields in place
of what is labeled in [RFC2890] as the Key field. Processing and of what is labeled in [RFC2890] as the Key field. Processing and
restrictions for NVGRE are as in Section 2.3.1 eliminating references restrictions for NVGRE are as in Section 2.3.1 eliminating references
to a UDP header and replacing references to the VXLAN header and its to a UDP header and replacing references to the VXLAN header and its
VN ID with references to the GRE header and its VN ID (VSID) and Flow VN ID with references to the GRE header and its VN ID (VSID) and Flow
ID. ID.
2.3.4 L2TPv3 2.3.4 L2TPv3
The headers on an L2TPv3 [RFC3931] packets are an outer Ethernet The headers on an L2TPv3 [RFC3931] packets are an outer Ethernet
header, an outer IP header, the L2TPv3 header, an inner Ethernet header, an outer IP header, the L2TPv3 header, an inner Ethernet
header, and possibly an inner IP header if indicated by the inner header, and possibly an inner IP header if indicated by the inner
Ethernet header EtherType. The outer Flow-spec operates on the outer Ethernet header EtherType. The Outer Flowspec operates on the outer
headers that precede the GRE header. The version of IP is specified headers that precede the GRE header. The version of IP in the outer
by the outer AFI at the beginning of the MP_REACH_NLRI or IP header is specified by either the outer AFI at the beginning of
MP_UNREACH_NLRI. the MP_REACH_NLRI or MP_UNREACH_NLRI or, if that AFI is 6 (L2),
optionally specified by the inner AFI within that L2 flowspec.
The L2TPv3 header consists of a 32-bit Session ID followed by a The L2TPv3 header consists of a 32-bit Session ID followed by a
variable length Cookie (maximum length 8 octets). The Session ID and variable length Cookie (maximum length 8 octets). The Session ID and
Cookie can be filtered for by using the Session and Cookie Flow-spec Cookie can be filtered for by using the Session and Cookie flowspec
components in the Tunnel Header Flow-spec. To filter on Cookie or components in the Tunnel Header Flowspec. To filter on Cookie or even
even be able to bypass Cookie and parse the remainder of the L2TPv3 be able to bypass Cookie and parse the remainder of the L2TPv3
packet, the node implementing Flow-spec needs to know the length packet, the node implementing flowspec needs to know the length
and/or value of the Cookie fields of interest. This is negotiated at and/or value of the Cookie fields of interest. This is negotiated at
L2TPv3 session establishment and it is out of scope for this document L2TPv3 session establishment and it is out of scope for this document
how the node would learn this information. Of course, if Flow-spec is how the node would learn this information. Of course, if flowspec is
being used for DDOS mitigation and the Cookie has a fixed length being used for DDOS mitigation and the Cookie has a fixed length
and/or value in the DDOS traffic, this could be learned by inspecting and/or value in the DDOS traffic, this could be learned by inspecting
that traffic. that traffic.
If the I flag bit is zero, then no filtering is done on data beyond If the I flag bit is zero, then no filtering is done on data beyond
the L2TPv3 header. If the I flag is one, indicating the presence of the L2TPv3 header. If the I flag is one, indicating the presence of
an inner Flow-spec, and the node implementing Flow-spec does not know an Inner Flowspec, and the node implementing flowspec does not know
the length of the L2TPv3 header Cookie, the match fails. If that node the length of the L2TPv3 header Cookie, the match fails. If that node
does know the length of that Cookie, the inner Flow-spec if matched does know the length of that Cookie, the Inner Flowspec if matched
against the headers at the beginning of that data using the inner against the headers at the beginning of that data using the Inner
AFI. If the inner AFI is 1 or 2, then an inner IP header is required AFI. If that Inner AFI is 1 or 2, then an inner IP header is required
and filtering can be done on the Ethernet header immediately after and filtering can be done on the Ethernet header immediately after
the L2TPv3 header and the following IPv4 or IPv6 headers the L2TPv3 header and the following IPv4 or IPv6 headers
respectively. If the inner AFI is 6, filtering SHOULD only be done on respectively. If the Inner AFI is 6, filtering is done on the inner
the inner Ethernet header [FlowSpecL2]. Ethernet header and, if a non-zero inner AFI is specified within the
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
inner L2 flowspec, done on the following IP header [FlowSpecL2].
2.3.5 GRE 2.3.5 GRE
Generic Router Encapsulation (GRE [RFC2890]) is another type of Generic Router Encapsulation (GRE [RFC2890]) is another type of
encapsulation. The outer Flow-spec operates on the outer headers that encapsulation. The Outer Flowspec operates on the outer headers that
precede the GRE header. The version of IP is specified by the outer precede the GRE header. The version of IP is specified by the outer
AFI at the beginning of the MP_REACH_NLRI or MP_UNREACH_NLRI. AFI at the beginning of the MP_REACH_NLRI or MP_UNREACH_NLRI.
If the I flag bit is zero, no filtering is done on data after the GRE If the I flag bit is zero, no filtering is done on data after the GRE
header. If the I flag bit is one, then there is an inner AFI and header. If the I flag bit is one, then there is an inner AFI and
Flow-spec and the Protocol Type field of the GRE header must match flowspec and the Protocol Type field of the GRE header must match the
the inner AFI as follows for the Flow-spec to match: Inner AFI as follows for the Flowspec to match:
GRE Protocol Type Inner AFI GRE Protocol Type Inner AFI
------------------- ----------- ------------------- -----------
0x0800 (IPv4) 1 0x0800 (IPv4) 1
0x86DD (IPv6) 2 0x86DD (IPv6) 2
0x6558 6 0x6558 6
With the I flag a one and the inner AFI and GRE Protocol Type fields With the I flag a one and the Inner AFI and GRE Protocol Type fields
match, the inner Flow-spec is used to filter the inner Ethernet match, the Inner Flowspec is used to filter the inner IP headers
header (AFI=6) or the inner IP and Ethernet headers (AFI=1 or 2). (Inner AFI=1 or 2) or the inner Ethernet header and optionally a
following IP header (Inner AFI=6).
2.3.6 IP-in-IP 2.3.6 IP-in-IP
IP-in-IP encapsulation is shown when the outer IP header indicates an IP-in-IP encapsulation is indicated when an outer IP header indicates
inner IP IPv4 or IPv6 header by the value of the outer IP header's an inner IP IPv4 or IPv6 header by the value of the outer IP header's
Protocol (IPv4) or Next Protocol (IPv6) field. If the Tunnel Type is Protocol (IPv4) or Next Protocol (IPv6) field.
IP-in-IP, the I flag MUST be set.
The version of the outer IP header (IPv4 or IPv6) matched is The IP version of the outer IP header (IPv4 or IPv6) matched is
indicated by the AFI at the beginning of the MP_REACH_NLRI or indicated by an AFI of 1 or 2 at the beginning of the MP_REACH_NLRI
MP_UNREACH_NLRI. The version of the inner IP header is indicated by or MP_UNREACH_NLRI while if that AFI is 6, it indicates a match on
the inner AFI. The outer Flow-spec applies to the outer IP header and the out Ethernet header and, optionally, the following IP Header
the inner Flow-spec applies to the inner IP header. [FlowSpecL2]. The IP version of the inner IP header is indicated by
the Inner AFI and the Inner Flowspec applies to the inner IP header.
There are no fields that can be matched by the Tunnel Header Flow- There are no fields that can be matched by the Tunnel Header Flowspec
spec in the case of IP-in-IP. in the case of IP-in-IP.
INTERNET-DRAFT BGP Tunnel Flowspec
2.4 Tunneled Traffic Actions 2.4 Tunneled Traffic Actions
The traffic filtering actions previously specified in [RFC5575bis] The traffic filtering actions previously specified in [RFC5575bis]
and [FlowSpecL2] are used for tunneled traffic. For Traffic Marking and [FlowSpecL2] are used for tunneled traffic. For Traffic Marking
in NVO3, only the DSCP in the outer header can be modified. in NVO3, only the DSCP in the outer header can be modified.
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
3. Order of Traffic Filtering Rules 3. Order of Traffic Filtering Rules
In comparing an applicable tunneled traffic flow specification with a The following rules determine which flowspec takes precedence where
non-tunneled flow specification, the tunneled specification has one or more are applicable and at least one of the applicable
precedence. flowspecs is a tunneled traffic flowspec:
If comparing two tunneled traffic flow specifications, if both are - In comparing an applicable tunneled traffic flow specification
applicable, the tunnel types will be the same. If only one has a with an applicable non-tunneled flow specification, the tunneled
Routing Discriminator, it has precedence. If both have a Routing specification has precedence.
Discriminator, then either those Routing Discriminators will be equal
or only one of the Flow-specs will be applicable to the packet.
If neither has a Routing Discriminator or they have equal Routing - If comparing tunneled traffic flow specifications, if all are
Discriminators, the order of precedence is determined by comparing applicable, the tunnel types will be the same. Any that have a
the outer Flow-spec. Routing Distinguisher will take precedence over those without a
Routing Distinguisher. Of those with a Routing Distinguisher, all
applicable flowspecs will have the same Routing Distinguisher.
If the outer Flow-specs are equal, then the Tunnel Header Flow-specs - At this point in the process, all remaining contenders for the
are compared using the usual component comparison rules. highest precedence will either not have a Routing Distinguisher or
have equal Routing Distinguishers. If more than one contender
remain, those with an L2 Outer Flowspec take precedence over those
with an L3 Outer Flowspec. If the Outer Flowspec AFI is the same,
their order of precedence is determined by comparing the Outer
Flowspecs as described in [RFC5575bis] and [FlowSpecV6] for AFI
for 1 or 2 respectively or [FlowSpecL2] for AFI=6.
If the Tunnel Header Flow-specs are equal and the tunnel type calls - If the Outer Flowspecs are equal, then the Tunnel Header Flowspecs
for an inner Flow-spec, then the precedence is determined by are compared using the usual sequential component comparison
comparing inner AFI as an unsigned integer with the inner AFI having process [RFC5575bis].
the smaller magnitude having precedence.
If the inner AFIs are equal, precedence is determined by comparing - If the Tunnel Header Flowspecs are equal then compare the "I"
the inner flow specifications. flag. Those with an Inner Flowspec take precedence over those
without an Inner Flowspec. If you get to this stage in the
ordering process, those without an Inner Flowspec are equal. For
those with an Inner Flowspec, check the Inner AFI. An L2 Inner AFI
(AFI=6) takes precedence over an L2 Inner AFI.
INTERNET-DRAFT BGP Tunnel Flow-Spec - If the Inner AFIs are equal, precedence is determined by comparing
the Inner Flowspecs as described in [FlowSpecL2] for L2 or
[RFC5575bis] for L3.
INTERNET-DRAFT BGP Tunnel Flowspec
4. Flow Spec Validation 4. Flow Spec Validation
Flow-specs received over AFI=1/SAFI=TBD1 or AFI=2/SFAI=TBD1 are Flowspecs received over AFI=1/SAFI=TBD1 or AFI=2/SFAI=TBD1 are
validated, using only the outer Flow-spec, against routing validated, using only the Outer Flowspec, against routing
reachability received over AFI=1/SAFI=133 and AFI=2/SAFI=133 reachability received over AFI=1/SAFI=133 and AFI=2/SAFI=133
respectively, as modified by [FlowSpecOID]. respectively, as modified by [FlowSpecOID].
5. Security Considerations 5. Security Considerations
No new security issues are introduced to the BGP protocol by this No new security issues are introduced to the BGP protocol by this
specification. specification.
For general Flow-spec security considerations, see [rfc5575bis]. For general Flowspec security considerations, see [rfc5575bis].
6. IANA Considerations 6. IANA Considerations
IANA is requested to assign a new SAFI as follows: IANA is requested to assign a new SAFI as follows:
Value Description Reference Value Description Reference
----- ------------------------------------------ --------------- ----- ------------------------------------------ ---------------
TBD1 Tunneled traffic flow specification rules [This document] TBD1 Tunneled traffic flow specification rules [This document]
IANA is requested to create a Tunnel Header Flow Spec Component Type IANA is requested to create a Tunnel Header Flow Spec Component Type
skipping to change at page 14, line 43 skipping to change at page 15, line 43
Name: Tunnel Flow Spec Component Types Name: Tunnel Flow Spec Component Types
Reference: [this document] Reference: [this document]
Registration Procedures: Registration Procedures:
0 Reserved 0 Reserved
1-127 Specification Required 1-127 Specification Required
128-254 First Come First Served 128-254 First Come First Served
255 Reserved 255 Reserved
Initial contents: Initial contents:
Type Name Reference Type Name Reference
----- -------------- ----------- ----- -------------- -----------------
0 reserved 0 reserved [this document]
1 VN ID [this document] 1 VN ID [this document]
2 Flow ID [this document] 2 Flow ID [this document]
3 Session [this document] 3 Session [this document]
4 Cookie [this document] 4 Cookie [this document]
5 VXLAN-GPE Flags [this document] 5 VXLAN-GPE Flags [this document]
6-254 unassigned [this document] 6-254 unassigned [this document]
255 reserved [this document] 255 reserved [this document]
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
Normative References Normative References
[RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119,
March 1997, <https://www.rfc-editor.org/info/rfc2119>. March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2890] - Dommety, G., "Key and Sequence Number Extensions to GRE", [RFC2890] - Dommety, G., "Key and Sequence Number Extensions to GRE",
RFC 2890, DOI 10.17487/RFC2890, September 2000, RFC 2890, DOI 10.17487/RFC2890, September 2000,
<https://www.rfc-editor.org/info/rfc2890>. <https://www.rfc-editor.org/info/rfc2890>.
skipping to change at page 16, line 5 skipping to change at page 17, line 5
Specifications", draft-ietf-idr-bgp-flowspec-oid, work in Specifications", draft-ietf-idr-bgp-flowspec-oid, work in
progress. progress.
[FlowSpecV6] - R. Raszuk, et al, "Dissemination of Flow Specification [FlowSpecV6] - R. Raszuk, et al, "Dissemination of Flow Specification
Rules for IPv6", draft-ietf-idr-flow-spec-v6, work in progress. Rules for IPv6", draft-ietf-idr-flow-spec-v6, work in progress.
[RFC5575bis] - Hares, S., Loibl, C., Raszuk, R., McPherson, D., [RFC5575bis] - Hares, S., Loibl, C., Raszuk, R., McPherson, D.,
Bacher, M., "Dissemination of Flow Specification Rules", draft- Bacher, M., "Dissemination of Flow Specification Rules", draft-
ietf-idr-rfc5575bis, Work in progress. ietf-idr-rfc5575bis, Work in progress.
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
Informative References Informative References
[RFC8014] - Black, D., Hudson, J., Kreeger, L., Lasserre, M., and T. [RFC8014] - Black, D., Hudson, J., Kreeger, L., Lasserre, M., and T.
Narten, "An Architecture for Data-Center Network Virtualization Narten, "An Architecture for Data-Center Network Virtualization
over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December
2016, <https://www.rfc-editor.org/info/rfc8014>. 2016, <https://www.rfc-editor.org/info/rfc8014>.
[GPE] - P. Quinn, et al, "Generic Protocol Extension for VXLAN", [GPE] - P. Quinn, et al, "Generic Protocol Extension for VXLAN",
draft-ietf-nvo3-vxlan-gpe, work in progress. draft-ietf-nvo3-vxlan-gpe, work in progress.
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
Acknowledgments Acknowledgments
The authors wish to acknowledge the important contributions of Jeff The authors wish to acknowledge the important contributions of Jeff
Haas, Susan Hares, Qiandeng Liang, Nan Wu, Yizhou Li, Robert Raszuk, Haas, Susan Hares, Qiandeng Liang, Nan Wu, Yizhou Li, Robert Raszuk,
and Lucy Yong. and Lucy Yong.
Authors' Addresses Authors' Addresses
Donald Eastlake Donald Eastlake
skipping to change at page 18, line 5 skipping to change at page 19, line 5
Huawei Bld., No.156 Beiqing Rd. Huawei Bld., No.156 Beiqing Rd.
Beijing 100095 China Beijing 100095 China
Email: lizhenbin@huawei.com Email: lizhenbin@huawei.com
Rong Gu Rong Gu
China Mobile China Mobile
Email: gurong_cmcc@outlook.com Email: gurong_cmcc@outlook.com
INTERNET-DRAFT BGP Tunnel Flow-Spec INTERNET-DRAFT BGP Tunnel Flowspec
Copyright, Disclaimer, and Additional IPR Provisions Copyright, Disclaimer, and Additional IPR Provisions
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
 End of changes. 92 change blocks. 
171 lines changed or deleted 192 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/