draft-ietf-idr-flowspec-nvo3-09.txt   draft-ietf-idr-flowspec-nvo3-10.txt 
INTERNET-DRAFT D. Eastlake INTERNET-DRAFT D. Eastlake
Intended Status: Proposed Standard Futurewei Technologies Intended Status: Proposed Standard Futurewei Technologies
W. Hao W. Hao
S. Zhuang S. Zhuang
Z. Li Z. Li
Huawei Technologies Huawei Technologies
R. Gu R. Gu
China Mobil China Mobil
Expires: October 11, 2020 April 12, 2020 Expires: March 29, 2021 September 30, 2020
BGP Dissemination of BGP Dissemination of
Flow Specification Rules for Tunneled Traffic Flow Specification Rules for Tunneled Traffic
draft-ietf-idr-flowspec-nvo3-09 draft-ietf-idr-flowspec-nvo3-10
Abstract Abstract
This draft specifies a Border Gateway Protocol (BGP) Network Layer This draft specifies a Border Gateway Protocol (BGP) Network Layer
Reachability Information (NLRI) encoding format for flow Reachability Information (NLRI) encoding format for flow
specifications (RFC 5575bis) that can match on a variety of tunneled specifications (RFC 5575bis) that can match on a variety of tunneled
traffic. In addition, flow specification components are specified for traffic. In addition, flow specification components are specified for
certain tunneling header fields. certain tunneling header fields.
Status of This Document Status of This Document
skipping to change at page 2, line 13 skipping to change at page 2, line 13
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
INTERNET-DRAFT BGP Tunnel Flowspec INTERNET-DRAFT BGP Tunnel Flowspec
Table of Contents Table of Contents
1. Introduction............................................3 1. Introduction............................................3
1.1 Terminology............................................3 1.1 Terminology............................................3
2. Tunneled Traffic Flow Specification NLRI................5 2. Tunneled Traffic Flow Specification NLRI................5
2.1 The SAFI Code Point....................................7 2.1 The SAFI Code Point....................................8
2.2 Tunnel Header Component Code Points....................8 2.2 Tunnel Header Component Code Points....................8
2.3 Specific Tunnel Types..................................9 2.3 Specific Tunnel Types.................................10
2.3.1 VXLAN................................................9 2.3.1 VXLAN...............................................10
2.3.2 VXLAN-GPE...........................................10 2.3.2 VXLAN-GPE...........................................11
2.3.3 NVGRE...............................................11 2.3.3 NVGRE...............................................11
2.3.4 L2TPv3..............................................11 2.3.4 L2TPv3..............................................12
2.3.5 GRE.................................................12 2.3.4.1 L2TPv3 Data Messages..............................12
2.3.6 IP-in-IP............................................12 2.3.4.2 L2TPv3 Control Messages...........................13
2.4 Tunneled Traffic Actions..............................13 2.3.5 GRE.................................................13
2.3.6 IP-in-IP............................................13
2.4 Tunneled Traffic Actions..............................14
3. Order of Traffic Filtering Rules.......................14 3. Order of Traffic Filtering Rules.......................15
4. Flow Spec Validation...................................15 4. Flow Spec Validation...................................16
5. Security Considerations................................15 5. Security Considerations................................16
6. IANA Considerations....................................15 6. IANA Considerations....................................17
Normative References......................................16 Normative References......................................18
Informative References....................................17 Informative References....................................19
Acknowledgments...........................................18 Acknowledgments...........................................20
Authors' Addresses........................................18
INTERNET-DRAFT BGP Tunnel Flowspec INTERNET-DRAFT BGP Tunnel Flowspec
1. Introduction 1. Introduction
BGP Flow Specification (flowspec [RFC5575bis]) is an extension to BGP BGP Flow Specification (flowspec [RFC5575bis]) is an extension to BGP
that supports the dissemination of traffic flow specification rules. that supports the dissemination of traffic flow specification rules.
It uses the BGP control plane to simplify the distribution of Access It uses the BGP control plane to simplify the distribution of Access
Control Lists (ACLs) and allows new filter rules to be injected to Control Lists (ACLs) and allows new filter rules to be injected to
all BGP peers simultaneously without changing router configuration. A all BGP peers simultaneously without changing router configuration. A
typical application of BGP flowspec is to automate the distribution typical application of BGP flowspec is to automate the distribution
of traffic filter lists to routers for Distributed Denial of Service of traffic filter lists to routers for Distributed Denial of Service
(DDOS) mitigation. (DDOS) mitigation.
BGP flowspec defines BGP Network Layer Reachability Information BGP flowspec defines BGP Network Layer Reachability Information
(NLRI) formats used to distribute traffic flow specification rules. (NLRI) formats used to distribute traffic flow specification rules.
AFI=1/SAFI=133 is for IPv4 unicast filtering. AFI=1/SAFI=134 is for AFI=1/SAFI=133 is for IPv4 unicast filtering. AFI=1/SAFI=134 is for
IPv4 BGP/MPLS VPN filtering. [FlowSpecV6] and [FlowSpecL2] extend the IPv4 BGP/MPLS VPN filtering [RFC5575bis]. [FlowSpecV6] and
flowspec rules for IPv6 and Layer 2 Ethernet packets respectively. [FlowSpecL2] extend the flowspec rules for IPv6 and Layer 2 Ethernet
None of these previously defined flow specifications are suitable for packets respectively. None of these previously defined flow
matching in cases of tunneling or encapsulation where there might be specifications are suitable for matching in cases of tunneling or
duplicates of a layer of header such as two IPv6 headers in IP-in-IP encapsulation where there might be duplicates of a layer of header
or a nested header sequence such as the Layer 2 and 3 headers such as two IPv6 headers in IP-in-IP [RFC2003] or a nested header
encapsulated in VXLAN [RFC7348]. sequence such as the Layer 2 and 3 headers encapsulated in VXLAN
[RFC7348].
In the cloud computing era, multi-tenancy has become a core In the cloud computing era, multi-tenancy has become a core
requirement for data centers. It is increasingly common to see requirement for data centers. It is increasingly common to see
tunneled traffic with a field to distinguish tenants. An example is tunneled traffic with a field to distinguish tenants. An example is
the Network Virtualization Over Layer 3 (NVO3 [RFC8014]) overlay the Network Virtualization Over Layer 3 (NVO3 [RFC8014]) overlay
technology that can satisfy multi-tenancy key requirements. VXLAN technology that can satisfy multi-tenancy key requirements. VXLAN
[RFC7348] and NVGRE [RFC7637] are two typical NVO3 encapsulations. [RFC7348] and NVGRE [RFC7637] are two typical NVO3 encapsulations.
Other encapsulations such as IP-in-IP or GRE may be encountered. Other encapsulations such as IP-in-IP or GRE may be encountered.
Because these tunnel / overlay technologies involving an additional Because these tunnel / overlay technologies involving an additional
level of encapsulation, flow specification that can match on the level of encapsulation, flow specification that can match on the
skipping to change at page 4, line 7 skipping to change at page 4, line 7
1.1 Terminology 1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
INTERNET-DRAFT BGP Tunnel Flowspec INTERNET-DRAFT BGP Tunnel Flowspec
The reader is assumed to be familiar with BGP terminology. The The reader is assumed to be familiar with BGP terminology [RFC4271]
following terms and acronyms are used in this document with the [RFC4760]. The following terms and acronyms are used in this document
meaning indicated: with the meaning indicated:
ACL - Access Control List ACL - Access Control List
DDoS - Distributed Denial of Service (Attack) DDoS - Distributed Denial of Service (Attack)
DSCP - Differentiated Services Code Point DSCP - Differentiated Services Code Point [RFC2474]
GRE - Generic Router Encapsulation [RFC2890] GRE - Generic Router Encapsulation [RFC2890]
L2TPv3 - Layer Two Tunneling Protocol - Version 3 [RFC3931] L2TPv3 - Layer Two Tunneling Protocol - Version 3 [RFC3931]
NLRI - Network Layer Reachability Information NLRI - Network Layer Reachability Information [RFC4271] [RFC4760]
NVGRE - Network Virtualization Using Generic Routing Encapsulation NVGRE - Network Virtualization Using Generic Routing Encapsulation
[RFC7637] [RFC7637]
NVO3 - Network Virtual Overlay Layer 3 [RFC8014] NVO3 - Network Virtual Overlay Layer 3 [RFC8014]
PE - Provider Edge PE - Provider Edge
VN - virtual network VN - virtual network
VXLAN - Virtual eXtensible Local Area Network [RFC7348] VXLAN - Virtual eXtensible Local Area Network [RFC7348]
INTERNET-DRAFT BGP Tunnel Flowspec INTERNET-DRAFT BGP Tunnel Flowspec
2. Tunneled Traffic Flow Specification NLRI 2. Tunneled Traffic Flow Specification NLRI
The Flowspec rules specified in [RFC5575bis], [FlowSpecV6], and The Flowspec rules specified in [RFC5575bis], [FlowSpecV6], and
[FlowSpecL2] cannot match or filter tunneled traffic based on the [FlowSpecL2] cannot match or filter tunneled traffic based on the
tunnel type, any tunnel header fields, or headers past the tunnel tunnel type, any tunnel header fields, or headers past the tunnel
header. To enable flow specification of tunneled traffic, a new SAFI header. To enable flow specification of tunneled traffic, a new SAFI
(TBD1) and NLRI encoding are introduced. This encoding, shown in (TBD1) and NLRI encoding are specified. This encoding, shown in
Figure 1, enables flow specification of more than one layer of header Figure 1, enables flow specification of more than one layer of header
when needed. when needed.
INTERNET-DRAFT BGP Tunnel Flowspec INTERNET-DRAFT BGP Tunnel Flowspec
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Length 2 octets | | Length 2 octets |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Tunnel Type 2 octets | | Tunnel Type 2 octets |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
skipping to change at page 6, line 28 skipping to change at page 6, line 28
| | | |
+ + + +
| | | |
+ Routing Distinguisher 8 octets + + Routing Distinguisher 8 octets +
| | | |
+ + + +
| | | |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Outer Flowspec: Outer Flowspec:
+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+
| Outer Flowspec Length : 1 or 2 octets | Outer Flowspec Length ... 1 or 2 octets
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Outer Flowspec variable : | Outer Flowspec variable :
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Tunnel Header Flowspec: Tunnel Header Flowspec:
+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+
| Tunnel Flowspec Length: 1 or 2 octets | Tunnel Flowspec Length ... 1 or 2 octets
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Tunnel Header Flowspec variable : | Tunnel Header Flowspec variable :
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Optional Inner Flowspec: Optional Inner Flowspec:
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Inner AFI 2 octets | | Inner AFI 2 octets |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Inner Flowspec Length : 1 or 2 octets | Inner Flowspec Length ... 1 or 2 octets
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Inner Flowspec variable : | Inner Flowspec variable :
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Figure 1. Tunneled Traffic Flowspec NLRI Figure 1. Tunneled Traffic Flowspec NLRI
Length - The NLRI Length including the Tunnel Type encoded as an Length - The NLRI Length including the Tunnel Type encoded as an
unsigned integer. unsigned integer.
Tunnel Type - The type of tunnel using a value from the IANA BGP Tunnel Type - The type of tunnel using a value from the IANA BGP
skipping to change at page 7, line 28 skipping to change at page 7, line 28
Outer Flowspec / Length - The flow specification for the outer Outer Flowspec / Length - The flow specification for the outer
header. The length is encoded as provided in Section 4.1 of header. The length is encoded as provided in Section 4.1 of
[RFC5575bis]. The AFI for the Outer Flowspec is the AFI at the [RFC5575bis]. The AFI for the Outer Flowspec is the AFI at the
beginning of the BGP multiprotocol MP_REACH_NLRI or beginning of the BGP multiprotocol MP_REACH_NLRI or
MP_UNREACH_NLRI containing the tunneled traffic flow MP_UNREACH_NLRI containing the tunneled traffic flow
specification NLRI. specification NLRI.
Tunnel Header Flowspec / Length - The flow specification for the Tunnel Header Flowspec / Length - The flow specification for the
tunneling header. This specifies matching criterion on tunnel tunneling header. This specifies matching criterion on tunnel
header fields. The tunnel type itself is indicated by the header fields as well as, implicitly, on the tunnel type which
Tunnel Type field above. For some types of tunneling, such as is indicated by the Tunnel Type field above. For some types of
IP-in-IP, there may be no tunnel header fields. For other types tunneling, such as IP-in-IP, there may be no tunnel header
of tunneling, there may be several tunnel header fields on fields. For other types of tunneling, there may be several
which matching can be specified with this flowspec. tunnel header fields on which matching can be specified with
this flowspec.
Inner AFI - Depending on the Tunnel Type, there may be an Inner AFI Inner AFI - Depending on the Tunnel Type, there may be an Inner AFI
that indicates the address family for the inner flow that indicates the address family for the inner flow
specification. There is no need for a SAFI as the treatment of specification. There is no need for a SAFI as the treatment of
this inner AFI and following flowspec is indicated by the outer this inner AFI and following flowspec is indicated by the outer
SAFI TBD1, the SAFI for a tunneled traffic flow specification. SAFI TBD1, the SAFI for a tunneled traffic flow specification.
Inner Flowspec / Length - Depending on the Tunnel Type, there may be Inner Flowspec / Length - Depending on the Tunnel Type, there may be
an inner flowspec for the header level encapsulated within the an inner flowspec for the header level encapsulated within the
outer header. The length is encoded as provided in Section 4.1 outer header. The length is encoded as provided in Section 4.1
of [RFC5575bis]. of [RFC5575bis].
A Tunneled Traffic Flowspec matches if the Outer Flowspec, Tunnel A Tunneled Traffic Flowspec matches if the Outer Flowspec, Tunnel
Header Flowspec, and Inner Flowspec, if present, all match and the Type, and Tunnel Header Flowspec match and, in addition, each of the
Routing Distinguisher applies, if present. An omitted (as can be done following optional items that is present matches:
for the Inner Flowspec) or null flowspec is considered to always - Inner Flowspec, and
match. - Routing Distinguisher.
An omitted (as can be done for the Inner Flowspec) or null flowspec
is considered to always match.
INTERNET-DRAFT BGP Tunnel Flowspec
2.1 The SAFI Code Point 2.1 The SAFI Code Point
Use of the tunneled traffic flow specification NLRI format is Use of the tunneled traffic flow specification NLRI format is
indicated by SAFI=TBD1. This is used in conjunction with the AFI for indicated by SAFI=TBD1. This is used in conjunction with the AFI for
INTERNET-DRAFT BGP Tunnel Flowspec
the outer header, that is AFI=1 for IPv4, AFI=2 for IPv6, and AFI=6 the outer header, that is AFI=1 for IPv4, AFI=2 for IPv6, and AFI=6
for Layer 2. for Layer 2.
2.2 Tunnel Header Component Code Points 2.2 Tunnel Header Component Code Points
For flowspec based on most tunneling, there are tunnel header fields For most cases of tunneled traffic, there are tunnel header fields
that can be tested by components that appear in the Tunnel Header that can be tested by components that appear in the Tunnel Header
Flowspec field. The types for these components are specified in a Flowspec field. The types for these components are specified in a
Tunnel Header Flowspec component registry (see Section 6). Tunnel Header Flowspec component registry (see Section 6) and the
initial entries in this registry are specified below.
All Tunnel Header field components defined below and all such All Tunnel Header field components defined below and all such
components added in the future have a TLV structure as follows: components added in the future have a TLV structure as follows:
- one octet of type followed by - one octet of type followed by
- one octet giving the length as an unsigned integer number of - one octet giving the length as an unsigned integer number of
octets followed by octets followed by
- the specific matching operations/values as determined by the - the specific matching operations/values as determined by the
type. type.
Type 1 - VN ID Type 1 - VN ID
Encoding: <type (1 octet), length (1 octet), [op, value]+>. Encoding: <type (1 octet), length (1 octet), [op, value]+>.
Defines a list of {operation, value} pairs used to match the Defines a list of {operation, value} pairs used to match the
24-bit VN ID that is used as the tenant identification in some 24-bit VN ID that is used as the tenant identification in some
tunneling headers. For VXLAN encapsulation, the VN ID is the tunneling headers. For VXLAN encapsulation, the VN ID is the
VNI. For NVGRE encapsulation, the VN ID is the VSID. op is VNI. For NVGRE encapsulation, the VN ID is the VSID. op is
encoded as specified in Section 4.2.3 of [RFC5575bis]. Values encoded as specified in Section 4.2.3 of [RFC5575bis]. Values
are encoded as a 1, 2, or 4 octet quantity. If value is are encoded as a 1, 2, or 4 octet quantity. If value is
24-bits, it is left-justified in the first 3 octets of the 24-bits, it is left-justified in the first 3 octets of the
value and the last value octet MUST be sent as zero and ignored value and the last value octet MUST be sent as zero and ignored
on receipt. on receipt.
Type 2 - Flow ID Type 2 - Flow ID
Encoding: <type (1 octet), length (1 octet), [op, value]+> Encoding: <type (1 octet), length (1 octet), [op, value]+>
Defines a list of {operation, value} pairs used to match 8-bit Defines a list of {operation, value} pairs used to match 8-bit
Flow ID fields which are currently only useful for NVGRE Flow ID fields which are currently only useful for NVGRE
encapsulation. op is encoded as specified in Section 4.2.3 of encapsulation. op is encoded as specified in Section 4.2.3 of
[RFC5575bis]. Values are encoded as a 1-octet quantity. [RFC5575bis]. Values are encoded as a 1-octet quantity.
Type 3 - Session Type 3 - Session
Encoding: <type (1 octet), length (1 octet), [op, value]+> Encoding: <type (1 octet), length (1 octet), [op, value]+>
Defines a list of {operation, value} pairs used to match a Defines a list of {operation, value} pairs used to match a
INTERNET-DRAFT BGP Tunnel Flowspec
32-bit Session field. This field is called Key in GRE [RFC2890] 32-bit Session field. This field is called Key in GRE [RFC2890]
encapsulation and Session ID in L2TPv3 encapsulation. op is encapsulation and Session ID in L2TPv3 encapsulation. op is
encoded as specified in Section 4.2.3 of [RFC5575bis]. Values encoded as specified in Section 4.2.3 of [RFC5575bis]. Values
are encoded as a 1, 2, or 4 octet quantity. are encoded as a 1, 2, or 4 octet quantity.
INTERNET-DRAFT BGP Tunnel Flowspec Type 4 - Cookie
Type 4 - Cookie
Encoding: <type (1 octet), length (1 octet), [op, value]+> Encoding: <type (1 octet), length (1 octet), [op, value]+>
Defines a list of {operation, value} pairs used to match a Defines a list of {operation, value} pairs used to match a
variable length Cookie field. This is only useful in L2TPv3 variable length Cookie field. This is only useful in L2TPv3
encapsulation. op is encoded as specified in Section 4.2.3 of encapsulation. op is encoded as specified in Section 4.2.3 of
[RFC5575bis]. Values are encoded as a 1, 2, 4, or 8 octet [RFC5575bis]. Values are encoded as a 1, 2, 4, or 8 octet
quantity. If the Cookie does not fit exactly into the value quantity. If the Cookie does not fit exactly into the value
length, it is left justified, that is, padded with following length, it is left justified and padded with following octets
octets the MUST be sent as zero and ignored on receipt. that MUST be sent as zero and ignored on receipt.
Type 5 - VXLAN-GPE Flags Type 5 - Tunnel Header Flags
Encoding: <type (1 octet), length (1 octet), [op, bitmask]+> Encoding: <type (1 octet), length (1 octet), [op, bitmask]+>
Defines a list of {operation, value} pairs used to match Defines a list of {operation, value} pairs used to match
against the VXLAN-GPE flags field. op is encoded as in Section against the tunnel header flags field. op is encoded as in
4.2.9 of [RFC5575bis]. bitmask is encoded as 1 octet. Section 4.2.9 of [RFC5575bis]. bitmask is encoded as 1 octet
for VXLAN-GPE and 2 octets for L2TP control messages. When
matching on L2TP control message flags, the 3-bit Version
subfield is treated as if it was zero.
Type 6 - L2TP Control Version
Encoding: <type (1 octet), length (1 octet), [op, value]+>
Defines a list of {operation, value} pairs used to match
against the L2TPv3 Control Message Version. op is encoded as in
Section 4.2.3 of [RFC5575bis]. Value is encoded as 1 octet.
Type 7 - L2TPv3 Control Connection ID
Encoding: <type (1 octet), length (1 octet), [op, value]+>
Defines a list of {operation, value} pairs used to match
against the L2TPv3 Control Connection ID. op is encoded as in
Section 4.2.3 of [RFC5575bis]. Value is encoded as 4 octets.
Type 8 - L2TPv3 Ns
Encoding: <type (1 octet), length (1 octet), [op, value]+>
Defines a list of {operation, value} pairs used to match
against the L2TPv3 control message Ns field. op is encoded as
in Section 4.2.3 of [RFC5575bis]. Value is encoded as 2 octets.
Type 9 - L2TPv3 Nr
Encoding: <type (1 octet), length (1 octet), [op, value]+>
INTERNET-DRAFT BGP Tunnel Flowspec
Defines a list of {operation, value} pairs used to match
against the L2TPv3 control message Nr field. op is encoded as
in Section 4.2.3 of [RFC5575bis]. Value is encoded as 2 octets.
2.3 Specific Tunnel Types 2.3 Specific Tunnel Types
The following subsections describe how to handle flow specification The following subsections describe how to handle flow specification
for several specific tunnel types. for several specific tunnel types.
2.3.1 VXLAN 2.3.1 VXLAN
The headers on a VXLAN [RFC7348] data packet are an outer Ethernet The headers on a VXLAN [RFC7348] data packet are an outer Ethernet
header, an outer IP header, a UDP header, the VXLAN header, and an header, an outer IP header, a UDP header, the VXLAN header, and an
inner Ethernet header. This inner Ethernet header is frequently, but inner Ethernet header. This inner Ethernet header is frequently, but
not always, followed by an inner IP header. If the tunnel type is not always, followed by an inner IP header. If the tunnel type is
VXLAN, the I flag MUST be set. VXLAN, the I flag MUST be set in the Tunneled Traffic Flow
Specification.
If the outer Ethernet header is not being matched, the version (IPv4 If the outer Ethernet header is not being matched, the version (IPv4
or IPv6) of the outer IP header is indicated by the AFI at the or IPv6) of the outer IP header is indicated by the AFI at the
beginning of the multiprotocol MP_REACH_NLRI or MP_UNREACH_NLRI beginning of the multiprotocol MP_REACH_NLRI or MP_UNREACH_NLRI
containing the tunneled traffic flow specification NLRI. The outer containing the Tunneled Traffic Flow Specification NLRI. The outer
Flowspec is used to filter the outer headers including, if desired, Flowspec is used to filter the outer headers including, if desired,
the UDP header. the UDP header.
If the outer Ethernet header is being matched, then the initial AFI If the outer Ethernet header is being matched, then the initial AFI
is 6 [FlowSpecL2] and the Outer Flowspec can match the outer Ethernet is 6 [FlowSpecL2] and the Outer Flowspec can match the outer Ethernet
header, specify the IP version of the outer IP header, and match that header, specify the IP version of the outer IP header, and match that
IP header including, if desired, the UDP header. IP header including, if desired, the UDP header.
The Tunnel Header Flowspec can be used to filter on the VXLAN header The Tunnel Header Flowspec can be used to filter on the VXLAN header
VN ID (VNI). VN ID (VNI).
INTERNET-DRAFT BGP Tunnel Flowspec
The Inner Flowspec can be used on the Inner Ethernet header The Inner Flowspec can be used on the Inner Ethernet header
[FlowSpecL2] and any following IP header. If the inner AFI is 6, [FlowSpecL2] and any following IP header. If the inner AFI is 6,
then the inner Flowspec provides filtering of the Layer 2 header, then the inner Flowspec provides filtering of the Layer 2 header,
indicates whether filtering on a following IPv4 or IPv6 header is indicates whether filtering on a following IPv4 or IPv6 header is
desired, and if it is desired provides the Flowspec components for desired, and if it is desired provides the Flowspec components for
that filtering. If the Inner AFI is 1 or 2, the Inner Ethernet that filtering. If the Inner AFI is 1 or 2, the Inner Ethernet
header is not matched and to match the Flowspec the Inner Ethernet header is not matched and to match the Flowspec the Inner Ethernet
header must be followed by an IPv4 or IPv6 header, respectively, and header must be followed by an IPv4 or IPv6 header, respectively, and
the inner Flowspec is used to filter that inner IP header. the inner Flowspec is used to filter that inner IP header.
The inner MAC/IP address is associated with the VN ID. In the NVO3 The inner MAC/IP address is associated with the VN ID. In the NVO3
terminating into a VPN scenario, if multiple access VN IDs map to one terminating into a VPN scenario, if multiple access VN IDs map to one
VPN instance, one shared VN ID can be carried in the flowspec rule to VPN instance, one shared VN ID can be carried in the flowspec rule to
INTERNET-DRAFT BGP Tunnel Flowspec
enforce the rule on the entire VPN instance and the shared VN ID and enforce the rule on the entire VPN instance and the shared VN ID and
VPN correspondence should be configured on each VPN PE beforehand. In VPN correspondence should be configured on each VPN PE beforehand. In
this case, the function of the Layer 3 VN ID is the same as a Route this case, the function of the Layer 3 VN ID is the same as a Route
Distinguisher: it acts as the identification of the VPN instance. Distinguisher: it acts as the identification of the VPN instance.
2.3.2 VXLAN-GPE 2.3.2 VXLAN-GPE
VXLAN-GPE [GPE] is similar to VXLAN. The VXLAN-GPE header is the same VXLAN-GPE [GPE] is similar to VXLAN. The VXLAN-GPE header is the same
size as the VXLAN header but has been extended from the VXLAN header size as the VXLAN header but has been extended from the VXLAN header
by specifying a number of bits that are reserved in the VXLAN header. by specifying a number of bits that are reserved in the VXLAN header.
In particular, a number of additional flag bits are specified and a In particular, a number of additional flag bits are specified and a
Next Protocol field is added that is valid if the P flag bit is set. Next Protocol field is added that is valid if the P flag bit is set
These flags bits can be tested using the VXLAN-GPE Flags flowspec in the VXLAN-GPE header. These flags bits can be tested using the
component defined above. VXLAN and VXLAN-GPE are distinguished by the Tunnel Header Flags flowspec component defined above. VXLAN and
port number in the UDP header the precedes the VXLAN or VXLAN-GPE VXLAN-GPE are distinguished by the port number in the UDP header the
headers. precedes the VXLAN or VXLAN-GPE headers.
If the VXLAN-GPE header P flag is zero, then that header is followed If the VXLAN-GPE header P flag is zero, then that header is followed
by the same sequence as for VXLAN and the same flowspec choices apply by the same sequence as for VXLAN and the same flowspec choices apply
(see Section 2.3.1). (see Section 2.3.1).
If the VXLAN-GPE header P flag is one and that header's next protocol If the VXLAN-GPE header P flag is one and that header's next protocol
field is 1, then the VXLAN-GPE header is followed by an IPv4 header. field is 1, then the VXLAN-GPE header is followed by an IPv4 header
The Inner Flowspec matches only if the Inner AFI is 1 and the Inner (there is no Inner Ethernet header). The Inner Flowspec matches only
Flowspec matches. if the Inner AFI is 1 and the Inner Flowspec matches.
If the VXLAN-GPE header P flag is one and that header's next protocol If the VXLAN-GPE header P flag is one and that header's next protocol
field is 2, then the VXLAN-GPE header is followed by an IPv6 header. field is 2, then the VXLAN-GPE header is followed by an IPv6 header
The Inner Flowspec match only if the Inner AFI is 2 and the Inner (there is no Inner Ethernet header). The Inner Flowspec match only
Flowspec matches. if the Inner AFI is 2 and the Inner Flowspec matches.
INTERNET-DRAFT BGP Tunnel Flowspec
2.3.3 NVGRE 2.3.3 NVGRE
NVGRE [RFC7637] is very similar to VXLAN except that the UDP header NVGRE [RFC7637] is similar to VXLAN except that the UDP header and
and VXLAN header immediately after the outer IP header are replaced VXLAN header immediately after the outer IP header are replaced by a
by a GRE (Generic Router Encapsulation) header. The GRE header as GRE (Generic Router Encapsulation) header. The GRE header as used in
used in NVGRE has no Checksum or Reserved1 field as shown in NVGRE has no Checksum or Reserved1 field as shown in [RFC2890] but
[RFC2890] but there are Virtual Subnet ID and Flow ID fields in place there are Virtual Subnet ID and Flow ID fields in place of what is
of what is labeled in [RFC2890] as the Key field. Processing and labeled in [RFC2890] as the Key field. Processing and restrictions
restrictions for NVGRE are as in Section 2.3.1 eliminating references for NVGRE are as in Section 2.3.1 eliminating references to a UDP
to a UDP header and replacing references to the VXLAN header and its header and replacing references to the VXLAN header and its VN ID
VN ID with references to the GRE header and its VN ID (VSID) and Flow with references to the GRE header and its VN ID (VSID) and Flow ID.
ID.
INTERNET-DRAFT BGP Tunnel Flowspec
2.3.4 L2TPv3 2.3.4 L2TPv3
The headers on an L2TPv3 [RFC3931] packets are an outer Ethernet The headers on an L2TPv3 [RFC3931] packets are an outer Ethernet
header, an outer IP header, the L2TPv3 header, an inner Ethernet header, an outer IP header, the L2TPv3 header, an inner Ethernet
header, and possibly an inner IP header if indicated by the inner header, and possibly an inner IP header if indicated by the inner
Ethernet header EtherType. The Outer Flowspec operates on the outer Ethernet header EtherType. The Outer Flowspec operates on the outer
headers that precede the GRE header. The version of IP in the outer headers that precede the L2TP Session Header. The version of IP in
IP header is specified by either the outer AFI at the beginning of the outer IP header is specified by either the outer AFI at the
the MP_REACH_NLRI or MP_UNREACH_NLRI or, if that AFI is 6 (L2), beginning of the MP_REACH_NLRI or MP_UNREACH_NLRI or, if that AFI is
optionally specified by the inner AFI within that L2 flowspec. 6 (L2), optionally specified by the inner AFI within that L2
flowspec.
The L2TPv3 header consists of a 32-bit Session ID followed by a L2TPv3 data messages and control messages both start with a Session
variable length Cookie (maximum length 8 octets). The Session ID and ID and are distinguished by whether the Session ID is non-zero or
Cookie can be filtered for by using the Session and Cookie flowspec zero, respectively. Data message filtering is further specified in
components in the Tunnel Header Flowspec. To filter on Cookie or even Section 2.3.4.1 and control message filtering is further specified in
be able to bypass Cookie and parse the remainder of the L2TPv3 Section 2.3.4.2.
packet, the node implementing flowspec needs to know the length
and/or value of the Cookie fields of interest. This is negotiated at 2.3.4.1 L2TPv3 Data Messages
L2TPv3 session establishment and it is out of scope for this document
how the node would learn this information. Of course, if flowspec is For data messages, the L2TPv3 Session Header consists of a 32-bit
being used for DDOS mitigation and the Cookie has a fixed length non-zero Session ID followed by a variable length Cookie (maximum
and/or value in the DDOS traffic, this could be learned by inspecting length 8 octets). A Tunnel Header flowspec is assumed to apply to
that traffic. data messages unless the first component requires a zero Session ID.
The Session ID and Cookie can be filtered on by using the Session and
Cookie flowspec components in the Tunnel Header Flowspec. To filter
on Cookie or even be able to bypass Cookie and parse the remainder of
the L2TPv3 packet, the node implementing flowspec needs to know the
length and/or value of the Cookie fields of interest. This is
negotiated at L2TPv3 session establishment and it is out of scope for
this document how the node would learn this information. Of course,
if flowspec is being used for DDOS mitigation and the Cookie has a
fixed length and/or value in the DDOS traffic, this could be learned
by inspecting that traffic.
If the I flag bit is zero, then no filtering is done on data beyond If the I flag bit is zero, then no filtering is done on data beyond
the L2TPv3 header. If the I flag is one, indicating the presence of the L2TPv3 header. If the I flag is one, indicating the presence of
an Inner Flowspec, and the node implementing flowspec does not know an Inner Flowspec, and the node implementing flowspec does not know
the length of the L2TPv3 header Cookie, the match fails. If that node the length of the L2TPv3 header Cookie, the match fails. If that node
does know the length of that Cookie, the Inner Flowspec if matched does know the length of that Cookie, the Inner Flowspec if matched
against the headers at the beginning of that data using the Inner against the headers at the beginning of that data using the Inner
AFI. If that Inner AFI is 1 or 2, then an inner IP header is required AFI. If that Inner AFI is 1 or 2, then an inner IP header is required
and filtering can be done on the Ethernet header immediately after and filtering can be done on that IPv4 or IPv6 header respectively.
the L2TPv3 header and the following IPv4 or IPv6 headers If the Inner AFI is 6, filtering is done on the inner Ethernet header
respectively. If the Inner AFI is 6, filtering is done on the inner and, if an IPv4 or IPv6 inner AFI is specified within the inner L2
Ethernet header and, if a non-zero inner AFI is specified within the flowspec, done on the following IP header [FlowSpecL2].
INTERNET-DRAFT BGP Tunnel Flowspec INTERNET-DRAFT BGP Tunnel Flowspec
inner L2 flowspec, done on the following IP header [FlowSpecL2]. 2.3.4.2 L2TPv3 Control Messages
Control messages are distinguished by starting with a zero 32-bit
Session ID. L2TPv3 control message flowspecs MUST start with a
Session component that requires Session to be zero. For L2TPv3
control messages, there is no Cookie but there are L2TPv3 flags, a
3-bit Version field, a 32-bit Control Connection ID, and 16-bit Ns
and Nr sequence numbers. These can be tested using the Tunnel Header
Flags, L2TP Control Version, L2TPv3 Control Connection ID, L2TPv3 Ns,
and L2TPv3 Nr flowspec components for the Tunnel Header Flowspec.
2.3.5 GRE 2.3.5 GRE
Generic Router Encapsulation (GRE [RFC2890]) is another type of Generic Router Encapsulation (GRE [RFC2890]) is another type of
encapsulation. The Outer Flowspec operates on the outer headers that encapsulation. The Outer Flowspec operates on the outer headers that
precede the GRE header. The version of IP is specified by the outer precede the GRE header. The version of IP is specified by the outer
AFI at the beginning of the MP_REACH_NLRI or MP_UNREACH_NLRI. AFI at the beginning of the MP_REACH_NLRI or MP_UNREACH_NLRI.
If the I flag bit is zero, no filtering is done on data after the GRE If the I flag bit is zero, no filtering is done on data after the GRE
header. If the I flag bit is one, then there is an inner AFI and header. If the I flag bit is one in the tunnel flowspec, then there
flowspec and the Protocol Type field of the GRE header must match the is an inner AFI and inner flowspec and the Protocol Type field of the
Inner AFI as follows for the Flowspec to match: GRE header must match the Inner AFI as follows for the tunnel
Flowspec to match:
GRE Protocol Type Inner AFI GRE Protocol Type Inner AFI
------------------- ----------- ------------------- -----------
0x0800 (IPv4) 1 0x0800 (IPv4) 1
0x86DD (IPv6) 2 0x86DD (IPv6) 2
0x6558 6 0x6558 6
With the I flag a one and the Inner AFI and GRE Protocol Type fields With the I flag a one and the Inner AFI and GRE Protocol Type fields
match, the Inner Flowspec is used to filter the inner IP headers match, the Inner Flowspec is used to filter the inner IP headers
(Inner AFI=1 or 2) or the inner Ethernet header and optionally a (Inner AFI=1 or 2) or the inner Ethernet header and optionally a
following IP header (Inner AFI=6). following IP header (Inner AFI=6).
2.3.6 IP-in-IP 2.3.6 IP-in-IP
IP-in-IP encapsulation is indicated when an outer IP header indicates IP-in-IP encapsulation [RFC2003] is indicated when an outer IP header
an inner IP IPv4 or IPv6 header by the value of the outer IP header's indicates an inner IP IPv4 or IPv6 header by the value of the outer
Protocol (IPv4) or Next Protocol (IPv6) field. IP header's Protocol (IPv4) or Next Protocol (IPv6) field.
The IP version of the outer IP header (IPv4 or IPv6) matched is The IP version of the outer IP header (IPv4 or IPv6) matched is
indicated by an AFI of 1 or 2 at the beginning of the MP_REACH_NLRI indicated by an AFI of 1 or 2 at the beginning of the MP_REACH_NLRI
or MP_UNREACH_NLRI while if that AFI is 6, it indicates a match on or MP_UNREACH_NLRI while if that AFI is 6, it indicates a match on
the out Ethernet header and, optionally, the following IP Header the out Ethernet header and, optionally, the following IP Header
[FlowSpecL2]. The IP version of the inner IP header is indicated by [FlowSpecL2]. The IP version of the inner IP header is indicated by
INTERNET-DRAFT BGP Tunnel Flowspec
the Inner AFI and the Inner Flowspec applies to the inner IP header. the Inner AFI and the Inner Flowspec applies to the inner IP header.
There are no fields that can be matched by the Tunnel Header Flowspec There are no fields that can be matched by the Tunnel Header Flowspec
in the case of IP-in-IP. in the case of IP-in-IP.
INTERNET-DRAFT BGP Tunnel Flowspec
2.4 Tunneled Traffic Actions 2.4 Tunneled Traffic Actions
The traffic filtering actions previously specified in [RFC5575bis] The traffic filtering actions previously specified in [RFC5575bis]
and [FlowSpecL2] are used for tunneled traffic. For Traffic Marking and [FlowSpecL2] are used for tunneled traffic. For Traffic Marking
in NVO3, only the DSCP in the outer header can be modified. in NVO3, only the DSCP in the outer header can be modified.
INTERNET-DRAFT BGP Tunnel Flowspec INTERNET-DRAFT BGP Tunnel Flowspec
3. Order of Traffic Filtering Rules 3. Order of Traffic Filtering Rules
skipping to change at page 14, line 41 skipping to change at page 15, line 41
- If the Outer Flowspecs are equal, then the Tunnel Header Flowspecs - If the Outer Flowspecs are equal, then the Tunnel Header Flowspecs
are compared using the usual sequential component comparison are compared using the usual sequential component comparison
process [RFC5575bis]. process [RFC5575bis].
- If the Tunnel Header Flowspecs are equal then compare the "I" - If the Tunnel Header Flowspecs are equal then compare the "I"
flag. Those with an Inner Flowspec take precedence over those flag. Those with an Inner Flowspec take precedence over those
without an Inner Flowspec. If you get to this stage in the without an Inner Flowspec. If you get to this stage in the
ordering process, those without an Inner Flowspec are equal. For ordering process, those without an Inner Flowspec are equal. For
those with an Inner Flowspec, check the Inner AFI. An L2 Inner AFI those with an Inner Flowspec, check the Inner AFI. An L2 Inner AFI
(AFI=6) takes precedence over an L2 Inner AFI. (AFI=6) takes precedence over an L3 Inner AFI.
- If the Inner AFIs are equal, precedence is determined by comparing - If the Inner AFIs are equal, precedence is determined by comparing
the Inner Flowspecs as described in [FlowSpecL2] for L2 or the Inner Flowspecs as described in [FlowSpecL2] for L2 or
[RFC5575bis] for L3. [RFC5575bis] for L3.
INTERNET-DRAFT BGP Tunnel Flowspec INTERNET-DRAFT BGP Tunnel Flowspec
4. Flow Spec Validation 4. Flow Spec Validation
Flowspecs received over AFI=1/SAFI=TBD1 or AFI=2/SFAI=TBD1 are Flowspecs received over AFI=1/SAFI=TBD1 or AFI=2/SFAI=TBD1 are
skipping to change at page 15, line 21 skipping to change at page 17, line 5
reachability received over AFI=1/SAFI=133 and AFI=2/SAFI=133 reachability received over AFI=1/SAFI=133 and AFI=2/SAFI=133
respectively, as modified by [FlowSpecOID]. respectively, as modified by [FlowSpecOID].
5. Security Considerations 5. Security Considerations
No new security issues are introduced to the BGP protocol by this No new security issues are introduced to the BGP protocol by this
specification. specification.
For general Flowspec security considerations, see [rfc5575bis]. For general Flowspec security considerations, see [rfc5575bis].
INTERNET-DRAFT BGP Tunnel Flowspec
6. IANA Considerations 6. IANA Considerations
IANA is requested to assign a new SAFI as follows: IANA is requested to assign a new SAFI as follows:
Value Description Reference Value Description Reference
----- ------------------------------------------ --------------- ----- ------------------------------------------ ---------------
TBD1 Tunneled traffic flow specification rules [This document] TBD1 Tunneled traffic flow specification rules [This document]
IANA is requested to create a Tunnel Header Flow Spec Component Type IANA is requested to create a Tunnel Header Flow Spec Component Type
registry on the Flow Spec Component Types registries web page as registry on the Flow Spec Component Types registries web page as
skipping to change at page 15, line 42 skipping to change at page 17, line 28
Name: Tunnel Flow Spec Component Types Name: Tunnel Flow Spec Component Types
Reference: [this document] Reference: [this document]
Registration Procedures: Registration Procedures:
0 Reserved 0 Reserved
1-127 Specification Required 1-127 Specification Required
128-254 First Come First Served 128-254 First Come First Served
255 Reserved 255 Reserved
Initial contents: Initial contents:
Type Name Reference Type Name Reference
----- -------------- ----------------- ----- -------------- -----------------
0 reserved [this document] 0 reserved [this document]
1 VN ID [this document] 1 VN ID [this document]
2 Flow ID [this document] 2 Flow ID [this document]
3 Session [this document] 3 Session [this document]
4 Cookie [this document] 4 Cookie [this document]
5 VXLAN-GPE Flags [this document] 5 Tunnel Header Flags [this document]
6-254 unassigned [this document] 6 L2TP Control Version [this document]
255 reserved [this document] 7 L2TPv3 Control Connection ID
[this document]
8 L2TPv3 Ns [this document]
9 L2TPv3 Nr [this document]
10-254 unassigned [this document]
255 reserved [this document]
INTERNET-DRAFT BGP Tunnel Flowspec INTERNET-DRAFT BGP Tunnel Flowspec
Normative References Normative References
[RFC2003] - Perkins, C., "IP Encapsulation within IP", RFC 2003, DOI
10.17487/RFC2003, October 1996, <https://www.rfc-
editor.org/info/rfc2003>.
[RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119,
March 1997, <https://www.rfc-editor.org/info/rfc2119>. March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2474] - Nichols, K., Blake, S., Baker, F., and D. Black,
"Definition of the Differentiated Services Field (DS Field) in
the IPv4 and IPv6 Headers", RFC 2474, DOI 10.17487/RFC2474,
December 1998, <https://www.rfc-editor.org/info/rfc2474>.
[RFC2890] - Dommety, G., "Key and Sequence Number Extensions to GRE", [RFC2890] - Dommety, G., "Key and Sequence Number Extensions to GRE",
RFC 2890, DOI 10.17487/RFC2890, September 2000, RFC 2890, DOI 10.17487/RFC2890, September 2000,
<https://www.rfc-editor.org/info/rfc2890>. <https://www.rfc-editor.org/info/rfc2890>.
[RFC3931] - Lau, J., Ed., Townsley, M., Ed., and I. Goyret, Ed., [RFC3931] - Lau, J., Ed., Townsley, M., Ed., and I. Goyret, Ed.,
"Layer Two Tunneling Protocol - Version 3 (L2TPv3)", RFC 3931, "Layer Two Tunneling Protocol - Version 3 (L2TPv3)", RFC 3931,
DOI 10.17487/RFC3931, March 2005, <https://www.rfc- DOI 10.17487/RFC3931, March 2005, <https://www.rfc-
editor.org/info/rfc3931>. editor.org/info/rfc3931>.
[RFC4271] - Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI
10.17487/RFC4271, January 2006, <https://www.rfc-
editor.org/info/rfc4271>.
[RFC4760] - Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
"Multiprotocol Extensions for BGP-4", RFC 4760, DOI
10.17487/RFC4760, January 2007, <https://www.rfc-
editor.org/info/rfc4760>.
[RFC7348] - Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, [RFC7348] - Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
L., Sridhar, T., Bursell, M., and C. Wright, "Virtual L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
eXtensible Local Area Network (VXLAN): A Framework for eXtensible Local Area Network (VXLAN): A Framework for
Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", Overlaying Virtualized Layer 2 Networks over Layer 3 Networks",
RFC 7348, DOI 10.17487/RFC7348, August 2014, <https://www.rfc- RFC 7348, DOI 10.17487/RFC7348, August 2014, <https://www.rfc-
editor.org/info/rfc7348>. editor.org/info/rfc7348>.
[RFC7637] - Garg, P., Ed., and Y. Wang, Ed., "NVGRE: Network [RFC7637] - Garg, P., Ed., and Y. Wang, Ed., "NVGRE: Network
Virtualization Using Generic Routing Encapsulation", RFC 7637, Virtualization Using Generic Routing Encapsulation", RFC 7637,
DOI 10.17487/RFC7637, September 2015, <https://www.rfc- DOI 10.17487/RFC7637, September 2015, <https://www.rfc-
editor.org/info/rfc7637>. editor.org/info/rfc7637>.
[RFC8174] - Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May
2017, <https://www.rfc-editor.org/info/rfc8174>. 2017, <https://www.rfc-editor.org/info/rfc8174>.
INTERNET-DRAFT BGP Tunnel Flowspec
[FlowSpecL2] - W. Hao, et al, "Dissemination of Flow Specification [FlowSpecL2] - W. Hao, et al, "Dissemination of Flow Specification
Rules for L2 VPN", draft-ietf-idr-flowspec-l2vpn, work in Rules for L2 VPN", draft-ietf-idr-flowspec-l2vpn, work in
progress. progress.
[FlowSpecOID] - J. Uttaro, J. Alcaide, C. Filsfils, D. Smith, P. [FlowSpecOID] - J. Uttaro, J. Alcaide, C. Filsfils, D. Smith, P.
Mohapatra, "Revised Validation Procedure for BGP Flow Mohapatra, "Revised Validation Procedure for BGP Flow
Specifications", draft-ietf-idr-bgp-flowspec-oid, work in Specifications", draft-ietf-idr-bgp-flowspec-oid, work in
progress. progress.
[FlowSpecV6] - R. Raszuk, et al, "Dissemination of Flow Specification [FlowSpecV6] - R. Raszuk, et al, "Dissemination of Flow Specification
Rules for IPv6", draft-ietf-idr-flow-spec-v6, work in progress. Rules for IPv6", draft-ietf-idr-flow-spec-v6, work in progress.
[RFC5575bis] - Hares, S., Loibl, C., Raszuk, R., McPherson, D., [RFC5575bis] - Hares, S., Loibl, C., Raszuk, R., McPherson, D.,
Bacher, M., "Dissemination of Flow Specification Rules", draft- Bacher, M., "Dissemination of Flow Specification Rules",
ietf-idr-rfc5575bis, Work in progress. draft-ietf-idr-rfc5575bis, work in progress.
INTERNET-DRAFT BGP Tunnel Flowspec
Informative References Informative References
[RFC8014] - Black, D., Hudson, J., Kreeger, L., Lasserre, M., and T. [RFC8014] - Black, D., Hudson, J., Kreeger, L., Lasserre, M., and T.
Narten, "An Architecture for Data-Center Network Virtualization Narten, "An Architecture for Data-Center Network Virtualization
over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December
2016, <https://www.rfc-editor.org/info/rfc8014>. 2016, <https://www.rfc-editor.org/info/rfc8014>.
[GPE] - P. Quinn, et al, "Generic Protocol Extension for VXLAN", [GPE] - P. Quinn, et al, "Generic Protocol Extension for VXLAN",
draft-ietf-nvo3-vxlan-gpe, work in progress. draft-ietf-nvo3-vxlan-gpe, work in progress.
 End of changes. 54 change blocks. 
130 lines changed or deleted 220 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/