draft-ietf-idr-flowspec-path-redirect-04.txt | draft-ietf-idr-flowspec-path-redirect-05.txt | |||
---|---|---|---|---|
IDR Working Group G. Van de Velde, Ed. | IDR Working Group G. Van de Velde, Ed. | |||
Internet-Draft Nokia | Internet-Draft Nokia | |||
Intended status: Standards Track K. Patel | Intended status: Standards Track K. Patel | |||
Expires: November 16, 2018 Arrcus | Expires: November 17, 2018 Arrcus | |||
Z. Li | Z. Li | |||
Huawei Technologies | Huawei Technologies | |||
May 15, 2018 | May 16, 2018 | |||
Flowspec Indirection-id Redirect | Flowspec Indirection-id Redirect | |||
draft-ietf-idr-flowspec-path-redirect-04 | draft-ietf-idr-flowspec-path-redirect-05 | |||
Abstract | Abstract | |||
This document defines a new extended community known as "FlowSpec | This document defines a new extended community known as "FlowSpec | |||
Redirect to indirection-id Extended Community". This extended | Redirect to indirection-id Extended Community". This extended | |||
community triggers advanced redirection capabilities to flowspec | community triggers advanced redirection capabilities to flowspec | |||
clients. When activated, this flowspec extended community is used by | clients. When activated, this flowspec extended community is used by | |||
a flowspec client to retrieve the corresponding next-hop and encoding | a flowspec client to retrieve the corresponding next-hop and encoding | |||
information within a localised indirection-id mapping table. | information within a localised indirection-id mapping table. | |||
skipping to change at page 1, line 48 ¶ | skipping to change at page 1, line 48 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on November 16, 2018. | This Internet-Draft will expire on November 17, 2018. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 3, line 27 ¶ | skipping to change at page 3, line 27 ¶ | |||
Each indirection-id serves as anchor point, for policy-based | Each indirection-id serves as anchor point, for policy-based | |||
forwarding onto an explicit path by a flowspec client. | forwarding onto an explicit path by a flowspec client. | |||
2. indirection-id and indirection-id table | 2. indirection-id and indirection-id table | |||
The indirection-id is a 32-bit unsigned number, used as anchor point | The indirection-id is a 32-bit unsigned number, used as anchor point | |||
on a flowspec client for policy-based forwarding onto an explicit | on a flowspec client for policy-based forwarding onto an explicit | |||
path by a flowspec client. | path by a flowspec client. | |||
The indirection-id table is the table construct of indirection-id | The indirection-id table is the table construct of indirection-id | |||
values, grouped by indirection-id "Context Type". Each entry in this | values, grouped by indirection-id "ID-Type". Each entry in this | |||
table contains policy-based forwarding and encoding instructions. | table contains policy-based forwarding and encoding instructions. | |||
The configuration of the indirection-id table on a flowspec client is | The configuration of the indirection-id table on a flowspec client is | |||
a localised operation on each router, and MAY happen out-of-band from | a localised operation on each router, and MAY happen out-of-band from | |||
BGP flowspec. For some use-case scenarios the indirection-id | BGP flowspec. For some use-case scenarios the indirection-id "ID- | |||
"Context Type" provides additional (maybe even fully sufficient) | Type" provides additional (maybe even fully sufficient) context for a | |||
context for a flowspec client for policy based forwarding, making a | flowspec client for policy based forwarding, making a localised | |||
localised indirection-id table obsolete. For example, when the | indirection-id table obsolete. For example, when the indirection-id | |||
indirection-id refers to a MPLS segment routing node-id [6], then the | refers to a MPLS segment routing node-id [6], then the indirection-id | |||
indirection-id provides sufficient information for a segment routing | provides sufficient information for a segment routing lookup on the | |||
lookup on the flowspec client. | flowspec client. | |||
3. Use Case Scenarios | 3. Use Case Scenarios | |||
This section describes a few use-case scenarios when deploying | This section describes a few use-case scenarios when deploying | |||
"Redirect to indirection-id". | "Redirect to indirection-id". | |||
3.1. Redirection shortest Path tunnel | 3.1. Redirection shortest Path tunnel | |||
Description: | Description: | |||
The first use-case describes an example where a single flowspec route | The first use-case describes an example where a single flowspec route | |||
is sent from a BGP flowspec controller to many BGP flowspec clients. | is sent from a BGP flowspec controller to many BGP flowspec clients. | |||
This BGP flowspec route carries the "Redirect to indirection-id" to | This BGP flowspec route carries the "Redirect to indirection-id" to | |||
all flowspec clients with intent to redirect matching dataflows onto | all flowspec clients with intent to redirect matching dataflows onto | |||
a shortest-path tunnel pointing towards a single remote destination. | a shortest-path tunnel pointing towards a single remote destination. | |||
In this first use-case scenario, each flowspec client receives | In this first use-case scenario, each flowspec client receives | |||
flowspec routes. The received flowspec routes have the extended | flowspec routes. The received flowspec routes have the extended | |||
"Redirect to indirection-id" community attached. Each "Redirect to | "Redirect to indirection-id" community attached. Each "Redirect to | |||
indirection-id" community embeds two relevant components: (1) 32-bit | indirection-id" community embeds two relevant components: (1) 32-bit | |||
indirection-id and (2) context type. These two components provide | indirection-id and (2) ID-type. These two components provide the | |||
the flowspec client with sufficient information for policy based | flowspec client with sufficient information for policy based | |||
forwarding, with intent to steer and encapsulate the data-packet | forwarding, with intent to steer and encapsulate the data-packet | |||
accordingly upon a shortest path tunnel to a single remote end-point. | accordingly upon a shortest path tunnel to a single remote end-point. | |||
Requirements: | Requirements: | |||
For redirect to shortest path tunnel it is required that the tunnel | For redirect to shortest path tunnel it is required that the tunnel | |||
MUST be operational and allow packets to flow between tunnel head- | MUST be operational and allow packets to flow between tunnel head- | |||
and tail-end. | and tail-end. | |||
Example: Indirection-ID community "Context Type" which can be used: | Example: Indirection-ID community "ID-Type" which can be used: | |||
o 0 (localised ID): When the intent is to use a localised | o 0 (localised ID): When the intent is to use a localised | |||
Indirection-id table, configured through out-of-band procedures. | Indirection-id table, configured through out-of-band procedures. | |||
o 1 or 2 (Node ID's): This type can be used when the goal is to use | o 1 or 2 (Node ID's): This type can be used when the goal is to use | |||
MPLS based Segment Routing towards a remote destination. In this | MPLS based Segment Routing towards a remote destination. In this | |||
use-case scenario the flowspec rule contains a SR (Segment | use-case scenario the flowspec rule contains a SR (Segment | |||
Routing) node SID to steer traffic towards. | Routing) node SID to steer traffic towards. | |||
3.2. Redirection to path-engineered tunnels | 3.2. Redirection to path-engineered tunnels | |||
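Review bot: The renamed field is spelled "ID-type" in the section 3.1 paragraph ("(1) 32-bit indirection-id and (2) ID-type") but "ID-Type" everywhere else in this hunk, including the section 2 text and the "Example: Indirection-ID community" line. Use one spelling throughout, preferably "ID-Type" to match the field label in Figure 1, so the term can be searched and cross-referenced consistently.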
skipping to change at page 4, line 45 ¶ | skipping to change at page 4, line 45 ¶ | |||
The second use-case describes an example where a single flowspec | The second use-case describes an example where a single flowspec | |||
route is sent from a BGP flowspec controller to many BGP flowspec | route is sent from a BGP flowspec controller to many BGP flowspec | |||
clients. This BGP flowspec route carries policy information to steer | clients. This BGP flowspec route carries policy information to steer | |||
traffic upon a path-engineered tunnel. It is assumed that the path | traffic upon a path-engineered tunnel. It is assumed that the path | |||
engineered tunnels are configured using out-of-band from BGP | engineered tunnels are configured using out-of-band from BGP | |||
flowspec. | flowspec. | |||
Segment Routing Example: | Segment Routing Example: | |||
For this example the indirection-id "Context Type" points towards a | For this example the indirection-id "ID-Type" points towards a | |||
Segment Routing Binding SID. The Binding SID is a segment identifier | Segment Routing Binding SID. The Binding SID is a segment identifier | |||
value (as per segment routing definitions in [I-D.draft-ietf-spring- | value (as per segment routing definitions in [I-D.draft-ietf-spring- | |||
segment-routing] [6]) used to associate an explicit path. The | segment-routing] [6]) used to associate an explicit path. The | |||
Binding SID and the associated path engineered tunnel may for example | Binding SID and the associated path engineered tunnel may for example | |||
be setup by a controller using BGP as specified in [I-D.sreekantiah- | be setup by a controller using BGP as specified in [I-D.sreekantiah- | |||
idr-segment-routing-te] [5] or alternatly by using PCEP as detailed | idr-segment-routing-te] [5] or alternately by using PCEP as detailed | |||
in draft-ietf-pce-segment-routing [7]. To conclude, when a BGP | in draft-ietf-pce-segment-routing [7]. To conclude, when a BGP | |||
speaker at some point in time receives a flowspec route with an | speaker at some point in time receives a flowspec route with an | |||
extended "Redirect to indirection-id' community, it installs a | extended "Redirect to indirection-id' community, it installs a | |||
policy-based forwarding rule to redirect packets onto an explicit | policy-based forwarding rule to redirect packets onto an explicit | |||
path, associated with the corresponding Binding SID. The encoding of | path, associated with the corresponding Binding SID. The encoding of | |||
the Binding SID within the "Redirect to indirection-id" extended | the Binding SID within the "Redirect to indirection-id" extended | |||
community is specified in section 4. | community is specified in section 4. | |||
Requirements: | Requirements: | |||
For redirect to path engineered tunnels it is required that the | For redirect to path engineered tunnels it is required that the | |||
tunnel MUST be operational and allow packets to flow over the | tunnel MUST be operational and allow packets to flow over the | |||
engineered path between tunnel head- and tail-end. | engineered path between tunnel head- and tail-end. | |||
Example: Indirection-ID community "Context Type" to be used: | Example: Indirection-ID community "ID-Type" to be used: | |||
o 0 (localised ID): When the intent is to policy-based steer traffic | o 0 (localised ID): When the intent is to policy-based steer traffic | |||
using Indirection. The engineered path is configured through out- | using Indirection. The engineered path is configured through out- | |||
of-band procedures and uses the 32-bit Indirection-id as local | of-band procedures and uses the 32-bit Indirection-id as local | |||
anchor point on the local flowspec client. | anchor point on the local flowspec client. | |||
o 3 or 4 (Binding Segment ID's): This type can be used when the goal | o 3 or 4 (Binding Segment ID's): This type can be used when the goal | |||
is to use MPLS based Segment Routing towards an out-of-band | is to use MPLS based Segment Routing towards an out-of-band | |||
configured explicit path. | configured explicit path. | |||
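Review bot: The Segment Routing Example paragraph still opens the community name with a double quote and closes it with a single quote (extended "Redirect to indirection-id' community) in -05. This revision already fixes "alternatly" in the same paragraph, so the mismatched quote should be corrected in the same pass. "may for example be setup by a controller" should also read "set up".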
skipping to change at page 6, line 25 ¶ | skipping to change at page 6, line 25 ¶ | |||
Requirements: | Requirements: | |||
To achieve redirection towards complex dynamically constructed | To achieve redirection towards complex dynamically constructed | |||
tunnels, multiple "Redirect to indirection-id" communities are | tunnels, multiple "Redirect to indirection-id" communities are | |||
imposed upon the flowspec route. The "Redirect to indirection-id" | imposed upon the flowspec route. The "Redirect to indirection-id" | |||
communities should be sequenced using the Sequence ID (S-ID). For | communities should be sequenced using the Sequence ID (S-ID). For | |||
redirect to complex dynamic engineered tunnels the tunnel MUST be | redirect to complex dynamic engineered tunnels the tunnel MUST be | |||
operational and allow packets to flow over the engineered path | operational and allow packets to flow over the engineered path | |||
between tunnel head- and tail-end. | between tunnel head- and tail-end. | |||
Example: Indirection-ID community "Context Type" to be used: | Example: Indirection-ID community "ID-Type" to be used: | |||
o 0 (localised ID) with S-ID: When the intent is to construct a | o 0 (localised ID) with S-ID: When the intent is to construct a | |||
dynamic engineered tunnel, then a sequence of localised | dynamic engineered tunnel, then a sequence of localised | |||
indirection-ids may be used. The Sequence ID (S-ID) MUST be used | indirection-ids may be used. The Sequence ID (S-ID) MUST be used | |||
to sequence multiple "Redirect to indirection-id" actions to | to sequence multiple "Redirect to indirection-id" actions to | |||
construct a more complex engineered tunnel. The creation of the | construct a more complex engineered tunnel. The creation of the | |||
localised indirection-id table is operationalised out-of-band and | localised indirection-id table is operationalised out-of-band and | |||
is outside scope of this document. | is outside scope of this document. | |||
4. Redirect to indirection-id Community | 4. Redirect to indirection-id Community | |||
This document defines a new transitive BGP extended community known | This document defines a new transitive BGP extended community known | |||
as "FlowSpec Redirect to indirection-id Extended Community" with the | as "FlowSpec Redirect to indirection-id Extended Community" with the | |||
Type and the Sub-Type field to be assigned by IANA. The format of | Type and the Sub-Type field to be assigned by IANA. The format of | |||
this extended community is show in Figure 1. | this extended community is show in Figure 1. | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Sub-Type | Flags(1 octet)| Context Type | | | Type | Sub-Type | Flags(1 octet)| ID-Type | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Generalized indirection_id | | | Generalized indirection_id | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Figure 1 | Figure 1 | |||
The meaning of the extended community fields are as follows: | The meaning of the extended community fields are as follows: | |||
Type: 1 octet to be assigned by IANA. | Type: 1 octet to be assigned by IANA. | |||
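Review bot: In section 4, "The format of this extended community is show in Figure 1" is carried unchanged into -05 and should read "shown". The following sentence, "The meaning of the extended community fields are as follows", needs subject-verb agreement ("The meanings ... are" or "The meaning ... is").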
skipping to change at page 7, line 36 ¶ | skipping to change at page 7, line 36 ¶ | |||
used to provide a flowspec client an indication how and where to | used to provide a flowspec client an indication how and where to | |||
sequence the received indirection-ids. The Sequence ID value 0 | sequence the received indirection-ids. The Sequence ID value 0 | |||
indicates that Sequence ID field is NOT set and SHOULD be ignored. A | indicates that Sequence ID field is NOT set and SHOULD be ignored. A | |||
single flowspec rule MUST NOT have more as one indirection-id per | single flowspec rule MUST NOT have more as one indirection-id per | |||
S-ID. On a flowspec client the indirection-id with lowest S-ID MUST | S-ID. On a flowspec client the indirection-id with lowest S-ID MUST | |||
be imposed first for any given flowspec entry. | be imposed first for any given flowspec entry. | |||
All bits other than the 'C' and 'S-ID' bits MUST be set to 0 by the | All bits other than the 'C' and 'S-ID' bits MUST be set to 0 by the | |||
originating BGP speaker and ignored by receiving BGP speakers. | originating BGP speaker and ignored by receiving BGP speakers. | |||
Context Type: 1 octet value. This draft defines following Context | ID-Type: 1 octet value. This draft defines following Context Types: | |||
Types: | ||||
0 - Localised ID (The flowspec client uses the received 32-bit | 0 - Localised ID (The flowspec client uses the received 32-bit | |||
indirection-id to lookup forwarding information within the | indirection-id to lookup forwarding information within the | |||
localised indirection-id table. The allocation and programming of | localised indirection-id table. The allocation and programming of | |||
the localised indirection-id table is outside scope of the | the localised indirection-id table is outside scope of the | |||
document) | document) | |||
1 - Node ID with SID/index in MPLS-based Segment Routing (This | 1 - Node ID with SID/index in MPLS-based Segment Routing (This | |||
means the 32-bit indirection-id is mapped to an MPLS label using | means the 32-bit indirection-id is mapped to an MPLS label using | |||
the index as a global offset in the SID/label space) | the index as a global offset in the SID/label space) | |||
skipping to change at page 8, line 20 ¶ | skipping to change at page 8, line 20 ¶ | |||
binding label using the indirection-id as index for global offset | binding label using the indirection-id as index for global offset | |||
in the SID/label space) [I-D.draft-ietf-spring-segment-routing] | in the SID/label space) [I-D.draft-ietf-spring-segment-routing] | |||
[6] | [6] | |||
4 - Binding Segment ID with SID/label in MPLS-based Segment | 4 - Binding Segment ID with SID/label in MPLS-based Segment | |||
Routing (This means 32-bit indirection-id is mapped to an MPLS | Routing (This means 32-bit indirection-id is mapped to an MPLS | |||
binding label using the 32-bit indirection-id as global label) [I- | binding label using the 32-bit indirection-id as global label) [I- | |||
D.draft-ietf-spring-segment-routing] [6] | D.draft-ietf-spring-segment-routing] [6] | |||
5 - Tunnel ID (Tunnel ID is within a single administrative domain | 5 - Tunnel ID (Tunnel ID is within a single administrative domain | |||
a 32-bit global tunnel identifier. The allocation and programming | a 32-bit globally unique tunnel identifier. The allocation and | |||
of the Tunnel ID within the localised indirection-id table is | programming of the Tunnel ID within the localised indirection-id | |||
outside scope of the document) | table is outside scope of the document) | |||
Generalized indirection_id: 32-bit identifier used as indirection_id | ||||
5. Redirect using localised indirection-id mapping table | 5. Redirect using localised indirection-id mapping table | |||
When a BGP flowspec client receives a flowspec policy route with a | When a BGP flowspec client receives a flowspec policy route with a | |||
"Redirect to indirection-id" extended community attached, and the | "Redirect to indirection-id" extended community attached, and the | |||
route represents the best BGP path, it will install a flowspec | route represents the best BGP path, it will install a flowspec | |||
policy-based forwarding rule matching the tupples described by the | policy-based forwarding rule matching the tupples described by the | |||
flowpsec NLRI field and consequently redirects the flow (C=0) or | flowpsec NLRI field and consequently redirects the flow (C=0) or | |||
copies the flow (C=1) using the information identified by the | copies the flow (C=1) using the information identified by the | |||
"Redirect to indirection-id" community. | "Redirect to indirection-id" community. | |||
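Review bot: -05 drops the line "Generalized indirection_id: 32-bit identifier used as indirection_id" at the end of the field list, while Figure 1 still shows a "Generalized indirection_id" field, which leaves that field without a description in section 4. Restore the definition or fold it into the ID-Type text. In the section 5 paragraph, "tupples" and "flowpsec" are still misspelled in both versions ("tuples", "flowspec").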
End of changes. 15 change blocks. | ||||
25 lines changed or deleted | 26 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |