--- 1/draft-ietf-idr-flowspec-path-redirect-08.txt 2019-08-19 22:13:11.482515921 -0700 +++ 2/draft-ietf-idr-flowspec-path-redirect-09.txt 2019-08-19 22:13:11.510516630 -0700 @@ -1,21 +1,21 @@ IDR Working Group G. Van de Velde, Ed. Internet-Draft Nokia Intended status: Standards Track K. Patel -Expires: December 20, 2019 Arrcus +Expires: February 20, 2020 Arrcus Z. Li Huawei Technologies - June 18, 2019 + August 19, 2019 Flowspec Indirection-id Redirect - draft-ietf-idr-flowspec-path-redirect-08 + draft-ietf-idr-flowspec-path-redirect-09 Abstract This document defines a new extended community known as "FlowSpec Redirect to indirection-id Extended Community". This extended community triggers advanced redirection capabilities to flowspec clients. When activated, this flowspec extended community is used by a flowspec client to retrieve the corresponding next-hop and encoding information within a localised indirection-id mapping table. @@ -37,21 +37,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 20, 2019. + This Internet-Draft will expire on February 20, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -80,34 +80,34 @@ 11.1. Normative References . . . . . . . . . . . . . . . . . . 11 11.2. Informative References . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction Flowspec is an extension to BGP that allows for the dissemination of traffic flow specification rules. This has many possible applications but the primary one for many network operators is the distribution of traffic filtering actions for DDoS mitigation. The - flowspec standard RFC5575 [2] defines a redirect-to-VRF action for + flowspec standard rfc5575bis [3] defines a redirect-to-VRF action for policy-based forwarding, but this mechanism is not always sufficient, particularly if the redirected traffic needs to be steered onto an explicit path. Every flowspec policy route is effectively a rule, consisting of two parts. The first part, encoded in the NLRI field, provides information about the traffic matching the policy rule. the second part, encoded in one or more BGP extended communities, provides policy instructions for traffic handling on the flowspec client. The - flowspec standard RFC5575 [2] defines widely-used filter actions such - as discard and rate limit; it also defines a redirect-to-VRF action - for policy-based forwarding. Using the redirect-to-VRF action to - steer traffic towards an alternate destination is useful for DDoS + flowspec standard rfc5575bis [3] defines widely-used filter actions + such as discard and rate limit; it also defines a redirect-to-VRF + action for policy-based forwarding. Using the redirect-to-VRF action + to steer traffic towards an alternate destination is useful for DDoS mitigation, however using this methodology can be cumbersome when there is need to steer the traffic onto an explicitely defined traffic path. This draft specifies a "Redirect to indirection-id" flowspec action making use of a 32-bit indirection-id using a new extended community. Each indirection-id serves as anchor point, for policy-based forwarding onto an explicit path by a flowspec client. 2. indirection-id and indirection-id table @@ -354,41 +354,40 @@ When a BGP flowspec client receives a flowspec policy route with a "Redirect to indirection-id" extended community attached, and the route represents the best BGP path, it will install a flowspec policy-based forwarding rule matching the tupples described by the flowpsec NLRI field and consequently redirects the flow (C=0) or copies the flow (C=1) using the information identified by the "Redirect to indirection-id" community. 6. Validation Procedures - The validation check described in RFC5575 [2] and revised in [3] + The validation check described in rfc5575bis [3] and revised in [2] SHOULD be applied by default by a flowspec client, for received flowspec policy routes containing a "Redirect to indirection-id" extended community. This results that a flowspec route with a destination prefix subcomponent SHOULD NOT be accepted from an EBGP peer unless that peer also advertised the best path for the matching unicast route. While it MUST NOT happen, and is seen as invalid combination, it is possible from a semantics perspective to have multiple clashing redirect actions defined within a single flowspec rule. For best and consistant compatibility with legacy implementations, the redirect - functionality as documented by RFC5575 MUST NOT be broken, and hence - when a clash occurs, then RFC5575 based redirect MUST take priority. - - Additionally, if the "Redirect to indirection-id" does not result in - a valid redirection, then the flowspec rule MUST be processed as if - the "Redirect to indirection-id" community was not attached to the - flowspec route. In addition the flowspec client MUST provide an - indication that the respective "'Redirect to indirection-id" resulted - in an invalid redirection action. + functionality as documented by rfc5575bis MUST NOT be broken, and + hence when a clash occurs, then rfc5575bis based redirect MUST take + priority. Additionally, if the "Redirect to indirection-id" does not + result in a valid redirection, then the flowspec rule MUST be + processed as if the "Redirect to indirection-id" community was not + attached to the flowspec route. In addition the flowspec client MUST + provide an indication that the respective "'Redirect to indirection- + id" resulted in an invalid redirection action. 7. Security Considerations A system using "Redirect to indirection-id" extended community can cause during the redirect mitigation of a DDoS attack overflow of traffic received by the mitigation infrastructure. 8. Acknowledgements This document received valuable comments and input from IDR working @@ -460,31 +459,30 @@ Figure 4 11. References 11.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, . - [2] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., - and D. McPherson, "Dissemination of Flow Specification - Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, - . - 11.2. Informative References - [3] Uttaro, J., Filsfils, C., Alcaide, J., and P. Mohapatra, + [2] Uttaro, J., Filsfils, C., Alcaide, J., and P. Mohapatra, "Revised Validation Procedure for BGP Flow Specifications", January 2014. + [3] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. + Bacher, "Dissemination of Flow Specification Rules", June + 2019. + [4] Filsfils, C., Previdi, S., Aries, E., Ginsburg, D., and D. Afanasiev, "Segment Routing Centralized Egress Peer Engineering", October 2015. [5] Sreekantiah, A., Filsfils, C., Previdi, S., Sivabalan, S., Mattes, P., and S. Lin, "Segment Routing Traffic Engineering Policy using BGP", October 2015. [6] Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., Shakir, R., Bashandy, A., Horneffer, M., Henderickx, W.,