| draft-ietf-idr-rfc5575bis-19.txt | draft-ietf-idr-rfc5575bis-20.txt | |||
|---|---|---|---|---|
| IDR Working Group C. Loibl | IDR Working Group C. Loibl | |||
| Internet-Draft Next Layer Communications | Internet-Draft Next Layer Communications | |||
| Obsoletes: 5575,7674 (if approved) S. Hares | Obsoletes: 5575,7674 (if approved) S. Hares | |||
| Intended status: Standards Track Huawei | Intended status: Standards Track Huawei | |||
| Expires: July 20, 2020 R. Raszuk | Expires: September 11, 2020 R. Raszuk | |||
| Bloomberg LP | Bloomberg LP | |||
| D. McPherson | D. McPherson | |||
| Verisign | Verisign | |||
| M. Bacher | M. Bacher | |||
| T-Mobile Austria | T-Mobile Austria | |||
| January 17, 2020 | March 10, 2020 | |||
| Dissemination of Flow Specification Rules | Dissemination of Flow Specification Rules | |||
| draft-ietf-idr-rfc5575bis-19 | draft-ietf-idr-rfc5575bis-20 | |||
| Abstract | Abstract | |||
| This document defines a Border Gateway Protocol Network Layer | This document defines a Border Gateway Protocol Network Layer | |||
| Reachability Information (BGP NLRI) encoding format that can be used | Reachability Information (BGP NLRI) encoding format that can be used | |||
| to distribute traffic Flow Specifications. This allows the routing | to distribute traffic Flow Specifications. This allows the routing | |||
| system to propagate information regarding more specific components of | system to propagate information regarding more specific components of | |||
| the traffic aggregate defined by an IP destination prefix. | the traffic aggregate defined by an IP destination prefix. | |||
| It also specifies BGP Extended Community encoding formats, that can | It also specifies BGP Extended Community encoding formats, that can | |||
| skipping to change at page 2, line 20 ¶ | skipping to change at page 2, line 20 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 20, 2020. | This Internet-Draft will expire on September 11, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 43 ¶ | skipping to change at page 2, line 43 ¶ | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Definitions of Terms Used in This Memo . . . . . . . . . . . 5 | 2. Definitions of Terms Used in This Memo . . . . . . . . . . . 5 | |||
| 3. Flow Specifications . . . . . . . . . . . . . . . . . . . . . 5 | 3. Flow Specifications . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Dissemination of IPv4 Flow Specification Information . . . . 6 | 4. Dissemination of IPv4 Flow Specification Information . . . . 6 | |||
| 4.1. Length Encoding . . . . . . . . . . . . . . . . . . . . . 7 | 4.1. Length Encoding . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.2. NLRI Value Encoding . . . . . . . . . . . . . . . . . . . 7 | 4.2. NLRI Value Encoding . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2.1. Operators . . . . . . . . . . . . . . . . . . . . . . 8 | 4.2.1. Operators . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2.2. Components . . . . . . . . . . . . . . . . . . . . . 9 | 4.2.2. Components . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.3. Examples of Encodings . . . . . . . . . . . . . . . . . . 14 | 4.3. Examples of Encodings . . . . . . . . . . . . . . . . . . 13 | |||
| 5. Traffic Filtering . . . . . . . . . . . . . . . . . . . . . . 16 | 5. Traffic Filtering . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5.1. Ordering of Flow Specifications . . . . . . . . . . . . . 17 | 5.1. Ordering of Flow Specifications . . . . . . . . . . . . . 17 | |||
| 6. Validation Procedure . . . . . . . . . . . . . . . . . . . . 18 | 6. Validation Procedure . . . . . . . . . . . . . . . . . . . . 18 | |||
| 7. Traffic Filtering Actions . . . . . . . . . . . . . . . . . . 19 | 7. Traffic Filtering Actions . . . . . . . . . . . . . . . . . . 19 | |||
| 7.1. Traffic Rate in Bytes (traffic-rate-bytes) sub-type 0x06 20 | 7.1. Traffic Rate in Bytes (traffic-rate-bytes) sub-type 0x06 20 | |||
| 7.2. Traffic Rate in Packets (traffic-rate-packets) sub-type | 7.2. Traffic Rate in Packets (traffic-rate-packets) sub-type | |||
| TBD . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | TBD . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7.3. Traffic-action (traffic-action) sub-type 0x07 . . . . . . 21 | 7.3. Traffic-action (traffic-action) sub-type 0x07 . . . . . . 21 | |||
| 7.4. RT Redirect (rt-redirect) sub-type 0x08 . . . . . . . . . 22 | 7.4. RT Redirect (rt-redirect) sub-type 0x08 . . . . . . . . . 22 | |||
| 7.5. Traffic Marking (traffic-marking) sub-type 0x09 . . . . . 22 | 7.5. Traffic Marking (traffic-marking) sub-type 0x09 . . . . . 22 | |||
| 7.6. Interaction with other Filtering Mechanisms in Routers . 23 | 7.6. Interaction with other Filtering Mechanisms in Routers . 23 | |||
| 7.7. Considerations on Traffic Filtering Action Interference . 23 | 7.7. Considerations on Traffic Filtering Action Interference . 23 | |||
| 8. Dissemination of Traffic Filtering in BGP/MPLS VPN Networks . 24 | 8. Dissemination of Traffic Filtering in BGP/MPLS VPN Networks . 24 | |||
| 9. Traffic Monitoring . . . . . . . . . . . . . . . . . . . . . 25 | 9. Traffic Monitoring . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 10. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 25 | 10. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 11. Future NLRI Extensions . . . . . . . . . . . . . . . . . . . 25 | 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | 11.1. AFI/SAFI Definitions . . . . . . . . . . . . . . . . . . 25 | |||
| 12.1. AFI/SAFI Definitions . . . . . . . . . . . . . . . . . . 26 | 11.2. Flow Component Definitions . . . . . . . . . . . . . . . 26 | |||
| 12.2. Flow Component Definitions . . . . . . . . . . . . . . . 26 | 11.3. Extended Community Flow Specification Actions . . . . . 27 | |||
| 12.3. Extended Community Flow Specification Actions . . . . . 27 | 12. Security Considerations . . . . . . . . . . . . . . . . . . . 29 | |||
| 13. Security Considerations . . . . . . . . . . . . . . . . . . . 30 | 13. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 32 | 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 32 | 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 | 15.1. Normative References . . . . . . . . . . . . . . . . . . 31 | |||
| 16.1. Normative References . . . . . . . . . . . . . . . . . . 32 | 15.2. Informative References . . . . . . . . . . . . . . . . . 33 | |||
| 16.2. Informative References . . . . . . . . . . . . . . . . . 34 | 15.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 16.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | Appendix A. Python code: flow_rule_cmp . . . . . . . . . . . . . 34 | |||
| Appendix A. Python code: flow_rule_cmp . . . . . . . . . . . . . 35 | Appendix B. Comparison with RFC 5575 . . . . . . . . . . . . . . 35 | |||
| Appendix B. Comparison with RFC 5575 . . . . . . . . . . . . . . 36 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37 | ||||
| 1. Introduction | 1. Introduction | |||
| This document obsoletes both | This document obsoletes both | |||
| "Dissemination of Flow Specification Rules" [RFC5575] and | "Dissemination of Flow Specification Rules" [RFC5575] and | |||
| "Clarification of the Flowspec Redirect Extended Community"[RFC7674]. | "Clarification of the Flowspec Redirect Extended Community"[RFC7674]. | |||
| Modern IP routers contain both the capability to forward traffic | Modern IP routers contain both the capability to forward traffic | |||
| according to IP prefixes as well as to classify, shape, rate limit, | according to IP prefixes as well as to classify, shape, rate limit, | |||
| filter, or redirect packets based on administratively defined | filter, or redirect packets based on administratively defined | |||
| skipping to change at page 4, line 43 ¶ | skipping to change at page 4, line 42 ¶ | |||
| While it is certainly possible to address this problem using other | While it is certainly possible to address this problem using other | |||
| mechanisms, this solution has been utilized in deployments because of | mechanisms, this solution has been utilized in deployments because of | |||
| the substantial advantage of being an incremental addition to already | the substantial advantage of being an incremental addition to already | |||
| deployed mechanisms. | deployed mechanisms. | |||
| In current deployments, the information distributed by this extension | In current deployments, the information distributed by this extension | |||
| is originated both manually as well as automatically. The latter by | is originated both manually as well as automatically. The latter by | |||
| systems that are able to detect malicious traffic flows. When | systems that are able to detect malicious traffic flows. When | |||
| automated systems are used, care should be taken to ensure their | automated systems are used, care should be taken to ensure their | |||
| correctness as well as the limitations of the systems that receive | correctness as well as the limitations of the systems that receive | |||
| and process the advertised Flow Specifications (see also Section 13). | and process the advertised Flow Specifications (see also Section 12). | |||
| This specification defines required protocol extensions to address | This specification defines required protocol extensions to address | |||
| most common applications of IPv4 unicast and VPNv4 unicast filtering. | most common applications of IPv4 unicast and VPNv4 unicast filtering. | |||
| The same mechanism can be reused and new match criteria added to | The same mechanism can be reused and new match criteria added to | |||
| address similar filtering needs for other BGP address families such | address similar filtering needs for other BGP address families such | |||
| as IPv6 families [I-D.ietf-idr-flow-spec-v6]. | as IPv6 families [I-D.ietf-idr-flow-spec-v6]. | |||
| 2. Definitions of Terms Used in This Memo | 2. Definitions of Terms Used in This Memo | |||
| AFI - Address Family Identifier. | AFI - Address Family Identifier. | |||
| skipping to change at page 6, line 47 ¶ | skipping to change at page 6, line 47 ¶ | |||
| Figure 1: Flow Specification NLRI for IPv4 | Figure 1: Flow Specification NLRI for IPv4 | |||
| Implementations wishing to exchange Flow Specification MUST use BGP's | Implementations wishing to exchange Flow Specification MUST use BGP's | |||
| Capability Advertisement facility to exchange the Multiprotocol | Capability Advertisement facility to exchange the Multiprotocol | |||
| Extension Capability Code (Code 1) as defined in [RFC4760]. The | Extension Capability Code (Code 1) as defined in [RFC4760]. The | |||
| (AFI, SAFI) pair carried in the Multiprotocol Extension Capability | (AFI, SAFI) pair carried in the Multiprotocol Extension Capability | |||
| MUST be (AFI=1, SAFI=133) for IPv4 Flow Specification, and (AFI=1, | MUST be (AFI=1, SAFI=133) for IPv4 Flow Specification, and (AFI=1, | |||
| SAFI=134) for VPNv4 Flow Specification. | SAFI=134) for VPNv4 Flow Specification. | |||
| The Flow Specification NLRI is considered a Typed NLRI in the sense | ||||
| of Section 5.4 of [RFC7606]. See also Section 4.2 on unknown | ||||
| component type handling. | ||||
| 4.1. Length Encoding | 4.1. Length Encoding | |||
| o If the NLRI length is smaller than 240 (0xf0 hex) octets, the | o If the NLRI length is smaller than 240 (0xf0 hex) octets, the | |||
| length field can be encoded as a single octet. | length field can be encoded as a single octet. | |||
| o Otherwise, it is encoded as an extended-length 2-octet value in | o Otherwise, it is encoded as an extended-length 2-octet value in | |||
| which the most significant nibble of the first byte is all ones. | which the most significant nibble of the first octet is all ones. | |||
| In Figure 1 above, values less-than 240 are encoded using two hex | In Figure 1 above, values less-than 240 are encoded using two hex | |||
| digits (0xnn). Values above 239 are encoded using 3 hex digits | digits (0xnn). Values above 239 are encoded using 3 hex digits | |||
| (0xfnnn). The highest value that can be represented with this | (0xfnnn). The highest value that can be represented with this | |||
| encoding is 4095. For example the length value of 239 is encoded as | encoding is 4095. For example the length value of 239 is encoded as | |||
| 0xef (single octet) while 240 is encoded as 0xf0f0 (2-octet). | 0xef (single octet) while 240 is encoded as 0xf0f0 (2-octet). | |||
| 4.2. NLRI Value Encoding | 4.2. NLRI Value Encoding | |||
| The Flow Specification NLRI value consists of a list of optional | The Flow Specification NLRI value consists of a list of optional | |||
| skipping to change at page 7, line 40 ¶ | skipping to change at page 7, line 35 ¶ | |||
| Components MUST follow strict type ordering by increasing numerical | Components MUST follow strict type ordering by increasing numerical | |||
| order. A given component type may (exactly once) or may not be | order. A given component type may (exactly once) or may not be | |||
| present in the Flow Specification. If present, it MUST precede any | present in the Flow Specification. If present, it MUST precede any | |||
| component of higher numeric type value. | component of higher numeric type value. | |||
| All combinations of components within a single Flow Specification are | All combinations of components within a single Flow Specification are | |||
| allowed. However, some combinations cannot match any packets (e.g. | allowed. However, some combinations cannot match any packets (e.g. | |||
| "ICMP Type AND Port" will never match any packets), and thus SHOULD | "ICMP Type AND Port" will never match any packets), and thus SHOULD | |||
| NOT be propagated by BGP. | NOT be propagated by BGP. | |||
| An advertisement containing an unknown Flow Specification component | A NLRI value not encoded as specified in Section 4.2 is considered | |||
| type should be discarded as specified in Section 5.4 of [RFC7606]. | malformed and error handling according to Section 10 is performed. | |||
| It needs to be pointed out that the encoding of the NLRI as a 2-tuple | ||||
| <length, NLRI value> allows to skip over a NLRI value (the NLRI that | ||||
| value should be discarded). | ||||
| Except for an unknown component type (see above), a NLRI value not | ||||
| encoded as specified in Section 4.2 is considered malformed and error | ||||
| handling according to Section 10 is performed. | ||||
| 4.2.1. Operators | 4.2.1. Operators | |||
| Most of the components described below make use of comparison | Most of the components described below make use of comparison | |||
| operators. Which of the two operators is used is defined by the | operators. Which of the two operators is used is defined by the | |||
| components in Section 4.2.2. The operators are encoded as a single | components in Section 4.2.2. The operators are encoded as a single | |||
| octet. | octet. | |||
| 4.2.1.1. Numeric Operator (numeric_op) | 4.2.1.1. Numeric Operator (numeric_op) | |||
| skipping to change at page 8, line 27 ¶ | skipping to change at page 8, line 16 ¶ | |||
| +---+---+---+---+---+---+---+---+ | +---+---+---+---+---+---+---+---+ | |||
| | e | a | len | 0 |lt |gt |eq | | | e | a | len | 0 |lt |gt |eq | | |||
| +---+---+---+---+---+---+---+---+ | +---+---+---+---+---+---+---+---+ | |||
| Figure 2: Numeric Operator (numeric_op) | Figure 2: Numeric Operator (numeric_op) | |||
| e - end-of-list bit: Set in the last {op, value} pair in the list. | e - end-of-list bit: Set in the last {op, value} pair in the list. | |||
| a - AND bit: If unset, the previous term is logically ORed with the | a - AND bit: If unset, the previous term is logically ORed with the | |||
| current one. If set, the operation is a logical AND. In the | current one. If set, the operation is a logical AND. In the | |||
| first operator byte of a sequence it SHOULD be encoded as unset | first operator octet of a sequence it SHOULD be encoded as unset | |||
| and and MUST be treated as always unset on decoding. The AND | and and MUST be treated as always unset on decoding. The AND | |||
| operator has higher priority than OR for the purposes of | operator has higher priority than OR for the purposes of | |||
| evaluating logical expressions. | evaluating logical expressions. | |||
| len - length: The length of the value field for this operator given | len - length: The length of the value field for this operator given | |||
| as (1 << len). This encodes 1 (len=00), 2 (len=01), 4 (len=10), 8 | as (1 << len). This encodes 1 (len=00), 2 (len=01), 4 (len=10), 8 | |||
| (len=11) bytes. | (len=11) octets. | |||
| 0 - SHOULD be set to 0 on NLRI encoding, and MUST be ignored during | 0 - SHOULD be set to 0 on NLRI encoding, and MUST be ignored during | |||
| decoding | decoding | |||
| lt - less than comparison between data and value. | lt - less than comparison between data and value. | |||
| gt - greater than comparison between data and value. | gt - greater than comparison between data and value. | |||
| eq - equality between data and value. | eq - equality between data and value. | |||
| skipping to change at page 10, line 24 ¶ | skipping to change at page 10, line 10 ¶ | |||
| Encoding: <type (1 octet), length (1 octet), prefix (variable)> | Encoding: <type (1 octet), length (1 octet), prefix (variable)> | |||
| Defines the source prefix to match. The length and prefix fields are | Defines the source prefix to match. The length and prefix fields are | |||
| encoded as in BGP UPDATE messages [RFC4271] | encoded as in BGP UPDATE messages [RFC4271] | |||
| 4.2.2.3. Type 3 - IP Protocol | 4.2.2.3. Type 3 - IP Protocol | |||
| Encoding: <type (1 octet), [numeric_op, value]+> | Encoding: <type (1 octet), [numeric_op, value]+> | |||
| Contains a list of {numeric_op, value} pairs that are used to match | Contains a list of {numeric_op, value} pairs that are used to match | |||
| the IP protocol value byte in IP packet header (see [RFC0791] | the IP protocol value octet in IP packet header (see [RFC0791] | |||
| Section 3.1). | Section 3.1). | |||
| This component uses the Numeric Operator (numeric_op) described in | This component uses the Numeric Operator (numeric_op) described in | |||
| Section 4.2.1.1. Type 3 component values SHOULD be encoded as single | Section 4.2.1.1. Type 3 component values SHOULD be encoded as single | |||
| byte (numeric_op len=00). | octet (numeric_op len=00). | |||
| 4.2.2.4. Type 4 - Port | 4.2.2.4. Type 4 - Port | |||
| Encoding: <type (1 octet), [numeric_op, value]+> | Encoding: <type (1 octet), [numeric_op, value]+> | |||
| Defines a list of {numeric_op, value} pairs that matches source OR | Defines a list of {numeric_op, value} pairs that matches source OR | |||
| destination TCP/UDP ports (see [RFC0793] Section 3.1 and [RFC0768] | destination TCP/UDP ports (see [RFC0793] Section 3.1 and [RFC0768] | |||
| Section "Format"). This component matches if either the destination | Section "Format"). This component matches if either the destination | |||
| port OR the source port of a IP packet matches the value. | port OR the source port of a IP packet matches the value. | |||
| This component uses the Numeric Operator (numeric_op) described in | This component uses the Numeric Operator (numeric_op) described in | |||
| Section 4.2.1.1. Type 4 component values SHOULD be encoded as 1- or | Section 4.2.1.1. Type 4 component values SHOULD be encoded as 1- or | |||
| 2-byte quantities (numeric_op len=00 or len=01). | 2-octet quantities (numeric_op len=00 or len=01). | |||
| In case of the presence of the port (destination-port, source-port) | In case of the presence of the port (destination-port, source-port) | |||
| component only TCP or UDP packets can match the entire Flow | component only TCP or UDP packets can match the entire Flow | |||
| Specification. The port component, if present, never matches when | Specification. The port component, if present, never matches when | |||
| the packet's IP protocol value is not 6 (TCP) or 17 (UDP), if the | the packet's IP protocol value is not 6 (TCP) or 17 (UDP), if the | |||
| packet is fragmented and this is not the first fragment, or if the | packet is fragmented and this is not the first fragment, or if the | |||
| system is unable to locate the transport header. Different | system is unable to locate the transport header. Different | |||
| implementations may or may not be able to decode the transport header | implementations may or may not be able to decode the transport header | |||
| in the presence of IP options or Encapsulating Security Payload (ESP) | in the presence of IP options or Encapsulating Security Payload (ESP) | |||
| NULL [RFC4303] encryption. | NULL [RFC4303] encryption. | |||
| skipping to change at page 11, line 15 ¶ | skipping to change at page 10, line 50 ¶ | |||
| 4.2.2.5. Type 5 - Destination Port | 4.2.2.5. Type 5 - Destination Port | |||
| Encoding: <type (1 octet), [numeric_op, value]+> | Encoding: <type (1 octet), [numeric_op, value]+> | |||
| Defines a list of {numeric_op, value} pairs used to match the | Defines a list of {numeric_op, value} pairs used to match the | |||
| destination port of a TCP or UDP packet (see also [RFC0793] | destination port of a TCP or UDP packet (see also [RFC0793] | |||
| Section 3.1 and [RFC0768] Section "Format"). | Section 3.1 and [RFC0768] Section "Format"). | |||
| This component uses the Numeric Operator (numeric_op) described in | This component uses the Numeric Operator (numeric_op) described in | |||
| Section 4.2.1.1. Type 5 component values SHOULD be encoded as 1- or | Section 4.2.1.1. Type 5 component values SHOULD be encoded as 1- or | |||
| 2-byte quantities (numeric_op len=00 or len=01). | 2-octet quantities (numeric_op len=00 or len=01). | |||
| The last paragraph of Section 4.2.2.4 also applies to this component. | The last paragraph of Section 4.2.2.4 also applies to this component. | |||
| 4.2.2.6. Type 6 - Source Port | 4.2.2.6. Type 6 - Source Port | |||
| Encoding: <type (1 octet), [numeric_op, value]+> | Encoding: <type (1 octet), [numeric_op, value]+> | |||
| Defines a list of {numeric_op, value} pairs used to match the source | Defines a list of {numeric_op, value} pairs used to match the source | |||
| port of a TCP or UDP packet (see also [RFC0793] Section 3.1 and | port of a TCP or UDP packet (see also [RFC0793] Section 3.1 and | |||
| [RFC0768] Section "Format"). | [RFC0768] Section "Format"). | |||
| This component uses the Numeric Operator (numeric_op) described in | This component uses the Numeric Operator (numeric_op) described in | |||
| Section 4.2.1.1. Type 6 component values SHOULD be encoded as 1- or | Section 4.2.1.1. Type 6 component values SHOULD be encoded as 1- or | |||
| 2-byte quantities (numeric_op len=00 or len=01). | 2-octet quantities (numeric_op len=00 or len=01). | |||
| The last paragraph of Section 4.2.2.4 also applies to this component. | The last paragraph of Section 4.2.2.4 also applies to this component. | |||
| 4.2.2.7. Type 7 - ICMP type | 4.2.2.7. Type 7 - ICMP type | |||
| Encoding: <type (1 octet), [numeric_op, value]+> | Encoding: <type (1 octet), [numeric_op, value]+> | |||
| Defines a list of {numeric_op, value} pairs used to match the type | Defines a list of {numeric_op, value} pairs used to match the type | |||
| field of an ICMP packet (see also [RFC0792] Section "Message | field of an ICMP packet (see also [RFC0792] Section "Message | |||
| Formats"). | Formats"). | |||
| This component uses the Numeric Operator (numeric_op) described in | This component uses the Numeric Operator (numeric_op) described in | |||
| Section 4.2.1.1. Type 7 component values SHOULD be encoded as single | Section 4.2.1.1. Type 7 component values SHOULD be encoded as single | |||
| byte (numeric_op len=00). | octet (numeric_op len=00). | |||
| In case of the presence of the ICMP type (code) component only ICMP | In case of the presence of the ICMP type (code) component only ICMP | |||
| packets can match the entire Flow Specification. The ICMP type | packets can match the entire Flow Specification. The ICMP type | |||
| (code) component, if present, never matches when the packet's IP | (code) component, if present, never matches when the packet's IP | |||
| protocol value is not 1 (ICMP), if the packet is fragmented and this | protocol value is not 1 (ICMP), if the packet is fragmented and this | |||
| is not the first fragment, or if the system is unable to locate the | is not the first fragment, or if the system is unable to locate the | |||
| transport header. Different implementations may or may not be able | transport header. Different implementations may or may not be able | |||
| to decode the transport header in the presence of IP options or | to decode the transport header in the presence of IP options or | |||
| Encapsulating Security Payload (ESP) NULL [RFC4303] encryption. | Encapsulating Security Payload (ESP) NULL [RFC4303] encryption. | |||
| 4.2.2.8. Type 8 - ICMP code | 4.2.2.8. Type 8 - ICMP code | |||
| Encoding: <type (1 octet), [numeric_op, value]+> | Encoding: <type (1 octet), [numeric_op, value]+> | |||
| Defines a list of {numeric_op, value} pairs used to match the code | Defines a list of {numeric_op, value} pairs used to match the code | |||
| field of an ICMP packet (see also [RFC0792] Section "Message | field of an ICMP packet (see also [RFC0792] Section "Message | |||
| Formats"). | Formats"). | |||
| This component uses the Numeric Operator (numeric_op) described in | This component uses the Numeric Operator (numeric_op) described in | |||
| Section 4.2.1.1. Type 8 component values SHOULD be encoded as single | Section 4.2.1.1. Type 8 component values SHOULD be encoded as single | |||
| byte (numeric_op len=00). | octet (numeric_op len=00). | |||
| The last paragraph of Section 4.2.2.7 also applies to this component. | The last paragraph of Section 4.2.2.7 also applies to this component. | |||
| 4.2.2.9. Type 9 - TCP flags | 4.2.2.9. Type 9 - TCP flags | |||
| Encoding: <type (1 octet), [bitmask_op, bitmask]+> | Encoding: <type (1 octet), [bitmask_op, bitmask]+> | |||
| Defines a list of {bitmask_op, bitmask} pairs used to match TCP | Defines a list of {bitmask_op, bitmask} pairs used to match TCP | |||
| Control Bits (see also [RFC0793] Section 3.1). | Control Bits (see also [RFC0793] Section 3.1). | |||
| This component uses the Bitmask Operator (bitmask_op) described in | This component uses the Bitmask Operator (bitmask_op) described in | |||
| Section 4.2.1.2. Type 9 component bitmasks MUST be encoded as 1- or | Section 4.2.1.2. Type 9 component bitmasks MUST be encoded as 1- or | |||
| 2-byte bitmask (bitmask_op len=00 or len=01). | 2-octet bitmask (bitmask_op len=00 or len=01). | |||
| When a single byte (bitmask_op len=00) is specified, it matches byte | When a single octet (bitmask_op len=00) is specified, it matches | |||
| 14 of the TCP header (see also [RFC0793] Section 3.1), which contains | octet 14 of the TCP header (see also [RFC0793] Section 3.1), which | |||
| the TCP Control Bits. When a 2-byte (bitmask_op len=01) encoding is | contains the TCP Control Bits. When a 2-octet (bitmask_op len=01) | |||
| used, it matches bytes 13 and 14 of the TCP header with the data | encoding is used, it matches octets 13 and 14 of the TCP header with | |||
| offset (leftmost 4 bits) always treated as 0. | the data offset (leftmost 4 bits) always treated as 0. | |||
| In case of the presence of the TCP flags component only TCP packets | In case of the presence of the TCP flags component only TCP packets | |||
| can match the entire Flow Specification. The TCP flags component, if | can match the entire Flow Specification. The TCP flags component, if | |||
| present, never matches when the packet's IP protocol value is not 6 | present, never matches when the packet's IP protocol value is not 6 | |||
| (TCP), if the packet is fragmented and this is not the first | (TCP), if the packet is fragmented and this is not the first | |||
| fragment, or if the system is unable to locate the transport header. | fragment, or if the system is unable to locate the transport header. | |||
| Different implementations may or may not be able to decode the | Different implementations may or may not be able to decode the | |||
| transport header in the presence of IP options or Encapsulating | transport header in the presence of IP options or Encapsulating | |||
| Security Payload (ESP) NULL [RFC4303] encryption. | Security Payload (ESP) NULL [RFC4303] encryption. | |||
| 4.2.2.10. Type 10 - Packet length | 4.2.2.10. Type 10 - Packet length | |||
| Encoding: <type (1 octet), [numeric_op, value]+> | Encoding: <type (1 octet), [numeric_op, value]+> | |||
| Defines a list of {numeric_op, value} pairs used to match on the | Defines a list of {numeric_op, value} pairs used to match on the | |||
| total IP packet length (excluding Layer 2 but including IP header). | total IP packet length (excluding Layer 2 but including IP header). | |||
| This component uses the Numeric Operator (numeric_op) described in | This component uses the Numeric Operator (numeric_op) described in | |||
| Section 4.2.1.1. Type 10 component values SHOULD be encoded as 1- or | Section 4.2.1.1. Type 10 component values SHOULD be encoded as 1- or | |||
| 2-byte quantities (numeric_op len=00 or len=01). | 2-octet quantities (numeric_op len=00 or len=01). | |||
| 4.2.2.11. Type 11 - DSCP (Diffserv Code Point) | 4.2.2.11. Type 11 - DSCP (Diffserv Code Point) | |||
| Encoding: <type (1 octet), [numeric_op, value]+> | Encoding: <type (1 octet), [numeric_op, value]+> | |||
| Defines a list of {numeric_op, value} pairs used to match the 6-bit | Defines a list of {numeric_op, value} pairs used to match the 6-bit | |||
| DSCP field (see also [RFC2474]). | DSCP field (see also [RFC2474]). | |||
| This component uses the Numeric Operator (numeric_op) described in | This component uses the Numeric Operator (numeric_op) described in | |||
| Section 4.2.1.1. Type 11 component values MUST be encoded as single | Section 4.2.1.1. Type 11 component values MUST be encoded as single | |||
| byte (numeric_op len=00). | octet (numeric_op len=00). | |||
| The six least significant bits contain the DSCP value. All other | The six least significant bits contain the DSCP value. All other | |||
| bits SHOULD be treated as 0. | bits SHOULD be treated as 0. | |||
| 4.2.2.12. Type 12 - Fragment | 4.2.2.12. Type 12 - Fragment | |||
| Encoding: <type (1 octet), [bitmask_op, bitmask]+> | Encoding: <type (1 octet), [bitmask_op, bitmask]+> | |||
| Defines a list of {bitmask_op, bitmask} pairs used to match specific | Defines a list of {bitmask_op, bitmask} pairs used to match specific | |||
| IP fragments. | IP fragments. | |||
| This component uses the Bitmask Operator (bitmask_op) described in | This component uses the Bitmask Operator (bitmask_op) described in | |||
| Section 4.2.1.2. The Type 12 component bitmask MUST be encoded as | Section 4.2.1.2. The Type 12 component bitmask MUST be encoded as | |||
| single byte bitmask (bitmask_op len=00). | single octet bitmask (bitmask_op len=00). | |||
| 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | |||
| +---+---+---+---+---+---+---+---+ | +---+---+---+---+---+---+---+---+ | |||
| | 0 | 0 | 0 | 0 |LF |FF |IsF|DF | | | 0 | 0 | 0 | 0 |LF |FF |IsF|DF | | |||
| +---+---+---+---+---+---+---+---+ | +---+---+---+---+---+---+---+---+ | |||
| Figure 4: Fragment Bitmask Operand | Figure 4: Fragment Bitmask Operand | |||
| Bitmask values: | Bitmask values: | |||
| skipping to change at page 20, line 7 ¶ | skipping to change at page 20, line 7 ¶ | |||
| The default action for a matching Flow Specification is to accept the | The default action for a matching Flow Specification is to accept the | |||
| packet (treat the packet according to the normal forwarding behaviour | packet (treat the packet according to the normal forwarding behaviour | |||
| of the system). | of the system). | |||
| This document defines the following extended communities values shown | This document defines the following extended communities values shown | |||
| in Table 2 in the form 0xttss where tt indicates the type and ss | in Table 2 in the form 0xttss where tt indicates the type and ss | |||
| indicates the sub-type of the extended community. Encodings for | indicates the sub-type of the extended community. Encodings for | |||
| these extended communities are described below. | these extended communities are described below. | |||
| +--------------+--------------------------+-------------------------+ | +-------------+---------------------------+-------------------------+ | |||
| | community | action | encoding | | | community | action | encoding | | |||
| | 0xttss | | | | | 0xttss | | | | |||
| +--------------+--------------------------+-------------------------+ | +-------------+---------------------------+-------------------------+ | |||
| | 0x8006 | traffic-rate-bytes | 2-byte ASN, 4-byte | | | 0x8006 | traffic-rate-bytes | 2-octet ASN, 4-octet | | |||
| | | (Section 7.1) | float | | | | (Section 7.1) | float | | |||
| | TBD | traffic-rate-packets | 2-byte ASN, 4-byte | | | TBD | traffic-rate-packets | 2-octet ASN, 4-octet | | |||
| | | (Section 7.1) | float | | | | (Section 7.1) | float | | |||
| | 0x8007 | traffic-action (Section | bitmask | | | 0x8007 | traffic-action | bitmask | | |||
| | | 7.3) | | | | | (Section 7.3) | | | |||
| | 0x8008 | rt-redirect AS-2byte | 2-octet AS, 4-octet | | | 0x8008 | rt-redirect AS-2octet | 2-octet AS, 4-octet | | |||
| | | (Section 7.4) | value | | | | (Section 7.4) | value | | |||
| | 0x8108 | rt-redirect IPv4 | 4-octet IPv4 address, | | | 0x8108 | rt-redirect IPv4 | 4-octet IPv4 address, | | |||
| | | (Section 7.4) | 2-octet value | | | | (Section 7.4) | 2-octet value | | |||
| | 0x8208 | rt-redirect AS-4byte | 4-octet AS, 2-octet | | | 0x8208 | rt-redirect AS-4octet | 4-octet AS, 2-octet | | |||
| | | (Section 7.4) | value | | | | (Section 7.4) | value | | |||
| | 0x8009 | traffic-marking (Section | DSCP value | | | 0x8009 | traffic-marking | DSCP value | | |||
| | | 7.5) | | | | | (Section 7.5) | | | |||
| +--------------+--------------------------+-------------------------+ | +-------------+---------------------------+-------------------------+ | |||
| Table 2: Traffic Filtering Action Extended Communities | Table 2: Traffic Filtering Action Extended Communities | |||
| Multiple Traffic Filtering Actions defined in this document may be | Multiple Traffic Filtering Actions defined in this document may be | |||
| present for a single Flow Specification and SHOULD be applied to the | present for a single Flow Specification and SHOULD be applied to the | |||
| traffic flow (for example traffic-rate-bytes and rt-redirect can be | traffic flow (for example traffic-rate-bytes and rt-redirect can be | |||
| applied to packets at the same time). If not all of the Traffic | applied to packets at the same time). If not all of the Traffic | |||
| Filtering Actions can be applied to a traffic flow they should be | Filtering Actions can be applied to a traffic flow they should be | |||
| treated as interfering Traffic filtering actions (see below). | treated as interfering Traffic filtering actions (see below). | |||
| skipping to change at page 21, line 6 ¶ | skipping to change at page 21, line 6 ¶ | |||
| All Traffic Filtering Actions are specified as transitive BGP | All Traffic Filtering Actions are specified as transitive BGP | |||
| Extended Communities. | Extended Communities. | |||
| 7.1. Traffic Rate in Bytes (traffic-rate-bytes) sub-type 0x06 | 7.1. Traffic Rate in Bytes (traffic-rate-bytes) sub-type 0x06 | |||
| The traffic-rate-bytes extended community uses the following extended | The traffic-rate-bytes extended community uses the following extended | |||
| community encoding: | community encoding: | |||
| The first two octets carry the 2-octet id, which can be assigned from | The first two octets carry the 2-octet id, which can be assigned from | |||
| a 2-byte AS number. When a 4-byte AS number is locally present, the | a 2-octet AS number. When a 4-octet AS number is locally present, | |||
| 2 least significant bytes of such an AS number can be used. This | the 2 least significant octets of such an AS number can be used. | |||
| value is purely informational and SHOULD NOT be interpreted by the | This value is purely informational and SHOULD NOT be interpreted by | |||
| implementation. | the implementation. | |||
| The remaining 4 octets carry the maximum rate information in IEEE | The remaining 4 octets carry the maximum rate information in IEEE | |||
| floating point [IEEE.754.1985] format, units being bytes per second. | floating point [IEEE.754.1985] format, units being bytes per second. | |||
| A traffic-rate of 0 should result on all traffic for the particular | A traffic-rate of 0 should result on all traffic for the particular | |||
| flow to be discarded. On encoding the traffic-rate MUST NOT be | flow to be discarded. On encoding the traffic-rate MUST NOT be | |||
| negative. On decoding negative values MUST be treated as zero | negative. On decoding negative values MUST be treated as zero | |||
| (discard all traffic). | (discard all traffic). | |||
| Interferes with: No other BGP Flow Specification Traffic Filtering | Interferes with: No other BGP Flow Specification Traffic Filtering | |||
| Action in this document. | Action in this document. | |||
| skipping to change at page 21, line 36 ¶ | skipping to change at page 21, line 36 ¶ | |||
| rate-packets of 0 should result in all traffic for the particular | rate-packets of 0 should result in all traffic for the particular | |||
| flow to be discarded. On encoding the traffic-rate-packets MUST NOT | flow to be discarded. On encoding the traffic-rate-packets MUST NOT | |||
| be negative. On decoding negative values MUST be treated as zero | be negative. On decoding negative values MUST be treated as zero | |||
| (discard all traffic). | (discard all traffic). | |||
| Interferes with: No other BGP Flow Specification Traffic Filtering | Interferes with: No other BGP Flow Specification Traffic Filtering | |||
| Action in this document. | Action in this document. | |||
| 7.3. Traffic-action (traffic-action) sub-type 0x07 | 7.3. Traffic-action (traffic-action) sub-type 0x07 | |||
| The traffic-action extended community consists of 6 bytes of which | The traffic-action extended community consists of 6 octets of which | |||
| only the 2 least significant bits of the 6th byte (from left to | only the 2 least significant bits of the 6th octet (from left to | |||
| right) are defined by this document as shown in Figure 5. | right) are defined by this document as shown in Figure 5. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Traffic Action Field | | | Traffic Action Field | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Tr. Action Field (cont.) |S|T| | | Tr. Action Field (cont.) |S|T| | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| skipping to change at page 22, line 14 ¶ | skipping to change at page 22, line 14 ¶ | |||
| o T: Terminal Action (bit 47): When this bit is set, the traffic | o T: Terminal Action (bit 47): When this bit is set, the traffic | |||
| filtering engine will evaluate any subsequent Flow Specifications | filtering engine will evaluate any subsequent Flow Specifications | |||
| (as defined by the ordering procedure Section 5.1). If not set, | (as defined by the ordering procedure Section 5.1). If not set, | |||
| the evaluation of the traffic filters stops when this Flow | the evaluation of the traffic filters stops when this Flow | |||
| Specification is evaluated. | Specification is evaluated. | |||
| o S: Sample (bit 46): Enables traffic sampling and logging for this | o S: Sample (bit 46): Enables traffic sampling and logging for this | |||
| Flow Specification (only effective when set). | Flow Specification (only effective when set). | |||
| o Traffic Action Field: Other Traffic Action Field (see Section 12) | o Traffic Action Field: Other Traffic Action Field (see Section 11) | |||
| bits unused in this specification. These bits SHOULD be set to 0 | bits unused in this specification. These bits SHOULD be set to 0 | |||
| on encoding, and MUST be ignored during decoding. | on encoding, and MUST be ignored during decoding. | |||
| The use of the Terminal Action (bit 47) may result in more than one | The use of the Terminal Action (bit 47) may result in more than one | |||
| Flow Specification matching a particular traffic flow. All the | Flow Specification matching a particular traffic flow. All the | |||
| Traffic Filtering Actions from these Flow Specifications shall be | Traffic Filtering Actions from these Flow Specifications shall be | |||
| collected and applied. In case of interfering Traffic Filtering | collected and applied. In case of interfering Traffic Filtering | |||
| Actions it is an implementation decision which Traffic Filtering | Actions it is an implementation decision which Traffic Filtering | |||
| Actions are selected. See also Section 7.7. | Actions are selected. See also Section 7.7. | |||
| skipping to change at page 24, line 10 ¶ | skipping to change at page 24, line 10 ¶ | |||
| If a Flow Specification associated with interfering Traffic Filtering | If a Flow Specification associated with interfering Traffic Filtering | |||
| Actions is selected for packet forwarding, it is an implementation | Actions is selected for packet forwarding, it is an implementation | |||
| decision which of the interfering Traffic Filtering Actions are | decision which of the interfering Traffic Filtering Actions are | |||
| selected. Implementors of this specification SHOULD document the | selected. Implementors of this specification SHOULD document the | |||
| behaviour of their implementation in such cases. | behaviour of their implementation in such cases. | |||
| Operators are encouraged to make use of the BGP policy framework | Operators are encouraged to make use of the BGP policy framework | |||
| supported by their implementation in order to achieve a predictable | supported by their implementation in order to achieve a predictable | |||
| behaviour (ie. match - replace - delete communities on administrative | behaviour (ie. match - replace - delete communities on administrative | |||
| boundaries). See also Section 13. | boundaries). See also Section 12. | |||
| 8. Dissemination of Traffic Filtering in BGP/MPLS VPN Networks | 8. Dissemination of Traffic Filtering in BGP/MPLS VPN Networks | |||
| Provider-based Layer 3 VPN networks, such as the ones using a BGP/ | Provider-based Layer 3 VPN networks, such as the ones using a BGP/ | |||
| MPLS IP VPN [RFC4364] control plane, may have different traffic | MPLS IP VPN [RFC4364] control plane, may have different traffic | |||
| filtering requirements than Internet service providers. But also | filtering requirements than Internet service providers. But also | |||
| Internet service providers may use those VPNs for scenarios like | Internet service providers may use those VPNs for scenarios like | |||
| having the Internet routing table in a VRF, resulting in the same | having the Internet routing table in a VRF, resulting in the same | |||
| traffic filtering requirements as defined for the global routing | traffic filtering requirements as defined for the global routing | |||
| table environment within this document. This document defines an | table environment within this document. This document defines an | |||
| additional BGP NLRI type (AFI=1, SAFI=134) value, which can be used | additional BGP NLRI type (AFI=1, SAFI=134) value, which can be used | |||
| to propagate Flow Specification in a BGP/MPLS VPN environment. | to propagate Flow Specification in a BGP/MPLS VPN environment. | |||
| The NLRI format for this address family consists of a fixed-length | The NLRI format for this address family consists of a fixed-length | |||
| Route Distinguisher field (8 bytes) followed by the Flow | Route Distinguisher field (8 octets) followed by the Flow | |||
| Specification NLRI value (Section 4.2). The NLRI length field shall | Specification NLRI value (Section 4.2). The NLRI length field shall | |||
| include both the 8 bytes of the Route Distinguisher as well as the | include both the 8 octets of the Route Distinguisher as well as the | |||
| subsequent Flow Specification NLRI value. The resulting encoding is | subsequent Flow Specification NLRI value. The resulting encoding is | |||
| shown in Figure 7. | shown in Figure 7. | |||
| +------------------------------+ | +--------------------------------+ | |||
| | length (0xnn or 0xfn nn) | | | length (0xnn or 0xfn nn) | | |||
| +------------------------------+ | +--------------------------------+ | |||
| | Route Distinguisher (8 bytes)| | | Route Distinguisher (8 octets) | | |||
| +------------------------------+ | +--------------------------------+ | |||
| | NLRI value (variable) | | | NLRI value (variable) | | |||
| +------------------------------+ | +--------------------------------+ | |||
| Figure 7: Flow Specification NLRI for MPLS | Figure 7: Flow Specification NLRI for MPLS | |||
| Propagation of this NLRI is controlled by matching Route Target | Propagation of this NLRI is controlled by matching Route Target | |||
| extended communities associated with the BGP path advertisement with | extended communities associated with the BGP path advertisement with | |||
| the VRF import policy, using the same mechanism as described in BGP/ | the VRF import policy, using the same mechanism as described in BGP/ | |||
| MPLS IP VPNs [RFC4364]. | MPLS IP VPNs [RFC4364]. | |||
| Flow Specifications received via this NLRI apply only to traffic that | Flow Specifications received via this NLRI apply only to traffic that | |||
| belongs to the VRF(s) in which it is imported. By default, traffic | belongs to the VRF(s) in which it is imported. By default, traffic | |||
| skipping to change at page 25, line 33 ¶ | skipping to change at page 25, line 33 ¶ | |||
| 10. Error Handling | 10. Error Handling | |||
| Error handling according to [RFC7606] and [RFC4760] applies to this | Error handling according to [RFC7606] and [RFC4760] applies to this | |||
| specification. | specification. | |||
| This document introduces Traffic Filtering Action Extended | This document introduces Traffic Filtering Action Extended | |||
| Communities. Malformed Traffic Filtering Action Extended Communities | Communities. Malformed Traffic Filtering Action Extended Communities | |||
| in the sense of [RFC7606] Section 7.14. are Extended Community values | in the sense of [RFC7606] Section 7.14. are Extended Community values | |||
| that cannot be decoded according to Section 7 of this document. | that cannot be decoded according to Section 7 of this document. | |||
| 11. Future NLRI Extensions | 11. IANA Considerations | |||
| Future Flow Specification extensions may introduce new Flow | ||||
| Specification components. If a receiving BGP speaker decodes an | ||||
| unknown Flow Specification component type it is unable to continue | ||||
| decoding the following Flow Specification components in the same NLRI | ||||
| value and MUST discard this NLRI value and all its components as | ||||
| described in Section 4.2 for further processing. Since the NLRI | ||||
| field encoding (Section 4) is defined in the form of a 2-tuple | ||||
| <length, NLRI value> message decoding can skip over the NLRI value | ||||
| and continue with subsequent NLRI and message decoding. | ||||
| The specification of a new Flow Specification Component Type MUST | ||||
| clearly identify what the criteria used to match packets forwarded by | ||||
| the router is. This criteria should be meaningful across router hops | ||||
| and not depend on values that change hop-by-hop such as TTL or Layer | ||||
| 2 encapsulation. | ||||
| Such extensions SHOULD also specify a way to encode an "always-match" | ||||
| match condition within the newly introduced components (this is a | ||||
| match condition, encoded with the newly introduced components: If | ||||
| present on its own, matches all flows). This match condition can be | ||||
| used to propagate (and apply) certain Flow Specifications only if a | ||||
| specific extension is known to the implementation. | ||||
| 12. IANA Considerations | ||||
| This section complies with [RFC7153]. | This section complies with [RFC7153]. | |||
| 12.1. AFI/SAFI Definitions | 11.1. AFI/SAFI Definitions | |||
| IANA maintains a registry entitled "SAFI Values". For the purpose of | IANA maintains a registry entitled "SAFI Values". For the purpose of | |||
| this work, IANA is requested to update the following SAFIs to read | this work, IANA is requested to update the following SAFIs to read | |||
| according to the table below (Note: This document obsoletes both | according to the table below (Note: This document obsoletes both | |||
| RFC7674 and RFC5575 and all references to those documents should be | RFC7674 and RFC5575 and all references to those documents should be | |||
| deleted from the registry below): | deleted from the registry below): | |||
| +-------+------------------------------------------+----------------+ | +-------+------------------------------------------+----------------+ | |||
| | Value | Name | Reference | | | Value | Name | Reference | | |||
| +-------+------------------------------------------+----------------+ | +-------+------------------------------------------+----------------+ | |||
| | 133 | Dissemination of Flow Specification | [this | | | 133 | Dissemination of Flow Specification | [this | | |||
| | | rules | document] | | | | rules | document] | | |||
| | 134 | L3VPN Dissemination of Flow | [this | | | 134 | L3VPN Dissemination of Flow | [this | | |||
| | | Specification rules | document] | | | | Specification rules | document] | | |||
| +-------+------------------------------------------+----------------+ | +-------+------------------------------------------+----------------+ | |||
| Table 3: Registry: SAFI Values | Table 3: Registry: SAFI Values | |||
| 12.2. Flow Component Definitions | 11.2. Flow Component Definitions | |||
| A Flow Specification consists of a sequence of flow components, which | A Flow Specification consists of a sequence of flow components, which | |||
| are identified by a an 8-bit component type. IANA has created and | are identified by a an 8-bit component type. IANA has created and | |||
| maintains a registry entitled "Flow Spec Component Types". IANA is | maintains a registry entitled "Flow Spec Component Types". IANA is | |||
| requested to update the reference for this registry to [this | requested to update the reference for this registry to [this | |||
| document]. Furthermore the references to the values should be | document]. Furthermore the references to the values should be | |||
| updated according to the table below (Note: This document obsoletes | updated according to the table below (Note: This document obsoletes | |||
| both RFC7674 and RFC5575 and all references to those documents should | both RFC7674 and RFC5575 and all references to those documents should | |||
| be deleted from the registry below). | be deleted from the registry below). | |||
| skipping to change at page 27, line 38 ¶ | skipping to change at page 27, line 16 ¶ | |||
| | Type Values | Policy | | | Type Values | Policy | | |||
| +--------------+-------------------------------+ | +--------------+-------------------------------+ | |||
| | 0 | Reserved | | | 0 | Reserved | | |||
| | [1 .. 12] | Defined by this specification | | | [1 .. 12] | Defined by this specification | | |||
| | [13 .. 127] | Specification required | | | [13 .. 127] | Specification required | | |||
| | [128 .. 255] | First Come First Served | | | [128 .. 255] | First Come First Served | | |||
| +--------------+-------------------------------+ | +--------------+-------------------------------+ | |||
| Table 5: Flow Spec Component Types Policies | Table 5: Flow Spec Component Types Policies | |||
| 12.3. Extended Community Flow Specification Actions | 11.3. Extended Community Flow Specification Actions | |||
| The Extended Community Flow Specification Action types defined in | The Extended Community Flow Specification Action types defined in | |||
| this document consist of two parts: | this document consist of two parts: | |||
| Type (BGP Transitive Extended Community Type) | Type (BGP Transitive Extended Community Type) | |||
| Sub-Type | Sub-Type | |||
| For the type-part, IANA maintains a registry entitled "BGP Transitive | For the type-part, IANA maintains a registry entitled "BGP Transitive | |||
| Extended Community Types". For the purpose of this work (Section 7), | Extended Community Types". For the purpose of this work (Section 7), | |||
| skipping to change at page 28, line 43 ¶ | skipping to change at page 28, line 21 ¶ | |||
| | Sub-Type | Name | Reference | | | Sub-Type | Name | Reference | | |||
| | Value | | | | | Value | | | | |||
| +----------+--------------------------------------------+-----------+ | +----------+--------------------------------------------+-----------+ | |||
| | 0x06 | Flow spec traffic-rate-bytes | [this | | | 0x06 | Flow spec traffic-rate-bytes | [this | | |||
| | | | document] | | | | | document] | | |||
| | TBD | Flow spec traffic-rate-packets | [this | | | TBD | Flow spec traffic-rate-packets | [this | | |||
| | | | document] | | | | | document] | | |||
| | 0x07 | Flow spec traffic-action (Use | [this | | | 0x07 | Flow spec traffic-action (Use | [this | | |||
| | | of the "Value" field is defined in the | document] | | | | of the "Value" field is defined in the | document] | | |||
| | | "Traffic Action Fields" registry) | | | | | "Traffic Action Fields" registry) | | | |||
| | 0x08 | Flow spec rt-redirect AS-2byte | [this | | | 0x08 | Flow spec rt-redirect | [this | | |||
| | | format | document] | | | | AS-2octet format | document] | | |||
| | 0x09 | Flow spec traffic-remarking | [this | | | 0x09 | Flow spec traffic-remarking | [this | | |||
| | | | document] | | | | | document] | | |||
| +----------+--------------------------------------------+-----------+ | +----------+--------------------------------------------+-----------+ | |||
| Table 7: Registry: Generic Transitive Experimental Use Extended | Table 7: Registry: Generic Transitive Experimental Use Extended | |||
| Community Sub-Types | Community Sub-Types | |||
| +------------+----------------------------------------+-------------+ | +------------+----------------------------------------+-------------+ | |||
| | Sub-Type | Name | Reference | | | Sub-Type | Name | Reference | | |||
| | Value | | | | | Value | | | | |||
| +------------+----------------------------------------+-------------+ | +------------+----------------------------------------+-------------+ | |||
| | 0x08 | Flow spec rt-redirect IPv4 | [this | | | 0x08 | Flow spec rt-redirect IPv4 | [this | | |||
| | | format | document] | | | | format | document] | | |||
| +------------+----------------------------------------+-------------+ | +------------+----------------------------------------+-------------+ | |||
| Table 8: Registry: Generic Transitive Experimental Use Extended | Table 8: Registry: Generic Transitive Experimental Use Extended | |||
| Community Part 2 Sub-Types | Community Part 2 Sub-Types | |||
| +------------+----------------------------------------+-------------+ | +------------+-----------------------------------------+------------+ | |||
| | Sub-Type | Name | Reference | | | Sub-Type | Name | Reference | | |||
| | Value | | | | | Value | | | | |||
| +------------+----------------------------------------+-------------+ | +------------+-----------------------------------------+------------+ | |||
| | 0x08 | Flow spec rt-redirect AS- | [this | | | 0x08 | Flow spec rt-redirect | [this | | |||
| | | 4byte format | document] | | | | AS-4octet format | document] | | |||
| +------------+----------------------------------------+-------------+ | +------------+-----------------------------------------+------------+ | |||
| Table 9: Registry: Generic Transitive Experimental Use Extended | Table 9: Registry: Generic Transitive Experimental Use Extended | |||
| Community Part 3 Sub-Types | Community Part 3 Sub-Types | |||
| Furthermore IANA is requested to update the reference for the | Furthermore IANA is requested to update the reference for the | |||
| registries "Generic Transitive Experimental Use Extended Community | registries "Generic Transitive Experimental Use Extended Community | |||
| Part 2 Sub-Types" and "Generic Transitive Experimental Use Extended | Part 2 Sub-Types" and "Generic Transitive Experimental Use Extended | |||
| Community Part 3 Sub-Types" to [this document]. | Community Part 3 Sub-Types" to [this document]. | |||
| The "traffic-action" extended community (Section 7.3) defined in this | The "traffic-action" extended community (Section 7.3) defined in this | |||
| skipping to change at page 30, line 5 ¶ | skipping to change at page 29, line 29 ¶ | |||
| +-----+-----------------+-----------------+ | +-----+-----------------+-----------------+ | |||
| | Bit | Name | Reference | | | Bit | Name | Reference | | |||
| +-----+-----------------+-----------------+ | +-----+-----------------+-----------------+ | |||
| | 47 | Terminal Action | [this document] | | | 47 | Terminal Action | [this document] | | |||
| | 46 | Sample | [this document] | | | 46 | Sample | [this document] | | |||
| +-----+-----------------+-----------------+ | +-----+-----------------+-----------------+ | |||
| Table 10: Registry: Traffic Action Fields | Table 10: Registry: Traffic Action Fields | |||
| 13. Security Considerations | 12. Security Considerations | |||
| As long as Flow Specifications are restricted to match the | As long as Flow Specifications are restricted to match the | |||
| corresponding unicast routing paths for the relevant prefixes | corresponding unicast routing paths for the relevant prefixes | |||
| (Section 6), the security characteristics of this proposal are | (Section 6), the security characteristics of this proposal are | |||
| equivalent to the existing security properties of BGP unicast | equivalent to the existing security properties of BGP unicast | |||
| routing. Any relaxation of the validation procedure described in | routing. Any relaxation of the validation procedure described in | |||
| Section 6 may allow unwanted Flow Specifications to be propagated and | Section 6 may allow unwanted Flow Specifications to be propagated and | |||
| thus unwanted Traffic Filtering Actions may be applied to flows. | thus unwanted Traffic Filtering Actions may be applied to flows. | |||
| Where the above mechanisms are not in place, this could open the door | Where the above mechanisms are not in place, this could open the door | |||
| skipping to change at page 30, line 52 ¶ | skipping to change at page 30, line 27 ¶ | |||
| extend the AS_PATH. In such cases it is not possible to enforce the | extend the AS_PATH. In such cases it is not possible to enforce the | |||
| left-most AS in the AS_PATH to be the neighbor AS (the AS of the | left-most AS in the AS_PATH to be the neighbor AS (the AS of the | |||
| route server). Since the validation of Flow Specification | route server). Since the validation of Flow Specification | |||
| (Section 6) depends on this, additional care must be taken. It is | (Section 6) depends on this, additional care must be taken. It is | |||
| advised to use a strict inbound route policy in such scenarios. | advised to use a strict inbound route policy in such scenarios. | |||
| Enabling firewall-like capabilities in routers without centralized | Enabling firewall-like capabilities in routers without centralized | |||
| management could make certain failures harder to diagnose. For | management could make certain failures harder to diagnose. For | |||
| example, it is possible to allow TCP packets to pass between a pair | example, it is possible to allow TCP packets to pass between a pair | |||
| of addresses but not ICMP packets. It is also possible to permit | of addresses but not ICMP packets. It is also possible to permit | |||
| packets smaller than 900 or greater than 1000 bytes to pass between a | packets smaller than 900 or greater than 1000 octets to pass between | |||
| pair of addresses, but not packets whose length is in the range 900- | a pair of addresses, but not packets whose length is in the range | |||
| 1000. Such behavior may be confusing and these capabilities should | 900- 1000. Such behavior may be confusing and these capabilities | |||
| be used with care whether manually configured or coordinated through | should be used with care whether manually configured or coordinated | |||
| the protocol extensions described in this document. | through the protocol extensions described in this document. | |||
| Flow Specification BGP speakers (e.g. automated DDoS controllers) not | Flow Specification BGP speakers (e.g. automated DDoS controllers) not | |||
| properly programmed, algorithms that are not performing as expected, | properly programmed, algorithms that are not performing as expected, | |||
| or simply rogue systems may announce unintended Flow Specifications, | or simply rogue systems may announce unintended Flow Specifications, | |||
| send updates at a high rate or generate a high number of Flow | send updates at a high rate or generate a high number of Flow | |||
| Specifications. This may stress the receiving systems, exceed their | Specifications. This may stress the receiving systems, exceed their | |||
| maximum capacity or may lead to unwanted Traffic Filtering Actions | maximum capacity or may lead to unwanted Traffic Filtering Actions | |||
| being applied to flows. | being applied to flows. | |||
| When BGP decodes an unknown Flow Specification component type, as of | ||||
| Section 4.2 it needs to discard the NLRI and skip over the remaining | ||||
| undecoded octets to the following NLRI or to the end of the list. | ||||
| Skipping over unknown octets of the to be discarded NLRI is the | ||||
| specified behaviour for a Type NLRI in Section 5.4 [RFC7606]. While | ||||
| this is not intrinsic to the Flow Specification NLRI in particular, | ||||
| it needs to be pointed out that, carefully crafted wrong NLRI length | ||||
| fields may lead to synchronisation issues between BGP senders and | ||||
| receivers. | ||||
| While the general verification of the Flow Specification NLRI is | While the general verification of the Flow Specification NLRI is | |||
| specified in this document (Section 6) the Traffic Filtering Actions | specified in this document (Section 6) the Traffic Filtering Actions | |||
| received by a third party may need custom verification or filtering. | received by a third party may need custom verification or filtering. | |||
| In particular all non traffic-rate actions may allow a third party to | In particular all non traffic-rate actions may allow a third party to | |||
| modify packet forwarding properties and potentially gain access to | modify packet forwarding properties and potentially gain access to | |||
| other routing-tables/VPNs or undesired queues. This can be avoided | other routing-tables/VPNs or undesired queues. This can be avoided | |||
| by proper filtering/screening of the Traffic Filtering Action | by proper filtering/screening of the Traffic Filtering Action | |||
| communities at network borders and only exposing a predefined subset | communities at network borders and only exposing a predefined subset | |||
| of Traffic Filtering Actions (see Section 7) to third parties. One | of Traffic Filtering Actions (see Section 7) to third parties. One | |||
| way to achieve this is by mapping user-defined communities, that can | way to achieve this is by mapping user-defined communities, that can | |||
| skipping to change at page 32, line 5 ¶ | skipping to change at page 31, line 14 ¶ | |||
| accepting Traffic Filtering Action extended communities from third | accepting Traffic Filtering Action extended communities from third | |||
| parties. | parties. | |||
| This extension adds additional information to Internet routers. | This extension adds additional information to Internet routers. | |||
| These are limited in terms of the maximum number of data elements | These are limited in terms of the maximum number of data elements | |||
| they can hold as well as the number of events they are able to | they can hold as well as the number of events they are able to | |||
| process in a given unit of time. Service providers need to consider | process in a given unit of time. Service providers need to consider | |||
| the maximum capacity of their devices and may need to limit the | the maximum capacity of their devices and may need to limit the | |||
| number of Flow Specifications accepted and processed. | number of Flow Specifications accepted and processed. | |||
| 14. Contributors | 13. Contributors | |||
| Barry Greene, Pedro Marques, Jared Mauch and Nischal Sheth were | Barry Greene, Pedro Marques, Jared Mauch and Nischal Sheth were | |||
| authors on [RFC5575], and therefore are contributing authors on this | authors on [RFC5575], and therefore are contributing authors on this | |||
| document. | document. | |||
| 15. Acknowledgements | 14. Acknowledgements | |||
| The authors would like to thank Yakov Rekhter, Dennis Ferguson, Chris | The authors would like to thank Yakov Rekhter, Dennis Ferguson, Chris | |||
| Morrow, Charlie Kaufman, and David Smith for their comments for the | Morrow, Charlie Kaufman, and David Smith for their comments for the | |||
| comments on the original [RFC5575]. Chaitanya Kodeboyina helped | comments on the original [RFC5575]. Chaitanya Kodeboyina helped | |||
| design the flow validation procedure; and Steven Lin and Jim Washburn | design the flow validation procedure; and Steven Lin and Jim Washburn | |||
| ironed out all the details necessary to produce a working | ironed out all the details necessary to produce a working | |||
| implementation in the original [RFC5575]. | implementation in the original [RFC5575]. | |||
| A packet rate Traffic Filtering Action was also described in a Flow | A packet rate Traffic Filtering Action was also described in a Flow | |||
| Specification extension draft and the authors like to thank Wesley | Specification extension draft and the authors like to thank Wesley | |||
| Eddy, Justin Dailey and Gilbert Clark for their work. | Eddy, Justin Dailey and Gilbert Clark for their work. | |||
| Additionally, the authors would like to thank Alexander Mayrhofer, | Additionally, the authors would like to thank Alexander Mayrhofer, | |||
| Nicolas Fevrier, Job Snijders, Jeffrey Haas and Adam Chappell for | Nicolas Fevrier, Job Snijders, Jeffrey Haas and Adam Chappell for | |||
| their comments and review. | their comments and review. | |||
| 16. References | 15. References | |||
| 16.1. Normative References | 15.1. Normative References | |||
| [IEEE.754.1985] | [IEEE.754.1985] | |||
| IEEE, "Standard for Binary Floating-Point Arithmetic", | IEEE, "Standard for Binary Floating-Point Arithmetic", | |||
| IEEE 754-1985, August 1985. | IEEE 754-1985, August 1985. | |||
| [ISO_IEC_9899] | [ISO_IEC_9899] | |||
| ISO, "Information technology -- Programming languages -- | ISO, "Information technology -- Programming languages -- | |||
| C", ISO/IEC 9899:2018, June 2018. | C", ISO/IEC 9899:2018, June 2018. | |||
| [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | |||
| skipping to change at page 34, line 19 ¶ | skipping to change at page 33, line 28 ¶ | |||
| [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
| Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
| RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
| <https://www.rfc-editor.org/info/rfc8126>. | <https://www.rfc-editor.org/info/rfc8126>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| 16.2. Informative References | 15.2. Informative References | |||
| [I-D.ietf-idr-flow-spec-v6] | [I-D.ietf-idr-flow-spec-v6] | |||
| Loibl, C., Raszuk, R., and S. Hares, "Dissemination of | Loibl, C., Raszuk, R., and S. Hares, "Dissemination of | |||
| Flow Specification Rules for IPv6", draft-ietf-idr-flow- | Flow Specification Rules for IPv6", draft-ietf-idr-flow- | |||
| spec-v6-10 (work in progress), November 2019. | spec-v6-10 (work in progress), November 2019. | |||
| [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", | [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", | |||
| RFC 4303, DOI 10.17487/RFC4303, December 2005, | RFC 4303, DOI 10.17487/RFC4303, December 2005, | |||
| <https://www.rfc-editor.org/info/rfc4303>. | <https://www.rfc-editor.org/info/rfc4303>. | |||
| skipping to change at page 34, line 48 ¶ | skipping to change at page 34, line 9 ¶ | |||
| <https://www.rfc-editor.org/info/rfc6811>. | <https://www.rfc-editor.org/info/rfc6811>. | |||
| [RFC7674] Haas, J., Ed., "Clarification of the Flowspec Redirect | [RFC7674] Haas, J., Ed., "Clarification of the Flowspec Redirect | |||
| Extended Community", RFC 7674, DOI 10.17487/RFC7674, | Extended Community", RFC 7674, DOI 10.17487/RFC7674, | |||
| October 2015, <https://www.rfc-editor.org/info/rfc7674>. | October 2015, <https://www.rfc-editor.org/info/rfc7674>. | |||
| [RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol | [RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol | |||
| Specification", RFC 8205, DOI 10.17487/RFC8205, September | Specification", RFC 8205, DOI 10.17487/RFC8205, September | |||
| 2017, <https://www.rfc-editor.org/info/rfc8205>. | 2017, <https://www.rfc-editor.org/info/rfc8205>. | |||
| 16.3. URIs | 15.3. URIs | |||
| [1] https://github.com/stoffi92/flowspec-cmp | [1] https://github.com/stoffi92/flowspec-cmp | |||
| Appendix A. Python code: flow_rule_cmp | Appendix A. Python code: flow_rule_cmp | |||
| <CODE BEGINS> | <CODE BEGINS> | |||
| """ | """ | |||
| Copyright (c) 2019 IETF Trust and the persons identified as authors of | Copyright (c) 2019 IETF Trust and the persons identified as authors of | |||
| the code. All rights reserved. | the code. All rights reserved. | |||
| skipping to change at page 36, line 35 ¶ | skipping to change at page 35, line 44 ¶ | |||
| This document includes numerous editorial changes to [RFC5575]. It | This document includes numerous editorial changes to [RFC5575]. It | |||
| also completely incorporates the redirect action clarification | also completely incorporates the redirect action clarification | |||
| document [RFC7674]. It is recommended to read the entire document. | document [RFC7674]. It is recommended to read the entire document. | |||
| The authors, however want to point out the following technical | The authors, however want to point out the following technical | |||
| changes to [RFC5575]: | changes to [RFC5575]: | |||
| Section 1 introduces the Flow Specification NLRI. In [RFC5575] | Section 1 introduces the Flow Specification NLRI. In [RFC5575] | |||
| this NLRI was defined as an opaque-key in BGPs database. This | this NLRI was defined as an opaque-key in BGPs database. This | |||
| specification has removed all references to a opaque-key property. | specification has removed all references to a opaque-key property. | |||
| BGP is able to understand the NLRI encoding. This change also | BGP is able to understand the NLRI encoding. | |||
| resulted in a new section regarding error handling and | ||||
| extensibility (Section 10 and Section 11). | ||||
| Section 4.2.2.3 defines a numeric operator and comparison bit | Section 4.2.1.1 defines a numeric operator and comparison bit | |||
| combinations. In [RFC5575] the meaning of those bit combination | combinations. In [RFC5575] the meaning of those bit combination | |||
| was not explicitly defined and left open to the reader. | was not explicitly defined and left open to the reader. | |||
| Section 4.2.2.3 - Section 4.2.2.8, Section 4.2.2.10, | Section 4.2.2.3 - Section 4.2.2.8, Section 4.2.2.10, | |||
| Section 4.2.2.11 make use of the above numeric operator. The | Section 4.2.2.11 make use of the above numeric operator. The | |||
| allowed length of the comparison value was not consistently | allowed length of the comparison value was not consistently | |||
| defined in [RFC5575]. | defined in [RFC5575]. | |||
| Section 7 defines all Traffic Filtering Action Extended | Section 7 defines all Traffic Filtering Action Extended | |||
| communities as transitive extended communities. [RFC5575] defined | communities as transitive extended communities. [RFC5575] defined | |||
| skipping to change at page 37, line 23 ¶ | skipping to change at page 36, line 29 ¶ | |||
| route-target. This section also completely incorporates the | route-target. This section also completely incorporates the | |||
| [RFC7674] clarifications of the Flowspec Redirect Extended | [RFC7674] clarifications of the Flowspec Redirect Extended | |||
| Community. | Community. | |||
| Section 7.7 contains general considerations on interfering traffic | Section 7.7 contains general considerations on interfering traffic | |||
| actions. Section 7.3 also cross-references this section. | actions. Section 7.3 also cross-references this section. | |||
| [RFC5575] did not mention this. | [RFC5575] did not mention this. | |||
| Section 10 contains new error handling. | Section 10 contains new error handling. | |||
| Section 11 describes graceful handling of unknown Flow | ||||
| Specification components to allow future extensions. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Christoph Loibl | Christoph Loibl | |||
| Next Layer Communications | Next Layer Communications | |||
| Mariahilfer Guertel 37/7 | Mariahilfer Guertel 37/7 | |||
| Vienna 1150 | Vienna 1150 | |||
| AT | AT | |||
| Phone: +43 664 1176414 | Phone: +43 664 1176414 | |||
| Email: cl@tix.at | Email: cl@tix.at | |||
| End of changes. 52 change blocks. | ||||
| 158 lines changed or deleted | 106 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||