--- 1/draft-vandevelde-idr-flowspec-path-redirect-02.txt 2016-07-08 09:16:21.252914934 -0700 +++ 2/draft-vandevelde-idr-flowspec-path-redirect-03.txt 2016-07-08 09:16:21.276915534 -0700 @@ -1,41 +1,49 @@ IDR Working Group G. Van de Velde, Ed. Internet-Draft W. Henderickx -Intended status: Standards Track Alcatel-Lucent -Expires: September 18, 2016 K. Patel +Intended status: Standards Track Nokia +Expires: January 9, 2017 K. Patel A. Sreekantiah Cisco Systems - March 17, 2016 + Z. Li + S. Zhuang + N. Wu + Huawei Technologies + July 8, 2016 Flowspec Indirection-id Redirect - draft-vandevelde-idr-flowspec-path-redirect-02 + draft-vandevelde-idr-flowspec-path-redirect-03 Abstract - Flow-spec is an extension to BGP that allows for the dissemination of + Flowspec is an extension to BGP that allows for the dissemination of traffic flow specification rules. This has many possible applications but the primary one for many network operators is the distribution of traffic filtering actions for DDoS mitigation. The flow-spec standard RFC5575 [2] defines a redirect-to-VRF action for policy-based forwarding but this mechanism is not always sufficient, - particular if the redirected traffic needs to be steered into an + particularly if the redirected traffic needs to be steered into an engineered path or into a service plane. - This document defines a new redirect-to-INDIRECTION_ID (32-bit or - 128-bit) flow-spec action to provide advanced redirection - capabilities. When activated, the flowspec Indirection-id is used to - identify the next-hop redirect information within a router locallized - Indirection-id table. This allows a flowspec controller to signal - redirection towards a next-hop IP address, a shortest path tunnel, a - traffic engineered tunnel or a next-next-hop engineered tunnel - interface. + This document defines a new extended community known as redirect-to- + indirection-id (32-bit) flowspec action to provide advanced + redirection capabilities on flowspec clients. When activated, the + flowspec extended community is used by a flowspec client to find the + correct next-hop entry within a localised indirection-id mapping + table. + + The functionality present in this draft allows a network controller + to decouple flowspec functionality from the creation and maintainance + of the network's service plane itself including the setup of tunnels + and other service constructs that could be managed by other network + devices. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1]. Status of This Memo This Internet-Draft is submitted in full conformance with the @@ -44,342 +52,370 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 18, 2016. + This Internet-Draft will expire on January 9, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 - 2. INDIRECTION_ID and INDIRECTION_ID Table . . . . . . . . . . . 3 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. indirection-id and indirection-id table . . . . . . . . . . . 3 3. Use Case Scenarios . . . . . . . . . . . . . . . . . . . . . 4 3.1. Redirection shortest Path tunnel . . . . . . . . . . . . 4 3.2. Redirection to path-engineered tunnels . . . . . . . . . 4 3.3. Redirection to Next-next-hop tunnels . . . . . . . . . . 5 - 4. Redirect to INDIRECTION-ID Communities . . . . . . . . . . . 6 - 5. Redirect using locallized INDIRECTION_ID Router Mapping . . . 7 + 4. Redirect to indirection-id Community . . . . . . . . . . . . 6 + 5. Redirect using localised indirection-id mapping table . . . . 8 6. Validation Procedures . . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 - 10.1. Normative References . . . . . . . . . . . . . . . . . . 9 - 10.2. Informative References . . . . . . . . . . . . . . . . . 9 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 10.1. Normative References . . . . . . . . . . . . . . . . . . 10 + 10.2. Informative References . . . . . . . . . . . . . . . . . 10 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction - Flow-spec RFC5575 [2] is an extension to BGP that allows for the + Flowspec RFC5575 [2] is an extension to BGP that allows for the dissemination of traffic flow specification rules. This has many - possible applications but the primary one for many network operators - is the distribution of traffic filtering actions for DDoS mitigation. + possible applications, however the primary one for many network + operators is the distribution of traffic filtering actions for DDoS + mitigation. - Every flow-spec route is effectively a rule, consisting of a matching - part (encoded in the NLRI field) and an action part (encoded in one - or more BGP extended community). The flow-spec standard RFC5575 [2] - defines widely-used filter actions such as discard and rate limit; it - also defines a redirect-to-VRF action for policy-based forwarding. - Using the redirect-to-VRF action for redirecting traffic towards an - alternate destination is useful for DDoS mitigation but using this - technology can be cumbersome when there is need to redirect the - traffic onto an engineered traffic path. + Every flowspec policy route is effectively a rule, consisting of a + matching part (encoded in the NLRI field) and an action part (encoded + in one or more BGP extended communities). The flow-spec standard + RFC5575 [2] defines widely-used filter actions such as discard and + rate limit; it also defines a redirect-to-VRF action for policy-based + forwarding. Using the redirect-to-VRF action to steer traffic + towards an alternate destination is useful for DDoS mitigation but + using this technology can be cumbersome when there is need to steer + the traffic onto an engineered traffic path. - This draft proposes a new redirect-to-Indirection-id flow-spec action + This draft proposes a new redirect-to-indirection-id flowspec action facilitating an anchor point for policy-based forwarding onto an - engineered path or into a service plane. The router consuming and - utilizing the flowspec rule makes a local mapping between the - flowspec signalled redirect Indirection-id and locally available - redirection information referenced by the Indirection-id. This - locally available redirection information is derived from out-of-band - programming or signalling. + engineered path or into a service plane. The flowspec client + consuming and utilizing the new flowspec indirection-id extended- + community finds the redirection information within a localised + indirection-id mapping table. The localised mapping table is a table + construct providing at one side the table key and at the other side + next-hop information. The table key consists out the combination of + indirection-id type and indirection-id 32-bit value. - The redirect-to-Indirection-id is encoded in a newly defined BGP - extended Indirection_ID community. + The redirect-to-indirection-id flowspec action is encoded in a newly + defined BGP extended community. In addition, the type of redirection + can be configured as an extended community indirection-id type field. - The construction of the Indirection-id redirect table and the - technology used to create an engineered path are out-of-scope of this + This draft defines the indirection-id extended-community and the + wellknown indirection-id types. The specific solution to construct + the localised indirection-id mapping table are out-of-scope of this document. -2. INDIRECTION_ID and INDIRECTION_ID Table +2. indirection-id and indirection-id table - An INDIRECTION_ID is an abstract number (32-bit or 128-bit value) - used as identifier for a localised redirection decision. e.g. When a - BGP flowspec controller intends to redirect a flow using te redirect- - to-INDIRECTION_ID action then it has the ability to redirect the flow - to a destination abstracted as the INDIRECTION_ID. The device - receiving the BGP flowspec rule will use the INDIRECTION_ID to - identify the next-hop and the relevant tunnel encapsulations that - need to be pushed by a localised recursive lookup using information - located within the INDIRECTION_ID table. + An indirection-id is an abstract number (32-bit value) used as + identifier for a localised indirection decision. The indirection-id + will allow a flowspec client to redirect traffic into a service plane + or onto an engineered traffic path. e.g. When a BGP flowspec + controller signals a flowspec client the indirection-id extended + community, then the flowspec client uses the indirection-id to make a + recursive lookup to retrieve next-hop information found in a + localised indirection mapping table. - The INDIRECTION_ID Table is a router localised table. The table - content is constructed out of INDIRECTION_IDs and corresponding - redirect information which may be of rescursive or non-recursive - nature. When the redirect information is non-recursive, then the - represented information MUST be sufficient to identify the local - egress interface and the corresponding required encapsulations. - However, if the information is recursive, then the represented - information MUST be sufficient to identify the local egress interface - and corresponding encapsulations using additional recursions. + The indirection-id table is a router localised table. The + indirection-id table is constructed out of table keys mapped to + flowspec client localised redirection information. The table key is + created by the combination of the indirection-id type and the + indirection-id 32-bit value. Each entry in the indirection-table key + maps to sufficient information (parameters regarding encapsulation, + interface, QoS, etc...) to successfully redirect traffic. 3. Use Case Scenarios This section describes use-case scenarios when deploying redirect-to- - INDIRECTION_ID. + indirection-id. 3.1. Redirection shortest Path tunnel - A first use-case is allowing a BGP Flowspec controller send a single - flowspec policy message (redirect-to-INDIRECTION_ID#1) to many BGP - flowspec consuming routers. This message is instructing the Flowspec - recipient routers to redirect traffic onto a tunnel to a single IP - destination address. + A first use-case is allowing a BGP Flowspec controller to send a + single flowspec policy route (i.e. flowspec_route#1) to many BGP + flowspec clients. This flowspec route signals the Flowspec clients + to redirect traffic onto a tunnel towards a single IP destination + address. - For this use-case scenario, each flowspec recipient router has a - tunnel configured following the shortest path towards a tunnel IP - destination address. Each tunnel can have its own unique - encapsulation associated. Each tunnel is associated with an - INDIRECTION_ID, and for this example it is on all recipient routers - INDIRECTION_ID#1. Both manual and orchestrated tunnel provisioning - is supported, however for large scale deployment automation is - advisable. + For this first use-case scenario, the flowspec client receives from + the flowspec controller a flowspec route (i.e. flowspec_route#1) + including the redirect-to-indirection-id extended community. The + redirect-to-indirection-id extended community contains the key + (indirection-id type + indirection-id 32-bit value) to select the + corresponding next-hop information from the flowpsec client localised + indirection-id table. The resulting next-hop information for this + use-case is a remote tunnel end-point IP address with accordingly + sufficient tunnel encapsulation information to forward the packet + accordingly. - When using this setup, a BGP flowspec controller can send a single - BGP Flowspec NLRI with redirect-to-INDIRECTION_ID#1. This BGP - Flowspec NLRI is received by all recipient routers. Each of the - recipient routers performs a locallised recursive lookup for - INDIRECTION_ID#1 in the INDIRECTION_ID Table and identifies the - corresponding locallised tunnel redirect information. This - locallised tunnel information is now used to redirect traffic - matching the Flowspec policy towards a tunnel, each potentially using - its own unique tunnel encapsulation. + For redirect to shortest path tunnel it is required that the tunnel + MUST be operational and allow packets to be exchanged between tunnel + head- and tail-end. 3.2. Redirection to path-engineered tunnels - A second use-case is allowing a BGP Flowspec controller send a single - flowspec policy message (redirect-to-INDIRECTION_ID#2) to many BGP - flowspec consuming routers. This message is instructing the Flowspec - recipient routers to redirect traffic onto a path engineered tunnel. - - For this use-case scenario, each flowspec recipient router has a path - engineered tunnel configured. Each tunnel can have its own unique - encapsulation and engineered path associated. Each tunnel is - associated with an INDIRECTION_ID, and for this example it is on all - recipient routers INDIRECTION_ID#2. Both manual and orchestrated - tunnel provisioning is supported, however for large scale deployment - automation is advisable. + For a second use-case, it is expected that the flowspec client + redirect traffic matches the flowspec rule, onto a path engineered + tunnel. The path engineered tunnel on the flowspec client SHOULD be + created by out-of-band mechanisms. Each path engineered tunnel + deployed for flowspec redirection, has a unque key as an identifier. + consequently, the key (=indirection-id type and indirection-id 32-bit + value) uniquely identifies a single path engineered tunnel on the + flowspec client. The localised indirection-id mapping table is the + collection of all keys corresponding all path engineered tunnels on + the flowspec client. - A first example using this setup, is when a BGP flowspec controller - sends a single BGP Flowspec NLRI with redirect-to-INDIRECTION_ID#2. - This BGP Flowspec NLRI is received by all recipient routers. Each of - the recipient routers performs a locallised recursive lookup for - INDIRECTION_ID#2 in the INDIRECTION_ID Table and identifies the - corresponding locallised tunnel redirect information. This - locallised tunnel information is now used to redirect traffic - matching the Flowspec policy towards a path engineered tunnel. + For this second use-case scenario, the flowspec controller sends a + flowspec route (i.e. flowspec_route#2) to the flowspec clients. The + flowspec clients, respectively receive the flowspec route. The + redirect-to-indirection-id extended community contains the key + (indirection type + indirection-id 32-bit value) to select the + corresponding next-hop information from the flowpsec client localised + indirection-id table. The resulting next-hop information for this + use-case is path engineered tunnel information and has sufficient + tunnel encapsulation information to forward the packet according the + expectations of the flowspec controller. - A second example can be found in segment routed networks where path - engineered tunnels can be setup by means of a controller signaling - explicit paths to peering routers. In such a case, the - INDIRECTION_ID references to a Segment Routing Binding SID. The - Binding SID is a segment identifier value (as per segment routing + A concrete example of this use-case can be found in segment routed + networks where path engineered tunnels can be setup by means of a + controller signaling explicit paths to peering routers. In such a + case, the indirection-id references to a Segment Routing Binding SID, + while the indirection-id type references the Bindging SID semantic. + The Binding SID is a segment identifier value (as per segment routing definitions in [I-D.draft-ietf-spring-segment-routing] [6]) used to - associate with a explicit path and can be setup by a controller using - BGP as specified in [I-D.sreekantiah-idr-segment-routing-te] [5] or - using PCE as detailed in draft-ietf-pce-segment-routing [7]. When a - BGP speaker receives a flow-spec route with a 'redirect to Binding - SID' extended community, it installs a traffic filtering rule that - matches the packets described by the NLRI field and redirects them to - the explicit path associated with the Binding SID. The explicit path - is specified as a set/stack of segment identifiers as detailed in the - previous documents. The stack of segment identifiers is now imposed - on packets matching the flow-spec rule to perform redirection as per - the explicit path setup prior. The encoding of the Binding SID value - is specified in section 4, with the indirection field now encoding - the associated value for the binding SID. + associate with an explicit path and can be setup by a controller + using BGP as specified in [I-D.sreekantiah-idr-segment-routing-te] + [5] or using PCE as detailed in draft-ietf-pce-segment-routing [7]. + When a BGP speaker receives a flow-spec route with a 'redirect to + Binding SID' extended community, it installs a traffic filtering rule + that matches the packets described by the NLRI field and redirects + them to the explicit path associated with the Binding SID. The + explicit path is specified as a set/stack of segment identifiers as + detailed in the previous documents. The stack of segment identifiers + is now imposed on packets matching the flow-spec rule to perform + redirection as per the explicit path setup prior. The encoding of + the Binding SID value is specified in section 4, with the + indirection-id field now encoding the associated value for the + binding SID. 3.3. Redirection to Next-next-hop tunnels - A Third use-case is allowing a BGP Flowspec controller send a single - flowspec policy message (redirect-to-INDIRECTION_ID#3) to many BGP - flowspec consuming routers. This message is instructing the Flowspec - recipient routers to redirect traffic onto a shortest or engineered - path to a tunnel end-point and onwards to the next-hop-interface on - this end-point. This type of tunnel is used for example for Segment - Routing Central Egress Path Engineering [4]. + A Third use-case is when a BGP Flowspec controller sends a single + flowspec policy route to flowpsec clients to signal redirection + towards next-next-hop tunnels. In this use-case The flowspec rule is + instructing the Flowspec client to redirect traffic using a sequence + of indirection-id extended communities. The sequence of indirection- + ids is managed using Tunnel IDs (TID). i.e. a classic example would + be DDoS mitigation towards Segment Routing Central Egress Path + Engineering [4]. To steer DDoS traffic towards egress peer + engineering paths, a first indirection-id will steer traffic onto a + tunnel to an egress router, while a second indirection-id is used + steer the traffic at this egress router onto a particular interface + or towards a peer. The flowspec client will for this use-case + dynamically append all segment routing segments to steer the DDoS + traffic through the EPE path. - For this use-case scenario, each flowspec recipient router constructs - redirect information using two tunnel components. The first - component is a shortest or engineered path towards a network egress - router. The second component is the interface used on this network - egress router to which the redirected traffic needs to be steered - upon. The combination of these two components allows steering - towards the next-hop of the egress router, allowing for example the - Central Egress Path Engineering using BGP Flowspec [4]. + To achieve this type of redirection to next-next-hop tunnels, + multiple indirection-ids, each using a unique Tunnel ID are imposed + upon a the flowspec policy rule. The Tunnel ID will allow the + flowspec client to sequence the indirection-ids for correct next- + next-hop tunnel constructs. - The redirection towards a next-next-hop tunnel can be done by using - either a single INDIRECTION_ID representing the combined path to the - egress router and steering the traffic to the egress interface, or by - using individual INDIRECTION_IDs each representing a tunnel component - (One INDIRECTION_ID value to identify the path towards the egress - router and another INDIRECTION_ID value to identify the egress - interface on this egress router towards the next-next-hop). When - using individual INDIRECTION_IDs it is required to use INDIRECTION_ID - community Tunnel IDs (TID) each identifying a component of the - complete redirect path attached to the NLRI. +4. Redirect to indirection-id Community - i.e. when using next-next-hop tunnels, a BGP flowspec controller can - send a single BGP Flowspec NLRI with redirect-to-INDIRECTION_ID#3. - This BGP Flowspec NLRI is received by all recipient routers. Each of - the recipient routers performs a locallised recursive lookup for - INDIRECTION_ID#3 in the INDIRECTION_ID Table and identifies the - corresponding locallised tunnel redirect information (=path to the - egress router and the next-hop egress interface on this router). - Traffic matching the flowspec policy is redirected towards the - recursively found redirection information. + This document defines a new BGP extended community known as a + Redirect-to-indirection-id extended community. This extended + community is a new transitive extended community with the Type and + the Sub-Type field to be assigned by IANA. The format of this + extended community is show in Figure 1. -4. Redirect to INDIRECTION-ID Communities + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Sub-Type | Flags(1 octet)| Indirection ID| + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Generalized indirection_id | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - This document defines a new BGP extended community. The extended - communities have a type indicating they are transitive and IPv4- - address-specific or IPv6-address-specific, depending on whether the - INDIRECTION_ID is 32-bit or 128-bit. The sub-type value [to be - assigned by IANA] indicates that the global administrator and local - administrator fields encode a flow-spec 'redirect to INDIRECTION_ID' - action. In the new extended community the 4-byte or 16-byte global - administrator field encodes the 32-bit or 128-bit INDIRECTION_ID's - providing the INDIRECTION_ID to allow a local to the router mapping - reference to an engineered Path. The 2-byte local administrator - field is formatted as shown in Figure 1. + Figure 1 + + The meaning of the extended community fields are as follows: + + Type: 1 octet to be assigned by IANA. + + Sub-Type: 1 octet to be assigned by IANA. + + Flags: 1 octet field. Following Flags are defined. 0 1 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Reserved |B|TID|C| - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 0 1 2 3 4 5 6 7 + +-+-+-+-+-+-+-+-+ + | RES | TID |C| + +-+-+-+-+-+-+-+-+ - Figure 1 + Figure 2 - In the local administrator field the least-significant bit is defined - as the 'C' (or copy) bit. When the 'C' bit is set the redirection - applies to copies of the matching packets and not to the original - traffic stream. + The least-significant Flag bit is defined as the 'C' (or copy) bit. + When the 'C' bit is set the redirection applies to copies of the + matching packets and not to the original traffic stream. - The 'TID' field identifies a 2 bit Table-id field. This field is - used to provide the router consuming the flowspec rule an indication - how and where to use the INDIRECTION_ID when redirecting traffic. + The 'TID' field identifies a 4 bit Table-id field. This field is + used to provide the flowspec client an indication how and where to + sequence the received indirection-ids to redirecting traffic. TID + value 0 indicates that Table-id field is NOT set and SHOULD be + ignored. - Bit 2 is defined to be the 'B' (Binding) bit. When the 'B' bit is - set, the value encoded in the global administrator field is a Binding - Segment Identifier value the use of which is detailed in section 3.2. + All bits other than the 'C' and 'TID' bits MUST be set to 0 by the + originating BGP speaker and ignored by receiving BGP speakers. - All bits other than the 'C', 'TID' and 'B' bits in the local - administrator field MUST be set to 0 by the originating BGP speaker - and ignored by receiving BGP speakers. + Indirection ID: 1 octet value. This draft defines following + indirection_id Types: -5. Redirect using locallized INDIRECTION_ID Router Mapping + 0 - Localised ID - When a BGP speaker receives a flow-spec route with a 'redirect to - INDIRECTION_ID' extended community and this route represents the one - and only best path, it installs a traffic filtering rule that matches - the packets described by the NLRI field and redirects them (C=0) or - copies them (C=1) towards the INDIRECTION_ID local recursed Path. - The BGP speaker is expected to do a local INDIRECTION_ID Table lookup - to identify the redirection information. + 1 - Node ID - The router local INDIRECTION_ID table contains a list of - INDIRECTION_ID's each mapped to redirect information. The redirect - information can be non-recursive (i.e. there is only one option - available in the INDIRECTION_ID Table) or recursive (i.e. L3 VPN, L2 - VPN, a pre-programmed routing topology, etc... ). + 2 - Agency ID - o When the redirect information is non-recursive then the packet is - redirected based upon the information found in the Table. + 3 - AS (Autonomous System) ID - o In case of a next-hop tunnel, the traffic matching the flowspec - rule is redirected to the next-hop tunnel. This tunnel could be - instantiated through various means (i.e. manual configuration, - PCEP, RSVP-TE, WAN Controller, Segment Routing, etc...). + 4 - Anycast ID - o In case of redirection to a local next-hop interface, the traffic - matching the flowspec rule is redirected to the local next-hop - interface. + 5 - Multicast ID - o In case the INDIRECTION_ID Table lookup results in redirect - information identifying an additional layer of recursion, then - this will trigger the flow to be redirected based upon an - additional routing lookup within the realm of the additional layer - of recursion. + 6 - Tunnel ID (Tunnel Binding ID ) + + 7 - VPN ID + + 8 - OAM ID + + 9 - ECMP (Equal Cost Multi-Path) ID + + 10 - QoS ID + + 11 - Bandwidth-Guarantee ID + 12 - Security ID + + 13 - Multi-Topology ID + +5. Redirect using localised indirection-id mapping table + + When a BGP speaker receives a flowspec policy route with a 'redirect + to indirection-id' extended community and this route represents the + one and only best path or an equal cost multipath, it installs a + traffic filtering rule that matches the packets described by the NLRI + field and redirects them (C=0) or copies them (C=1) towards the + indirection-id local recursed path. To construct the local recursed + path, the flowspec client does a local indirection-id mapping table + lookup using the key comprised of the indirection-id 32-bit value and + indirection-id type to retrieve the correct redirection information. 6. Validation Procedures The validation check described in RFC5575 [2] and revised in [3] SHOULD be applied by default to received flow-spec routes with a - 'redirect to INDIRECTION_ID' extended community. This means that a + 'redirect to indirection-id' extended community. This means that a flow-spec route with a destination prefix subcomponent SHOULD NOT be accepted from an EBGP peer unless that peer also advertised the best path for the matching unicast route. It is possible from a semenatics perspective to have multiple redirect actions defined within a single flowspec rule. When a BGP - flowspec NLRI has a 'redirect to INDIRECTION_ID' extended community + flowspec NLRI has a 'redirect to indirection-id' extended community attached resulting in valid redirection then it MUST take priority above all other redirect actions emposed. However, if the 'redirect - to INDIRECTION_ID' does not result in a valid redirection, then the - flowspec rule must be processed as if the 'redirect to - INDIRECTION_ID' community was not attached to the flowspec route and - MUST provide an indication within the BGP routing table that the - 'redirect to INDIRECTION_ID' resulted in an invalid redirection + to indirection-id' does not result in a valid redirection, then the + flowspec rule must be processed as if the 'redirect to indirection- + id' community was not attached to the flowspec route and MUST provide + an indication within the BGP routing table that the respective + 'redirect to indirection-id' resulted in an invalid redirection action. 7. Security Considerations - A system using 'redirect-to-INDIRECTION_ID' extended community can - cause during the redirect mitigation of a DDoS attack result in an - overflow of traffic being received by the mitigation infrastructure. + A system using 'redirect-to-indirection-id' extended community can + cause during the redirect mitigation of a DDoS attack result in + overflow of traffic received by the mitigation infrastructure. 8. Acknowledgements This document received valuable comments and input from IDR working group including Adam Simpson, Mustapha Aissaoui, Jan Mertens, Robert Raszuk, Jeff Haas, Susan Hares and Lucy Yong 9. IANA Considerations - This document requests a new sub-type from the "Transitive IPv4- - Address-Specific" extended community registry. The sub-type name - shall be 'Flow-spec Redirect to 32-bit Path-id'. + This document requests a new type and sub-type for the Redirect to + indirection-id Extended community from the "Transitive Extended + community" registry. The Type name shall be "Redirect to + indirection-id Extended Community" and the Sub-type name shall be + 'Flow-spec Redirect to 32-bit Path-id'. - This document requests a new sub-type from the "Transitive IPv6- - Address-Specific" extended community registry. The sub-type name - shall be 'Flow-spec Redirect to 128-bit Path-id'. + In addition, this document requests IANA to create a new registry for + Redirect to indirection-id Extended Community INDIRECTION-IDs as + follows: + + Under "Transitive Extended Community:" + + Registry: "Redirect Extended Community indirection_id" + + Reference: [RFC-To-Be] + + Registration Procedure(s): First Come, First Served + + Registry: "Redirect Extended Community indirection_id" + + Value Code Reference + + 0 Localised ID [RFC-To-Be] + 1 Node ID [RFC-To-Be] + 2 Agency ID [RFC-To-Be] + 3 AS (Autonomous System) ID [RFC-To-Be] + 4 Anycast ID [RFC-To-Be] + 5 Multicast ID [RFC-To-Be] + 6 Tunnel ID (Tunnel Binding ID ) [RFC-To-Be] + 7 VPN ID [RFC-To-Be] + 8 OAM ID [RFC-To-Be] + 9 ECMP (Equal Cost Multi-Path) ID [RFC-To-Be] + 10 QoS ID [RFC-To-Be] + 11 Bandwidth-Guarantee ID [RFC-To-Be] + 12 Security ID [RFC-To-Be] + 13 Multi-Topology ID [RFC-To-Be] + + Figure 3 10. References 10.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, . [2] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., and D. McPherson, "Dissemination of Flow Specification @@ -406,37 +442,60 @@ "Segment Routing Architecture", December 2015. [7] Sivabalan, S., Medved, M., Filsfils, C., Litkowski, S., Raszuk, R., Bashandy, A., Lopez, V., Tantsura, J., Henderickx, W., Hardwick, J., Milojevic, I., and S. Ytti, "PCEP Extensions for Segment Routing", December 2015. Authors' Addresses Gunter Van de Velde (editor) - Alcatel-Lucent + Nokia Antwerp BE - Email: gunter.van_de_velde@alcatel-lucent.com + Email: gunter.van_de_velde@nokia.com Wim Henderickx - Alcatel-Lucent + Nokia Antwerp BE - Email: wim.henderickx@alcatel-lucent.com + Email: wim.henderickx@nokia.com Keyur Patel Cisco Systems 170 W. Tasman Drive San Jose, CA 95134 USA Email: keyupate@cisco.com Arjun Sreekantiah Cisco Systems 170 W. Tasman Drive San Jose, CA 95134 USA Email: asreekan@cisco.com + + Zhenbin Li + Huawei Technologies + Huawei Bld., No. 156 Beiquing Rd + Beijing 100095 + China + + Email: lizhenbin@huawei.com + + Shunwan Zhuang + Huawei Technologies + Huawei Bld., No. 156 Beiquing Rd + Beijing 100095 + China + + Email: zhuangshunwan@huawei.com + Nan Wu + Huawei Technologies + Huawei Bld., No. 156 Beiquing Rd + Beijing 100095 + China + + Email: eric.wu@huawei.com