Destination-IP-Origin-AS Filter for BGP Flow Specification

Authors:

   Huawei
   156 Beiqing Road
   Beijing 100095
   P.R. China
   Email: rainsword.wang@huawei.com

   China Telecom
   Beiqijia Town, Changping District
   Beijing 102209
   P.R. China
   Email: wangaj3@chinatelecom.cn

   Huawei
   156 Beiqing Road
   Beijing 100095
   P.R. China
   Email: zhuangshunwan@huawei.com

Abstract

The BGP Flowspec mechanism (BGP-FS) propagates both traffic Flow Specifications and Traffic Filtering Actions by making use of the BGP NLRI and the BGP Extended Community encoding formats. This document specifies a new BGP-FS component type to support AS-level filtering. The match field is the origin AS number of the destination IP address that is encoded in the Flowspec NLRI. This function is applied within a single administrative domain.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

Introduction

BGP Flow Specification (BGP-FS) defines a new BGP NLRI to distribute traffic flow specification rules via BGP (). BGP-FS policies have a match condition, which may be an n-tuple match within a policy, and an action that modifies the packet and forwards or drops it. Via BGP, new filter rules can be sent to all BGP peers simultaneously without changing router configuration, and the BGP peers can install these routes in the forwarding table. BGP-FS defines the Network Layer Reachability Information (NLRI) format used to distribute traffic flow specification rules. NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, SAFI=134) is for BGP/MPLS VPN filtering. [I-D.ietf-idr-flowspec-l2vpn] extends the flow-spec rules to layer 2 Ethernet packets.

This document specifies a new BGP-FS component type to support AS-level filtering. The match field is the origin AS number of the destination IP address that is encoded in the Flowspec NLRI. This function is applied within a single administrative domain.

Terminology

FS: Flow Specification

Destination-IP-Origin-AS: The origin AS number of the destination IP address
Destination-IP-Origin-AS Component

This document proposes a new flow specification component type that is encoded in the BGP Flowspec NLRI. The following new component type is defined.

Destination-IP-Origin-AS

Type TBD1 - Destination-IP-Origin-AS

Encoding: <type (1 octet), [op, value]+>

Contains a set of {operator, value} pairs that are used to match the Destination-IP-Origin-AS (i.e. the origin AS number of the destination IP address).

The operator byte is encoded as:

Where:

e - end-of-list bit. Set in the last {op, value} pair in the list.

a - AND bit. If unset, the previous term is logically ORed with the current one. If set, the operation is a logical AND. It MUST be unset in the Destination-IP-Origin-AS filter.

len - The length of the value field for this operator, given as (1 << len) octets. This encodes 1 (len=00), 2 (len=01), 4 (len=10), and 8 (len=11) octets.

lt - less-than comparison between data and value.

gt - greater-than comparison between data and value.

eq - equality between data and value.

The bits lt, gt, and eq can be combined to match a single Destination-IP-Origin-AS or a range of Destination-IP-Origin-AS values (e.g. less than AS1 and greater than AS2).

The value field is encoded as:

Per section 10 of , if a receiving BGP speaker cannot support this new Flow Specification component type, it MUST discard the NLRI value field that contains such unknown components. Since the NLRI field encoding (Section 4 of ) is defined in the form of a 2-tuple <length, NLRI value>, message decoding can skip over the unknown NLRI value and continue with the subsequent remaining NLRI.

Usage Scenario

This section describes how to use this function in a simple scenario.
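Before walking through the topology, an added example, written for this page rather than taken from the draft, shows how the component defined in the previous section is encoded, decoded and evaluated against a destination's origin AS. The operator-byte figure is not reproduced above, so the bit layout is assumed to follow the standard BGP Flowspec numeric operator (MSB first: e, a, len, 0, lt, gt, eq), and the unassigned type TBD1 is represented by a placeholder value.

```python
# Added example (not from the draft). Assumes the standard BGP Flowspec numeric-operator
# bit layout, MSB first: e, a, len (2 bits), 0, lt, gt, eq. TBD1 is unassigned; 0xFF is a
# placeholder type code used only in this example.
TYPE_TBD1 = 0xFF
E_BIT, A_BIT, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01


def _len_code(value):
    """Smallest len code 0..3 such that (1 << len) octets hold value."""
    for code in range(4):
        if value < 1 << (8 * (1 << code)):
            return code
    raise ValueError("AS number does not fit in 8 octets")


def encode_origin_as(pairs):
    """pairs: list of (lt, gt, eq, asn). Returns <type, [op, value]+>; AND bit never set."""
    if not pairs:
        raise ValueError("at least one {op, value} pair is required")
    out = bytearray([TYPE_TBD1])
    for i, (lt, gt, eq, asn) in enumerate(pairs):
        code = _len_code(asn)
        op = (code << 4) | (LT if lt else 0) | (GT if gt else 0) | (EQ if eq else 0)
        if i == len(pairs) - 1:
            op |= E_BIT  # e bit marks the last {op, value} pair
        out.append(op)
        out += asn.to_bytes(1 << code, "big")
    return bytes(out)


def decode_origin_as(data):
    """Parse one component; returns (pairs, octets consumed). Rejects AND bit / truncation."""
    if not data or data[0] != TYPE_TBD1:
        raise ValueError("not a Destination-IP-Origin-AS component")
    pairs, pos = [], 1
    while True:
        if pos >= len(data):
            raise ValueError("truncated: no end-of-list pair")
        op = data[pos]
        if op & A_BIT:
            raise ValueError("AND bit MUST be unset in this component")
        size = 1 << ((op >> 4) & 0x03)  # 1, 2, 4 or 8 octets of value
        if pos + 1 + size > len(data):
            raise ValueError("truncated value field")
        asn = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
        pairs.append((bool(op & LT), bool(op & GT), bool(op & EQ), asn))
        pos += 1 + size
        if op & E_BIT:
            return pairs, pos


def matches(pairs, origin_as):
    """With the AND bit unset, the pairs are ORed; each applies its lt/gt/eq bits."""
    return any((lt and origin_as < v) or (gt and origin_as > v) or (eq and origin_as == v)
               for lt, gt, eq, v in pairs)
```

A decoder error (set AND bit, missing end-of-list pair) is the point at which a receiver would treat the NLRI value as malformed rather than install the rule.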
Consider the topology shown in Figure 1. In AS64597's R1, if the ISP AS64597 wants to "redirect all packets originating from IP Prefix 61 to AS64598, first going to R3 and then forwarding them to AS64598", the ISP AS64597 can use either the traditional method or the method defined in this draft.

Using the traditional method, the ISP AS64597 needs to set up multiple "Destination Prefix + Source Prefix" rules in Router R1 as follows:

Using the method defined in this draft, the ISP AS64597 needs to set up only one "Destination Origin AS + Source Prefix" rule in Router R1 as follows:

Obviously, the new method defined in this draft saves a large number of entries on the control plane and the forwarding plane and greatly simplifies control-plane operation; the more destination prefixes an AS has, the more obvious the benefit.

Security Considerations

No new security issues are introduced to the BGP protocol by this specification.

IANA Considerations

IANA is requested to add a new entry to the "Flow Spec component types" registry with the following values:

TBD

Acknowledgements

The authors would like to acknowledge the review and inputs from Gang Yan, Zhenbin Li, Rainbow Wu, Jie Dong and Ziqing Cao.