Isis Working Group J. You Internet-Draft Q. Liang Intended status: Standards Track Huawei Expires: March 29, 2015 September 25, 2014 IS-IS Extensions for Flow Specification draft-you-isis-flowspec-extensions-00 Abstract This document discusses the use cases why IS-IS distributing flow specification (FlowSpec) routes is necessary. One advantage is to mitigate the impacts of Denial-of-Service (DoS) attacks. This document also defines a new IS-IS FlowSpec reachability TLV encoding format that can be used to distribute the FlowSpec routes. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 29, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of You & Liang Expires March 29, 2015 [Page 1] Internet-Draft ISIS FlowSpec September 2014 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Use Cases for IS-IS based FlowSpec Distribution . . . . . . . 3 3.1. BGP/MPLS VPN . . . . . . . . . . . . . . . . . . . . . . 3 3.1.1. Traffic Analyzer Deployed in Provider Network . . . . 3 3.1.2. Traffic Analyzer Deployed in Customer Network . . . . 4 3.2. IS-IS Campus Network . . . . . . . . . . . . . . . . . . 5 4. IS-IS Extensions for FlowSpec Routes . . . . . . . . . . . . 6 4.1. FlowSpec Filters sub-TLV . . . . . . . . . . . . . . . . 7 4.2. FlowSpec Action sub-TLV . . . . . . . . . . . . . . . . . 7 5. Import-policy Extended Community . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6.1. FlowSpec reachability TLV . . . . . . . . . . . . . . . . 8 6.2. FlowSpec Filters sub-TLV . . . . . . . . . . . . . . . . 8 6.3. FlowSpec Action sub-TLV . . . . . . . . . . . . . . . . . 9 7. Security considerations . . . . . . . . . . . . . . . . . . . 9 8. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction [RFC5575] defines a new Border Gateway Protocol Network Layer Reachability Information (BGP NLRI) encoding format that can be used to distribute traffic flow specifications. One application of that encoding format is to automate inter-domain coordination of traffic filtering, such as what is required in order to mitigate (distributed) DoS attacks. [RFC5575] allows flow specifications received from an external autonomous system to be forwarded to a given BGP peer. However, in order to block the attack traffic more effectively, it is better to distribute the BGP FlowSpec routes to the customer network, which is much closer to the attacker. For the network not deploying BGP or the internal nodes in an AS (Autonomous System), it is expected to extend IGP (Interior Gateway Protocol) to distribute FlowSpec routes. This document discusses the use cases why IS-IS distributing FlowSpec routes is necessary. One You & Liang Expires March 29, 2015 [Page 2] Internet-Draft ISIS FlowSpec September 2014 advantage is to mitigate the impact of Denial-of-Service (DoS) attacks. This document also defines a new IS-IS FlowSpec reachability TLV encoding format that can be used to distribute the FlowSpec routes. 2. Terminology This section contains definitions for terms used frequently throughout this document. However, many additional definitions can be found in [RFC1142] and [RFC5575]. Flow Specification (FlowSpec): A flow specification is an n-tuple consisting of several matching criteria that can be applied to IP traffic, including filters and actions. Each FlowSpec consists of a set of filters and a set of actions. 3. Use Cases for IS-IS based FlowSpec Distribution For the network not deploying BGP or the internal nodes in an AS, it is expected to extend IGP to distribute FlowSpec routes, because when the FlowSpec routes are installed in the customer network, it would be closer to the attacker than when they are installed in the provider network. Consequently, the attack traffic could be blocked or the suspicious traffic could be limited to a low rate as early as possible. The following sub-sections discuss the use cases for IS-IS based FlowSpec routes distribution. 3.1. BGP/MPLS VPN [RFC5575] defines a BGP NLRI encoding format to distribute traffic flow specifications in BGP deployed network. However in the BGP/MPLS VPN scenario, the IGP (e.g. IS-IS, OSPF) is used between PE (Provider Edge) and CE (Customer Edge) for many deployments. In order to distribute the FlowSpec routes to the customer network, the IGP needs to support the FlowSpec route distribution. The FlowSpec routes are usually generated by the traffic policy center or the traffic analyzer in the network. Depending on the location of the traffic analyzer deployment, two different distribution scenarios will be discussed below. 3.1.1. Traffic Analyzer Deployed in Provider Network The traffic analyzer (also acting as the traffic policy center) could be deployed in the provider network as shown in Figure 1. If the traffic analyzer detects attack traffic from the customer network VPN1, it would generate the FlowSpec routes for preventing DoS You & Liang Expires March 29, 2015 [Page 3] Internet-Draft ISIS FlowSpec September 2014 attacks. The FlowSpec routes with a route distinguisher information corresponding to VPN1 are distributed from the traffic analyzer to the PE1 which the traffic analyzer is the attached to. If the traffic analyzer is also a BGP speaker, it can distribute the FlowSpec routes based on the BGP [RFC5575]. Then the PE1 distributes the FlowSpec routes further to the PE2. Finally, the FlowSpec routes need to be distributed from the PE2 to the CE2 based on IS-IS, i.e. to the customer network VPN1. As the attacker is more likely in the customer network, if the FlowSpec routes installed on the CE2, it could mitigate the impacts of DoS attacks better. +--------+ |Traffic | +---+Analyzer| ----------- | +--------+ //- -\\ | /// \\\ |FlowSpec / \ | // \\ | | | +--+--+ +-----+ | +-----+ +--------+ | | PE1 +-------+ PE2 +-------+--+ CE2 +-------+Attacker| | +-----+ +-----+ | +-----+ +--------+ | | | | | | | | | | BGP FlowSpec | ISIS FlowSpec | Attack Traffic| | | | \\ | | // \ / \\\ VPN1 /// \\-- --// --------- Figure 1: Traffic Analyzer deployed in Provider Network 3.1.2. Traffic Analyzer Deployed in Customer Network The traffic analyzer (also acting as the traffic policy center) could be deployed in the customer network as shown in Figure 2. If the traffic analyzer detects attack traffic, it would generate FlowSpec routes for preventing DoS attacks. Then the FlowSpec routes would be distributed from the traffic analyzer to the CE1 based on IS-IS or other policy protocol (e.g. RESTful API over HTTP). Further, the FlowSpec routes need to be distributed through the provider network via the PE1/PE2 to the CE2, i.e. to the remote customer network VPN1 Site1. If the FlowSpec routes installed on the CE2, it could block the attack traffic as close to the source of the attack as possible. You & Liang Expires March 29, 2015 [Page 4] Internet-Draft ISIS FlowSpec September 2014 +--------+ |Traffic | +---+Analyzer| | +--------+ -------- | //-- --\\ |FlowSpec // \\ | / \ | // \\ +--+--+ +-----+ +-----+ | +-----+ +--------+ | | CE1 +--------+ PE1 +-------+ PE2 +--------+-+ CE2 +-------+Attacker| | +-----+ +-----+ +-----+ | +-----+ +--------+ | | | | | | | | | | | ISIS FlowSpec | BGP FlowSpec| ISIS FlowSpec | Attack Traffic | | | | | | | | | | | \\ // \ VPN1 Site1 / \\ // \\-- --// -------- Figure 2: Traffic Analyzer deployed in Customer Network 3.2. IS-IS Campus Network For the network not deploying BGP, for example, the campus network using IS-IS, it is expected to extend IS-IS to distribute FlowSpec routes as shown in Figure 3. In this kind of network, the traffic analyzer could be deploy with a router, then the FlowSpec routes from the traffic analyzer need to be distributed to the other routers in this domain based on IS-IS. You & Liang Expires March 29, 2015 [Page 5] Internet-Draft ISIS FlowSpec September 2014 +--------+ |Traffic | +---+Analyzer| | +--------+ | |FlowSpec | | +--+-------+ +----------+ +--------+ | Router A +-----------+ Router B +--------+Attacker| +----------+ +----------+ +--------+ | | | | ISIS FlowSpec | Attack Traffic | | | | Figure 3: IS-IS Campus Network 4. IS-IS Extensions for FlowSpec Routes This document defines a new IS-IS TLV, i.e. the FlowSpec reachability TLV (TLV type: TBD1), which would be carried in an LSP (Link State Protocol) Data Unit [RFC1142], to describe the FlowSpec routes. The FlowSpec reachability TLV carries one or more FlowSpec entries. Each FlowSpec entry consists of FlowSpec filters (FlowSpec filters sub-TLVs) and corresponding FlowSpec actions (FlowSpec Action sub- TLVs). The FlowSpec reachability TLV is defined below in Figure 4: 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type (TBD1) | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length 1 | FlowSpec | +-+-+-+-+-+-+-+-+ + | Entry 1 (variable) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length 2 | FlowSpec | +-+-+-+-+-+-+-+-+ + | Entry 2 (variable) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Figure 4: FlowSpec Reachability TLV You & Liang Expires March 29, 2015 [Page 6] Internet-Draft ISIS FlowSpec September 2014 Type: 1 octet. Type code is TBD1. Length: 1 octet. The length field defines the length of the value portion in octets (thus a TLV with no value portion would have a length of 0). Value: variable. The value field contains one or more 2-tuples consisting of the Length and the FlowSpec entry. Each 2-tuple starts with 1 octet of Length, and followed by a variable length FlowSpec entry, which consists of FlowSpec filters sub-TLVs and corresponding FlowSpec action sub-TLVs. The length specifies the number of bytes of the FlowSpec entry. 4.1. FlowSpec Filters sub-TLV IS-IS FlowSpec filters sub-TLV is one component of FlowSpec entry, carried in the FlowSpec reachability TLV. It is defined below in Figure 5. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type (TBD2) | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Filters (variable) | + + | ... | Figure 5: IS-IS FlowSpec Filters sub-TLV Type: the TLV type (Type Code: TBD2) Length: the size of the value field (typically in bytes) Filters: the same as "flow-spec NLRI value" defined in [RFC5575]. 4.2. FlowSpec Action sub-TLV IS-IS FlowSpec Action sub-TLV is the other component of FlowSpec entry. There would be one or more FlowSpec Action sub-TLVs associated with a FlowSpec Filters sub-TLV. Meanwhile, different FlowSpec Filters sub-TLV could have the same FlowSpec Action sub-TLV/ s. The following IS-IS FlowSpec action sub-TLVs are the same as defined in [RFC5575]. You & Liang Expires March 29, 2015 [Page 7] Internet-Draft ISIS FlowSpec September 2014 Table 1: Traffic Filtering Actions in [RFC5575] +---------+---------------------+--------------------------+ | type | FlowSpec Action | encoding | +---------+---------------------+--------------------------+ | TBD3 | traffic-rate | 2-byte as#, 4-byte float | | TBD4 | traffic-action | bitmask | | TBD5 | redirect | 6-byte Route Target | | TBD6 | traffic-marking | DSCP value | +---------+---------------------+--------------------------+ 5. Import-policy Extended Community When FlowSpec routes are from the BGP protocol, these FlowSpec routes need to be imported to the IGP protocol. This document defines a new filtering action that it standardizes as a BGP extended community value [RFC4360]. This extended community is used to specify a particular action, i.e. importing the FlowSpec routes to the IGP protocol. This import-policy extended community is the same as defined in [I-D.liang-ospf-flowspec-extensions]. 6. IANA Considerations This document defines the following new IS-IS TLV types, which need to be reflected in the ISIS TLV codepoint registry. 6.1. FlowSpec reachability TLV +------+---------------------------------+-----+-----+-----+ | Type | Description | IIH | LSP | SNP | +------+---------------------------------+-----+-----+-----+ | TBD1 | The FlowSpec reachability TLV | n | y | n | +------+---------------------------------+-----+-----+-----+ 6.2. FlowSpec Filters sub-TLV +--------+-----------------------+--------------------------+ | Type | Description | encoding | +--------+-----------------------+--------------------------+ | TBD2 |The FlowSpec filters | flow-spec NLRI value | | | sub-TLV | [RFC5575] | +--------+-----------------------+--------------------------+ You & Liang Expires March 29, 2015 [Page 8] Internet-Draft ISIS FlowSpec September 2014 6.3. FlowSpec Action sub-TLV +---------+----------------------------+--------------------------+ | Type | Description | encoding | | |----------------------------+ | | |The FlowSpec action sub-TLVs| | +---------+----------------------------+--------------------------+ | TBD3 | traffic-rate | 2-byte as#, 4-byte float | | TBD4 | traffic-action | bitmask | | TBD5 | redirect | 6-byte Route Target | | TBD6 | traffic-marking | DSCP value | +---------+----------------------------+--------------------------+ 7. Security considerations This extension to IS-IS does not change the underlying security issues inherent in the existing IS-IS. 8. Acknowledgement TBD. 9. References 9.1. Normative References [RFC1142] Oran, D., "OSI IS-IS Intra-domain Routing Protocol", RFC 1142, February 1990. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended Communities Attribute", RFC 4360, February 2006. [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., and D. McPherson, "Dissemination of Flow Specification Rules", RFC 5575, August 2009. 9.2. Informative References [I-D.liang-ospf-flowspec-extensions] Liang, Q. and J. You, "OSPF Extensions for Flow Specification", draft-liang-ospf-flowspec-extensions-00 (work in progress), September 2014. You & Liang Expires March 29, 2015 [Page 9] Internet-Draft ISIS FlowSpec September 2014 Authors' Addresses Jianjie You Huawei 101 Software Avenue, Yuhuatai District Nanjing, 210012 China Email: youjianjie@huawei.com Qiandeng Liang Huawei 101 Software Avenue, Yuhuatai District Nanjing, 210012 China Email: liuweihang@huawei.com You & Liang Expires March 29, 2015 [Page 10]