wdiff draft-raza-mpls-ldp-olf-00.txt draft-raza-mpls-ldp-olf-01.txt

Network Working Group Kamran Raza
Internet Draft Sami Boutros
Intended status: Standards Track Pradosh Mohapatra
Expires: December 2, 2011 October 30, 2012
Cisco Systems, Inc.

June 3, 2011

May 1, 2012

LDP Outbound Label Bindings Filtering

draft-raza-mpls-ldp-olf-00.txt

Abstract

The Label Distribution Protocol (LDP) allows one Label Switching
Router (LSR) to advertise to another a set of "bindings" between
MPLS labels and "Forwarding Equivalence Classes" (FECs). Suppose
LSR2 is advertising a set of label bindings to LSR1. Frequently,
LSR1 does not need to know all of LSR2's label bindings, and LSR1
may be configured to disregard bindings in which it has no interest.
This document defines an "Outbound Label Filtering" (OLF) mechanism
that allows LSR1 to inform LSR2 dynamically of the set of FECs for
which it needs to receive label bindings. LSR2 then applies this
filter before sending its label bindings to LSR1. In addition to the
generic aspects of this mechanism, this document also specifies
outbound label filter for the "Address Prefix FEC" type.

draft-raza-mpls-ldp-olf-01.txt

Status of this Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

This Internet-Draft will expire on December 2, 2011. October 30, 2012.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.

Abstract

The Label Distribution Protocol (LDP) allows one Label Switching
Router (LSR) to advertise to another a set of "bindings" between
MPLS labels and "Forwarding Equivalence Classes" (FECs). Suppose
LSR2 is advertising a set of label bindings to LSR1. Frequently,
LSR1 does not need to know all of LSR2's label bindings, and LSR1
may be configured to disregard bindings in which it has no interest.
This document defines an "Outbound Label Bindings Filtering" (OLF)
mechanism that allows LSR1 to inform LSR2 dynamically of the set of
FECs for which it needs to receive label bindings. LSR2 then
applies this filter before sending its label bindings to LSR1. In
addition to the generic aspects of this mechanism, this document
also specifies the format for the outbound label binding filter for
the "Address Prefix FEC" type.

Table of Contents

1. Introduction 3
2. Conventions used in this document 3
3. FEC Label Bindings 3 4
4. Outbound Label Filter 4
4.1. Constructs 4
4.1.1. FEC-Type 4
4.1.2. OLF Policy 5
4.2. OLF Signaling 6
4.2.1. OLF Policy Status TLV 6
4.2.2. OLF Element Format 7
4.2.3. OLF Entry Format 8
Rules for OLF Element and OLF Entry 9
4.2.4. 9
4.3. OLF Capability negotiation 10
4.4. OLF Procedures 12
4.4.1. OLF Capability Negotiation At Session Estab. Time 12 13
4.4.2. OLF Capability Dynamic Changes 13 14
4.4.3. OLF Policy Updates 15
5. Address Prefix FEC OLF Type Specification for "Address Prefix FEC" 16
5.1. Matching Address Prefixes to OLF Entries 17 18
6. Operational Examples 18 19
6.1. Label Filtering at Area Border Router 18 19
6.2. LSR with limited LIB size 19
6.3. Label Filtering an Address Family in an IP Dual-Stack LSR 19
7. Security Considerations 19 20
8. IANA Considerations 19 20
9. References 20
9.1. Normative References 20
9.2. Informative References 20 21
10. Acknowledgments 20 21

1. Introduction

The Label Distribution Protocol (LDP) allows one Label Switching
Router (LSR) to advertise to another a set of "bindings" between MPLS
labels and "Forwarding Equivalence Classes" (FECs). When LDP's
"Downstream Unsolicited" mode [RFC5036] is in use, use for a LDP session,
an LSR may receive unsolicited label bindings for FECs in which it
has no interest. The receiving LSR typically filters out these
unwanted label bindings based on its local policy. Since the
advertisement of label binding updates by the sender, as well as the
processing of these updates by the receiver, consume network
bandwidth and LSR resources, it may be beneficial if the
advertisement of such label bindings can be avoided at the source
itself under the control of the receiver.

This document defines a label filtering mechanism that allows an LDP
speaker to send to its LDP peer a set of FEC-based Outbound Label
Filters (OLFs). The peer would apply these filters, in addition to
any local outbound filtering policy, to constrain/filter its outbound
label binding updates to the speaker.

This document also defines the Outbound Label Filter (OLF) type Bindings Filter, named
"Address Prefix FEC Outbound Label Filter" Filter", for "Address Prefix FEC"
type, which Prefix" FEC
type. This filter, thus, can be used to perform outbound label
filtering for IP Prefix label bindings.

This specification is modeled on [RFC5291] and [RFC5292].

2. Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].

The term "FEC-Type" is used to refer to a tuple consisting of <FEC
Element Type, Address Family>.

3. FEC Label Bindings

MPLS

LDP [RFC5036] associates a FEC with each Label Switched Path (LSP)
it
creates [RFC5036]. creates. This means that a label is assigned for 1 one or more
FEC(s) and label bindings advertised to peers are bound to FEC(s).
To define an LDP OLF, filters need to be defined for label bindings.
These filter definitions need to include both FEC Element type, as
well as address family, Address Family, if/as applicable, for a given FEC type.

Following is a list of most commonly used LDP FEC elements at (at the
time of writing of this document: document):

LDP FEC Element Type Address Family Specification
----------------
-------------------- ------------- -------------
Wildcard N/A [RFC5036]
Address Prefix IPv4, IPv6 [RFC5036]
Typed Wildcard AF of Sub-FEC [RFC5918]
P2MP IPv4, IPv6 [mLDP] [RFC6388]
MP2MP-Upstream IPv4, IPv6 [mLDP] [RFC6388]
MP2MP-Downstream IPv4, IPv6 [mLDP] [RFC6388]
PWid N/A [RFC4447]
Generalized PWid N/A [RFC4447]
P2MP PW Upstream N/A [P2MP-PW]
P2P PW Downstream N/A [P2MP-PW]

Table 1: LDP FEC Types

This document defines a framework for label filtering that applies
to all of the FEC types listed under Table 1, except "Wildcard" and
"Typed Wildcard" FEC types. The framework is also easily extensible
for new FEC types that may get defined in the future.

4. Outbound Label Filter

4.1. Constructs

4.1.1. FEC-Type

In the context of this document, we define "FEC-Type" as a construct
that uniquely identifies (or maps to) a FEC. This is defined as a
tuple of the following form:

As shown in Table 1, not all FEC elements require qualification are qualified with an
Address Family. For those types, the address family is not specified
(set to a reserved value).

Following are some example of FEC-Types:

<PWid,

4.1.2. OLF Policy

We define an Outbound Label Filtering (OLF) OLF Policy as a set of one or more OLF Elements Elements, each
corresponding to a given FEC-Type. Where, an OLF Element itself
comprises one or more OLF Entries.

4.1.2.1. OLF Element

An OLF Element is identified by a FEC-Type and consists of one or
more OLF entries that have a common FEC-Type. The "FEC-Type" FEC-Type component
uniquely identifies a FEC and is used to provide a coarse
granularity control by limiting an OLF to only those FECs that match
the FEC-Type component.

To define an OLF Element for a given FEC-Type, precise conditions and
rules need to be specified under which the given FEC is considered to
match a particular OLF entry.

4.1.2.2. OLF Entry

An OLF entry is a tuple of the form:

<Action, OLF-value>

The "Action" component specifies how the OLF filter is to be handled
by the receiving LSR. The specified values for Action "Action" include
"PERMIT", "DENY", and "PERMIT-ALL". PERMIT action indicates to
receiving LSR to allow advertisement of label bindings for the set
of FECs that match the OLF entry, DENY is opposite of PERMIT and
disallows (i.e. filters) the advertisement of label bindings for the
set of FECs that match the OLF entry. PERMIT-ALL is the wildcard
equivalent of PERMIT, and hence apply to all FECs associated with
the FEC-Type of the OLF Element corresponding to OLF entry.

The "OLF-value" component is FEC-specific and provides the
specification of FEC for matching. This component is not mandatory
and is not present when Action component is PERMIT-ALL. The format
of the OLF-value for a given FEC element type is to be defined by
the designer of the given FEC element. This document defines the format of OLF-
Value
OLF-value for FEC-Types corresponding to "Address Prefix" FEC
Element type [RFC5036].

4.2. OLF Signaling

4.2.1. OLF Policy Status TLV

An OLF is signaled to a peer through an LDP Notification messages. message. A
new status TLV, named "OLF Policy Status", is introduced to carry
the OLF specifications. This TLV is carried in the optional
parameter section of the LDP Notification message. Moreover, a new
LDP Status Code, "OLF Status", is defined for use in LDP Status TLV
to indicate the presence of "OLF Policy Status" TLV in a given
Notification message.

A single OLF Policy Status TLV may contain one or more OLF Element
sub-TLVs. Each
sub-TLVs, where each OLF Element TLV represents a single FEC-Type
and consists of one or more "OLF Entry" sub-TLVs.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|U|F| OLF Policy Status(IANA) | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M| Reserved | |
+-+-+-+-+-+-+-+-+ |
| |
~ OLF Element(s) ~
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-++-+-+-+-+-+-+-+
Figure 1: OLF Policy Status TLV
Where:

U/F bits: U-bit/F-bit MUST be set to 1/0 respectively so that a
receiver MUST silently ignore this TLV if unknown to it, and
continue processing the rest of the message.

Length: Total length (in octets) of "OLF Policy Status TLV" Status" TLV
following the "Length" field. There is no padding requirement at
the end of this TLV in case TLV does not end at Word boundary.

OLF Element(s): One or more OLF Element sub-TLVs. In a given OLF
Policy Status TLV, only one OLF Element for a given FEC-Type is
allowed. If more than one OLF Element is present for a given
FEC-Type, then receiving LSR MUST pick the first occurrence of
such an element and ignore the other occurrences corresponding
to the given FEC-Type.

M-bit: "More" bit specifying if there are more/further OLF Policy
Status to follow for the given update set. The bit is set to 1
if there are further portion of policy that will follow in
subsequent message(s), and set to 0 if the TLV alone constitutes
the policy, or is the last update for the given update set.

Reserved bits: Reserved for future use. MUST be set to zero on
transmit and MUST be ignored on receipt.

An LSR MAY also update its OLF with a peer by sending subsequent
"OLF OLF Policy Status" Status'
TLVs in an LDP Notification messages. message. The receipt of an OLF Policy
update from a peer for a given FEC-Type is meant to replace
(overwrite) the previously installed FEC-Type OLF policy
corresponding to the peer, if any, at the receiving LSR.

A complete OLF policy can be splitted across more than one OLF
policy updates -- e.g. if the given OLF policy is big enough to fit
in a single Notification message (due to LDP PDU size limitation
[RFC5036]). In such cases, the sender LSR sends MAY send more than one LDP
Notification message(s) with "OLF Policy Status" TLV, splitting the
policy on OLF Element boundaries (i.e. an OLF Element MUST NOT span
across more than one message). The Using M-bit, the sender also
indicates if more than single Policy message will be sent for the
given OLF update, as well as indicates the last message in the given
update set. The
receiver LSR, upon Upon receiving OLF updates that span across more than
one message, the receiver LSR stores them the received policy update(s)
in the order of receipt and processes them
only after once complete policy set
has been received. If an LSR receives an incomplete/partial update
set, and does not receive an end of update (i.e. last message in the
given set with M bit be set to 0), it keeps these partial updates in
its temporary buffer until one of the following events occur:

1. End of [policy] update received (OLF Policy Status TLV with M=0)
2. Session terminates
3. OLF capability changes

4.2.2. OLF Element Format

As shown in Figure 2, an OLF Element comprises one or more OLF
entries grouped by FEC-Type <FEC Element Type, Address Family>:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| FEC-Elem-Type | Address-Family | Length ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... | |
+-+-+-+-+-+-+-+-+ |
| |
~ OLF Entries ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-++-+-+-+-+-+-+-+
Figure 2: OLF Element format

Where:

FEC-Elem-Type/Address-Family: These fields jointly represent a
FEC-Type. For the FEC element types listed in Table 1 which do are
not require qualified with an Address Family qualification, Family, Address-Family field MUST
be set to zero on transmit and MUST be ignored on receipt.

Length: Length (in octets) of the OLF Element sub-TLV following
the "Length" field; i.e. total length of OLF entries that follow
in the given OLF Element sub-TLV. There is no padding
requirement at the end of this TLV in case TLV does not end at
Word boundary.

4.2.3. OLF Entry Format

Each OLF Entry is encoded as follows:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Common part | |
+-+-+-+-+-+-+-+-+ |
~ Type-specific part ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-++-+-+-+-+-+-+-+
Figure 3: OLF Entry format

Where:

Common part: Common definition that is applicable to all types of
OLF entries.
Type-specific part: Type FEC-Type specific (variable) definition
corresponding definition; This
field corresponds to FEC-Type; also called the "OLF-value" under section 4.1.2.2.

The "Common part" is one-octet field defined as following:

0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+
|Action | Rsvd |
+-+-+-+-+-+-+-+-+

Where:

Action: Indicates the desired action (operation) to be performed
by receiving LSR on received OLF entry, if FEC enclosed value (i.e.
FEC) matches. The possible values for Action are

0: PERMIT
1: DENY
2: PERMIT-ALL
4-15: Reserved (for future use).

Rsvd: Reserved for future use. MUST be set to 0 on transmit and
MUST be ignored on the receipt.

4.2.4. Rules for OLF Element Elements and OLF Entry Entries

Following rules apply to an OLF Element and Entries: OLF Entry:

o When the Action component of an OLF entry specifies a wildcard
operation (PERMIT-ALL), then the OLF entry MUST consist of only
the Common part.

o When an OLF Element contains more than one OLF entry, then
receiving LSR MUST process the OLF entries in the same order as
they are specified inside the OLF element.

o When processing a received OLF Element, an policy for a given FEC-Type, the
receiving LSR MUST assume an implicit "DENY-ALL" "DENY" as the last
rule/entry. This assumption means that LSR denies all those FECs
[of given FEC-Type] that have not already been matched in any of
the specified OLF entries. This also means that the sender LSR
needs to construct an OLF Element while keeping in mind an
implicit DENY-ALL as the last rule.

4.3. OLF Capability negotiation

When a session has been negotiated to operate in Downstream
Unsolicited mode, LDP speakers exchange all of their label bindings.
If it is desired/required to exchange only selected label bindings
between peers, the "Outbound Label Filtering Capability" (OLF) is
negotiated at session establishment time or at a later time.

An LDP speaker advertises the OLF Capability to announce to its peer
its capability [and desire] to either send send, or receive receive, or both
send/receive send
and receive the OLF filters. The OLF feature will, however, work
only when at least one LSR is able to compute and send the policy,
and other is able to receive and process the OLF filters. The OLF
Capability can be sent either in an Initialization message
(Capability TLV's S-bit MUST be set to 1) or in a Capability message
(Capability TLV's S-bit set to 1 or 0 to advertise or withdraw this
capability respectively).

"Outbound Label Filtering" (OLF) capability Filtering Capability" TLV is a new LDP capability,
defined in accordance with LDP Capability definition guidelines
[RFC5561]. An LDP speaker that advertises OLF capability MUST
support "OLF Policy Status" TLV and "OLF Status" Status Code.

The format of "Outbound Label Filtering" capability Filtering Capability" TLV is as
follows:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|U|F| OLF Capability(IANA) | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|S| Reserved | |
+-+-+-+-+-+-+-+-+ |
| |
~ OLF Capability Element(s) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-++-+-+-+-+-+-+-+

Figure 5: OLF Capability TLV

Where:

U/F-bits: The U-bit/F-bit for the TLV MUST be set to 1/0
respectively so that a receiver MUST silently ignore this TLV if
unknown to it, and continue processing the rest of the message.

Length: The length (in octets) of TLV following the "Length"
field. The value of this field is variable because it depends on
Capability-specific data [RFC5561] that follows in the TLV.
There is no padding requirement at the end of this TLV in case
TLV does not end at Word boundary.

S-bit: The value of S-bit [RFC5561] is set to 1 or 0 to advertise or
withdraw the capability respectively. respectively as specified in [RFC5561].

OLF Capability Element(s): This is the Capability-specific data
[RFC5561] that is defined for OLF Capability, and consists of
one or more "OLF Capability Element" types (defined below).

An LDP speaker that advertises OLF capability MUST support "OLF
Policy Status" and "OLF Status" Status Code.

The format of an "OLF Capability Element" sub-TLV is specified as
follows:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| FEC Elem Type | Address Family |T|R| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 6: OLF Capability Element

Where:

FEC Elem Type / Address Family: These fields jointly represent a
FEC-Type. For the FEC element types listed in Table 1 which do are
not require qualified with an Address Family qualification, Family, Address-Family field MUST
be set to zero on transmit and MUST be ignored on receipt.

T-bit: Transmit/Send capability; set to 1 when the by an LDP speaker that is
able/willing to send push/send its OLF filters policy/filters to its peer, peer;
set to zero otherwise.

R-bit: Receive capability; set to 1 when the by an LDP speaker that is
able/willing to receive OLF filters policy/filters from its peer, peer; set to
zero otherwise.

Reserved: 6-bits reserved Reserved for future use. MUST be set to zero on transmit
and MUST be ignored on receipt.

An LDP speaker SHOULD NOT send an "OLF Capability Element" with both
T/R bits set to zero. zero when advertising the capability. If an LSR
receives an OLF Capability Element with both T/R bits set to zero, zero in
an Initialization message or in a Capability message (with S-bit set
to 1), then the receiving LSR SHOULD ignore the corresponding OLF
Capability Element and continue processing the rest of the TLV. The
semantics and usage of T/R-bits is elaborated more in the following
sections.

There MUST be one and only one OLF Capability Element specified for a
given FEC-Type in an OLF Capability TLV. Upon receiving more than one
OLF Capability Element for a given FEC-Type in the same "OLF
Capability TLV", the receiving LSR MUST send an LDP Notification
message towards the sender with "Malformed TLV" status code, and
abort the processing of entire message.

An LSR MAY update/withdraw its OLF capability for a given FEC-Type
towards a peer by sending an OLF Capability TLV in a LDP Capability
message if both the LSR and peer support "Dynamic Capability
Announcement" capability. To update its OLF capability, the S-bit of
OLF Capability is set to 1 and OLF Capability Element is encoded
accordingly and sent to the peer. The receipt of a new OLF Capability
Element corresponding to a FEC-Type MUST be treated as overwrite of
any previously advertised capability. To withdraw its OLF capability,
the S-bit of OLF Capability is set to 0 and OLF Capability Element is
encoded with both T/R bits set to 0. The receipt of a withdrawal of a
OLF Capability Element corresponding to a FEC-Type removes any filter
installed by the sender on the receiver LSR.

4.4. OLF Procedures

To describe the OLF procedures in the following subsections, let us
consider LDP speaker LSR1 that is capable of sending OLF policy
filters (for one or more FEC types), and LSR2 that is capable of
receiving (and processing) them. Let us assume that the supported
FEC-Types for OLF are IPv4/IPv6 "Address Prefix FEC" Prefix" OLF types.
Henceforth, both LSRs are configured respectively to send/receive
OLF filters for "IPv4/IPv6 Address Prefix" OLF types to/from its
peer. Let us also assume that the LSR1 is configured with an OLF
filtering policy for "IPv4/IPv6 Address Prefix" FEC-Types that needs
to be pushed to LSR2.

Moreover, assume that both LSR1 and LSR2 support "Dynamic Capability
Announcement" capability TLV [RFC5561] and hence are capable of
handling dynamic capability changes.

4.4.1. OLF Capability Negotiation At Session Establishment Time

At the session initialization time, LSR1 constructs an "OLF
Capability TLV" with S-bit set to 1. The TLV also contains two OLF
Capability Elements corresponding to FEC-Types "IPv4 Address Prefix"
(FEC Elem Type=0x2, Type=2, Address Family=0x1) Family=1) and "IPv6 Address Prefix" (FEC
Elem Type=0x2, Type=2, Address Family=0x2). Family=2). The LSR also sets T-bit/R-
bit T-bit/R-bit of
these OLF Capability Elements to 1/0 respectively.

LSR1 then includes this "OLF Capability TLV" Capability" TLV in the LDP
Initialization message to towards LSR2.

LSR2, on the other hand, constructs/sends the "OLF Capability TLV" Capability" TLV
in the same manner as done by LSR1; the only difference being that
LSR2 sets T-bit/R-bit of its OLF Capability Elements to 0/1
respectively.

Having exchanged/negotiated the "OLF Capability TLVs" successfully, Capability" TLVs successfully
at session establishment time, LSR2 treats this as an implicit DENY
for all label bindings for given FEC-Types (IPv4/IPv6 Prefix) and
blocks any label binding advertisements towards LSR1 corresponding
to these FEC-Types. LSR2 now waits for subsequent OLF filters/policy
(via LDP Notification messages) from LSR1. LSR1 also understands
that LSR2 is capable of receiving the OLF filters and hence it
constructs OLF filters using its configured OLF policy for LSR2, and
sends these filters to LSR2 via "OLF Policy Status TLV" Status" TLV in an LDP
Notification message (Status code set to OLF Status). "OLF Status"). Upon the
receipt of such an OLF policy, LSR2 reacts and applies the received
outbound policy in addition to any locally configured outbound
policy, and advertises towards LSR1
the only those label bindings corresponding to the matching that
are "permitted"
prefixes. by the installed OLF policy.

Since LSR2 is operating only in Receive "R" (Receive) mode for given OLF
with LSR1, LSR1 does not block the advertisements and advertises all
its label bindings for given IP Prefix FECs (in accordance with its
locally configured outbound policy) towards LSR2.

4.4.1.1. Peer Incapable of "Receive" OLF

Consider a case where LSR2 is not OLF "Receive" capable as OLF receiver for given
FEC-Types. This means that LSR2 either does not send any "OLF
Capability" TLV corresponding to given FEC-Type, or "OLF Capability"
TLV for given FEC-Type does not have R-bit set. Having negotiated
the "OLF Capability" for given FEC-Types, LSR1 realizes that LSR2 is
not capable of receiving OLF filters for given FEC-Type(s), and
hence LSR1 does not send any OLF filters (via LDP Notification
message). In this case, LSR2 sends label bindings corresponding to
given FEC-
Type(s) FEC-Type(s) towards LSR1 in unsolicited manner after session
establishment, at which point, LSR1 may chose to discard them by
applying the filtering policy in inbound direction.

4.4.2. OLF Capability Dynamic Changes

It is possible that OLF capability is enabled on an LSR after
session has already been established with the peer. To signal and
negotiate OLF Capability dynamically, both peers MUST support
"Dynamic Capability Announcement" TLV [RFC5561].

4.4.2.1. "Send" OLF capability changes

Let's

Let us consider a case when LSR2 is initially configured to be able
to receive the OLF filters for IPv4/IPv6 Prefix FEC-Types, but LSR1
is not configured to be able to "send" the same. Now, a user enables
and configures LSR1 to send OLF filters for given FECs towards LSR2.
This triggers LSR1 to construct an "OLF Capability" TLV in the same
manner as described in section 4.4.1. The constructed "OLF
Capability" is sent in a Capability message (with S-bit set to 1)
towards LSR2. Upon receipt of this Capability message, LSR2
withdraws all label bindings from LSR1 corresponding to given FEC-
Type(s). Later on, LSR1 sends its OLF filters via "OLF Policy
Status" and duly applied by LSR2.

Assuming both LSR1 and LSR2 are already engaged in OLF filtering in
sender and receiver roles respectively for given FEC-Types. Now
consider that LSR1 configuration is changed to remove "send"
capability for one FEC type (say IPv4 Prefix) towards LSR2. This
triggers LSR1 to construct an "OLF Capability" TLV that includes
only one OLF Capability Element corresponding to "IPv4 Prefix" FEC
type. The constructed "OLF Capability" is sent in a Capability
message (with S-bit set to 0) towards LSR2. Upon receipt of this
Capability [withdrawal] message, LSR2 removes any existing OLF
filter
filters towards LSR1 corresponding to given FEC-Type "IPv4 Prefix",
and re-advertises to LSR1 its entire label bindings database for
given FEC-Type.

4.4.2.2. "Receive" OLF capability changes

Let's

Let us consider a case when LSR1 is initially configured to be able
to send OLF filters for IPv4/IPv6 Prefix FEC-Types, but LSR2 is not
configured to be able to "receive" the same. Now, a user enables and
configures LSR2 to be able to receive OLF filters for IPv4/IPv6
Prefix FECs from LSR1. This triggers LSR2 to construct an "OLF
Capability" TLV in the same manner as described in section 4.4.1.
The constructed "OLF Capability" is sent in a Capability message
(with S-bit set to 1) towards LSR1. Upon receipt of this Capability
message, LSR1 realizes that LSR2 is now capable to receive OLF
filters for IPv4/IPv6 Prefix FEC types. As described in earlier
section, LSR1 now proceeds by constructing "OLF Policy Status" using
its configured filters for LSR2, and sends them in an LDP
Notification message towards LSR2. Upon receipt of this message,
LSR2 applies the received OLF policy and withdraws any label
bindings corresponding to matching FEC (prefixes) that are no more
permitted for advertisement. Later on, LSR1 can also update its OLF
filters by pushing updates to LSR2 as/when any change in LSR1's OLF
policy occurs.

Assuming both LSR1 and LSR2 are already engaged in OLF filtering in
sender and receiver roles respectively for given FEC-Types. Now
consider that LSR2 configuration is changed to remove the "receive"
capability for one FEC-Type (say IPv4 Prefix) from LSR1. This
triggers LSR2 to construct an "OLF Capability" TLV that includes
only one OLF Capability Element corresponding to "IPv4 Prefix" FEC
type. The constructed "OLF Capability" is sent in a Capability
message (with S-bit set to 0) towards LSR1. Upon receipt of this
Capability [withdrawal] message, LSR1 marks LSR2 as IPv4 Prefix FEC
OLF "receive" incapable peer, peer and makes sure that no more OLF filter
updates (via LDP Notification messages) are sent to LSR2. LSR2,
after sending the Capability [withdrawal] message, now deletes any
installed OLF filter corresponding to LSR1 for "IPv4 Prefix" FEC,
and re advertises its entire label bindings database for "IPv4
Prefix" FEC to LSR1. Upon receipt of unwanted label bindings, LSR1
may chose to discard them by applying the filtering policy in
inbound direction.

4.4.3. OLF Policy Updates

After successful negotiation of "OLF Capability" for a FEC-Type with
the peer as the receiver and self as the sender, an LSR SHOULD now
send its OLF policy to its peer via "OLF Policy Status" TLV in an
LDP Notification message. The LSR MAY also update its OLF policy
towards its peer by sending further updates, if/when its locally
configuration/policy changes.

Consider LSR1 as sender and LSR2 as receiver of OLF filters for
IPv4/IPv6 Prefix FEC types. After successful negotiation of OLF
capabilities, LSR1 proceeds by sending its OLF filters towards LSR2
via LDP Notification message. LSR1 first constructs Status TLV and
sets its status code to "OLF Status", and adds the "OLF Policy
Status" TLV in the optional parameter section of the Notification
message. The contents of "OLF Policy Status" TLV are constructed as
set of OLF filters as defined by local configuration and policy for
one or more OLF types. The sender MUST only include those OLF types
in this TLV for which it has successfully negotiated the OLF
capability with the peer. In our example, LSR1 constructs two OLF
Elements for IPv4 and IPv6 Prefix FEC types. Each OLF Element is
constructed with one ore more OLF Entries, as defined by or mapped
to locally configured OLF policy corresponding to LSR2. LSR1 then
sends the constructed "OLF Policy Status" TLV, alongwith Status TLV
(with status set to "OLF Status") in a LDP Notification message to
LSR2.

The receiver LDP speaker LSR2 MUST honor the receipt of this TLV in
a Notification message because it had successfully negotiated the
capability as the receiver for one or more OLF types. If an LDP
speaker receives a "OLF Policy Status" TLV in a Notification message
without prior OLF Capability(ies) exchange and negotiation, or if
negotiated OLF Capability as sender-only role, it MUST ignore the
received "OLF Policy Status" TLV, send a "Unknown TLV" Notification
back to the peer, and continue processing rest of the message.
Similarly, LSR2 behaves the same way on receipt of this TLV in a
Notification message with status code other than "OLF Status", and
respond back with "Malformed TLV" Notification.

If the receiver LSR2 does not understand or does not support the
FEC-Type (FEC Element type and/or Address Family) specified in an
"OLF Element", it MUST respond with a LDP Notification with status
code set to "Unknown FEC" or "Unsupported Address Family" as
applicable, and abort processing of the entire message.

If LSR1's configured OLF policy changes, LSR1 sends further updates
using "OLF Policy Status" in a LDP Notification message. Upon
receipt of such an update for given FEC-Type, LSR2 treats this as an
overwrite of the previously installed OLF filters corresponding to
LSR1, and re-applies the policy. As the result of policy re-
application, LSR2 advertises any new [matching] prefix being
permitted now, and withdraws any previously advertised prefixes
which are no longer permitted as per matching rules.

5. Address Prefix FEC OLF Type Specification for "Address Prefix FEC"

Using the earlier OLF framework defined in this document, this
section defines the OLF type for the "Address Prefix" FEC Element
type. The OLF types for other FEC Element types are beyond the scope
of this document.

The "Address Prefix FEC" OLF type allows one a user to express OLFs in
terms of address prefixes. That is, it provides filtering based on
address prefixes, including prefix length or range based matching.

To define an OLF for "Address Prefix FEC" type of given address
family, the FEC-Elem-Type and Address-Family fields of an OLF
Element are defined as follows:

FEC-Elem-Type: 0x2 2 ("Address Prefix")
Address-Family: 1 (IPv4) or 2 (IPv6)

Conceptually, an "Address Prefix FEC" OLF entry for a given Address
Family consists of the fields <Action, Prefix Length, Prefix,
Minlen, Maxlen>, and hence the "Address Prefix FEC" OLF entry within
an "Address Prefix FEC" OLF element is encoded as follows:

Figure 7: Format of OLF Entry for Address Prefix FEC OLF Entry

With reference to Fig 3, the first octet of the above OLF Entry
belongs to the "Common part" and the rest of the fields belong to
the "Type-specific part" (as defined for Address Prefix FEC Element
type).

As per OLF Entry rules defined earlier, if the Action component of
the entry specifies wildcard operation ("PERMIT-ALL"), then Address
Prefix FEC OLF Entry does not specify any type-specific data (i.e.
OLF entry size is 1 octet only).

The "Minlen" and "Maxlen" fields indicate respectively the minimum
and the maximum prefix length in bits that is used for "matching".
Either the Minlen or Maxlen field or both may have the value 0; this
means 0 to
indicate that the value of the field is "unspecified". The Maxlen "Maxlen"
value must not be more than the maximum length (in bits) of a host
address for the given address family.

The "Prefix Len" field indicates the length in bits of the address
prefix. This field MUST NOT be specified as zero.

The "Prefix" field contains an address prefix encoded according to
the given address family.

This document imposes that values of these fields MUST satisfy the
following rule, assuming Minlen and Maxlen are specified:

0 < Prefix Len <= Minlen <= Maxlen

5.1. Matching Address Prefixes to OLF Entries

Consider an Address Prefix FEC OLF entry, and an IP route maintained
by an LDP speaker in the form of <Prefix, Prefix Length>. Following
are the matching rules defined for Address Prefix OLF specific
matching.

o The IP route is considered as "no match" to the OLF entry if the
route prefix is neither more specific than, nor equal to, the
<Prefix, Prefix Len> fields of the OLF entry.

o When the IP route is either more specific than, or equal to, the
<Prefix, Prefix Len> fields of the OLF entry, the route is
considered as a match to the OLF entry only if the match conditions
as listed in Table 2 are satisfied (where un-spec refers to a value
of zero).

OLF Entry Route Prefix
Minlen Maxlen Match Condition
+------------------------------------------------------------------+
+-----------+------------+------------------------------------+
| un-spec. | un-spec. | Route.Prefix Len == OLF.Prefix Len |
| specified | un-spec. | Route.Prefix Len >= OLF.Minlen |
| un-spec. | specified | Route.Prefix Len <= OLF.Maxlen |
| specified | specified | Route.Prefix Len >= OLF.Minlen AND |
| | | AND Route.Prefix Len <= OLF.Maxlen |
+------------------------------------------------------------------+
+-----------+------------+------------------------------------+
Table 2: Matching Rules for an Address Prefix OLF Entry Matching Rules

o When more than one Address Prefix OLF entry matches the route, the
"first-match" rule applies. That is, the OLF entry that is specified
(and processed) first in a given OLF update (among all the matching
OLF entries) is considered as the sole match, and it would determine
whether the route should be permitted or denied.

6. Operational Examples

6.1. Label Filtering at Area Border Router

A typical service provider core network is designed with two or more
levels of IGP hierarchy. In OSPF parlance, a backbone area is
connected to multiple islands of non-zero areas. Similarly, in an
IS-IS network, core L2 areas are connected to L1 areas. When LDP is
enabled in such a network, an ABR (or a L2 router) that connects
multiple non-zero areas to the backbone will advertise LDP label
bindings for all prefixes (non-zero area as well as backbone area).
However, depending on the MPLS hierarchy, each ABR may want label
bindings for only the backbone area prefixes. The OLF scheme
specified in this document provides a mechanism to do so
efficiently.

6.2. LSR with limited LIB size

Assume an LSR (LSR1) is not capable of storing all IPv4 label
bindings from its peer (LSR2) in its IPv4 Label Information Base
(LIB), and it is desirable to receive and store only handful of
remote label bindings from its peer. One approach of solving this
issue is to use Downstream on Demand mode of label distribution so
that LSR2 does not send its entire label database unsolicitedly
towards LSR1. Instead, LSR1 uses Label Request mechanics to request
labels for [handful of] interested FECs from its peer LSR2. This
approach has few drawbacks:

a. This forces Downstream On Demand label distribution mode on both
LSRs (LSR1 and LSR2) engaged in the session, although this mode is
really required by LSR1 due to its limitation.

b. The control plane signaling convergence for Downstream On Demand
label distribution mode is slower than Downstream Unsolicited.

An alternate approach to meet LSR1 requirement is to use OLF
mechanics while using Downstream Unsolicited distribution mode. In
this approach, LSR1 and LSR2 will negotiate OLF Capability as
sender/receiver respectively, and LSR1 will install OLF filters to
limit the IPv4 label bindings sent by LSR2 to the only IPv4 prefixes
in which LSR1 is interested in.

6.3. Label Filtering an Address Family in an IP Dual-Stack LSR

The OLF mechanism specified in this document can be useful in cases
when an operator wants to filter entire address family to/from peer
in (IP) dual-stack environment. Consider that LSR2 is locally
enabled for label switching for both IPv4 and IPv6 address families,
whereas LSR1 is enabled for label switching for IPv4 address family
only. Without any filtering mechanics, LSR2 may advertise all its
label bindings for both IPv4 and IPv6 address families towards LSR1
although LSR1 is an IPv4-only LDP peer with whom hello adjacencies
and transport connection is formed using IPv4 only. In this case,
the advertisement of IPv6 addresses and labels to the peer is
unnecessary, as well as wasteful from LSR memory/CPU and network
resource consumption point of view.

To avoid this unnecessary label advertisement (for IPv6 address
family, in this example), OLF mechanics could be useful -- i.e. If
LSR1 and LSR2 supported "send" and receive OLF capability for ("IP
Prefix" FEC, IPv6 Address Family), the OLF capability could be
exchanged at the session establishment time, blocking any IPv6 label
bindings to be advertised to LSR1 until any further OLF policy
changes/updates are received and installed at LSR2. In this case,
LSR1 will not send any OLF Policy to LSR2 for IPv6 Prefix FEC type,
leaving the IPv6 label advertisement blocked/filtered (due to
implicit DENY ALL) for entire IPV6 LIB on LSR2 side.

7. Security Considerations

The proposal introduced in this document does not introduce any new
security considerations beyond that already apply to the base LDP
specification [RFC5036] and [RFC5920].

8. IANA Considerations

The document introduces following new protocol elements that require
code point assignment by IANA:

o "Outbound Label Filter "OLF Capability" TLV (requested code point: 0x50E)

o "Outbound Label Filter "OLF Policy Status" TLV (requested code point: 0x50F)

o "Outbound Label Filter "OLF Status" status code (requested code point: 0x00000050)

9. References

9.1. Normative References

[RFC5036] L. Andersson, L., Menei, I., I. Mine, and B. Thomas, B., Editors, "LDP Specification",
RFC 5036, September 2007.

[RFC5561] B. Thomas, B., K. Raza, K., S. Aggarwal, S., R. Aggarwal, R., and JL. Le
Roux, JL., "LDP Capabilities", RFC 5561, July 2009.

[RFC2119] S. Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC2119, March 1997.

9.2. Informative References

[RFC5920] Fang, L. Fang, et al., "Security Framework for MPLS and GMPLS
Networks", RFC 5920, July 2010.

[RFC5291] E. Chen, E., Y. Rekhter, Y., "Outbound Route Filtering Capability
for BGP-4", RFC 5291, August 2008.

[RFC5292] E. Chen, E., S. Sangli, S., "Address-Prefix-Based Outbound Route
Filter for BGP-4", RFC 5292, August 2008.

[RFC5918] R. Asati, R., I. Minei, I., and Thomas, B. Thomas, "Label Distribution
Protocol Typed Wildcard FEC", RFC 5918, August 2010.

[RFC4447] L. Martini, Editor, E. Rosen, El-Aawar, T. Smith, and G. Heron,
"Pseudowire Setup and Maintenance using the Label
Distribution Protocol", RFC 4447, April 2006.

[mLDP]

[RFC6388] I. Minei, I., I. Wijnand, K. Kompella, K., Wijnands, I., and B. Thomas, B., "LDP
Extensions for Point-to-Multipoint P2MP and Multipoint-to-
Multipoint Label Switched Paths", draft-ietf-mpls-ldp-p2mp
-10.txt, Work in Progress, July 2010. MP2MP LSPs", RFC 6388, November
2011.

[P2MP-PW] L. Martini, L., Boutros, S., Sivabalan, S., Konstantynowicz,
M., Del Vecchio, G., Nadeau, T., Jounay, F., Niger, P.,
Kamite, Y., Jin, L., Vigoureux, M., Ciavaglia, L., and
Delord, S., et. al, "Signaling Root-Initiated Point-to-Multipoint Point-to-
Multipoint Pseudowires using LDP", draft-ietf-pwe3-p2mp-pw-02.txt, draft-ietf-pwe3-p2mp-
pw-04.txt, Work in Progress, March 2011. 2012.

10. Acknowledgments

The authors would like to thank Eric Rosen for his valuable input
and comments.

This document was prepared using 2-Word-v2.0.template.dot.

Authors' Addresses

Kamran Raza
Cisco Systems, Inc.,
2000 Innovation Drive,
Kanata,
Ottawa, ON K2K-3E8, Canada.
E-mail: skraza@cisco.com
Sami Boutros
Cisco Systems, Inc.
3750 Cisco Way,
San Jose, CA 95134, USA.
E-mail: sboutros@cisco.com

Pradosh Mohapatra
Cisco Systems, Inc.
3750 Cisco Way,
San Jose, CA 95134, USA.
E-mail: pmohapat@cisco.com