BESS Workgroup                                                  Yuan Gao
Internet-Draft                                                Haibo Wang
Intended status: Standards Track                     Huawei Technologies
Expires: July 20, 2019                                  January 16, 2019


             EVPN blackhole community extension for Blackholing
                     draft-gao-bess-evpn-blackhole-01

Abstract

   Ethernet Virtual Private Networks (EVPN) is becoming the de-facto
   standard-based control plane solution for Data Center and layer-2
   Service Provider applications.  The risk of hacking and DDoS attacks
   within the EVPN network is a general common concern.  Blackhole MAC
   is a method used to block hacking or DDoS attacks: the network device
   discards the packets whose destination matches the blackhole MAC.
   Normally a blackhole MAC is manually configured on the network
   device; configuring blackhole MACs is a complex and error-prone task
   for network operators.  This document introduces a blackhole
   community extension for the EVPN MAC route to distribute blackhole
   MACs in EVPN networks.  An EVPN MAC route carrying the blackhole
   community allows the BGP speaker to notify the recipients that the
   specific MAC is a blackhole MAC.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in .

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   This Internet-Draft will expire on July 20, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Blackhole Extended Community Attribute
   3.  Control Plane Processing
   4.  Data Packets Processing
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
   Authors' Addresses

1.  Introduction

   Hacking attacks are a serious threat to the network infrastructure.
   In order to prevent a hacker from using a MAC address to attack a
   user device or network, the MAC address of an untrusted user is
   configured as a blackhole MAC on the network device.
   DDoS attacks targeting a certain MAC may cause congestion of links.
   In order to block DDoS attacks, the MAC being attacked can be
   configured as a blackhole MAC on the network device; the network
   device directly discards received packets whose destination MAC
   address is the blackhole MAC address.

   Normally blackhole MAC address entries are manually configured on the
   device.  After blackhole MAC entries are configured, the device
   discards packets destined for the blackhole MAC address.  Configuring
   blackhole MACs is a complex and error-prone task for network
   operators.  Therefore a well-known BGP community for blackholing
   based on the EVPN route is defined for operational ease.

   This document introduces a blackhole community extension for the
   EVPN MAC route.  A BGP speaker advertising an EVPN MAC route with
   this community indicates that the specific MAC is a blackhole MAC;
   the recipients install the MAC address as a blackhole MAC address
   entry and discard the packets corresponding to the blackhole MAC
   address.

2.  Blackhole Extended Community Attribute

   The MAC Mobility Extended Community can be used to carry the
   blackhole MAC attribute.  The MAC Mobility Extended Community may be
   advertised along with MAC/IP Advertisement routes.  The third octet
   of the first word is the Flags octet.  Flag bit 7 (B bit) of the
   Flags octet is defined as the "blackhole" bit.  A value of 1 means
   that the MAC address is a blackhole MAC.  The semantics of this
   attribute is to allow a network to interpret the presence of this
   community as an advisory qualification to drop any traffic being
   sent towards or from this MAC.

   When the MAC Mobility Extended Community's B bit is set to 1, the
   sequence number is meaningless and should be set to zero.
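   As an added example that is not code from this draft or from any
   vendor implementation, the Python below encodes and parses the MAC
   Mobility Extended Community with the B bit, then shows a receiver
   installing the blackhole entry (Section 3) and dropping frames whose
   destination MAC matches it (Section 4).  It assumes the B bit sits
   where the encoding diagram of this section draws it (the bit left of
   S, mask 0x02); the trusted-peer gate, the peer addresses and the
   victim MAC are assumptions constructed here, since Section 6 leaves
   the authorization mechanism out of scope.

```python
# Added example: MAC Mobility Extended Community with B bit, plus receiver handling.
import struct

TYPE_EVPN, SUBTYPE_MAC_MOBILITY = 0x06, 0x00
FLAG_S = 0x01  # sticky/static bit of RFC 7432, rightmost in the diagram
FLAG_B = 0x02  # ASSUMPTION: B at the position drawn in the diagram, left of S

def encode_mac_mobility(seq, blackhole=False, sticky=False):
    """Build the 8-octet community: type, sub-type, flags, reserved, sequence."""
    flags = (FLAG_B if blackhole else 0) | (FLAG_S if sticky else 0)
    if blackhole:
        seq = 0  # Section 2: the sequence number is meaningless when B is set
    return struct.pack("!BBBBI", TYPE_EVPN, SUBTYPE_MAC_MOBILITY, flags, 0, seq)

def decode_mac_mobility(community):
    """Parse strictly so a malformed community is rejected, not silently honoured."""
    if len(community) != 8:
        raise ValueError("extended community must be 8 octets")
    typ, sub, flags, reserved, seq = struct.unpack("!BBBBI", community)
    if (typ, sub) != (TYPE_EVPN, SUBTYPE_MAC_MOBILITY):
        raise ValueError("not a MAC Mobility extended community")
    return {"blackhole": bool(flags & FLAG_B), "sticky": bool(flags & FLAG_S),
            "seq": seq, "reserved_zero": reserved == 0}

class EvpnMacTable:
    """Receiver: install blackhole MACs (Section 3), drop by destination (Section 4)."""
    def __init__(self, trusted_peers):
        # ASSUMPTION: a local trust gate; Section 6 leaves the mechanism open.
        self.trusted_peers = set(trusted_peers)
        self.blackhole = set()
        self.warnings = []

    def process_mac_route(self, peer, mac, community):
        info = decode_mac_mobility(community)
        if not info["blackhole"]:
            return "forward"  # ordinary MAC/IP Advertisement route
        if peer not in self.trusted_peers:
            self.warnings.append("B bit from untrusted peer %s ignored" % peer)
            return "ignored"  # an unauthorised B bit would cause unexpected discards
        if info["seq"] != 0:
            self.warnings.append("B bit set with non-zero sequence %d" % info["seq"])
        self.blackhole.add(bytes(mac))
        return "blackhole"

    def forward(self, frame):
        """Data plane: the destination MAC is the first six octets of the frame."""
        return "drop" if bytes(frame[:6]) in self.blackhole else "forward"

# Constructed sample input: a victim MAC and a minimal Ethernet frame sent to it.
VICTIM_MAC = bytes.fromhex("0a0000000001")
SAMPLE_FRAME = VICTIM_MAC + bytes.fromhex("0a0000000002") + b"\x08\x00" + bytes(46)
```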
   The MAC Mobility Extended Community is encoded as an 8-octet value,
   as follows:

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Type=0x06     | Sub-Type=0x00 |R|R|R|R|R|R|B|S|   Reserved=0  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.  Control Plane Processing

   When a network device is under DDoS attack, it may announce the
   victim's MAC address as a blackhole MAC address for the purpose of
   signaling to neighboring networks that any traffic destined to the
   MAC address should be discarded.  In such a scenario, the victim's
   MAC route should carry the Blackhole Extended Community.  The network
   device installs the victim's MAC address as a blackhole MAC entry.
   Then the network device advertises the victim's MAC address in an
   EVPN MAC route with the MAC Mobility Extended Community, with the
   "blackhole" flag set in that community.  The recipients install the
   MAC address as a blackhole MAC address entry.

4.  Data Packets Processing

   When the network device receives packets whose destination MAC
   address matches a blackhole MAC address, the network device discards
   the packets directly.

5.  IANA Considerations

   TBD.

6.  Security Considerations

   Unauthorized addition of the BLACKHOLE BGP community to a MAC route
   by the forwarding agent may cause an unexpected packet discard.  BGP
   has to support a mechanism to prevent the unauthorized modification
   of information by the forwarding agent.  Recipients of routing
   information have the ability to detect the unauthorized
   modification.  How to prevent the unauthorized modification is out
   of the scope of this document.

7.  Acknowledgements

   The authors of this document would like to thank zhuangshunwan for
   his comments and review of this document.

8.  References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7432]  Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A.,
              Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based
              Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February
              2015.

Authors' Addresses

   Yuan Gao
   Huawei Technologies
   101 Software Avenue, Yuhua District
   Nanjing 210012
   P.R. China

   Email: sean.gao@huawei.com

   Haibo Wang
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing 100095
   P.R. China

   Email: rainsword.wang@huawei.com