idnits 2.17.1 draft-hao-idr-flowspec-evpn-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- -- The document has an IETF Trust Provisions (28 Dec 2009) Section 6.c(ii) Publication Limitation clause. If this document is intended for submission to the IESG for publication, this constitutes an error. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 19, 2014) is 3504 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: 'RFC5575' on line 214 -- Looks like a reference, but probably isn't: 'EVPN' on line 119 -- Looks like a reference, but probably isn't: 'RFC4761' on line 120 -- Looks like a reference, but probably isn't: 'RFC4762' on line 120 -- Looks like a reference, but probably isn't: 'RFC 6074' on line 121 == Missing Reference: '4761' is mentioned on line 125, but not defined == Missing Reference: '4762' is mentioned on line 125, but not defined == Missing Reference: '6074' is mentioned on line 126, but not defined -- Looks like a reference, but probably isn't: 'EVPN-OVERLAY' on line 198 == Unused Reference: '1' is defined on line 284, but no explicit reference was found in the text == Unused Reference: '2' is defined on line 287, but no explicit reference was found in the text == Unused Reference: '3' is defined on line 291, but no explicit reference was found in the text == Unused Reference: '4' is defined on line 274, but no explicit reference was found in the text == Unused Reference: '5' is defined on line 278, but no explicit reference was found in the text == Outdated reference: A later version (-11) exists of draft-ietf-l2vpn-evpn-07 -- Possible downref: Normative reference to a draft: ref. '2' -- Possible downref: Non-RFC (?) normative reference: ref. '3' Summary: 0 errors (**), 0 flaws (~~), 10 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 IDR Weiguo Hao 2 Qiandeng Liang 3 Shunwan Zhuang 4 Internet Draft Huawei 5 Jim Uttaro 6 AT&T 7 S. Litkowski 8 Orange Business Service 9 Intended status: Standards Track September 19, 2014 10 Expires: March 2015 12 Dissemination of Flow Specification Rules for L2 VPN 13 draft-hao-idr-flowspec-evpn-01.txt 15 Abstract 17 This document defines BGP flow-spec extension for Ethernet traffic 18 filtering in L2 VPN network. A new BGP NLRI type (AFI=25, SAFI=TBD) 19 value is proposed to identify L2 VPN flow-spec application. A new 20 subset of component types and extended community also are defined. 22 Status of this Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. This document may not be modified, 29 and derivative works of it may not be created, and it may not be 30 published except as an Internet-Draft. 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. This document may not be modified, 34 and derivative works of it may not be created, except to publish it 35 as an RFC and to translate it into languages other than English. 37 Internet-Drafts are working documents of the Internet Engineering 38 Task Force (IETF), its areas, and its working groups. Note that 39 other groups may also distribute working documents as Internet- 40 Drafts. 42 Internet-Drafts are draft documents valid for a maximum of six 43 months and may be updated, replaced, or obsoleted by other documents 44 at any time. It is inappropriate to use Internet-Drafts as 45 reference material or to cite them other than as "work in progress." 47 The list of current Internet-Drafts can be accessed at 48 http://www.ietf.org/ietf/1id-abstracts.txt 49 The list of Internet-Draft Shadow Directories can be accessed at 50 http://www.ietf.org/shadow.html 52 This Internet-Draft will expire on March 19,2015. 54 Copyright Notice 56 Copyright (c) 2014 IETF Trust and the persons identified as the 57 document authors. All rights reserved. 59 This document is subject to BCP 78 and the IETF Trust's Legal 60 Provisions Relating to IETF Documents 61 (http://trustee.ietf.org/license-info) in effect on the date of 62 publication of this document. Please review these documents 63 carefully, as they describe your rights and restrictions with 64 respect to this document. Code Components extracted from this 65 document must include Simplified BSD License text as described in 66 Section 4.e of the Trust Legal Provisions and are provided without 67 warranty as described in the Simplified BSD License. 69 This document is subject to BCP 78 and the IETF Trust's Legal 70 Provisions Relating to IETF Documents 71 (http://trustee.ietf.org/license-info) in effect on the date of 72 publication of this document. Please review these documents 73 carefully, as they describe your rights and restrictions with 74 respect to this document. 76 Table of Contents 78 1. Introduction ................................................ 2 79 2. Ethernet Flow Specification encoding in BGP.................. 3 80 3. Ethernet Flow Specification Traffic Actions.................. 5 81 4. Security Considerations...................................... 5 82 5. IANA Considerations ......................................... 6 83 5.1. Normative References.................................... 6 84 5.2. Informative References.................................. 7 85 6. Acknowledgments ............................................. 7 87 1. Introduction 89 BGP Flow-spec is an extension to BGP that allows for the 90 dissemination of traffic flow specification rules. It leverages the 91 BGP Control Plane to simplify the distribution of ACLs, new filter 92 rules can be injected to all BGP peers simultaneously without 93 changing router configuration. The typical application of BGP Flow- 94 spec is to automate the distribution of traffic filter lists to 95 routers for DDOS mitigation. 97 RFC5575 defines a new BGP Network Layer Reachability Information 98 (NLRI) format used to distribute traffic flow specification rules. 99 NLRI (AFI=1, SAFI=133)is for IPv4 unicast filtering. NLRI (AFI=1, 100 SAFI=134)is for BGP/MPLS VPN filtering. The Flow specification match 101 part only includes L3/L4 information like source/destination prefix, 102 protocol, ports, and etc, so traffic flows can only be selectively 103 filtered based on L3/L4 information. 105 Layer 2 Virtual Private Networks L2VPNs have already been deployed 106 in an increasing number of networks today. In L2VPN network, we also 107 have requirement to deploy BGP Flow-spec to mitigate DDoS attack 108 traffic. Within L2VPN network, both IP and non-IP Ethernet traffic 109 maybe exist. For IP traffic filtering, the Flow specification rules 110 defined in [RFC5575] which include match criteria and actions can 111 still be used, flow specification rules received via new NLRI format 112 apply only to traffic that belongs to the VPN instance(s) in which 113 it is imported. For non-IP Ethernet traffic filtering, Layer 2 114 related information like source/destination MAC and VLAN should be 115 considered. But the flow specification match criteria defined in 116 RFC5575 only include layer 3 and layer 4 IP information, layer 2 117 Ethernet information haven't been included. 119 There are different kinds of L2VPN networks like EVPN [EVPN], BGP 120 VPLS [RFC4761], LDP VPLS [RFC4762] and border gateway protocol (BGP) 121 auto discovery [RFC 6074]. Because the flow-spec feature relies on 122 BGP protocol to distribute traffic filtering rules, so it can only 123 be incrementally deployed in those L2VPN networks where BGP is used 124 for auto discovery and/or signaling purposes such as BGP-based VPLS 125 [4761], EVPN and LDP-based VPLS [4762] with BGP auto-discovery 126 [6074]. 128 This document proposes a new BGP NLRI type (AFI=25, SAFI=TBD) value, 129 which can be used to propagate traffic filtering information in an 130 L2VPN environment. The new specific (AFI, SAFI) pair is to identify 131 L2VPN flow-spec application. A new subset of component types and 132 extended community also are defined. 134 2. Ethernet Flow Specification encoding in BGP 136 A new BGP NLRI type (AFI=25, SAFI=TBD) value is proposed to identify 137 L2VPN flow-spec application. 139 The NLRI format for this address family consists of a fixed-length 140 Route Distinguisher field (8 bytes) followed by a flow specification, 141 following the encoding defined in this document. The NLRI length 142 field shall include both the 8 bytes of the Route Distinguisher as 143 well as the subsequent flow specification. 145 Flow specification rules received via this NLRI apply only to 146 traffic that belongs to the VPN instance(s) in which it is imported. 147 Flow rules are accepted by default, when received from remote PE 148 routers. 150 Besides the component types defined in [RFC5575], this document 151 proposes the following additional component types for L2VPN Ethernet 152 traffic filtering: 154 Type 13 - Source MAC 156 Encoding: 158 Defines a list of {operation, value} pairs used to match source MAC. 159 Values are encoded as 6-byte quantities. 161 Type 14 - Destination MAC 163 Encoding: 165 Defines a list of {operation, value} pairs used to match destination 166 MAC. Values are encoded as 6-byte quantities. 168 Type 15 - Ethernet Type 170 Encoding: 172 Defines a list of {operation, value} pairs used to match two-octet 173 field. Values are encoded as 1- or 2-byte quantities. 175 Type 16 - VLAN ID 177 Encoding: 179 Defines a list of {operation, value} pairs used to match VLAN ID. 180 Values are encoded as 1- or 2-byte quantities. 182 Type 17 - VLAN COS 184 Encoding: 186 Defines a list of {operation, value} pairs used to match 3-bit VLAN 187 COS fields [802.1p]. Values are encoded using a single byte, where 188 the five most significant bits are zero and the three least 189 significant bits contain the VLAN COS value. 191 Type 18 - VN ID 193 Encoding: 195 Defines a list of {operation, value} pairs used to match 24-bit VNID 196 fields. Values are encoded as 1- to 3-byte quantities. 198 In [EVPN-OVERLAY], EVPN can be deployed within a data center using 199 layer 2 overlays like VXLAN, NVGRE, and etc. VN ID is tenant 200 identification in NVO3 network. 202 3. Ethernet Flow Specification Traffic Actions 204 +--------+--------------------+--------------------------+ 205 | type | extended community | encoding | 206 +--------+--------------------+--------------------------+ 207 | 0x8006 | traffic-rate | 2-byte as#, 4-byte float | 208 | 0x8007 | traffic-action | bitmask | 209 | 0x8008 | redirect | 6-byte Route Target | 210 | 0x8009 | traffic-marking | DSCP value | 211 +--------+--------------------+--------------------------+ 212 Besides to support the above extended communities per RFC5575, this 213 document also proposes the following BGP extended communities 214 specifications for Ethernet flow to extend [RFC5575]: 216 +--------+--------------------+--------------------------+ 217 | type | extended community | encoding | 218 +--------+--------------------+--------------------------+ 219 | 0x800A | VLAN COS marking | COS value | 220 +--------+--------------------+--------------------------+ 221 The VLAN COS marking extended community instructs a system to modify 222 the COS bits of a transiting Ethernet packet to the corresponding 223 value. This extended community is encoded as a sequence of 5 zero 224 bytes followed by the VLAN COS value encoded in the 3 least 225 significant bits of 6th byte. 227 4. Security Considerations 229 No new security issues are introduced to the BGP protocol by this 230 specification. 232 5. IANA Considerations 234 IANA is requested to allocate a new SAFI to identify EVPN flow-spec 235 application. 237 IANA is requested to create and maintain a new registry entitled: 238 "Flow spec L2VPN Component Types": 240 Type 13 - Source MAC 242 Type 14 - Destination MAC 244 Type 15 - Ethernet Type 246 Type 16 - VLAN ID 248 Type 17 - VLAN COS 250 IANA is requested to update the reference for the following 251 assignment in the "BGP Extended Communities Type - extended, 252 transitive" registry: 254 Type value Name Reference 256 ---------- ---------------------------------------- --------- 258 0x080A Flow spec VLAN COS marking [this document] 260 5.1. Normative References 262 [1] [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 264 Requirement Levels", BCP 14, RFC 2119, March 1997. 266 [2] [RFC5575] P. Marques, N. Sheth, R. Raszuk, B. Greene, J.Mauch, 267 D. McPherson, "Dissemination of Flow Specification Rules", RFC 268 5575, August 2009. 270 [3] [RFC4761] K. Kompella, Ed., Y. Rekhter, Ed., "Virtual Private 271 LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling", 272 RFC4761, January 2007. 274 [4] [RFC4762] M. Lasserre, Ed., V. Kompella, Ed., "Virtual Private 275 LAN Service (VPLS) Using Label Distribution Protocol (LDP) 276 Signaling", RFC4762, January 2007. 278 [5] [RFC6074] E. Rosen, B. Davie, V. Radoaca, "Provisioning, Auto- 279 Discovery, and Signaling in Layer 2 Virtual Private Networks 280 (L2VPNs)", RFC6074, January 2011. 282 5.2. Informative References 284 [1] [EVPN] Sajassi et al., "BGP MPLS Based Ethernet VPN", draft- 285 ietf-l2vpn-evpn-07.txt, work in progress, May, 2014. 287 [2] [EVPN-OVERLAY] A. Sajassi,etc, ''A Network Virtualization 288 Overlay Solution using EVPN'', draft-sd-l2vpn-evpn-overlay-03, 289 June, 2014 291 [3] [IEEE 802.1p] Javin, et.al. "IEEE 802.1p: LAN Layer 2 QoS/CoS 292 Protocol for Traffic Prioritization", 2012-02-15 294 6. Acknowledgments 296 The authors wish to acknowledge the important contributions of 297 Xiaohu Xu, Lucy Yong. 299 Authors' Addresses 301 Weiguo Hao 302 Huawei Technologies 303 101 Software Avenue, 304 Nanjing 210012 305 China 306 Email: haoweiguo@huawei.com 308 Qiandeng Liang 309 Huawei Technologies 310 101 Software Avenue, 311 Nanjing 210012 312 China 313 Email: liuweihang@huawei.com 315 Shunwan Zhuang 316 Huawei Technologies 317 Huawei Bld., No.156 Beiqing Rd. 318 Beijing 100095 319 China 320 Email: zhuangshunwan@huawei.com 322 James Uttaro 323 AT&T 324 EMail: uttaro@att.com 326 Stephane Litkowski 327 Orange 328 stephane.litkowski@orange.com