idnits 2.17.1 draft-hao-idr-flowspec-evpn-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- -- The document has an IETF Trust Provisions (28 Dec 2009) Section 6.c(ii) Publication Limitation clause. If this document is intended for submission to the IESG for publication, this constitutes an error. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC5575]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 258: '..., the component type MUST not be used....' RFC 2119 keyword, line 270: '..., the component type MUST not be used....' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: In single VLAN case, the component type MUST not be used. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: In single VLAN case, the component type MUST not be used. -- The document date (January 16, 2015) is 3380 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: 'RFC5575' on line 314 -- Looks like a reference, but probably isn't: 'EVPN' on line 121 -- Looks like a reference, but probably isn't: 'RFC4761' on line 122 -- Looks like a reference, but probably isn't: 'RFC4762' on line 122 -- Looks like a reference, but probably isn't: 'RFC 6074' on line 123 == Missing Reference: '4761' is mentioned on line 127, but not defined == Missing Reference: '4762' is mentioned on line 127, but not defined == Missing Reference: '6074' is mentioned on line 128, but not defined == Unused Reference: '1' is defined on line 381, but no explicit reference was found in the text == Unused Reference: '2' is defined on line 384, but no explicit reference was found in the text == Unused Reference: '3' is defined on line 367, but no explicit reference was found in the text == Unused Reference: '4' is defined on line 371, but no explicit reference was found in the text == Unused Reference: '5' is defined on line 375, but no explicit reference was found in the text == Outdated reference: A later version (-11) exists of draft-ietf-l2vpn-evpn-07 -- Possible downref: Non-RFC (?) normative reference: ref. '2' Summary: 2 errors (**), 0 flaws (~~), 12 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 IDR Weiguo Hao 2 Qiandeng Liang 3 Shunwan Zhuang 4 Internet Draft Huawei 5 Jim Uttaro 6 AT&T 7 S. Litkowski 8 Orange Business Service 9 Intended status: Standards Track January 16, 2015 10 Expires: July 2015 12 Dissemination of Flow Specification Rules for L2 VPN 13 draft-hao-idr-flowspec-evpn-02.txt 15 Abstract 17 This document defines BGP flow-spec extension for Ethernet traffic 18 filtering in L2 VPN network. SAFI=134 in [RFC5575] is redefined for 19 dissemination traffic filtering information in an L2VPN environment. 20 A new subset of component types and extended community also are 21 defined. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. This document may not be modified, 30 and derivative works of it may not be created, and it may not be 31 published except as an Internet-Draft. 33 This Internet-Draft is submitted in full conformance with the 34 provisions of BCP 78 and BCP 79. This document may not be modified, 35 and derivative works of it may not be created, except to publish it 36 as an RFC and to translate it into languages other than English. 38 Internet-Drafts are working documents of the Internet Engineering 39 Task Force (IETF), its areas, and its working groups. Note that 40 other groups may also distribute working documents as Internet- 41 Drafts. 43 Internet-Drafts are draft documents valid for a maximum of six 44 months and may be updated, replaced, or obsoleted by other documents 45 at any time. It is inappropriate to use Internet-Drafts as 46 reference material or to cite them other than as "work in progress." 47 The list of current Internet-Drafts can be accessed at 48 http://www.ietf.org/ietf/1id-abstracts.txt 50 The list of Internet-Draft Shadow Directories can be accessed at 51 http://www.ietf.org/shadow.html 53 This Internet-Draft will expire on July 16,2015. 55 Copyright Notice 57 Copyright (c) 2014 IETF Trust and the persons identified as the 58 document authors. All rights reserved. 60 This document is subject to BCP 78 and the IETF Trust's Legal 61 Provisions Relating to IETF Documents 62 (http://trustee.ietf.org/license-info) in effect on the date of 63 publication of this document. Please review these documents 64 carefully, as they describe your rights and restrictions with 65 respect to this document. Code Components extracted from this 66 document must include Simplified BSD License text as described in 67 Section 4.e of the Trust Legal Provisions and are provided without 68 warranty as described in the Simplified BSD License. 70 This document is subject to BCP 78 and the IETF Trust's Legal 71 Provisions Relating to IETF Documents 72 (http://trustee.ietf.org/license-info) in effect on the date of 73 publication of this document. Please review these documents 74 carefully, as they describe your rights and restrictions with 75 respect to this document. 77 Table of Contents 79 1. Introduction ................................................ 2 80 2. Layer 2 Flow Specification encoding in BGP................... 3 81 3. Ethernet Flow Specification encoding in BGP.................. 4 82 4. Ethernet Flow Specification Traffic Actions.................. 7 83 5. Security Considerations...................................... 7 84 6. IANA Considerations ......................................... 7 85 6.1. Normative References.................................... 8 86 6.2. Informative References.................................. 9 87 7. Acknowledgments ............................................. 9 89 1. Introduction 91 BGP Flow-spec is an extension to BGP that allows for the 92 dissemination of traffic flow specification rules. It leverages the 93 BGP Control Plane to simplify the distribution of ACLs, new filter 94 rules can be injected to all BGP peers simultaneously without 95 changing router configuration. The typical application of BGP Flow- 96 spec is to automate the distribution of traffic filter lists to 97 routers for DDOS mitigation. 99 RFC5575 defines a new BGP Network Layer Reachability Information 100 (NLRI) format used to distribute traffic flow specification rules. 101 NLRI (AFI=1, SAFI=133)is for IPv4 unicast filtering. NLRI (AFI=1, 102 SAFI=134)is for BGP/MPLS VPN filtering. The Flow specification match 103 part only includes L3/L4 information like source/destination prefix, 104 protocol, ports, and etc, so traffic flows can only be selectively 105 filtered based on L3/L4 information. 107 Layer 2 Virtual Private Networks L2VPNs have already been deployed 108 in an increasing number of networks today. In L2VPN network, we also 109 have requirement to deploy BGP Flow-spec to mitigate DDoS attack 110 traffic. Within L2VPN network, both IP and non-IP Ethernet traffic 111 maybe exist. For IP traffic filtering, the Flow specification rules 112 defined in [RFC5575] which include match criteria and actions can 113 still be used, flow specification rules received via new NLRI format 114 apply only to traffic that belongs to the VPN instance(s) in which 115 it is imported. For non-IP Ethernet traffic filtering, Layer 2 116 related information like source/destination MAC and VLAN should be 117 considered. But the flow specification match criteria defined in 118 RFC5575 only include layer 3 and layer 4 IP information, layer 2 119 Ethernet information haven't been included. 121 There are different kinds of L2VPN networks like EVPN [EVPN], BGP 122 VPLS [RFC4761], LDP VPLS [RFC4762] and border gateway protocol (BGP) 123 auto discovery [RFC 6074]. Because the flow-spec feature relies on 124 BGP protocol to distribute traffic filtering rules, so it can only 125 be incrementally deployed in those L2VPN networks where BGP is used 126 for auto discovery and/or signaling purposes such as BGP-based VPLS 127 [4761], EVPN and LDP-based VPLS [4762] with BGP auto-discovery 128 [6074]. 130 This draft proposes a new subset of component types and extended 131 community to support L2VPN flow-spec application. SAFI=134 in 132 [RFC5575] is redefined for dissemination traffic filtering 133 information in an L2VPN environment. 135 2. Layer 2 Flow Specification encoding in BGP 137 The [RFC5575] defines SAFI 133 and SAFI 134 for "dissemination of 138 IPv4 flow specification rules" and "dissemination of VPNv4 flow 139 specification rules" respectively. [draft-ietf-idr-flow-spec-v6-06] 140 redefines the [RFC5575] SAFIs in order to make them applicable to 141 both IPv4 and IPv6 applications. This document will further redefine 142 the SAFI 134 in order to make them applicable to L2VPN applications. 144 The following changes are defined: 146 "SAFI 134 for dissemination of L3VPN flow specification rules" to 147 now be defined as "SAFI 134 for dissemination of VPN flow 148 specification rules" 150 For SAFI 134 the indication to which address family it is referring 151 to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and 152 AFI=25 for L2VPN). Such modification is fully backwards compatible 153 with existing implementation and production deployments. 155 3. Ethernet Flow Specification encoding in BGP 157 The NLRI format for this address family consists of a fixed-length 158 Route Distinguisher field (8 bytes) followed by a flow specification, 159 following the encoding defined in this document. The NLRI length 160 field shall include both the 8 bytes of the Route Distinguisher as 161 well as the subsequent flow specification. 163 Flow specification rules received via this NLRI apply only to 164 traffic that belongs to the VPN instance(s) in which it is imported. 165 Flow rules are accepted by default, when received from remote PE 166 routers. 168 Besides the component types defined in [RFC5575] and [draft-ietf- 169 idr-flow-spec-v6-06], this document proposes the following 170 additional component types for L2VPN Ethernet traffic filtering: 172 Type 14 - Source MAC 174 Encoding: 176 Defines a list of {operation(op), value} pairs used to match source 177 MAC. Values are encoded as 6-byte quantities. The operation field is 178 encoded as ''Numeric operator'' defined in [RFC5575]. 180 Type 15 - Destination MAC 182 Encoding: 184 Defines a list of {operation, value} pairs used to match destination 185 MAC. Values are encoded as 6-byte quantities. 187 Type 16 - - Ethernet Type 189 Encoding: 191 Defines a list of {operation, value} pairs used to match two-octet 192 field. Values are encoded as 2-byte quantities. 194 Ethernet II framing defines the two-octet EtherType field in an 195 Ethernet frame, preceded by destination and source MAC addresses, 196 that identifies an upper layer protocol encapsulating the frame data. 198 Type 17 - DSAP(Destination Service Access Point) in LLC 200 Encoding: 202 Defines a list of {operation, value} pairs used to match 1-octet 203 DSAP in the 802.2 LLC(Logical Link Control Header). Values are 204 encoded as 1-byte quantities. 206 Type 18 - SSAP(Source Service Access Point) in LLC 208 Encoding: 210 Defines a list of {operation, value} pairs used to match 1-octet 211 SSAP in the 802.2 LLC. Values are encoded as 1-byte quantities. 213 Type 19 - Control field in LLC 215 Encoding: 217 Defines a list of {operation, value} pairs used to match 1-octet 218 control field in the 802.2 LLC. Values are encoded as 1-byte 219 quantities. 221 Type 20 - SNAP 223 Encoding: 225 Defines a list of {operation, value} pairs used to match 5-octet 226 SNAP(Sub-Network Access Protocol) field. Values are encoded as 5- 227 byte quantities. 229 Type 21 - VLAN ID 231 Encoding: 232 Defines a list of {operation, value} pairs used to match VLAN ID. 233 Values are encoded as 1- or 2-byte quantities. 235 In virtual local-area network (VLAN) stacking case, the VLAN ID is 236 outer VLAN ID. 238 Type 22 - VLAN COS 240 Encoding: 242 Defines a list of {operation, value} pairs used to match 3-bit VLAN 243 COS fields [802.1p]. Values are encoded using a single byte, where 244 the five most significant bits are zero and the three least 245 significant bits contain the VLAN COS value. 247 In virtual local-area network (VLAN) stacking case, the VLAN COS is 248 outer VLAN COS. 250 Type 23 - Inner VLAN ID 252 Encoding: 254 Defines a list of {operation, value} pairs used to match inner VLAN 255 ID using for virtual local-area network (VLAN) stacking or Q in Q 256 case. Values are encoded as 1- or 2-byte quantities. 258 In single VLAN case, the component type MUST not be used. 260 Type 24 - Inner VLAN COS 262 Encoding: 264 Defines a list of {operation, value} pairs used to match 3-bit inner 265 VLAN COS fields [802.1p] using for virtual local-area network (VLAN) 266 stacking or Q in Q case. Values are encoded using a single byte, 267 where the five most significant bits are zero and the three least 268 significant bits contain the VLAN COS value. 270 In single VLAN case, the component type MUST not be used. 272 4. Ethernet Flow Specification Traffic Actions 274 +--------+--------------------+--------------------------+ 275 | type | extended community | encoding | 276 +--------+--------------------+--------------------------+ 277 | 0x8006 | traffic-rate | 2-byte as#, 4-byte float | 278 | 0x8007 | traffic-action | bitmask | 279 | 0x8008 | redirect | 6-byte Route Target | 280 | 0x8009 | traffic-marking | DSCP value | 281 +--------+--------------------+--------------------------+ 282 Besides to support the above extended communities per RFC5575, this 283 document also proposes the following BGP extended communities 284 specifications for Ethernet flow to extend [RFC5575]: 286 +--------+--------------------+--------------------------+ 287 | type | extended community | encoding | 288 +--------+--------------------+--------------------------+ 289 | 0x800A | VLAN COS marking | COS value | 290 +--------+--------------------+--------------------------+ 291 The VLAN COS marking extended community instructs a system to modify 292 the COS bits of a transiting Ethernet packet to the corresponding 293 value. This extended community is encoded as a sequence of 5 zero 294 bytes followed by the VLAN COS value encoded in the 3 least 295 significant bits of 6th byte. 297 In virtual local-area network (VLAN) stacking case, the VLAN COS is 298 outer VLAN COS. 300 5. Security Considerations 302 No new security issues are introduced to the BGP protocol by this 303 specification. 305 6. IANA Considerations 307 IANA is requested to rename currently defined SAFI 134 per [RFC5575] 308 to read: 310 134 VPN dissemination of flow specification rules 312 IANA is requested to create and maintain a new registry for "Flow 313 spec L2VPN Component Types". For completeness, the types defined in 314 [RFC5575] and [draft-ietf-idr-flow-spec-v6-06] also are listed here. 316 +--------+-------------------------------+--------------------------+ 317 | type | RFC or Draft | discription | 318 +--------+-------------------------------+--------------------------+ 319 | 1 |RFC5575 | Destination Prefix | 320 | 1 |draft-ietf-idr-flow-spec-v6-06 | Destination IPv6 Prefix | 321 | 2 |RFC5575 | Source Prefix | 322 | 2 |draft-ietf-idr-flow-spec-v6-06 | Source IPv6 Prefix | 323 | 3 |RFC5575 | IP Protocol | 324 | 3 |draft-ietf-idr-flow-spec-v6-06 | Next Header | 325 | 4 |RFC5575 | Port | 326 | 5 |RFC5575 | Destination port | 327 | 6 |RFC5575 | Source port | 328 | 7 |RFC5575 | ICMP type | 329 | 8 |RFC5575 | ICMP code | 330 | 9 |RFC5575 | TCP flags | 331 | 10 |RFC5575 | Packet length | 332 | 11 |RFC5575 | DSCP | 333 | 12 |RFC5575 | Fragment | 334 | 13 |draft-ietf-idr-flow-spec-v6-06 | Flow Label | 335 | 14 |This draft | Source MAC | 336 | 15 |This draft | Destination MAC | 337 | 16 |This draft | Ethernet Type | 338 | 17 |This draft | DSAP in LLC | 339 | 18 |This draft | SSAP in LLC | 340 | 19 |This draft | Control field in LLC | 341 | 20 |This draft | SNAP | 342 | 21 |This draft | VLAN ID | 343 | 22 |This draft | VLAN COS | 344 | 23 |This draft | Inner VLAN ID | 345 | 24 |This draft | Inner VLAN COS | 346 +--------+-------------------------------+--------------------------+ 347 IANA is requested to update the reference for the following 348 assignment in the "BGP Extended Communities Type - extended, 349 transitive" registry: 351 Type value Name Reference 353 ---------- ---------------------------------------- --------- 355 0x080A Flow spec VLAN COS marking [this document] 357 6.1. Normative References 359 [1] [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 361 Requirement Levels", BCP 14, RFC 2119, March 1997. 363 [2] [RFC5575] P. Marques, N. Sheth, R. Raszuk, B. Greene, J.Mauch, 364 D. McPherson, "Dissemination of Flow Specification Rules", RFC 365 5575, August 2009. 367 [3] [RFC4761] K. Kompella, Ed., Y. Rekhter, Ed., "Virtual Private 368 LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling", 369 RFC4761, January 2007. 371 [4] [RFC4762] M. Lasserre, Ed., V. Kompella, Ed., "Virtual Private 372 LAN Service (VPLS) Using Label Distribution Protocol (LDP) 373 Signaling", RFC4762, January 2007. 375 [5] [RFC6074] E. Rosen, B. Davie, V. Radoaca, "Provisioning, Auto- 376 Discovery, and Signaling in Layer 2 Virtual Private Networks 377 (L2VPNs)", RFC6074, January 2011. 379 6.2. Informative References 381 [1] [EVPN] Sajassi et al., "BGP MPLS Based Ethernet VPN", draft- 382 ietf-l2vpn-evpn-07.txt, work in progress, May, 2014. 384 [2] [IEEE 802.1p] Javin, et.al. "IEEE 802.1p: LAN Layer 2 QoS/CoS 385 Protocol for Traffic Prioritization", 2012-02-15 387 7. Acknowledgments 389 The authors wish to acknowledge the important contributions of 390 Xiaohu Xu, Lucy Yong. 392 Authors' Addresses 394 Weiguo Hao 395 Huawei Technologies 396 101 Software Avenue, 397 Nanjing 210012 398 China 399 Email: haoweiguo@huawei.com 401 Qiandeng Liang 402 Huawei Technologies 403 101 Software Avenue, 404 Nanjing 210012 405 China 406 Email: liangqiandeng@huawei.com 408 Shunwan Zhuang 409 Huawei Technologies 410 Huawei Bld., No.156 Beiqing Rd. 411 Beijing 100095 412 China 413 Email: zhuangshunwan@huawei.com 415 James Uttaro 416 AT&T 417 EMail: uttaro@att.com 419 Stephane Litkowski 420 Orange 421 stephane.litkowski@orange.com