idnits 2.17.1

draft-ietf-idr-flow-spec-v6-09.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([RFC5575]), which it
     shouldn't.  Please replace those with straight textual mentions of
     the documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does
     not match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  -- The document date (November 15, 2017) is 2344 days in the past.  Is this
     intentional?
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '137' on line 217

  -- Looks like a reference, but probably isn't: '139' on line 217

  == Unused Reference: 'RFC2119' is defined on line 342, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC4271' is defined on line 357, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5492' is defined on line 362, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6437' is defined on line 375, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5095' is defined on line 386, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)

  ** Obsolete normative reference: RFC 5575 (Obsoleted by RFC 8955)

     Summary: 3 errors (**), 0 flaws (~~), 7 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

IDR Working Group                                          D. McPherson
Internet-Draft                                           Verisign, Inc.
Intended status: Standards Track                         R. Raszuk, Ed.
Expires: May 19, 2018                                      Bloomberg LP
                                                           B. Pithawala
                                                             Individual
                                                               A. Karch
                                                          Cisco Systems
                                                          S. Hares, Ed.
                                                                 Huawei
                                                      November 15, 2017


          Dissemination of Flow Specification Rules for IPv6
                   draft-ietf-idr-flow-spec-v6-09.txt

Abstract

   Dissemination of Flow Specification Rules [RFC5575] provides a
   protocol extension for propagation of traffic flow information for
   the purpose of rate limiting or filtering.  [RFC5575] specifies
   those extensions for IPv4 protocol data packets.
   This specification extends the current [RFC5575] and defines changes
   to the original document in order to make it also usable and
   applicable to IPv6 data packets.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 19, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  IPv6 Flow Specification encoding in BGP
   3.  IPv6 Flow Specification types changes
     3.1.  Order of Traffic Filtering Rules
   4.  IPv6 Flow Specification Traffic Filtering Action changes
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   The growing amount of IPv6 traffic in private and public networks
   requires the extension of tools used in IPv4-only networks to be
   also capable of supporting IPv6 data packets.

   In this document the authors analyze the differences between the
   description of IPv6 [RFC2460] flows and that of traditional IPv4
   packets, and propose a subset of new encoding formats to enable
   Dissemination of Flow Specification Rules [RFC5575] for IPv6.

   This specification should be treated as an extension of the base
   [RFC5575] specification and not its replacement.  It only defines the
   delta changes required to support IPv6, while all other definitions
   and operation mechanisms of Dissemination of Flow Specification Rules
   remain in the main specification and are not repeated here.

2.  IPv6 Flow Specification encoding in BGP

   [RFC5575] defines new SAFIs (133 for IPv4 and 134 for VPNv4
   applications) in order to carry the flow specification corresponding
   to each such application.

   This document redefines the [RFC5575] SAFIs in order to make them
   AFI specific and applicable to both IPv4 and IPv6 applications.
   The following changes are defined:

      "SAFI 133 for IPv4 dissemination of flow specification rules" to
      now be defined as "SAFI 133 for dissemination of unicast flow
      specification rules"

      "SAFI 134 for VPNv4 dissemination of flow specification rules" to
      now be defined as "SAFI 134 for dissemination of L3VPN flow
      specification rules"

   For both SAFIs the address family they refer to is recognized by the
   AFI value (AFI=1 for IPv4 or VPNv4, AFI=2 for IPv6 and VPNv6
   respectively).  Such modification is fully backwards compatible with
   existing implementations and production deployments.

   It needs to be observed that such choice of proposed encoding is
   compatible with filter validation against routing reachability
   information as described in section 6 of RFC5575.  Validation will
   now be performed according to the following rules:

      Flow specification received over AFI/SAFI=1/133 will be validated
      against routing reachability received over AFI/SAFI=1/1

      Flow specification received over AFI/SAFI=1/134 will be validated
      against routing reachability received over AFI/SAFI=1/128

      Flow specification received over AFI/SAFI=2/133 will be validated
      against routing reachability received over AFI/SAFI=2/1

      Flow specification received over AFI/SAFI=2/134 will be validated
      against routing reachability received over AFI/SAFI=2/128

3.  IPv6 Flow Specification types changes

   The following component types are redefined or added for the purpose
   of accommodating the new IPv6 header encoding.  Unless otherwise
   stated, all other types as defined in [RFC5575] apply to IPv6 packets
   as is.

   Type 1 - Destination IPv6 Prefix

      Encoding:

      Function: Defines the destination prefix to match.  Prefix
      offset has been defined to allow for flexible matching on part
      of the IPv6 address where we want to skip (don't care) the N
      first bits of the address.
      This can be especially useful where
      part of the IPv6 address consists of an embedded IPv4 address
      and matching needs to happen only on the embedded IPv4 address.
      The encoded prefix contains enough octets for the bits used in
      matching (length minus offset bits).

   Type 2 - Source IPv6 Prefix

      Encoding:

      Function: Defines the source prefix to match.  Prefix offset
      has been defined to allow for flexible matching on part of the
      IPv6 address where we want to skip (don't care) the N first bits
      of the address.  This can be especially useful where part of
      the IPv6 address consists of an embedded IPv4 address and
      matching needs to happen only on the embedded IPv4 address.
      The encoded prefix contains enough octets for the bits used in
      matching (length minus offset bits).

   Type 3 - Next Header

      Encoding:

      Function: Contains a set of {operator, value} pairs that are
      used to match the last Next Header value octet in IPv6 packets.
      The operator byte is encoded as specified in component type 3
      of [RFC5575].

      Note: While IPv6 allows for more than one Next Header field in
      the packet, the main goal of the Type 3 flow specification
      component is to match on the subsequent IP protocol value.
      Therefore the definition is limited to matching only on the last
      Next Header field in the packet.

   Type 12 - Fragment

      Encoding:
      Uses the bitmask operand format defined above.
      Bit-7 is not used
      and MUST be 0 to provide backwards-compatibility with the
      definition in [RFC5575].

      Bitmask operand format:

           0   1   2   3   4   5   6   7
         +---+---+---+---+---+---+---+---+
         |   Reserved    |LF |FF |IsF| 0 |
         +---+---+---+---+---+---+---+---+

      Bitmask values:

      + Bit 6 - Is a fragment (IsF)

      + Bit 5 - First fragment (FF)

      + Bit 4 - Last fragment (LF)

   Type 13 - Flow Label (New type)

      Encoding:

      Function: Contains a set of {operator, value} pairs that are
      used to match the 20-bit Flow Label field [RFC2460].  The
      operator byte is encoded as specified in component type 3
      of [RFC5575].  Values are encoded as 1-, 2-, or 4-byte
      quantities.

   The following example demonstrates the new prefix encoding for: "all
   packets to ::1234:5678:9A00:0/64-104 from 192::/8 and port {range
   [137, 139] or 8080}".  In the destination prefix, "80-" represents
   the prefix offset of 80 bits.  In this example, the 0 offset is
   omitted from the printed source prefix.

      +-------------------------+------------+-----------------------+
      | destination             | source     | port                  |
      +-------------------------+------------+-----------------------+
      |0x01 68 50 12 34 56 78 9A| 02 00 08 c0|04 03 89 45 8b 91 1f 90|
      +-------------------------+------------+-----------------------+

3.1.  Order of Traffic Filtering Rules

   The original definition for the order of traffic filtering rules can
   be reused with new consideration for the IPv6 prefix offset.  As long
   as the offsets are equal, the comparison is the same, retaining
   longest-prefix-match semantics.  If the offsets are not equal, the
   lowest offset has precedence, as this flow matches the most
   significant bit.
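   The component encodings of Section 3 and the ordering rule of
   Section 3.1 in working form, as an added example that is not code
   from the draft: it decodes an NLRI value into components, applies
   the prefix-offset ("don't care" leading bits) matching of Types 1
   and 2, rejects a Fragment value with bit 7 set, and implements
   flow_rule_v6_cmp with the offset rule.  The wire layout assumed for
   Types 1 and 2 (type, prefix-length, prefix-offset, then the prefix
   octets) is an assumption, since the "Encoding:" lines are missing
   from this copy of the draft; the bytes decoded in the checks are the
   port column of the draft's example above plus constructed prefix
   components.  The draft's own pseudocode for the comparison follows.

```python
"""IPv6 flow specification NLRI decoding and rule ordering (Sections 3, 3.1).
Added example, not code from the draft.  ASSUMED layout for Types 1 and 2
(the "Encoding:" lines are missing here): type, prefix-length, prefix-offset
(1 octet each), then enough octets to hold (prefix-length - prefix-offset)
bits.  Operator octets use the RFC 5575 layout (bit 0 end-of-list, bit 1
AND, bits 2-3 value length)."""
import functools
import ipaddress

IPV6_DESTINATION, IPV6_SOURCE, FRAGMENT = 1, 2, 12
A_HAS_PRECEDENCE, B_HAS_PRECEDENCE, EQUAL = -1, 1, 0


def decode_prefix(buf, pos):
    """Type 1/2 -> ((type, length, offset, bits), next_pos); 'bits' holds
    only the (length - offset) bits that are matched."""
    ctype, plen, poff = buf[pos], buf[pos + 1], buf[pos + 2]
    if plen > 128 or poff > plen:
        raise ValueError("invalid prefix-length/prefix-offset")
    nbits, nbytes = plen - poff, (plen - poff + 7) // 8
    raw = buf[pos + 3:pos + 3 + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated prefix component")
    bits = int.from_bytes(raw, "big") >> (nbytes * 8 - nbits)
    return (ctype, plen, poff, bits), pos + 3 + nbytes

def prefix_match(comp, address):
    """True when bits [offset, length) of the address equal the component's
    bits; the first 'offset' bits of the address are don't-care."""
    _, plen, poff, bits = comp
    addr = int(ipaddress.IPv6Address(address))
    return (addr >> (128 - plen)) & ((1 << (plen - poff)) - 1) == bits

def decode_operator_list(buf, pos):
    """{op, value}+ component -> ((type, raw, [(op, value), ...]), next_pos)."""
    ctype, start, items, pos = buf[pos], pos, [], pos + 1
    while True:
        if pos >= len(buf):
            raise ValueError("operator list without end-of-list bit")
        op = buf[pos]
        vlen = 1 << ((op >> 4) & 0x3)
        raw = buf[pos + 1:pos + 1 + vlen]
        if len(raw) != vlen:
            raise ValueError("truncated operator value")
        value = int.from_bytes(raw, "big")
        if ctype == FRAGMENT and value & 0x01:  # bit 7 (LSB) MUST be 0
            raise ValueError("Fragment bit 7 MUST be 0")
        items.append((op, value))
        pos += 1 + vlen
        if op & 0x80:  # end-of-list bit
            return (ctype, bytes(buf[start + 1:pos]), items), pos

def decode_flowspec(buf):
    """Decode a complete flow specification NLRI value into components."""
    comps, pos = [], 0
    while pos < len(buf):
        if buf[pos] in (IPV6_DESTINATION, IPV6_SOURCE):
            comp, pos = decode_prefix(buf, pos)
        elif 3 <= buf[pos] <= 13:
            comp, pos = decode_operator_list(buf, pos)
        else:
            raise ValueError("unknown component type %d" % buf[pos])
        comps.append(comp)
    return comps

def compare_component(c1, c2):
    """Section 3.1 ordering for two components of the same type."""
    if c1[0] in (IPV6_DESTINATION, IPV6_SOURCE):
        (_, len1, off1, bits1), (_, len2, off2, bits2) = c1, c2
        if off1 != off2:  # lowest offset has precedence
            return A_HAS_PRECEDENCE if off1 < off2 else B_HAS_PRECEDENCE
        common = min(len1, len2) - off1  # matched bits both prefixes carry
        head1, head2 = bits1 >> (len1 - off1 - common), bits2 >> (len2 - off2 - common)
        if head1 != head2:  # lowest value has precedence
            return A_HAS_PRECEDENCE if head1 < head2 else B_HAS_PRECEDENCE
        if len1 != len2:  # longest match has precedence
            return A_HAS_PRECEDENCE if len1 > len2 else B_HAS_PRECEDENCE
        return EQUAL
    d1, d2 = c1[1], c2[1]
    common = min(len(d1), len(d2))
    if d1[:common] != d2[:common]:  # lowest value has precedence
        return A_HAS_PRECEDENCE if d1[:common] < d2[:common] else B_HAS_PRECEDENCE
    if len(d1) != len(d2):  # longest string has precedence
        return A_HAS_PRECEDENCE if len(d1) > len(d2) else B_HAS_PRECEDENCE
    return EQUAL

def flow_rule_v6_cmp(a, b):
    """Order two decoded rules (components are in ascending type order)."""
    for c1, c2 in zip(a, b):
        if c1[0] != c2[0]:  # lower type number has precedence
            return A_HAS_PRECEDENCE if c1[0] < c2[0] else B_HAS_PRECEDENCE
        result = compare_component(c1, c2)
        if result != EQUAL:
            return result
    if len(a) != len(b):  # end-of-list compares as infinity
        return A_HAS_PRECEDENCE if len(a) > len(b) else B_HAS_PRECEDENCE
    return EQUAL

def order_rules(rules):
    """Rules in the order in which they must be evaluated."""
    return sorted(rules, key=functools.cmp_to_key(flow_rule_v6_cmp))
```

   decode_flowspec(bytes.fromhex("040389458b911f90")) yields the port
   component of the example above as the operator list
   [(0x03, 137), (0x45, 139), (0x91, 8080)], i.e. ">= 137 AND <= 139,
   OR == 8080".  A constructed Type 1 component 01 78 60 c0 00 02
   (length 120, offset 96, prefix octets c0 00 02) matches
   ::ffff:192.0.2.7 and also 2001:db8::c000:207, because the first 96
   bits are skipped; the comparator places a rule with offset 0 ahead
   of one with offset 80, and a longer prefix ahead of a shorter one
   with the same offset and leading bits.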
   Pseudocode

   flow_rule_v6_cmp (a, b)
   {
       comp1 = next_component(a);
       comp2 = next_component(b);
       while (comp1 || comp2) {
           // component_type returns infinity on end-of-list
           if (component_type(comp1) < component_type(comp2)) {
               return A_HAS_PRECEDENCE;
           }
           if (component_type(comp1) > component_type(comp2)) {
               return B_HAS_PRECEDENCE;
           }

           if (component_type(comp1) == IPV6_DESTINATION ||
               component_type(comp1) == IPV6_SOURCE) {
               // offset not equal, lowest offset has precedence
               if (prefix_offset(comp1) != prefix_offset(comp2)) {
                   return (prefix_offset(comp1) < prefix_offset(comp2)) ?
                          A_HAS_PRECEDENCE : B_HAS_PRECEDENCE;
               }
               // offset equal, compare the bits both prefixes carry
               offset = prefix_offset(comp1);
               common_len = MIN(prefix_length(comp1), prefix_length(comp2));
               cmp = prefix_compare(comp1, comp2, offset, common_len);
               // not equal, lowest value has precedence
               // equal, longest match has precedence
               if (cmp == 0) {
                   cmp = prefix_length(comp2) - prefix_length(comp1);
               }
           } else {
               common =
                   MIN(component_length(comp1), component_length(comp2));
               cmp = memcmp(data(comp1), data(comp2), common);
               // not equal, lowest value has precedence
               // equal, longest string has precedence
               if (cmp == 0) {
                   cmp = component_length(comp2) - component_length(comp1);
               }
           }
           if (cmp < 0) {
               return A_HAS_PRECEDENCE;
           }
           if (cmp > 0) {
               return B_HAS_PRECEDENCE;
           }
           comp1 = next_component(a);
           comp2 = next_component(b);
       }

       return EQUAL;
   }

4.  IPv6 Flow Specification Traffic Filtering Action changes

   One of the traffic filtering actions which can be expressed by a BGP
   extended community is defined in [RFC5575] as traffic-marking.
   Another traffic filtering action defined in [RFC5575] as a BGP
   extended community is redirect.  To allow an IPv6 address specific
   route-target, a new traffic action IPv6 address specific extended
   community is provided.

   Therefore, for the purpose of making the action expressed by the
   presence of the extended community compatible with the IPv6 header,
   the following text in [RFC5575] has been modified to read:

      Traffic Marking (0x8009): The traffic marking extended community
      instructs a system to modify the first 6 bits of the Traffic Class
      field (as recommended by [RFC2474]) of a transiting IPv6 packet to
      the corresponding value.
      This extended community is encoded as a
      sequence of 42 zero bits followed by the 6 bits overwriting the
      DSCP portion of the Traffic Class value.

      Redirect-IPv6 (0x800B): The redirect IPv6 address specific extended
      community allows the traffic to be redirected to a VRF routing
      instance that lists the specified IPv6 address specific route-
      target in its import policy.  If several local instances match
      this criteria, the choice between them is a local matter (for
      example, the instance with the lowest Route Distinguisher value
      can be elected).  This extended community uses the same encoding
      as the IPv6 address specific Route Target extended community
      [RFC5701].

5.  Security Considerations

   No new security issues are introduced to the BGP protocol by this
   specification over the security concerns in [RFC5575].

6.  IANA Considerations

   This section complies with [RFC7153].

   IANA is requested to rename the currently defined SAFI 133 and SAFI
   134 per [RFC5575] to read:

      133   Dissemination of flow specification rules
      134   L3VPN dissemination of flow specification rules

   IANA is requested to create and maintain a new registry entitled:
   "Flow Spec IPv6 Component Types".  The initial values are:

      Type      Description                    RFC
      -------------------------------------    ------------
      Type 1  - Destination IPv6 Prefix        [this draft]
      Type 2  - Source IPv6 Prefix             [this draft]
      Type 3  - Next Header                    [this draft]
      Type 4  - Port                           [this draft]
      Type 5  - Destination port               [this draft]
      Type 6  - Source port                    [this draft]
      Type 7  - ICMP type                      [this draft]
      Type 8  - ICMP code                      [this draft]
      Type 9  - TCP flags                      [this draft]
      Type 10 - Packet length                  [this draft]
      Type 11 - DSCP                           [this draft]
      Type 12 - Fragment                       [this draft]
      Type 13 - Flow Label                     [this draft]
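   The Traffic Marking (0x8009) action of Section 4 as a worked example,
   added here and not code from the draft: it builds the 8-octet
   extended community (2 type octets, then 42 zero bits and the 6 DSCP
   bits), validates it on receipt, and rewrites only the DSCP portion
   of a transiting packet's Traffic Class, leaving the two ECN bits and
   the Flow Label intact.  The IPv6 header builder and the sample
   header are constructed for this example; the "no next header" value
   59 and the 2001:db8::/32 addresses are documentation values.

```python
"""Traffic Marking (0x8009) extended community applied to an IPv6 header.
Added example, not code from the draft: 2 type octets (0x8009), then 42 zero
bits and the 6 DSCP bits; applying it rewrites only the DSCP portion of the
Traffic Class field.  The header builder and sample packet are constructed."""
import ipaddress

TRAFFIC_MARKING = 0x8009


def encode_traffic_marking(dscp):
    """Type 0x8009 followed by 42 zero bits and the 6-bit DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return TRAFFIC_MARKING.to_bytes(2, "big") + dscp.to_bytes(6, "big")

def decode_traffic_marking(ext):
    """DSCP carried by a Traffic Marking extended community (8 octets)."""
    if len(ext) != 8 or int.from_bytes(ext[:2], "big") != TRAFFIC_MARKING:
        raise ValueError("not a Traffic Marking extended community")
    value = int.from_bytes(ext[2:], "big")
    if value >> 6:
        raise ValueError("the 42 leading value bits must be zero")
    return value

def build_ipv6_header(tclass, flow_label, payload_len, next_header, hop_limit,
                      src, dst):
    """Constructed 40-octet IPv6 fixed header (no extension headers)."""
    first = (6 << 28) | ((tclass & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return (first.to_bytes(4, "big") + payload_len.to_bytes(2, "big")
            + bytes([next_header, hop_limit])
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def traffic_class(header):
    """8-bit Traffic Class: low nibble of octet 0, high nibble of octet 1."""
    return ((header[0] & 0x0F) << 4) | (header[1] >> 4)

def flow_label(header):
    """20-bit Flow Label straddling octets 1-3."""
    return ((header[1] & 0x0F) << 16) | (header[2] << 8) | header[3]

def apply_traffic_marking(header, ext):
    """Overwrite the first 6 bits (DSCP) of Traffic Class, keeping the two
    ECN bits, the Flow Label and everything else untouched."""
    if len(header) < 40 or header[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    tclass = (decode_traffic_marking(ext) << 2) | (traffic_class(header) & 0x03)
    out = bytearray(header)
    out[0] = (out[0] & 0xF0) | (tclass >> 4)
    out[1] = (out[1] & 0x0F) | ((tclass & 0x0F) << 4)
    return bytes(out)

# Constructed sample: DSCP 0 with both ECN bits set, Flow Label 0x12345,
# Next Header 59 (No Next Header), no payload.
SAMPLE_HEADER = build_ipv6_header(0x03, 0x12345, 0, 59, 64,
                                  "2001:db8::1", "2001:db8::2")
```

   For DSCP 46 the community is 80 09 00 00 00 00 00 2e; applied to the
   sample header (first word 60 31 23 45) it produces 6b b1 23 45, i.e.
   Traffic Class 0xBB (DSCP 46, ECN bits still 0b11) with the Flow
   Label and the rest of the header unchanged.  A community whose
   leading 42 value bits are not zero is rejected on receipt.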
7.  Acknowledgements

   The authors would like to thank Pedro Marques, Hannes Gredler, Bruno
   Rijsman, Brian Carpenter, and Thomas Mangin for their valuable input.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
              December 1998.

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474,
              DOI 10.17487/RFC2474, December 1998.

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006.

   [RFC5492]  Scudder, J. and R. Chandra, "Capabilities Advertisement
              with BGP-4", RFC 5492, DOI 10.17487/RFC5492, February
              2009.

   [RFC5575]  Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
              and D. McPherson, "Dissemination of Flow Specification
              Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009.

   [RFC5701]  Rekhter, Y., "IPv6 Address Specific BGP Extended Community
              Attribute", RFC 5701, DOI 10.17487/RFC5701, November 2009.

   [RFC6437]  Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme,
              "IPv6 Flow Label Specification", RFC 6437,
              DOI 10.17487/RFC6437, November 2011.

   [RFC7153]  Rosen, E. and Y. Rekhter, "IANA Registries for BGP
              Extended Communities", RFC 7153, DOI 10.17487/RFC7153,
              March 2014.

8.2.  Informative References

   [RFC5095]  Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
              of Type 0 Routing Headers in IPv6", RFC 5095,
              DOI 10.17487/RFC5095, December 2007.

Authors' Addresses

   Danny McPherson
   Verisign, Inc.
   Email: dmcpherson@verisign.com


   Robert Raszuk (editor)
   Bloomberg LP
   731 Lexington Ave
   New York City, NY 10022
   USA

   Email: robert@raszuk.net


   Burjiz Pithawala
   Individual

   Email: burjizp@gmail.com


   Andy Karch
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134
   USA

   Email: akarch@cisco.com


   Susan Hares (editor)
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Email: shares@ndzh.com