idnits 2.17.1 draft-ietf-idr-flowspec-l2vpn-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 2 instances of too long lines in the document, the longest one being 3 characters in excess of 72. ** The abstract seems to contain references ([RFC5575]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 239: '..., the component type MUST not be used....' RFC 2119 keyword, line 251: '..., the component type MUST not be used....' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: In single VLAN case, the component type MUST not be used. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: In single VLAN case, the component type MUST not be used. -- The document date (November 16, 2015) is 3084 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: 'RFC5575' on line 424 -- Looks like a reference, but probably isn't: 'EVPN' on line 104 -- Looks like a reference, but probably isn't: 'RFC4761' on line 105 -- Looks like a reference, but probably isn't: 'RFC4762' on line 105 -- Looks like a reference, but probably isn't: 'RFC 6074' on line 106 == Missing Reference: '4761' is mentioned on line 110, but not defined == Missing Reference: '4762' is mentioned on line 110, but not defined == Missing Reference: '6074' is mentioned on line 111, but not defined == Unused Reference: '1' is defined on line 493, but no explicit reference was found in the text == Unused Reference: '2' is defined on line 496, but no explicit reference was found in the text == Unused Reference: '3' is defined on line 479, but no explicit reference was found in the text == Unused Reference: '4' is defined on line 483, but no explicit reference was found in the text == Unused Reference: '5' is defined on line 487, but no explicit reference was found in the text == Outdated reference: A later version (-11) exists of draft-ietf-l2vpn-evpn-07 -- Possible downref: Non-RFC (?) normative reference: ref. '2' Summary: 3 errors (**), 0 flaws (~~), 12 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 IDR W. Hao 2 Q. Liang 3 Internet Draft Huawei 4 Intended status: Standards Track Jim Uttaro 5 AT&T 6 S. Litkowski 7 Orange Business Service 8 S. Zhuang 9 Huawei 10 Expires: May 2016 November 16, 2015 12 Dissemination of Flow Specification Rules for L2 VPN 13 draft-ietf-idr-flowspec-l2vpn-03.txt 15 Abstract 17 This document defines BGP flow-spec extension for Ethernet traffic 18 filtering in L2 VPN network. SAFI=134 in [RFC5575] is redefined for 19 dissemination traffic filtering information in an L2VPN environment. 20 A new subset of component types and extended community also are 21 defined. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF), its areas, and its working groups. Note that 30 other groups may also distribute working documents as Internet- 31 Drafts. 33 Internet-Drafts are draft documents valid for a maximum of six 34 months and may be updated, replaced, or obsoleted by other documents 35 at any time. It is inappropriate to use Internet-Drafts as 36 reference material or to cite them other than as "work in progress." 38 The list of current Internet-Drafts can be accessed at 39 http://www.ietf.org/1id-abstracts.html 41 The list of Internet-Draft Shadow Directories can be accessed at 42 http://www.ietf.org/shadow.html. 44 Copyright Notice 46 Copyright (c) 2015 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (http://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with 54 respect to this document. Code Components extracted from this 55 document must include Simplified BSD License text as described in 56 Section 4.e of the Trust Legal Provisions and are provided without 57 warranty as described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction ................................................ 2 62 2. Layer 2 Flow Specification encoding in BGP................... 3 63 3. Ethernet Flow Specification encoding in BGP.................. 4 64 3.1. Order of Traffic Filtering Rules........................ 6 65 4. Ethernet Flow Specification Traffic Actions.................. 7 66 5. Security Considerations..................................... 10 67 6. IANA Considerations ........................................ 10 68 6.1. Normative References................................... 12 69 6.2. Informative References................................. 12 70 7. Acknowledgments ............................................ 12 72 1. Introduction 74 BGP Flow-spec is an extension to BGP that allows for the 75 dissemination of traffic flow specification rules. It leverages the 76 BGP Control Plane to simplify the distribution of ACLs, new filter 77 rules can be injected to all BGP peers simultaneously without 78 changing router configuration. The typical application of BGP Flow- 79 spec is to automate the distribution of traffic filter lists to 80 routers for DDOS mitigation, access control, etc. 82 RFC5575 defines a new BGP Network Layer Reachability Information 83 (NLRI) format used to distribute traffic flow specification rules. 84 NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, 85 SAFI=134)is for BGP/MPLS VPN filtering. The Flow specification match 86 part only includes L3/L4 information like source/destination prefix, 87 protocol, ports, and etc, so traffic flows can only be selectively 88 filtered based on L3/L4 information. 90 Layer 2 Virtual Private Networks L2VPNs have already been deployed 91 in an increasing number of networks today. In L2VPN network, we also 92 have requirement to deploy BGP Flow-spec to mitigate DDoS attack 93 traffic. Within L2VPN network, both IP and non-IP Ethernet traffic 94 maybe exist. For IP traffic filtering, the Flow specification rules 95 defined in [RFC5575] which include match criteria and actions can 96 still be used, flow specification rules received via new NLRI format 97 apply only to traffic that belongs to the VPN instance(s) in which 98 it is imported. For non-IP Ethernet traffic filtering, Layer 2 99 related information like source/destination MAC and VLAN should be 100 considered. But the flow specification match criteria defined in 101 RFC5575 only include layer 3 and layer 4 IP information, layer 2 102 Ethernet information haven't been included. 104 There are different kinds of L2VPN networks like EVPN [EVPN], BGP 105 VPLS [RFC4761], LDP VPLS [RFC4762] and border gateway protocol (BGP) 106 auto discovery [RFC 6074]. Because the flow-spec feature relies on 107 BGP protocol to distribute traffic filtering rules, so it can only 108 be incrementally deployed in those L2VPN networks where BGP has 109 already been used for auto discovery and/or signaling purposes such 110 as BGP-based VPLS [4761], EVPN and LDP-based VPLS [4762] with BGP 111 auto-discovery [6074]. 113 This draft proposes a new subset of component types and extended 114 community to support L2VPN flow-spec application. The flow-spec 115 rules can be enforced on all border routers or on some interface 116 sets of the border routers. SAFI=134 in [RFC5575] is redefined for 117 dissemination traffic filtering information in an L2VPN environment. 119 2. Layer 2 Flow Specification encoding in BGP 121 The [RFC5575] defines SAFI 133 and SAFI 134 for ''dissemination of 122 IPv4 flow specification rules'' and ''dissemination of VPNv4 flow 123 specification rules'' respectively. [draft-ietf-idr-flow-spec-v6-06] 124 redefines the [RFC5575] SAFIs in order to make them applicable to 125 both IPv4 and IPv6 applications. This document will further redefine 126 the SAFI 134 in order to make them applicable to L2VPN applications. 128 The following changes are defined: 130 ''SAFI 134 for dissemination of L3VPN flow specification rules'' to 131 now be defined as ''SAFI 134 for dissemination of VPN flow 132 specification rules'' 134 For SAFI 134 the indication to which address family it is referring 135 to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and 136 AFI=25 for L2VPN). Such modification is fully backwards compatible 137 with existing implementation and production deployments. 139 3. Ethernet Flow Specification encoding in BGP 141 The NLRI format for this address family consists of a fixed-length 142 Route Distinguisher field (8 bytes) followed by a flow specification, 143 following the encoding defined in this document. The NLRI length 144 field shall include both the 8 bytes of the Route Distinguisher as 145 well as the subsequent flow specification. 147 Flow specification rules received via this NLRI apply only to 148 traffic that belongs to the VPN instance(s) in which it is imported. 149 Flow rules are accepted by default, when received from remote PE 150 routers. 152 Besides the component types defined in [RFC5575] and [draft-ietf- 153 idr-flow-spec-v6-06], this document proposes the following 154 additional component types for L2VPN Ethernet traffic filtering: 156 Type 14 - Ethernet Type 158 Encoding: 160 Defines a list of {operation, value} pairs used to match two-octet 161 field. Values are encoded as 2-byte quantities. Ethernet II framing 162 defines the two-octet Ethernet Type field in an Ethernet frame, 163 preceded by destination and source MAC addresses, that identifies an 164 upper layer protocol encapsulating the frame data. 166 Type 15 - Source MAC 168 Encoding: 170 Defines the source MAC Address to match. 172 Type 16 - Destination MAC 174 Encoding: 176 Defines the destination MAC Address to match. 178 Type 17 - DSAP(Destination Service Access Point) in LLC 180 Encoding: 182 Defines a list of {operation, value} pairs used to match 1-octet 183 DSAP in the 802.2 LLC(Logical Link Control Header). Values are 184 encoded as 1-byte quantities. The operation field is encoded as 185 'Numeric operator' defined in [RFC5575]. 187 Type 18 - SSAP(Source Service Access Point) in LLC 189 Encoding: 191 Defines a list of {operation, value} pairs used to match 1-octet 192 SSAP in the 802.2 LLC. Values are encoded as 1-byte quantities. 194 Type 19 - Control field in LLC 196 Encoding: 198 Defines a list of {operation, value} pairs used to match 1-octet 199 control field in the 802.2 LLC. Values are encoded as 1-byte 200 quantities. 202 Type 20 - SNAP 204 Encoding: 206 Defines a list of {operation, value} pairs used to match 5-octet 207 SNAP(Sub-Network Access Protocol) field. Values are encoded as 5- 208 byte quantities. 210 Type 21 - VLAN ID 212 Encoding: 214 Defines a list of {operation, value} pairs used to match VLAN ID. 215 Values are encoded as 1- or 2-byte quantities. 217 In virtual local-area network (VLAN) stacking case, the VLAN ID is 218 outer VLAN ID. 220 Type 22 - VLAN COS 222 Encoding: 224 Defines a list of {operation, value} pairs used to match 3-bit VLAN 225 COS fields [802.1p]. Values are encoded using a single byte, where 226 the five most significant bits are zero and the three least 227 significant bits contain the VLAN COS value. 229 In virtual local-area network (VLAN) stacking case, the VLAN COS is 230 outer VLAN COS. 232 Type 23 - Inner VLAN ID 233 Encoding: 235 Defines a list of {operation, value} pairs used to match inner VLAN 236 ID using for virtual local-area network (VLAN) stacking or Q in Q 237 case. Values are encoded as 1- or 2-byte quantities. 239 In single VLAN case, the component type MUST not be used. 241 Type 24 - Inner VLAN COS 243 Encoding: 245 Defines a list of {operation, value} pairs used to match 3-bit inner 246 VLAN COS fields [802.1p] using for virtual local-area network (VLAN) 247 stacking or Q in Q case. Values are encoded using a single byte, 248 where the five most significant bits are zero and the three least 249 significant bits contain the VLAN COS value. 251 In single VLAN case, the component type MUST not be used. 253 3.1. Order of Traffic Filtering Rules 255 The original definition for the order of traffic filtering rules can 256 be reused with new consideration for the MAC Address offset. As long 257 as the offsets are equal, the comparison is the same, retaining 258 longest-prefix-match semantics. If the offsets are not equal, the 259 lowest offset has precedence, as this flow matches the most 260 significant bit. 262 Pseudocode: 263 flow_rule_L2_cmp (a, b) 264 { 265 comp1 = next_component(a); 266 comp2 = next_component(b); 267 while (comp1 || comp2) { 268 // component_type returns infinity on end-of-list 269 if (component_type(comp1) < component_type(comp2)) { 270 return A_HAS_PRECEDENCE; 271 } 272 if (component_type(comp1) > component_type(comp2)) { 273 return B_HAS_PRECEDENCE; 274 } 276 if (component_type(comp1) == MAC_DESTINATION || MAC_SOURCE) { 277 common = MIN(MAC Address length (comp1), 278 MAC Address length (comp2)); 279 cmp = MAC Address compare(comp1, comp2, common); 280 // not equal, lowest value has precedence 281 // equal, longest match has precedence 282 } else { 283 common = 284 MIN(component_length(comp1), component_length(comp2)); 285 cmp = memcmp(data(comp1), data(comp2), common); 286 // not equal, lowest value has precedence 287 // equal, longest string has precedence 288 } 289 } 290 return EQUAL; 291 } 293 4. Ethernet Flow Specification Traffic Actions 295 The default action for a layer 2 traffic filtering flow 296 specification is to accept traffic that matches that particular rule. 297 The following extended community values per RFC5575 can be used to 298 specify particular actions in L2VPN network: 300 +--------+--------------------+--------------------------+ 301 | type | extended community | encoding | 302 +--------+--------------------+--------------------------+ 303 | 0x8006 | traffic-rate | 2-byte as#, 4-byte float | 304 | 0x8007 | traffic-action | bitmask | 305 | 0x8008 | redirect | 6-byte Route Target | 306 | 0x8009 | traffic-marking | DSCP value | 307 +--------+--------------------+--------------------------+ 308 Redirect: The action should be redefined to allow the traffic to be 309 redirected to a MAC or IP VRF routing instance that lists the 310 specified route-target in its import policy. 312 Besides the above extended communities, this document also proposes 313 the following BGP extended communities specifications for Ethernet 314 flow to extend [RFC5575]: 316 +--------+------------------------+--------------------------+ 317 | type | extended community | encoding | 318 +--------+------------------------+--------------------------+ 319 | TBD1 | VLAN-action | bitmask | 320 | TBD2 | TPID-action | bitmask | 321 +--------+------------------------+--------------------------+ 323 VLAN-action: The VLAN-action extended community consists of 6 bytes 324 which include the fields of action Flags, two VLAN IDs and the 325 associating COS value. The action Flags fields are further divided 326 into two parts which corresponds to the first action and the second 327 action respectively, bit 0 to bit 7 belong to the first action part 328 while bit 8 to bit 15 belong to the second part. The bits of PO, PU, 329 SW, RI and RO in each part represent Pop, Push, Swap, Rewrite inner 330 VLAN and Rewrite outer VLAN respectively. Through this method, more 331 complicated actions also can be represented in a single VLAN-action 332 extend community, such as SwapPop, PushSwap, etc. For example, 333 SwapPop action is the concatenation of two actions, the first action 334 is Swap and the second action is Pop. 336 0 7 15 337 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 338 |PO1|PU1|SW1|RI1|RO1|...|PO2|PU2|SW2|RI2|RO2|...| 339 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 340 | VLAN ID1 |COS1 |R1| 341 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 342 | VLAN ID2 |COS2 |R2| 343 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 345 PO1: Pop action. If the PO1 flag is one it indicates the outmost 346 VLAN should be removed. 348 PU1: Push action. If PU1 is one it indicates VLAN ID1 will be added, 349 the associated COS is COS1. 351 SW1: Swap action. If the SW1 flag is one it indicates the outer VLAN 352 and inner VLAN should be swapped. 354 PO2: Pop action. If the PO2 flag is one it indicates the outmost 355 VLAN should be removed. 357 PU2: Push action. If PU2 is one it indicates VLAN ID2 will be added, 358 the associated COS is COS2. 360 SW2: Swap action. If the SW2 flag is one it indicates the outer VLAN 361 and inner VLAN should be swapped. 363 RI1 and RI2: Rewrite inner VLAN action. If the RI flag is one it 364 indicates the inner VLAN should be replaced by a new VLAN, the new 365 VLAN is VLAN ID1, the associated COS is COS1. If the VLAN ID1 is 0, 366 the action is to only modify the COS value of inner VLAN. 368 RO1 and RO2: Rewrite outer VLAN action. If the RO flag is one it 369 indicates the outer VLAN should be replaced by a new VLAN, the new 370 VLAN is VLAN ID2, the associated COS is COS2. If the VLAN ID2 is 0, 371 the action is to only modify the COS value of outer VLAN. 373 R1 and R2: Reserved for future use. 375 Giving an example, if the action of PUSH Inner VLAN 10 with COS 376 value 5 and Outer VLAN 20 with COS value 6 is needed, the format of 377 the VLAN-action extended community is as follows: 379 0 7 15 380 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 381 |0 |1 |0 |0 |0 |0 |0 |0 |0 |1 |0 |0 |0 |0 |0 |0 | 382 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 383 | 10 |1 |0 |1 |0 | 384 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 385 | 20 |1 |1 |0 |0 | 386 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 388 TPID-action: The TPID-action extended community consists of 6 bytes 389 which includes the fields of action Flags, TPID1 and TPID2. 391 0 15 392 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 393 |TI|TO| Resv | 394 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 395 | TP ID1 | 396 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 397 | TP ID2 | 398 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 400 TI: Mapping inner TP ID action. If the TI flag is one it indicates 401 the inner TP ID should be replaced by a new TP ID, the new TP ID is 402 TP ID1. 404 TO: Mapping outer TP ID action. If the TO flag is one it indicates 405 the outer TP ID should be replaced by a new TP ID, the new TP ID is 406 TP ID2. 408 Resv: Reserved for future use. 410 5. Security Considerations 412 No new security issues are introduced to the BGP protocol by this 413 specification. 415 6. IANA Considerations 417 IANA is requested to rename currently defined SAFI 134 per [RFC5575] 418 to read: 420 134 VPN dissemination of flow specification rules 422 IANA is requested to create and maintain a new registry for "Flow 423 spec L2VPN Component Types". For completeness, the types defined in 424 [RFC5575] and [draft-ietf-idr-flow-spec-v6-06] also are listed here. 426 +--------+-------------------------------+--------------------------+ 427 | type | RFC or Draft | discription | 428 +--------+-------------------------------+--------------------------+ 429 | 1 |RFC5575 | Destination Prefix | 430 | 1 |draft-ietf-idr-flow-spec-v6-06 | Destination IPv6 Prefix | 431 | 2 |RFC5575 | Source Prefix | 432 | 2 |draft-ietf-idr-flow-spec-v6-06 | Source IPv6 Prefix | 433 | 3 |RFC5575 | IP Protocol | 434 | 3 |draft-ietf-idr-flow-spec-v6-06 | Next Header | 435 | 4 |RFC5575 | Port | 436 | 5 |RFC5575 | Destination port | 437 | 6 |RFC5575 | Source port | 438 | 7 |RFC5575 | ICMP type | 439 | 8 |RFC5575 | ICMP code | 440 | 9 |RFC5575 | TCP flags | 441 | 10 |RFC5575 | Packet length | 442 | 11 |RFC5575 | DSCP | 443 | 12 |RFC5575 | Fragment | 444 | 13 |draft-ietf-idr-flow-spec-v6-06 | Flow Label | 445 | 14 |This draft | Ethernet Type | 446 | 15 |This draft | Source MAC | 447 | 16 |This draft | Destination MAC | 448 | 17 |This draft | DSAP in LLC | 449 | 18 |This draft | SSAP in LLC | 450 | 19 |This draft | Control field in LLC | 451 | 20 |This draft | SNAP | 452 | 21 |This draft | VLAN ID | 453 | 22 |This draft | VLAN COS | 454 | 23 |This draft | Inner VLAN ID | 455 | 24 |This draft | Inner VLAN COS | 456 +--------+-------------------------------+--------------------------+ 457 IANA is requested to update the reference for the following 458 assignment in the "BGP Extended Communities Type - extended, 459 transitive" registry: 461 Type value Name Reference 463 ---------- ---------------------------------------- --------- 465 0x080A Flow spec VLAN action [this document] 467 0x080B Flow spec TPID action [this document] 469 6.1. Normative References 471 [1] [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 473 Requirement Levels", BCP 14, RFC 2119, March 1997. 475 [2] [RFC5575] P. Marques, N. Sheth, R. Raszuk, B. Greene, J.Mauch, 476 D. McPherson, "Dissemination of Flow Specification Rules", RFC 477 5575, August 2009. 479 [3] [RFC4761] K. Kompella, Ed., Y. Rekhter, Ed., "Virtual Private 480 LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling", 481 RFC4761, January 2007. 483 [4] [RFC4762] M. Lasserre, Ed., V. Kompella, Ed., "Virtual Private 484 LAN Service (VPLS) Using Label Distribution Protocol (LDP) 485 Signaling", RFC4762, January 2007. 487 [5] [RFC6074] E. Rosen, B. Davie, V. Radoaca, "Provisioning, Auto- 488 Discovery, and Signaling in Layer 2 Virtual Private Networks 489 (L2VPNs)", RFC6074, January 2011. 491 6.2. Informative References 493 [1] [EVPN] Sajassi et al., "BGP MPLS Based Ethernet VPN", draft- 494 ietf-l2vpn-evpn-07.txt, work in progress, May, 2014. 496 [2] [IEEE 802.1p] Javin, et.al. "IEEE 802.1p: LAN Layer 2 QoS/CoS 497 Protocol for Traffic Prioritization", 2012-02-15 499 7. Acknowledgments 501 The authors wish to acknowledge the important contributions of 502 Hannes Gredler, Xiaohu Xu, Zhenbin Li and Lucy Yong. 504 Authors' Addresses 506 Weiguo Hao 507 Huawei Technologies 508 101 Software Avenue, 509 Nanjing 210012 510 China 511 Email: haoweiguo@huawei.com 513 Qiandeng Liang 514 Huawei Technologies 515 101 Software Avenue, 516 Nanjing 210012 517 China 518 Email: liangqiandeng@huawei.com 520 James Uttaro 521 AT&T 522 Email: uttaro@att.com 524 Stephane Litkowski 525 Orange 526 Email: stephane.litkowski@orange.com 528 Shunwan Zhuang 529 Huawei Technologies 530 Huawei Bld., No.156 Beiqing Rd. 531 Beijing 100095 532 China 533 Email: zhuangshunwan@huawei.com