idnits 2.17.1 draft-ietf-idr-flowspec-l2vpn-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 8, 2019) is 1753 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-22) exists of draft-ietf-idr-flow-spec-v6-09 == Outdated reference: A later version (-27) exists of draft-ietf-idr-rfc5575bis-17 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 INTERNET-DRAFT W. Hao 2 Intended Status: Proposed Standard Huawei Technologies 3 D. Eastlake 4 Futurewei Technologies 5 J. Uttaro 6 AT&T 7 S. Litkowski 8 Orange Business Service 9 S. Zhuang 10 Huawei Technologies" 11 Expires: January 7, 2020 July 8, 2019 13 BGP Dissemination of L2VPN Flow Specification Rules 14 draft-ietf-idr-flowspec-l2vpn-11 16 Abstract 17 This document defines a BGP flow-spec extension to disseminate L2 VPN 18 Ethernet traffic filtering rules. SAFI=134 in draft-ietf-idr- 19 rfc5575bis is redefined for this purpose. A new subset of component 20 types and extended community also are defined. A new subset of 21 component types and new extended community also are defined. 23 Status of This Document 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Distribution of this document is unlimited. Comments should be sent 29 to the authors or the TRILL Working Group mailing list 30 . 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF), its areas, and its working groups. Note that 34 other groups may also distribute working documents as Internet- 35 Drafts. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 The list of current Internet-Drafts can be accessed at 43 http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft 44 Shadow Directories can be accessed at 45 http://www.ietf.org/shadow.html. 47 Table of Contents 49 1. Introduction............................................3 50 1.1 Terminology............................................4 52 2. Layer 2 Flow Specification encoding in BGP..............5 54 3. Ethernet Flow Specification encoding in BGP.............6 55 3.1 Order of Traffic Filtering Rules.......................8 57 4. Ethernet Flow Specification Traffic Actions.............9 58 4.1 VLAN-action............................................9 59 4.2 TPID-action...........................................11 61 5. IANA Considerations....................................12 62 6. Security Considerations................................13 64 7. Acknowledgements.......................................13 65 8. Contributors...........................................13 67 Normative References......................................14 68 Informative References....................................14 70 Authors' Addresses........................................15 72 1. Introduction 74 BGP Flow-spec is an extension to BGP that supports the dissemination 75 of traffic flow specification rules. It leverages the BGP Control 76 Plane to simplify the distribution of ACLs. Using this extension new 77 filter rules can be injected to all BGP peers simultaneously without 78 changing router configuration. The typical application of BGP Flow- 79 spec is to automate the distribution of traffic filter lists to 80 routers for DDOS mitigation, access control, etc. 82 [RFC5575bis] defines a new BGP Network Layer Reachability Information 83 (NLRI) format used to distribute traffic flow specification rules. 84 NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, 85 SAFI=134) is for BGP/MPLS VPN filtering. The Flow specification 86 match part only includes L3/L4 information like source/destination 87 prefix, protocol, ports, and etc., so traffic flows can only be 88 selectively filtered based on L3/L4 information. 90 Layer 2 Virtual Private Networks (L2VPNs) have already been deployed 91 in an increasing number of networks today. In an L2VPN network, we 92 also have requirements to deploy BGP Flow-spec to mitigate DDoS 93 attack traffic. Within an L2VPN network, both IP and non-IP Ethernet 94 traffic maybe exist. For IP traffic filtering, the Flow 95 specification rules defined in [RFC5575bis] which include match 96 criteria and actions can still be used, flow specification rules 97 received via new NLRI format apply only to traffic that belongs to 98 the VPN instance(s) in which it is imported. For non-IP Ethernet 99 traffic filtering, Layer 2 related information like 100 source/destination MAC and VLAN should be considered. But the flow 101 specification match criteria defined in [RFC5575bis] only include 102 layer 3 and layer 4 IP information, not layer 2 Ethernet information. 104 There are different kinds of L2VPN networks like EVPN [RFC7432], BGP 105 VPLS [RFC4761], LDP VPLS [RFC4762] and border gateway protocol (BGP) 106 auto discovery [RFC6074]. Because the flow-spec feature relies on 107 BGP protocol to distribute traffic filtering rules, it can only be 108 incrementally deployed in those L2VPN networks where BGP has already 109 been used for auto discovery and/or signaling purposes such as BGP- 110 based VPLS [RFC4761], EVPN and LDP-based VPLS [RFC4762] with BGP 111 auto-discovery [RFC6074]. 113 This draft proposes a new subset of flow-spec component types and an 114 extended community to support L2VPN flow-spec application. The flow- 115 spec rules can be enforced on all border routers or on some interface 116 sets of the border routers. SAFI=134 in [RFC5575bis] is redefined 117 for dissemination of traffic filtering information in an L2VPN 118 environment. 120 1.1 Terminology 122 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 123 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 124 "OPTIONAL" in this document are to be interpreted as described in BCP 125 14 [RFC2119] [RFC8174] when, and only when, they appear in all 126 capitals, as shown here. 128 2. Layer 2 Flow Specification encoding in BGP 130 [RFC5575bis] defines SAFI 133 and SAFI 134 for "dissemination of IPv4 131 flow specification rules" and "dissemination of VPNv4 flow 132 specification rules" respectively. [I-D.ietf-idr-flow-spec-v6] 133 redefines the [RFC5575bis] SAFIs in order to make them applicable to 134 both IPv4 and IPv6 applications. This document will further redefine 135 the SAFI 134 in order to make them applicable to L2VPN applications. 137 The following changes are defined: 139 "SAFI 134 for dissemination of L3VPN flow specification rules" to now 140 be defined as "SAFI 134 for dissemination of VPN flow specification 141 rules" 143 For SAFI 134 the indication to which address family it is referring 144 to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and 145 AFI=25 for L2VPN). Such modification is fully backwards compatible 146 with existing implementation and production deployments. 148 For SAFI 134 the indication to which address family it is referring 149 to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and 150 AFI=25 for L2VPN). Such modification is fully backwards compatible 151 with existing implementation and production deployments. 153 3. Ethernet Flow Specification encoding in BGP 155 The NLRI format for this address family consists of a fixed-length 156 Route Distinguisher field (8 bytes) followed by a flow specification, 157 following the encoding defined in this document. The NLRI length 158 field includes both the 8 bytes of the Route Distinguisher as well as 159 the subsequent flow specification. 161 Flow specification rules received via this NLRI apply only to traffic 162 that belongs to the VPN instance(s) into which it is imported. Flow 163 rules are accepted by default when received from remote PE routers. 165 Besides the component types defined in [RFC5575bis] and 166 [I-D.ietf-idr-flow-spec-v6], this document specifies the following 167 additional component types for L2 VPN Ethernet traffic filtering: 169 Type 14 - Ethernet Type 170 Encoding: 172 Defines a list of {operation, value} pairs used to match two-octet 173 field. Values are encoded as 2-byte quantities. Ethernet II 174 framing defines the two-octet Ethernet Type (EtherType) field in 175 an Ethernet frame, preceded by destination and source MAC 176 addresses, that identifies an upper layer protocol encapsulating 177 the frame data. 179 Type 15 - Source MAC 180 Encoding: 182 Defines the source MAC Address to match. 184 Type 16 - Destination MAC 185 Encoding: 187 Defines the destination MAC Address to match. 189 Type 17 - DSAP(Destination Service Access Point) in LLC 190 Encoding: 192 Defines a list of {operation, value} pairs used to match the 193 1-octet DSAP in the 802.2 LLC (Logical Link Control Header). 194 Values are encoded as 1-byte quantities. The operation field is 195 encoded as a 197 Type 18 - SSAP(Source Service Access Point) in LLC 198 Encoding: 200 Defines a list of {operation, value} pairs used to match the 201 1-octet SSAP in the 802.2 LLC. Values are encoded as 1-byte 202 quantities. 204 Type 19 - Control field in LLC 205 Encoding: 207 Defines a list of {operation, value} pairs used to match 1-octet 208 control field in the 802.2 LLC. Values are encoded as 1-byte 209 quantities. 211 Type 20 - SNAP 212 Encoding: 214 Defines a list of {operation, value} pairs used to match 5-octet 215 SNAP (Sub-Network Access Protocol) field. Values are encoded as 216 5-byte quantities. 218 Type 21 - VLAN ID 219 Encoding: 221 Defines a list of {operation, value} pairs used to match VLAN ID. 222 Values are encoded as 2-byte quantities, where the four most 223 significant bits are zero and the 12 least significant bits 224 contain the VLAN value. 226 In the virtual local-area network (VLAN) stacking case, the VLAN 227 ID is the outer VLAN ID. 229 Type 22 - VLAN COS 230 Encoding: 232 Defines a list of {operation, value} pairs used to match 3-bit 233 VLAN COS fields [802.1Q]. Values are encoded using a single byte, 234 where the five most significant bits are zero and the three least 235 significant bits contain the VLAN COS value. 237 In the virtual local-area network (VLAN) stacking case, the VLAN 238 COS is outer VLAN COS. 240 Type 23 - Inner VLAN ID 241 Encoding: 243 Defines a list of {operation, value} pairs used to match the inner 244 VLAN ID using for virtual local-area network (VLAN) stacking or Q 245 in Q use. Values are encoded as 2-byte quantities, where the four 246 most significant bits are zero and the 12 least significant bits 247 contain the VLAN value. 249 In single VLAN case, this component type MUST NOT be used. 251 Type 24 - Inner VLAN COS 252 Encoding: 253 Defines a list of {operation, value} pairs used to match 3-bit 254 inner VLAN COS fields [802.1Q] using for virtual local-area 255 network (VLAN) stacking or Q in Q use. Values are encoded using a 256 single byte, where the five most significant bits are zero and the 257 three least significant bits contain the VLAN COS value. 259 In single VLAN case, the component type MUST NOT be used. 261 3.1 Order of Traffic Filtering Rules 263 The original definition for the order of traffic filtering rules can 264 be reused with new consideration for the MAC Address offset. As long 265 as the offsets are equal, the comparison is the same, retaining 266 longest-prefix-match semantics. If the offsets are not equal, the 267 lowest offset has precedence, as this flow matches the most 268 significant bit. 270 Pseudocode: 271 flow_rule_L2_cmp (a, b) 272 { 273 comp1 = next_component(a); 274 comp2 = next_component(b); 275 while (comp1 || comp2) { 276 // component_type returns infinity on end-of-list 277 if (component_type(comp1) < component_type(comp2)) { 278 return A_HAS_PRECEDENCE; 279 } 280 if (component_type(comp1) > component_type(comp2)) { 281 return B_HAS_PRECEDENCE; 282 } 284 if (component_type(comp1) == MAC_DESTINATION || MAC_SOURCE) { 285 common = MIN(MAC Address length (comp1), 286 MAC Address length (comp2)); 287 cmp = MAC Address compare(comp1, comp2, common); 288 // not equal, lowest value has precedence 289 // equal, longest match has precedence 290 } else { 291 common = 292 MIN(component_length(comp1), component_length(comp2)); 293 cmp = memcmp(data(comp1), data(comp2), common); 294 // not equal, lowest value has precedence 295 // equal, longest string has precedence 296 } 297 } 298 return EQUAL; 299 } 301 4. Ethernet Flow Specification Traffic Actions 303 The default action for a layer 2 traffic filtering flow specification 304 is to accept traffic that matches that particular rule. The 305 following extended community values per [RFC5575bis] can be used to 306 specify particular actions in an L2 VPN network: 308 +--------+--------------------+--------------------------+ 309 | type | extended community | encoding | 310 +--------+--------------------+--------------------------+ 311 | 0x8006 | traffic-rate | 2-byte as#, 4-byte float | 312 | 0x8007 | traffic-action | bitmask | 313 | 0x8008 | redirect | 6-byte Route Target | 314 | 0x8009 | traffic-marking | DSCP value | 315 +--------+--------------------+--------------------------+ 317 Redirect: The action should be redefined to allow the traffic to be 318 redirected to a MAC or IP VRF routing instance that lists the 319 specified route-target in its import policy. 321 Besides the above extended communities, this document also specifies 322 the following BGP extended communities for Ethernet flows to extend 323 [RFC5575bis]: 325 +--------+------------------------+--------------------------+ 326 | type | extended community | encoding | 327 +--------+------------------------+--------------------------+ 328 | TBD1 | VLAN-action | bitmask | 329 | TBD2 | TPID-action | bitmask | 330 +--------+------------------------+--------------------------+ 332 4.1 VLAN-action 334 The VLAN-action extended community, as shown in the diagram below, 335 consists of 6 bytes that include t action Flags, two VLAN IDs, and 336 the associating COS value. The action Flags fields are further 337 divided into two parts which correspond to the first action and the 338 second action respectively. Bit 0 to bit 7 give the first action 339 while bit 8 to bit 15 give the second action. The bits of PO, PU, 340 SW, RI and RO in each part represent the action of Pop, Push, Swap, 341 Rewrite inner VLAN and Rewrite outer VLAN respectively. Through this 342 method, more complicated actions also can be represented in a single 343 VLAN-action extended community, such as SwapPop, PushSwap, etc. For 344 example, SwapPop action is the sequence of two actions, the first 345 action is Swap and the second action is Pop. 347 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 348 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 349 |PO1|PU1|SW1|RI1|RO1| Resv |PO2|PU2|SW2|RI2|RO2| Resv | 350 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 351 | VLAN ID1 |COS1 |R1 | 352 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 353 | VLAN ID2 |COS2 |R2 | 354 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 356 PO1: Pop action. If the PO1 flag is one, it indicates the outmost 357 VLAN should be removed. 359 PU1: Push action. If PU1 is one, it indicates VLAN ID1 will be 360 added, the associated COS is COS1. 362 SW1: Swap action. If the SW1 flag is one, it indicates the outer 363 VLAN and inner VLAN should be swapped. 365 PO2: Pop action. If the PO2 flag is one, it indicates the outmost 366 VLAN should be removed. 368 PU2: Push action. If PU2 is one, it indicates VLAN ID2 will be 369 added, the associated COS is COS2. 371 SW2: Swap action. If the SW2 flag is one, it indicates the outer 372 VLAN and inner VLAN should be swapped. 374 RI1 and RI2: Rewrite inner VLAN action. If the RI flag is one, it 375 indicates the inner VLAN should be replaced by a new VLAN where the 376 new VLAN is VLAN ID1 and the associated COS is COS1. If the VLAN ID1 377 is 0, the action is to only modify the COS value of inner VLAN. 379 RO1 and RO2: Rewrite outer VLAN action. If the RO flag is one, it 380 indicates the outer VLAN should be replaced by a new VLAN where the 381 new VLAN is VLAN ID and the associated COS is COS2. If the VLAN ID2 382 is 0, the action is to only modify the COS value of outer VLAN. 384 Resv, R1, and R2: Reserved for future use. MUST be sent as zero and 385 ignored on receipt. 387 Giving an example below: if the action of PUSH Inner VLAN 10 with COS 388 value 5 and Outer VLAN 20 with COS value 6 is needed, the format of 389 the VLAN-action extended community is as follows: 391 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 392 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 393 |0 |1 |0 |0 |0 |0 |0 |0 |0 |1 |0 |0 |0 |0 |0 |0 | 394 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 395 | 10 |1 |0 |1 |0 | 396 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 397 | 20 |1 |1 |0 |0 | 398 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 400 4.2 TPID-action 402 The TPID-action extended community consists of 6 bytes which includes 403 the fields of action Flags, TPID1 and TPID2. 405 0 15 406 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 407 |TI|TO| Resv | 408 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 409 | TP ID1 | 410 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 411 | TP ID2 | 412 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ 414 TI: Mapping inner TP ID action. If the TI flag is one, it indicates 415 the inner TP ID should be replaced by a new TP ID, the new TP ID is 416 TP ID1. 418 TO: Mapping outer TP ID action. If the TO flag is one, it indicates 419 the outer TP ID should be replaced by a new TP ID, the new TP ID is 420 TP ID2. 422 Resv: Reserved for future use. MUST be sent as zero and ignored on 423 receipt. 425 5. IANA Considerations 427 IANA is requested to change the description for SAFI 134 [RFC5575bis] 428 to read as follows more general description and to change the 429 reference for it to [this document]: 431 134 VPN dissemination of flow specification rules 433 IANA is requested to allocate 11 new values in the Flow-Spec 434 Component Type registry as follows: 436 +--------+-------------------------------+--------------------------+ 437 | type | RFC or Draft | discription | 438 +--------+-------------------------------+--------------------------+ 439 | 14 |This draft | Ethernet Type | 440 | 15 |This draft | Source MAC | 441 | 16 |This draft | Destination MAC | 442 | 17 |This draft | DSAP in LLC | 443 | 18 |This draft | SSAP in LLC | 444 | 19 |This draft | Control field in LLC | 445 | 20 |This draft | SNAP | 446 | 21 |This draft | VLAN ID | 447 | 22 |This draft | VLAN COS | 448 | 23 |This draft | Inner VLAN ID | 449 | 24 |This draft | Inner VLAN COS | 450 +--------+-------------------------------+--------------------------+ 452 IANA is requested to update the reference for the following 453 assignment in the "BGP Extended Communities Type - extended, 454 transitive" registry: 456 Type value Name Reference 457 ---------- --------------------------- --------------- 458 0x080A Flow spec VLAN action [this document] 459 0x080B Flow spec TPID action [this document] 461 6. Security Considerations 463 No new security issues are introduced to the BGP protocol by this 464 specification. 466 7. Acknowledgements 468 The authors wish to acknowledge the important contributions of Hannes 469 Gredler, Xiaohu Xu, Zhenbin Li, Lucy Yong, and Feng Dong. 471 8. Contributors 473 Qiandeng Liang 474 Huawei Technologies 475 101 Software Avenue, Yuhuatai District 476 Nanjing 210012 477 China 479 Email: liangqiandeng@huawei.com 481 Normative References 483 [I-D.ietf-idr-flow-spec-v6] McPherson, D., Raszuk, R., Pithawala, B., 484 akarch@cisco.com, a., and S. Hares, "Dissemination of Flow 485 Specification Rules for IPv6", draft-ietf-idr-flow-spec- 486 v6-09 (work in progress), November 2017. 488 [RFC5575bis] Hares, S., Loibl, C., Raszuk, R., McPherson, D., Bacher, 489 M., "Dissemination of Flow Specification Rules", draft- 490 ietf-idr-rfc5575bis-17, Work in progress, June 2019. 492 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 493 Requirement Levels", BCP 14, RFC 2119, DOI 494 10.17487/RFC2119, March 1997, . 497 [RFC4761] Kompella, K., Ed. and Y. Rekhter, Ed., "Virtual Private LAN 498 Service (VPLS) Using BGP for Auto-Discovery and Signaling", 499 RFC 4761, DOI 10.17487/RFC4761, January 2007, 500 . 502 [RFC4762] Lasserre, M., Ed. and V. Kompella, Ed., "Virtual Private 503 LAN Service (VPLS) Using Label Distribution Protocol (LDP) 504 Signaling", RFC 4762, DOI 10.17487/RFC4762, January 2007, 505 . 507 [RFC6074] Rosen, E., Davie, B., Radoaca, V., and W. Luo, 508 "Provisioning, Auto-Discovery, and Signaling in Layer 2 509 Virtual Private Networks (L2VPNs)", RFC 6074, DOI 510 10.17487/RFC6074, January 2011, . 513 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 514 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 515 2017, . 517 Informative References 519 [RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., 520 Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based 521 Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February 522 2015, . 524 Authors' Addresses 526 Weiguo Hao 527 Huawei Technologies 528 101 Software Avenue, 529 Nanjing 210012 530 China 532 Email: haoweiguo@huawei.com 534 Donald E. Eastlake, 3rd 535 Futurewei Technologies 536 1424 Pro Shop Court 537 Davenport, FL 33896 538 USA 540 Tel: +1-508-333-2270 541 Email: d3e3e3@gmail.com 543 James Uttaro 544 AT&T 546 Email: uttaro@att.com 548 Stephane Litkowski 549 Orange Business Service 551 Email: stephane.litkowski@orange.com 553 Shunwan Zhuang 554 Huawei Technologies 555 Huawei Bld., No.156 Beiqing Rd. 556 Beijing 100095 557 China 559 Email: zhuangshunwan@huawei.com 561 Copyright, Disclaimer, and Additional IPR Provisions 563 Copyright (c) 2019 IETF Trust and the persons identified as the 564 document authors. All rights reserved. 566 This document is subject to BCP 78 and the IETF Trust's Legal 567 Provisions Relating to IETF Documents 568 (http://trustee.ietf.org/license-info) in effect on the date of 569 publication of this document. Please review these documents 570 carefully, as they describe your rights and restrictions with respect 571 to this document. Code Components extracted from this document must 572 include Simplified BSD License text as described in Section 4.e of 573 the Trust Legal Provisions and are provided without warranty as 574 described in the Simplified BSD License.