idnits 2.17.1 draft-ietf-idr-route-filter-15.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 34. -- Found old boilerplate from RFC 3978, Section 5.5 on line 438. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 409. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 416. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 422. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 10 longer pages, the longest (page 2) being 60 lines == It seems as if not all pages are separated by form feeds - found 0 form feeds but 11 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The exact meaning of the all-uppercase expression 'MAY NOT' is not defined in RFC 2119. If it is intended as a requirements expression, it should be rewritten using one of the combinations defined in RFC 2119; otherwise it should not be all-uppercase. == The expression 'MAY NOT', while looking like RFC 2119 requirements text, is not defined in RFC 2119, and should not be used. Consider using 'MUST NOT' instead (if that is what you mean). Found 'MAY NOT' in this paragraph: The set of ORF entries that the speaker sends to the peer expresses the speaker's local preference, that the peer MAY or MAY NOT decide to honor. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'BGP-4' is defined on line 448, but no explicit reference was found in the text == Unused Reference: 'BGP-MP' is defined on line 451, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2858 (ref. 'BGP-MP') (Obsoleted by RFC 4760) ** Obsolete normative reference: RFC 3392 (ref. 'BGP-CAP') (Obsoleted by RFC 5492) Summary: 5 errors (**), 0 flaws (~~), 7 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group E. Chen 3 Internet Draft Cisco Systems 4 Expiration Date: January 2007 Y. Rekhter 5 Juniper Networks 7 Outbound Route Filtering Capability for BGP-4 9 draft-ietf-idr-route-filter-15.txt 11 Status of this Memo 13 Internet-Drafts are working documents of the Internet Engineering 14 Task Force (IETF), its areas, and its working groups. Note that 15 other groups may also distribute working documents as Internet- 16 Drafts. 18 Internet-Drafts are draft documents valid for a maximum of six months 19 and may be updated, replaced, or obsoleted by other documents at any 20 time. It is inappropriate to use Internet-Drafts as reference 21 material or to cite them other than as "work in progress". 23 The list of current Internet-Drafts can be accessed at 24 http://www.ietf.org/ietf/1id-abstracts.txt 26 The list of Internet-Draft Shadow Directories can be accessed at 27 http://www.ietf.org/shadow.html. 29 IPR Disclosure Acknowledgement 31 By submitting this Internet-Draft, each author represents that any 32 applicable patent or other IPR claims of which he or she is aware 33 have been or will be disclosed, and any of which he or she becomes 34 aware will be disclosed, in accordance with Section 6 of BCP 79. 36 Abstract 38 This document defines a BGP-based mechanism that allows a BGP speaker 39 to send to its BGP peer a set of route filters that the peer would 40 use to constrain/filter its outbound routing updates to the speaker. 42 1. Specification of Requirements 44 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 45 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 46 document are to be interpreted as described in RFC 2119 [RFC-2119]. 48 2. Introduction 50 Currently it is not uncommon for a BGP speaker to receive, and then 51 filter out some unwanted routes from its peers based on its local 52 routing policy. Since the generation and transmission of routing 53 updates by the sender, as well as the processing of routing updates 54 by the receiver consume resources, it may be beneficial if the 55 generation of such unwanted routing updates can be avoided in the 56 first place. 58 This document defines a BGP-based mechanism that allows a BGP speaker 59 to send to its BGP peer a set of Outbound Route Filters (ORFs). The 60 peer would then apply these filters, in addition to its locally 61 configured outbound filters (if any), to constrain/filter its 62 outbound routing updates to the speaker. 64 3. Outbound Route Filter (ORF) 66 Conceptually an ORF entry is a tuple of the form ; an ORF consists of one or more ORF entries 68 that have a common AFI/SAFI and ORF-Type. An ORF is identified by 69 . 71 The "AFI/SAFI" component provides a coarse granularity control by 72 limiting the ORF to only the routes whose NLRI matches the "AFI/SAFI" 73 component of the ORF. 75 The "ORF-Type" component determines the content of the ORF-value. 77 The "Action" component controls handling of the ORF Request by the 78 remote peer. Action can be one of ADD, REMOVE, REMOVE-ALL. ADD adds 79 an ORF entry to the ORF on the remote peer; REMOVE deletes a 80 previously installed ORF entry on the remote peer; REMOVE-ALL deletes 81 the previously installed entries in the specified ORF on the remote 82 peer. 84 The "Match" component is used if support matching granularity on a 85 per ORF entry basis is needed, in which case the "Match" component 86 can be one of PERMIT or DENY. The semantics of PERMIT is to ask the 87 peer to pass updates for the set of routes that match the ORF entry. 88 The semantics of DENY is to ask the peer not to pass updates for the 89 set of routes that match the ORF entry. 91 4. Carrying ORF Entries in BGP 93 ORF entries are carried in the BGP ROUTE-REFRESH message [BGP-RR]. 95 A BGP speaker can distinguish an incoming ROUTE-REFRESH message that 96 carries one or more ORF entries from an incoming plain ROUTE-REFRESH 97 message by using the Message Length field in the BGP message header. 99 A single ROUTE-REFRESH message MAY carry multiple ORF entries, as 100 long as all these entries share the same AFI/SAFI. 102 From the encoding point of view each ORF entry consists of a common 103 part and type-specific part as shown in Figure 1. 105 The common part consists of , and 106 is encoded as follows: 108 The AFI/SAFI component of an ORF entry is encoded in the AFI/SAFI 109 field of the ROUTE-REFRESH message. 111 Following the AFI/SAFI component is the one-octet When-to-refresh 112 field. The value of this field can be one of IMMEDIATE (0x01) or 113 DEFER (0x02). The semantics of IMMEDIATE and DEFER are discussed 114 in the "Operation" section of this document. 116 Following the When-to-refresh field is a collection of one or more 117 ORFs, grouped by ORF-Type. 119 The ORF-Type component is encoded as a one-octet field. 121 The Length of ORFs component is a two-octets field that contains 122 the length (in octets) of the ORF entries that follows. 124 +--------------------------------------------------+ 125 | Address Family Identifier (2 octets) | 126 +--------------------------------------------------+ 127 | Reserved (1 octet) | 128 +--------------------------------------------------+ 129 | Subsequent Address Family Identifier (1 octet) | 130 +--------------------------------------------------+ 131 | When-to-refresh (1 octet) | 132 +--------------------------------------------------+ 133 | ORF Type (1 octet) | 134 +--------------------------------------------------+ 135 | Length of ORFs (2 octets) | 136 +--------------------------------------------------+ 137 | First ORF entry (variable) | 138 +--------------------------------------------------+ 139 | Second ORF entry (variable) | 140 +--------------------------------------------------+ 141 | ... | 142 +--------------------------------------------------+ 143 | N-th ORF entry (variable) | 144 +--------------------------------------------------+ 145 | ORF Type (1 octet) | 146 +--------------------------------------------------+ 147 | Length of ORFs (2 octets) | 148 +--------------------------------------------------+ 149 | First ORF entry (variable) | 150 +--------------------------------------------------+ 151 | Second ORF entry (variable) | 152 +--------------------------------------------------+ 153 | ... | 154 +--------------------------------------------------+ 155 | N-th ORF entry (variable) | 156 +--------------------------------------------------+ 157 | ... | 158 +--------------------------------------------------+ 160 Figure 1: Carrying ORF Entries in the ROUTE-REFRESH Message 162 The rest of the components in the common part are encoded in the 163 first octet of each ORF-entry (from the most significant to the least 164 significant bit) as shown in Figure 2: 166 Action is a two-bit field. The value of this field is 0 for ADD, 1 167 for REMOVE, and 2 for REMOVE-ALL. 169 Match is a one-bit field. The value of this field is 0 for PERMIT 170 and 1 for DENY. This field is significant only when the value of 171 the Action field is either ADD or REMOVE. 173 Reserved is a 5-bit field. It is set to 0 on transmit and ignored 174 on receive. 176 +---------------------------------+ 177 | Action (2 bit) | 178 +---------------------------------+ 179 | Match (1 bit) | 180 +---------------------------------+ 181 | Reserved (5 bits) | 182 +---------------------------------+ 183 | Type specific part (variable) | 184 +---------------------------------+ 186 Figure 2: ORF Entry Encoding 188 When the Action component of an ORF entry specifies REMOVE-ALL, 189 the entry consists of only the common part. 191 5. Outbound Route Filtering Capability 193 A BGP speaker that is willing to receive ORF entries from its peer, 194 or a BGP speaker that would like to send ORF entries to its peer 195 advertises this to the peer by using the Outbound Route Filtering 196 Capability, as described below. 198 The Outbound Route Filtering Capability is a new BGP capability [BGP- 199 CAP] defined as follows: 201 Capability code: 3 203 Capability length: variable 205 Capability value: one or more of the entries as shown in Figure 3. 207 +--------------------------------------------------+ 208 | Address Family Identifier (2 octets) | 209 +--------------------------------------------------+ 210 | Reserved (1 octet) | 211 +--------------------------------------------------+ 212 | Subsequent Address Family Identifier (1 octet) | 213 +--------------------------------------------------+ 214 | Number of ORFs (1 octet) | 215 +--------------------------------------------------+ 216 | ORF Type (1 octet) | 217 +--------------------------------------------------+ 218 | Send/Receive (1 octet) | 219 +--------------------------------------------------+ 220 | ... | 221 +--------------------------------------------------+ 222 | ORF Type (1 octet) | 223 +--------------------------------------------------+ 224 | Send/Receive (1 octet) | 225 +--------------------------------------------------+ 227 Figure 3: Outbound Route Filtering Capability Encoding 229 The use and meaning of these fields are as follows: 231 Address Family Identifier (AFI): 233 This field carries the identity of the Network Layer protocol 234 associated with the Network Address that follows. Presently 235 defined values for this field are specified in RFC 1700 (see 236 the Address Family Numbers section). 238 Subsequent Address Family Identifier (SAFI): 240 This field provides additional information about the type of 241 the Network Layer Reachability Information carried in the 242 attribute. 244 Number of ORF Types: 246 This field contains the number of Filter Types to be listed in 247 the following fields. 249 ORF Type: 251 This field contains the value of an ORF Type. 253 Send/Receive: 255 This field indicates whether the sender is (a) willing to 256 receive ORF entries from its peer (value 1), (b) would like to 257 send ORF entries to its peer (value 2), or (c) both (value 3) 258 for the ORF Type that follows. 260 6. Operation 262 A BGP speaker that is willing to receive ORF entries from its peer, 263 or would like to send ORF entries to its peer SHOULD advertise the 264 Outbound Route Filtering Capability to the peer using BGP 265 Capabilities advertisement [BGP-CAP]. 267 A BGP speaker that implements the Outbound Route Filtering Capability 268 MUST support the BGP ROUTE-REFRESH message, as defined in [BGP-RR]. A 269 BGP speaker that advertises the Outbound Route Filtering Capability 270 to a peer using BGP Capabilities advertisement [BGP-CAP] does not 271 have to advertise the BGP Route Refresh capability to that peer. 273 Consider a BGP speaker that advertises the Outbound Route Filtering 274 Capability indicating its willingness to receive a particular set of 275 from its peer, and that receives the Outbound 276 Route Filtering Capability indicating the desire of the peer to send 277 a particular set to the speaker. If for a given 278 the intersection between these two sets are not-empty, 279 the speaker SHOULD NOT advertise to the peer any routes with that 280 prior to receiving from the peer any ROUTE-REFRESH 281 message carrying that , where the message could be either 282 without any ORF entries, or with one or more ORF entry and When-to- 283 refresh field set to IMMEDIATE. If, on the other hand, for a given 284 the intersection between these two sets is empty, the 285 speaker SHOULD follow normal BGP procedures. 287 A BGP speaker may send a ROUTE-REFRESH message with one or more ORF 288 entries to its peer only if the peer advertises to the speaker the 289 Outbound Route Filtering Capability indicating its willingness to 290 receive ORF entries from the speaker, and the speaker advertises to 291 the peer the Outbound Route Filtering Capability indicating its 292 desire to send ORF entries to the peer. The message may contain only 293 ORF entries of that the peer is willing to 294 receive, as advertised to the speaker in the Outbound Route Filtering 295 Capability. 297 When a BGP speaker receives a ROUTE-REFRESH message with one or more 298 ORF entries from its peer, then the speaker performs the following 299 actions. If the carried by the message does not 300 match that the speaker is willing to receive 301 from the peer (as advertised to the peer in the Outbound Route 302 Filtering Capability), the specified ORF is ignored. Otherwise, the 303 speaker modifies the specified ORF, as specified in the ORF entries 304 carried by the message. If any of the fields within an ORF entry 305 contain an unrecognized value, the whole specified ORF is removed. 307 If the Action component of an ORF entry is REMOVE, but the ORF does 308 not contain the specified entry, the entry is ignored. 310 ORF entries with either REMOVE or REMOVE-ALL can not remove locally 311 configured outbound route filters. 313 If the When-to-refresh indicates IMMEDIATE, then after processing all 314 the ORF entries carried in the message the speaker re-advertises to 315 the peer routes from the Adj-RIB-Out associated with the peer that 316 have the same AFI/SAFI as what is carried in the message, and taking 317 into account all the ORF entries for that AFI/SAFI received from the 318 peer. The speaker MUST re-advertise all the routes that have been 319 affected by the ORF entries carried in the message, but MAY also re- 320 advertise the routes that have not been affected by the ORF entries 321 carried in the message. 323 If the When-to-refresh indicates DEFER, then after processing all the 324 ORF entries carried in the message the speaker defers re- 325 advertisement to the peer routes from the Adj-RIB-Out associated with 326 the peer that have the same AFI/SAFI as what is carried in the 327 message, and taking into account all the ORF entries received from 328 the peer until the speaker receives a subsequent ROUTE-REFRESH 329 message for the same AFI/SAFI either without any ORF entries, or with 330 one or more ORF entries and When-to-refresh set to IMMEDIATE. 332 If the speaker receives from the peer a ROUTE-REFRESH message without 333 any ORF entries, then the speaker sends to the peer all routes from 334 the Adj-RIB-Out associated with the peer whose AFI/SAFI is the same 335 as what is carried in the message and taking into account the ORF 336 received from the peer. 338 The set of ORF entries that the speaker sends to the peer expresses 339 the speaker's local preference, that the peer MAY or MAY NOT decide 340 to honor. 342 During a single BGP session the speaker MAY pass multiple ORF entries 343 to the peer. 345 After a BGP speaker makes changes to the ORF entries previously sent 346 to a peer, the speaker SHOULD send to the peer the updated ORF 347 entries with either (a) When-to-refresh set to IMMEDIATE, or (b) 348 When-to-refresh set to DEFER followed by a ROUTE-REFRESH message. The 349 latter SHALL be used by the speaker when there are other policy 350 changes (in addition to the ORF entries) that require the peer to re- 351 advertise all the routes. 353 The lifetime of an ORF is the duration of the BGP session during 354 which the ORF is exchanged. 356 An ORF is removed when the last ORF entry is removed (either via 357 REMOVE-ALL, or via a sequence of REMOVE). 359 If a particular route maintained by a BGP speaker does not match any 360 of the ORF entries of any of the (non-empty) ORFs associated with a 361 particular peer, then this route SHOULD NOT be advertised to the 362 peer. 364 If a BGP speaker maintains multiple ORFs of different ORF-Types for a 365 particular peer, then the decision by the speaker to advertise a 366 route to the peer is determined by passing the route through each 367 such ORF, and and-ing the results (and-ing of PERMIT and DENY results 368 in DENY). 370 7. IANA Considerations 372 This document defines a new BGP Capability - Outbound Route Filtering 373 Capability. The Capability Code for the Outbound Route Filtering 374 Capability is 3. 376 As specified in this document, an ORF entry contains the ORF-Type 377 field for which IANA is to create and maintain a registry entitled 378 "BGP ORF Type". 380 IANA will maintain and register values for ORF-Type field as follows: 382 - ORF-Type value 0 is reserved. 384 - ORF-Type values 1 through 63 are to be assigne dby IANA using 385 either the Standards Action process defined in RFC 2434, or the 386 Early IANA Allocation process defined in RFC 4020. 388 - ORF-Type values 64 through 127 are to be assigned by IANA, using 389 the "First Come First Served" policy defined in RFC 2434. 391 - ORF-Type values 128 through 255 are vendor-specific, and values 392 in this range are not to be assigned by IANA. 394 8. Security Considerations 396 This extension to BGP does not change the underlying security issues. 398 9. Intellectual Property Considerations 400 This section is taken from Section 5 of RFC 3668. 402 The IETF takes no position regarding the validity or scope of any 403 Intellectual Property Rights or other rights that might be claimed to 404 pertain to the implementation or use of the technology described in 405 this document or the extent to which any license under such rights 406 might or might not be available; nor does it represent that it has 407 made any independent effort to identify any such rights. Information 408 on the procedures with respect to rights in RFC documents can be 409 found in BCP 78 and BCP 79. 411 Copies of IPR disclosures made to the IETF Secretariat and any 412 assurances of licenses to be made available, or the result of an 413 attempt made to obtain a general license or permission for the use of 414 such proprietary rights by implementers or users of this 415 specification can be obtained from the IETF on-line IPR repository at 416 http://www.ietf.org/ipr. 418 The IETF invites any interested party to bring to its attention any 419 copyrights, patents or patent applications, or other proprietary 420 rights that may cover technology that may be required to implement 421 this standard. Please address the information to the IETF at ietf- 422 ipr@ietf.org. 424 10. Copyright Notice 426 Copyright (C) The Internet Society (2006). 428 This document is subject to the rights, licenses and restrictions 429 contained in BCP 78, and except as set forth therein, the authors 430 retain all their rights. 432 This document and the information contained herein are provided on an 433 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 434 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 435 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 436 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 437 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 438 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 440 11. Acknowledgements 442 Some of the material in the document is adapted from a proposal for 443 selective updates by Yakov Rekhter, Kannan Varadhan, and Curtis 444 Villamizar. 446 12. Normative References 448 [BGP-4] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway Protocol 449 4 (BGP-4)", RFC 4271, January 2006. 451 [BGP-MP] Bates, T., Rekhter, Y., Chandra, R., and D. Katz, 452 "Multiprotocol Extensions for BGP-4", RFC 2858, June 2000. 454 [BGP-CAP] Chandra, R., Scudder, J., "Capabilities Advertisement with 455 BGP-4", RFC 3392, November 2002. 457 [BGP-RR] Chen, E., "Route Refresh Capability for BGP-4", RFC 2918, 458 September 2000. 460 [RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate 461 Requirement Levels", BCP 14, RFC 2119, March 1997. 463 13. Author Information 465 Enke Chen 466 Cisco Systems, Inc. 467 170 W. Tasman Dr. 468 San Jose, CA 95134 470 Email: enkechen@cisco.com 472 Yakov Rekhter 473 Juniper Networks 474 1194 N. Mathilda Ave 475 Sunnyvale, CA 94089 477 Email: yakov@juniper.net