idnits 2.17.1 draft-lemon-vxlan-gpe-gbp-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 25, 2017) is 2375 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-13) exists of draft-ietf-nvo3-vxlan-gpe-04 == Outdated reference: A later version (-05) exists of draft-smith-vxlan-group-policy-04 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force J. Lemon, Ed. 3 Internet-Draft Broadcom 4 Intended status: Informational F. Maino 5 Expires: April 28, 2018 M. Smith 6 Cisco 7 October 25, 2017 9 Group Policy Encoding with VXLAN-GPE 10 draft-lemon-vxlan-gpe-gbp-00 12 Abstract 14 This document defines a header companion for the Generic Protocol 15 Extension for Virtual eXtensible Local Area Network (VXLAN-GPE) that 16 is used to carry a Group Policy Identifier for the purposes of policy 17 enforcement. 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at https://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on April 28, 2018. 36 Copyright Notice 38 Copyright (c) 2017 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (https://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 54 1.1. Conventions . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.2. Abbreviations used in this document . . . . . . . . . . . 2 56 2. Group Based Policy Sub-header . . . . . . . . . . . . . . . . 2 57 2.1. Header Format . . . . . . . . . . . . . . . . . . . . . . 2 58 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 59 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 60 5. Normative References . . . . . . . . . . . . . . . . . . . . 4 61 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 63 1. Introduction 65 This document defines the group-based policy (GBP) sub-header for 66 VXLAN-GPE [I-D.ietf-nvo3-vxlan-gpe]. The GBP sub-header carries a 67 16-bit group policy ID that is semantically equivalent to the 16-bit 68 group policy ID defined in [I-D.smith-vxlan-group-policy]. 70 1.1. Conventions 72 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 73 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 74 document are to be interpreted as described in RFC 2119 [RFC2119]. 76 1.2. Abbreviations used in this document 78 GBP: Group-Based Policy 80 VXLAN-GPE: Virtual eXtensible Local Area Network, Generic Protocol 81 Extension [I-D.ietf-nvo3-vxlan-gpe] 83 2. Group Based Policy Sub-header 85 The Group-Based Policy (GBP) Sub-header follows the VXLAN-GPE header, 86 or another VXLAN-GPE subheader. 88 2.1. Header Format 90 The format of the GBP sub-header is as shown below: 92 0 1 2 3 93 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 94 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 95 | Group Policy ID | Res |E|A|D|Ver| Next Protocol | 96 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 98 o Group Policy ID: 16 bit identifier that indicates the Group Policy 99 ID being encapsulated by this GBP sub-header. The allocation of 100 Group Policy ID values is outside the scope of this document. 102 o Reserved (Res): the 3 bit field MUST be set to zero on 103 transmission and ignored on receipt. 105 o End Destination bit (E bit): The E bit is set to 0 to represent 106 the Group Policy ID associated with the sender of the packet. The 107 E bit is set to 1 to represent the Group Policy ID associated with 108 the end destination of the packet. Note that if the packet 109 carryies a destination group sub-header, it MUST also carry a 110 source group sub-header. 112 o Policy Applied bit (A bit): The A bit is set to 0 to indicate that 113 the group policy has not (yet) been applied to this packet. Group 114 policies MUST be applied by devices when the A bit is set to 0 and 115 the destination Group has been determined. Devices that apply the 116 group policy MUST set the A bit to 1 after the policy has been 117 applied. The A bit is set to 1 to indicate that the group policy 118 has already been applied to this packet. Policies that redirect 119 the packet MUST NOT be applied by devices when the A bit is set. 120 Policies that cause the packet to be dropped MAY be applied. 122 o Don't Learn bit (D bit): The D bit is set to 0 to indicate that 123 the egress VTEP MUST NOT learn the source address of the 124 encapsulated frame. 126 o Version (Ver): indicates the Version of the Group Policy VXLAN-GPE 127 sub-header. The initial version is 0. 129 o Next Protocol: This 8 bit field indicates the protocol header 130 immediately following this VXLAN GPE sub-header. Next Protocol 131 types are encoded as specified in [I-D.ietf-nvo3-vxlan-gpe]. 133 An example frame format is as shown below: 135 0 1 2 3 136 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 137 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 138 | Outer Ethernet Header | 139 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 140 | Outer IP Header | 141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 142 | Outer UDP Header | 143 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 144 |R|R|Ver|I|P|R|O| Reserved | NP = GBP | | 145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ GPE 146 | Virtual Network Identifier (VNI) | Reserved | | 147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 148 | Group Policy ID | Res |E|A|D|Ver| Next Protocol | GBP 149 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 150 | | 151 : Next Protocol : 152 | | 153 +---------------------------------------------------------------+ 155 3. IANA Considerations 157 IANA is requested to add a new value to registry of "Next Protocol", 158 which is defined in [I-D.ietf-nvo3-vxlan-gpe]. The new value of 6 159 will signify a GBP sub-header as the next protocol. 161 4. Security Considerations 163 The same security considerations applied to [I-D.ietf-nvo3-vxlan-gpe] 164 and to [I-D.smith-vxlan-group-policy] apply to this document. 166 Additionally, the security policy value carried in the GBP header 167 impacts security directly. There is a risk that this identifier 168 could be altered. Accordingly, the network should be designed such 169 that this header can be inserted only by trusted entities, and can 170 not be altered before reaching the destination. This can be 171 mitigated through physical security of the network and/or by 172 encryption or validation of the entire packet, including the GBP. 174 5. Normative References 176 [I-D.ietf-nvo3-vxlan-gpe] 177 Maino, F., Kreeger, L., and U. Elzur, "Generic Protocol 178 Extension for VXLAN", draft-ietf-nvo3-vxlan-gpe-04 (work 179 in progress), April 2017. 181 [I-D.smith-vxlan-group-policy] 182 Smith, M. and L. Kreeger, "VXLAN Group Policy Option", 183 draft-smith-vxlan-group-policy-04 (work in progress), 184 October 2017. 186 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 187 Requirement Levels", BCP 14, RFC 2119, 188 DOI 10.17487/RFC2119, March 1997, 189 . 191 Authors' Addresses 193 John Lemon (editor) 194 Broadcom Limited 195 3151 Zanker Road 196 San Jose, CA 95134 197 USA 199 Email: john.lemon@broadcom.com 201 Fabio Maino 202 Cisco Systems 204 Email: fmaino@cisco.com 206 Michael Smith 207 Cisco Systems 209 Email: michsmit@cisco.com