Internet Engineering Task Force                              J. Lemon, Ed.
Internet-Draft                                                    Broadcom
Intended status: Informational                                    F. Maino
Expires: September 12, 2019                                       M. Smith
                                                                     Cisco
                                                                  A. Isaac
                                                                   Juniper
                                                            March 11, 2019


            Group Policy Encoding with VXLAN-GPE and LISP-GPE
                   draft-lemon-vxlan-lisp-gpe-gbp-01

Abstract

   This document defines header companions for the Generic Protocol
   Extension for Virtual eXtensible Local Area Network (VXLAN-GPE) and
   for the Locator/ID Separation Protocol (LISP) Generic Protocol
   Extension (LISP-GPE) that are used to carry a Group Policy Identifier
   for the purposes of policy enforcement.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions
     1.2.  Abbreviations used in this document
   2.  Treatment By Intermediate Nodes
   3.  Group Based Policy Sub-header
     3.1.  Common GBP Sub-Header Format
   4.  Use Of Multiple GBP Sub-options
   5.  IANA Considerations
   6.  Security Considerations
   7.  Normative References
   Authors' Addresses

1.  Introduction

   This document defines the group-based policy (GBP) sub-header for
   VXLAN-GPE [I-D.ietf-nvo3-vxlan-gpe] and the GBP sub-header for
   LISP-GPE [I-D.ietf-lisp-gpe].  The GBP sub-header carries a 16-bit
   group policy ID that is semantically equivalent to the 16-bit group
   policy ID defined in [I-D.smith-vxlan-group-policy].

   Group-based policy provides a more scalable alternative to access
   control lists (ACLs) by separating source marking from destination
   enforcement.  Each entry node then needs only the information
   required to mark its own sources, rather than the cross product of
   every possible source and every possible destination.  Source
   marking can also be based on many different criteria, not just the
   source address.  Finally, the entry node need not know where the
   packet will end up: whichever destination receives it can enforce
   the policy specific to the destination service.

1.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.2.  Abbreviations used in this document
   GBP:  Group-Based Policy

   LISP-GPE:  Locator/ID Separation Protocol Generic Protocol Extension
      [I-D.ietf-lisp-gpe]

   VXLAN-GPE:  Virtual eXtensible Local Area Network, Generic Protocol
      Extension [I-D.ietf-nvo3-vxlan-gpe]

2.  Treatment By Intermediate Nodes

   Any receiving device may use the group policy information contained
   in the Group-Based Policy (GBP) sub-header.  If an intermediate
   device applies policy based upon the GBP sub-header, then it MUST set
   the Policy Applied bit, described below.

   If an intermediate device terminates the VXLAN-GPE or LISP-GPE tunnel
   and reencapsulates the data in a new tunnel with the ability to
   convey the group policy information, it SHOULD propagate the group
   policy information and the Policy Applied bit into the new tunnel,
   unless there is an explicit policy not to do so.

3.  Group Based Policy Sub-header

   In the case of VXLAN-GPE, the Group-Based Policy (GBP) sub-header
   follows the VXLAN-GPE header, or a previous VXLAN-GPE sub-header.
   Similarly, in the case of LISP-GPE, the Group-Based Policy (GBP)
   sub-header follows the LISP-GPE header, or a previous LISP-GPE
   sub-header.

3.1.  Common GBP Sub-Header Format

   The format of the GBP sub-header in either a VXLAN-GPE header or a
   LISP-GPE header is as shown below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Group Policy ID        |A|D|E| Res |Ver| Next Protocol |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   o  Group Policy ID: 16-bit identifier that indicates the Group Policy
      ID being encapsulated by this GBP sub-header.  The allocation of
      Group Policy ID values is outside the scope of this document.

   o  Policy Applied bit (A bit): The A bit is set to 0 to indicate that
      the group policy has not (yet) been applied to this packet.  Group
      policies MUST be applied by devices when the A bit is set to 0 and
      the destination Group has been determined.  Devices that apply the
      group policy MUST set the A bit to 1 after the policy has been
      applied.  The A bit is set to 1 to indicate that the group policy
      has already been applied to this packet.  Policies that redirect
      the packet MUST NOT be applied by devices when the A bit is set.
      Policies that cause the packet to be dropped MAY be applied.

   o  Don't Learn bit (D bit): The D bit is set to 1 to indicate that
      the egress VTEP or the Egress Tunnel Router MUST NOT learn the
      source address of the encapsulated frame.

   o  End Destination bit (E bit): The E bit is set to 0 to represent
      the Group Policy ID associated with the source of the packet.  The
      E bit is set to 1 to represent the Group Policy ID associated with
      the end destination of the packet.  Note that if the packet
      carries a destination group sub-header, it MUST also carry a
      source group sub-header.

   o  Reserved (Res): The 3-bit field MUST be set to zero on
      transmission and ignored on receipt.

   o  Version (Ver): The 2-bit field indicates the Version of the Group
      Policy sub-header.  The initial version is 0.

   o  Next Protocol: The 8-bit field indicates the protocol header
      immediately following this sub-header.  Next Protocol types are
      encoded as specified in [I-D.ietf-nvo3-vxlan-gpe] and
      [I-D.ietf-lisp-gpe].
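   The sub-header layout and the A bit rules above, worked through in
   code.  This is an added example and not code from the draft or its
   authors: it decodes a VXLAN-GPE header followed by a chain of GBP
   sub-headers, checks the chain rules (a destination group sub-header
   requires a source group sub-header; at most one of each), and applies
   a policy lookup while honouring the Policy Applied bit, so that a
   redirect is not re-applied once A is set but a drop still may be.
   Assumptions not in the draft: Next Protocol value 6 is the value
   Section 5 requests from IANA, the Ethernet payload code point 3 is
   taken from the VXLAN-GPE Next Protocol registry, the policy table and
   frame bytes are constructed for the example, unknown sub-header
   versions are rejected, and the A bit is set on every GBP sub-header
   in the chain when policy is applied (the draft does not say which
   sub-header's A bit is meant).

```python
"""Added example (not from the draft): VXLAN-GPE + GBP sub-header chain
decoding and Policy Applied (A) bit enforcement per Sections 2 and 3.1."""
import struct

NP_GBP = 6        # Next Protocol value this draft requests from IANA (Section 5)
NP_ETHERNET = 3   # assumed: Ethernet code point from the VXLAN-GPE NP registry


def decode_gbp(buf, off):
    """Decode one 4-byte GBP sub-header at offset `off` (Section 3.1 layout:
    16-bit Group Policy ID, A|D|E|Res(3)|Ver(2), 8-bit Next Protocol)."""
    gpid, flags, nxt = struct.unpack_from("!HBB", buf, off)
    return {
        "gpid": gpid,
        "A": (flags >> 7) & 1,
        "D": (flags >> 6) & 1,
        "E": (flags >> 5) & 1,
        "ver": flags & 0x3,   # Res bits (4..2) are ignored on receipt
        "next": nxt,
    }


def encode_gbp(h):
    """Serialise a sub-header dict; Res is always sent as zero."""
    flags = (h["A"] << 7) | (h["D"] << 6) | (h["E"] << 5) | (h["ver"] & 0x3)
    return struct.pack("!HBB", h["gpid"], flags, h["next"])


def validate_chain(subs):
    """Section 3.1: a destination sub-header (E=1) requires a source one
    (E=0); Section 4: at most one sub-header of each type per packet."""
    types = [h["E"] for h in subs]
    if types.count(0) > 1 or types.count(1) > 1:
        raise ValueError("more than one GBP sub-header of the same type")
    if 1 in types and 0 not in types:
        raise ValueError("destination group carried without source group")


def parse_vxlan_gpe(frame):
    """Walk the 8-byte VXLAN-GPE header and every GBP sub-header that follows.
    Returns (vni, gbp_subheaders, payload_offset, payload_next_protocol)."""
    flags, _reserved, nxt, vni_reserved = struct.unpack_from("!BHBI", frame, 0)
    if not flags & 0x04:  # P bit: Next Protocol field is valid
        raise ValueError("P bit clear: header carries no Next Protocol")
    vni = vni_reserved >> 8
    off, subs = 8, []
    while nxt == NP_GBP:
        h = decode_gbp(frame, off)
        if h["ver"] != 0:  # assumption: reject versions this code does not know
            raise ValueError("unsupported GBP sub-header version %d" % h["ver"])
        subs.append(h)
        nxt, off = h["next"], off + 4
    validate_chain(subs)
    return vni, subs, off, nxt


def enforce(frame, policy):
    """Look up policy[(src_gpid, dst_gpid)] -> 'permit' | 'drop' | 'redirect'
    and honour the A bit.  Returns (action_taken, possibly_rewritten_frame)."""
    _vni, subs, off, _nxt = parse_vxlan_gpe(frame)
    src = next((h for h in subs if h["E"] == 0), None)
    dst = next((h for h in subs if h["E"] == 1), None)
    if src is None or dst is None:
        return "forward", frame  # destination group not determined here
    action = policy.get((src["gpid"], dst["gpid"]), "permit")
    if src["A"]:
        # Already applied upstream: redirect MUST NOT be re-applied,
        # drop MAY still be applied, anything else just forwards.
        return ("drop" if action == "drop" else "forward"), frame
    for h in subs:  # assumption: mark every sub-header once policy is applied
        h["A"] = 1
    marked = frame[:8] + b"".join(encode_gbp(h) for h in subs) + frame[off:]
    return action, marked


# Constructed sample frame: VXLAN-GPE (I and P set, VNI 100, NP = GBP),
# source group 16, destination group 32, then four placeholder payload bytes.
SAMPLE = (
    bytes([0x0C, 0x00, 0x00, NP_GBP]) + (100 << 8).to_bytes(4, "big")
    + encode_gbp({"gpid": 16, "A": 0, "D": 0, "E": 0, "ver": 0, "next": NP_GBP})
    + encode_gbp({"gpid": 32, "A": 0, "D": 0, "E": 1, "ver": 0, "next": NP_ETHERNET})
    + b"\xde\xad\xbe\xef"
)
POLICY = {(16, 32): "redirect"}  # constructed policy table

if __name__ == "__main__":
    action, marked = enforce(SAMPLE, POLICY)
    print(action, [(h["gpid"], h["E"], h["A"]) for h in parse_vxlan_gpe(marked)[1]])
    print(enforce(marked, POLICY)[0])               # forward: A bit already set
    print(enforce(marked, {(16, 32): "drop"})[0])   # drop: still permitted
```

   Running the sample twice through enforce() shows the intended
   behaviour of Section 2: the first device applies the redirect and
   marks both sub-headers, the second sees A=1 and only forwards, while a
   drop policy is still honoured downstream.  The same decode_gbp()
   applies unchanged after a LISP-GPE header, since the sub-header format
   is common to both encapsulations.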
   An example frame format using VXLAN-GPE encapsulation is as shown
   below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Outer Ethernet Header                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Outer IP Header                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Outer UDP Header                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
   |R|R|Ver|I|P|R|O|           Reserved            |   NP = GBP    | |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ VXLAN
   |             Virtual Network Identifier (VNI)  |   Reserved    | -GPE
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
   |        Group Policy ID        |A|D|E| Res |Ver| Next Protocol | GBP
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
   |                                                               |
   :                         Next Protocol                         :
   |                                                               |
   +---------------------------------------------------------------+

   An example frame format using LISP-GPE encapsulation is as shown
   below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Outer Ethernet Header                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Outer IP Header                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Outer UDP Header                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
   |N|L|E|V|I|P|K|K|       Nonce/Map-Version       |   NP = GBP    | |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ LISP
   |                Instance ID/Locator-Status-Bits                | -GPE
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
   |        Group Policy ID        |A|D|E| Res |Ver| Next Protocol | GBP
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
   |                                                               |
   :                         Next Protocol                         :
   |                                                               |
   +---------------------------------------------------------------+

4.  Use Of Multiple GBP Sub-options

   A tunnel header MAY carry multiple GBP sub-headers, provided each is
   of a different type, that is, a source group sub-header (E bit set
   to 0) and a destination group sub-header (E bit set to 1).  Only one
   sub-header of a given type is allowed per tunneled packet.

5.  IANA Considerations

   IANA is requested to add a new value to the "Next Protocol" registry
   defined in [I-D.ietf-nvo3-vxlan-gpe].  The new value of 6 will
   signify a GBP sub-header as the next protocol.

   IANA is requested to add a new value to the "Next Protocol" registry
   defined in [I-D.ietf-lisp-gpe].  The new value of 6 will signify a
   GBP sub-header as the next protocol.

6.  Security Considerations

   The security considerations of [I-D.ietf-nvo3-vxlan-gpe],
   [I-D.ietf-lisp-gpe], and [I-D.smith-vxlan-group-policy] apply to
   this document as well.

   Additionally, the Group Policy ID carried in the GBP sub-header
   directly determines which policy is enforced, so there is a risk
   that this identifier could be altered in transit.  The same holds
   for the A and D bits: a forged A bit suppresses redirect policies at
   downstream devices (Section 3.1), and a forged D bit changes whether
   the egress learns the source address.  Accordingly, the network
   should be designed such that this sub-header can be inserted only by
   trusted entities and cannot be altered before reaching the
   destination.  This can be achieved through physical security of the
   network and/or by encryption or integrity validation of the entire
   packet, including the GBP sub-header.

7.  Normative References

   [I-D.ietf-lisp-gpe]
              Maino, F., Lemon, J., Agarwal, P., Lewis, D., and M.
              Smith, "LISP Generic Protocol Extension",
              draft-ietf-lisp-gpe-06 (work in progress), September 2018.

   [I-D.ietf-nvo3-vxlan-gpe]
              Maino, F., Kreeger, L., and U. Elzur, "Generic Protocol
              Extension for VXLAN", draft-ietf-nvo3-vxlan-gpe-06 (work
              in progress), April 2018.

   [I-D.smith-vxlan-group-policy]
              Smith, M. and L. Kreeger, "VXLAN Group Policy Option",
              draft-smith-vxlan-group-policy-05 (work in progress),
              October 2018.
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

Authors' Addresses

   John Lemon (editor)
   Broadcom Inc.
   270 Innovation Drive
   San Jose, CA 95134
   USA

   Email: john.lemon@broadcom.com


   Fabio Maino
   Cisco Systems

   Email: fmaino@cisco.com


   Michael Smith
   Cisco Systems

   Email: michsmit@cisco.com


   Aldrin Isaac
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   USA

   Email: aldrin.isaac@gmail.com