Internet Engineering Task Force                               M. Smith
Internet-Draft                                              L. Kreeger
Intended status: Informational                     Cisco Systems, Inc.
Expires: August 10, 2017                              February 6, 2017

                       VXLAN Group Policy Option
                   draft-smith-vxlan-group-policy-03

Abstract

   This document defines a backward compatible extension to Virtual
   eXtensible Local Area Network (VXLAN) that allows a Tenant System
   Interface (TSI) Group Identifier to be carried for the purposes of
   policy enforcement.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).
   Note that other groups may also distribute working documents as
   Internet-Drafts.  The list of current Internet-Drafts is at
   http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 10, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
     1.2.  Definition of Terms
   2.  Approach
     2.1.  VXLAN Group Based Policy Extension
   3.  Backward Compatibility
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1.  Introduction

   The Group Based Policy [GROUPPOLICY][GROUPBASEDPOLICY] model defines
   an application-centric policy model where the application
   connectivity requirements are specified in a manner that is
   independent of the underlying network topology.  In this model,
   Tenant System Interfaces (TSIs) are assigned to Tenant System
   Interface (TSI) Groups.  Each TSI Group consists of TSIs that share
   the same network policies and requirements.  Network policies are
   defined between the TSI Group of the traffic source and the TSI Group
   of the traffic destination.  These policies are deployed when the TSI
   attaches to the network.

   In many situations, the TSI to TSI Group mapping is known only at the
   Network Virtualization Edge (NVE) to which the TSI is attached.  This
   implies that the TSI Group of a packet destination may not be known
   until the packet reaches the egress NVE where the packet destination
   is attached.  In such situations, it is critical to retain the source
   TSI Group membership with the packet so that policy can be applied at
   the egress NVE.

   This document defines a backward compatible extension to VXLAN
   [RFC7348] that allows the source TSI Group identifier to be carried
   so that policy can be applied when the destination TSI Group is
   determined at the egress NVE.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.2.  Definition of Terms

   This document uses the same terminology as [RFC7365] and [RFC7348].
   In addition, the following terms are used:

   Tenant System Interface (TSI) Group:  A TSI Group is a collection of
      TSIs that share the same network policies and requirements.
2.  Approach

2.1.  VXLAN Group Based Policy Extension

   The VXLAN Group Based Policy Extension (VXLAN-GBP) header is defined
   as:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R|        Group Policy ID        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        VXLAN Network Identifier (VNI)         |   Reserved    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 1: VXLAN-GBP Extension

   The following bits are defined in addition to the existing VXLAN
   fields:

   G Bit:  Bit 0 of the initial word is defined as the G (Group Based
      Policy Extension) bit.

      G = 1 indicates that the source TSI Group membership is being
      carried within the Group Policy ID field as defined in this
      document.

      G = 0 indicates that the Group Policy ID is not being carried, and
      the G Bit MUST be set to 0 as specified in [RFC7348].

   D bit:  Bit 9 of the initial word is defined as the Don't Learn bit.
      When set, this bit indicates that the egress VTEP MUST NOT learn
      the source address of the encapsulated frame.

   A Bit:  Bit 12 of the initial word is defined as the A (Policy
      Applied) bit.  This bit is only defined as the A bit when the G
      bit is set to 1.

      A = 1 indicates that the group policy has already been applied to
      this packet.  Policies MUST NOT be applied by devices when the A
      bit is set.

      A = 0 indicates that the group policy has not been applied to this
      packet.  Group policies MUST be applied by devices when the A bit
      is set to 0 and the destination Group has been determined.
      Devices that apply the Group policy MUST set the A bit to 1 after
      the policy has been applied.

   Group Policy ID:  16-bit identifier that indicates the source TSI
      Group membership being encapsulated by VXLAN.
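   The following Python example is added here for illustration and is
   not part of this draft or of any implementation by its authors.  It
   encodes and decodes the header of Figure 1, substitutes a default
   Group Policy ID when G = 0 (the behaviour Section 3 recommends), and
   performs the egress-NVE A-bit handling described above.  The default
   Group Policy ID value, the policy-table layout and the default-deny
   lookup are assumptions of the example, not rules of the draft.

```python
import struct

# Bit positions in the first 32-bit word of the VXLAN-GBP header (Figure 1);
# bit 0 is the most significant bit of the word.
G_BIT = 1 << 31   # bit 0:  Group Based Policy Extension present
I_BIT = 1 << 27   # bit 4:  VNI valid (RFC 7348)
D_BIT = 1 << 22   # bit 9:  Don't Learn
A_BIT = 1 << 19   # bit 12: Policy Applied (only meaningful when G = 1)
DEFAULT_GROUP_POLICY_ID = 0  # assumed local default for packets arriving with G = 0


def build_vxlan_gbp(vni, group_policy_id=None, policy_applied=False, dont_learn=False):
    """Encode the 8-byte header; G, Group Policy ID and A are set only when a group is given."""
    flags, gpid = I_BIT, 0
    if group_policy_id is not None:
        flags |= G_BIT | (A_BIT if policy_applied else 0)
        gpid = group_policy_id & 0xFFFF
    if dont_learn:
        flags |= D_BIT
    return struct.pack("!II", flags | gpid, (vni & 0xFFFFFF) << 8)


def parse_vxlan_gbp(hdr):
    """Decode the header; with G = 0 the Group Policy ID field is ignored (Section 3)."""
    word0, word1 = struct.unpack("!II", hdr[:8])
    g = bool(word0 & G_BIT)
    return {
        "vni": word1 >> 8,
        "vni_valid": bool(word0 & I_BIT),
        "dont_learn": bool(word0 & D_BIT),
        "gbp": g,
        "group_policy_id": (word0 & 0xFFFF) if g else DEFAULT_GROUP_POLICY_ID,
        "policy_applied": bool(word0 & A_BIT) if g else False,
    }


def egress_enforce(hdr, dest_group, policy):
    """Egress NVE step: skip when A = 1, else look up (src, dst) and set A = 1.

    policy maps (src_group, dst_group) -> True/False; unknown pairs are denied
    (the default-deny choice is an assumption of this example)."""
    h = parse_vxlan_gbp(hdr)
    if h["policy_applied"]:
        return "already-applied", hdr
    verdict = "permit" if policy.get((h["group_policy_id"], dest_group)) else "deny"
    word0, word1 = struct.unpack("!II", hdr[:8])
    # A is only defined when G = 1, so a legacy (G = 0) header is left untouched.
    marked = struct.pack("!II", word0 | A_BIT, word1) if h["gbp"] else hdr
    return verdict, marked
```

   Note that a legacy VTEP header with stray bits in the Group Policy ID
   positions still maps to the default group, because the field is only
   read when G = 1.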
      The allocation of Group Policy ID values is outside the scope of
      this document.

3.  Backward Compatibility

   VXLAN [RFC7348] requires reserved fields to be set to zero on
   transmit and ignored on receive.  This ensures that the G bit will
   never be set by VXLAN VTEPs and therefore packets received from these
   VTEPs can be assigned to a default Group Policy ID.  It also ensures
   that VXLAN VTEPs receiving packets with the G bit set will ignore the
   Group Policy ID.  This defined behavior of VXLAN VTEPs allows the
   extensions described in this document to operate on the IANA assigned
   VXLAN UDP port (port 4789).

   In some environments, there may be a mix of devices supporting the
   VXLAN Group Based Policy Extension and devices that do not.  Devices
   supporting the VXLAN Group Based Policy Extension SHOULD assign
   traffic arriving without the G bit set to a default Group Policy ID
   for the purposes of policy enforcement.

4.  IANA Considerations

   This memo includes no request to IANA.

5.  Security Considerations

   This document describes an extension to VXLAN to carry the Group
   Policy Identifier of the source endpoint.  These identifiers must be
   distributed to participating VTEPs that are encapsulating traffic
   from the endpoints sourcing traffic.  While the control plane
   protocols for distributing these identifiers are outside the scope of
   this document, any control plane protocol should ensure that these
   identifiers are securely distributed to the network elements
   participating in the policy enforcement domain.

   Additionally, the Group Policy Identifier field being carried in the
   packet directly impacts the network policy applied to the traffic.
   There is a risk that these identifiers may be spoofed, and proper
   integrity protection should be put in place to ensure that these
   fields can only be populated by trusted entities.
   Due to the importance of these fields, confidentiality may also be
   required to ensure that traffic cannot be targeted for attack based
   on the policy identifiers.  In some environments, these attacks are
   mitigated through physical security.  In other environments,
   traditional security mechanisms like IPsec can be used to
   authenticate and optionally encrypt VXLAN traffic, including the
   bits and fields described in this document.

6.  Acknowledgements

   Many thanks to Tom Edsall and Thomas Graf for their comments and
   review of this document.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC7348]  Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
              L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
              eXtensible Local Area Network (VXLAN): A Framework for
              Overlaying Virtualized Layer 2 Networks over Layer 3
              Networks", RFC 7348, August 2014.

   [RFC7365]  Lasserre, M., Balus, F., Morin, T., Bitar, N., and Y.
              Rekhter, "Framework for Data Center (DC) Network
              Virtualization", RFC 7365, October 2014.

7.2.  Informative References

   [GROUPBASEDPOLICY]
              OpenStack, "Group Based Policy", 2015.

   [GROUPPOLICY]
              OpenDaylight, "Group Policy", 2015.

Authors' Addresses

   Michael Smith
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, California 95134
   USA

   Email: michsmit@cisco.com

   Lawrence Kreeger
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, California 95134
   USA

   Email: kreeger@cisco.com