idnits 2.17.1 draft-smith-vxlan-group-policy-04.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
  No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
  No issues found here.

Miscellaneous warnings:
  == The copyright year in the IETF Trust and authors Copyright Line does not match the current year
  -- The document date (October 20, 2017) is 2351 days in the past. Is this intentional?

Checking references for intended status: Informational
  No issues found here.

Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

Run idnits with the --verbose option for more detailed information about the items above.


Internet Engineering Task Force                                M. Smith
Internet-Draft                                      Cisco Systems, Inc.
Intended status: Informational                               L. Kreeger
Expires: April 23, 2018                                October 20, 2017

                       VXLAN Group Policy Option
                   draft-smith-vxlan-group-policy-04

Abstract

This document defines a backward compatible extension to Virtual eXtensible Local Area Network (VXLAN) that allows a Tenant System Interface (TSI) Group Identifier to be carried for the purposes of policy enforcement.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 23, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Requirements Language
      1.2. Definition of Terms
   2. Approach
      2.1. VXLAN Group Based Policy Extension
   3. Backward Compatibility
   4. IANA Considerations
   5. Security Considerations
   6. Acknowledgements
   7. References
      7.1. Normative References
      7.2. Informative References
   Authors' Addresses

1. Introduction

The Group Based Policy [GROUPPOLICY][GROUPBASEDPOLICY] model defines an application-centric policy model where the application connectivity requirements are specified in a manner that is independent of the underlying network topology. In this model, Tenant System Interfaces (TSIs) are assigned to Tenant System Interface (TSI) Groups. Each TSI Group consists of TSIs that share the same network policies and requirements. Network policies are defined between the TSI Group of the traffic source and the TSI Group of the traffic destination. These policies are deployed when the TSI attaches to the network.

In many situations, the TSI to TSI Group mapping is known only at the Network Virtualization Edge (NVE) to which the TSI is attached. This implies that the TSI Group of a packet destination may not be known until the packet reaches the egress NVE where the packet destination is attached. In such situations, it is critical to retain the source TSI Group membership with the packet so that policy can be applied at the egress NVE.

This document defines a backward compatible extension to VXLAN [RFC7348] that allows the source TSI Group identifier to be carried so that policy can be applied when the destination TSI Group is determined at the egress NVE.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

1.2. Definition of Terms

This document uses the same terminology as [RFC7365] and [RFC7348]. In addition, the following terms are used:

   Tenant System Interface (TSI) Group: A TSI Group is a collection of TSIs that share the same network policies and requirements.

2. Approach

2.1. VXLAN Group Based Policy Extension

The VXLAN Group Based Policy Extension (VXLAN-GBP) header is defined as:

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R|        Group Policy ID        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         VXLAN Network Identifier (VNI)        |    Reserved   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 1: VXLAN-GBP Extension

The following bits are defined in addition to the existing VXLAN fields:

   G Bit: Bit 0 of the initial word is defined as the G (Group Based Policy Extension) bit.

      G = 1 indicates that the source TSI Group membership is being carried within the Group Policy ID field as defined in this document.

      G = 0 indicates that the Group Policy ID is not being carried, and the G Bit MUST be set to 0 as specified in [RFC7348].

   D Bit: Bit 9 of the initial word is defined as the Don't Learn bit. When set, this bit indicates that the egress VTEP MUST NOT learn the source address of the encapsulated frame.

   A Bit: Bit 12 of the initial word is defined as the A (Policy Applied) bit. This bit is only defined as the A bit when the G bit is set to 1.

      A = 1 indicates that the group policy has already been applied to this packet. Policies MUST NOT be applied by devices when the A bit is set.

      A = 0 indicates that the group policy has not been applied to this packet. Group policies MUST be applied by devices when the A bit is set to 0 and the destination Group has been determined. Devices that apply the Group policy MUST set the A bit to 1 after the policy has been applied.

   Group Policy ID: 16-bit identifier that indicates the source TSI Group membership being encapsulated by VXLAN. The allocation of Group Policy ID values is outside the scope of this document.

3. Backward Compatibility

VXLAN [RFC7348] requires reserved fields to be set to zero on transmit and ignored on receive. This ensures that the G bit will never be set by VXLAN VTEPs and therefore packets received from these VTEPs can be assigned to a default Group Policy ID. It also ensures that VXLAN VTEPs receiving packets with the G bit set will ignore the Group Policy ID. This defined behavior of VXLAN VTEPs allows the extensions described in this document to operate on the IANA-assigned VXLAN UDP port (port 4789).

In some environments, there may be a mix of devices supporting the VXLAN Group Based Policy Extension and devices that do not. Devices supporting the VXLAN Group Based Policy Extension SHOULD assign traffic arriving without the G bit set to a default Group Policy ID for the purposes of policy enforcement.

4. IANA Considerations

This memo includes no request to IANA.

5. Security Considerations

This document describes an extension to VXLAN to carry the Group Policy Identifier of the source endpoint. These identifiers must be distributed to participating VTEPs that are encapsulating traffic from the endpoints sourcing traffic. While the control plane protocols for distributing these identifiers are outside the scope of this document, any control plane protocol should ensure that these identifiers are securely distributed to the network elements participating in the policy enforcement domain.

Additionally, the Group Policy Identifier field being carried in the packet directly impacts the network policy applied to the traffic.

There is a risk that these identifiers may be spoofed, and proper integrity protection should be put in place to ensure that these fields can only be populated by trusted entities. Due to the importance of these fields, confidentiality may also be required to ensure that traffic cannot be targeted for attack based on the policy identifiers. In some environments, these attacks are mitigated through physical security. In other environments, they are mitigated by traditional security mechanisms such as IPsec, which authenticate and optionally encrypt VXLAN traffic, including the bits and fields described in this document.

6. Acknowledgements

Many thanks to Tom Edsall and Thomas Graf for their comments and review of this document.

7. References

7.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, L., Sridhar, T., Bursell, M., and C. Wright, "Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", RFC 7348, August 2014.

   [RFC7365] Lasserre, M., Balus, F., Morin, T., Bitar, N., and Y. Rekhter, "Framework for Data Center (DC) Network Virtualization", RFC 7365, October 2014.

7.2. Informative References

   [GROUPBASEDPOLICY] OpenStack, "Group Based Policy", 2015.

   [GROUPPOLICY] OpenDaylight, "Group Policy", 2015.

Authors' Addresses

   Michael Smith
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, California 95134
   USA

   Email: michsmit@cisco.com

   Lawrence Kreeger

   Email: lkreeger@gmail.com
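Worked example, added after the draft text and not part of draft-smith-vxlan-group-policy-04 or the authors' code: a codec for the 8-byte VXLAN-GBP header of Section 2.1 (bit 0 of the initial word is the most significant bit on the wire) and a model of the egress VTEP behaviour from Sections 2.1 and 3: packets arriving without the G bit are assigned a default Group Policy ID, enforcement is skipped when A = 1, and the A bit is set after policy is applied. The policy table, the default Group Policy ID value of 0, the default-deny verdict for unknown group pairs, and the trust-boundary helper that clears the policy fields on headers from VTEPs not trusted to populate them (one way to act on the Section 5 concern) are assumptions of this example, not anything the draft specifies.

```python
"""VXLAN-GBP header codec and egress policy-decision model (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Bit 0 of the initial 32-bit word is the most significant bit in network order.
G_BIT = 1 << 31      # bit 0:  Group Based Policy Extension present
I_BIT = 1 << 27      # bit 4:  VNI valid (RFC 7348)
D_BIT = 1 << 22      # bit 9:  Don't Learn
A_BIT = 1 << 19      # bit 12: Policy Applied (only defined when G = 1)
GPID_MASK = 0xFFFF   # bits 16..31: Group Policy ID

DEFAULT_GROUP_ID = 0  # assumption: site-chosen default for traffic without the G bit


@dataclass(frozen=True)
class VxlanGbpHeader:
    vni: int
    g: bool
    i: bool
    d: bool
    a: bool
    group_id: Optional[int]  # None when G = 0: the field is then reserved and ignored


def encode_header(vni, group_id=None, dont_learn=False, policy_applied=False):
    """Build the 8-byte header; group_id=None yields a plain RFC 7348 header (G = 0)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    word0 = I_BIT
    if group_id is not None:
        if not 0 <= group_id <= GPID_MASK:
            raise ValueError("Group Policy ID is a 16-bit field")
        word0 |= G_BIT | group_id
        if policy_applied:
            word0 |= A_BIT
    elif policy_applied:
        raise ValueError("the A bit is only defined when G = 1")
    if dont_learn:
        word0 |= D_BIT
    # Second word: 24-bit VNI followed by 8 reserved bits, zero on transmit.
    return struct.pack("!II", word0, vni << 8)


def decode_header(data):
    """Parse the header; reserved bits are ignored on receipt as RFC 7348 requires."""
    if len(data) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    word0, word1 = struct.unpack("!II", data[:8])
    g = bool(word0 & G_BIT)
    return VxlanGbpHeader(
        vni=word1 >> 8,
        g=g,
        i=bool(word0 & I_BIT),
        d=bool(word0 & D_BIT),
        a=g and bool(word0 & A_BIT),              # A means nothing unless G is set
        group_id=(word0 & GPID_MASK) if g else None,
    )


def egress_policy_decision(data, dst_group, policy_table, default_group=DEFAULT_GROUP_ID):
    """Decide what an egress VTEP does once the destination TSI Group is known.

    Returns (action, header_to_forward): "forward" when A = 1 (policy MUST NOT be
    re-applied), "permit" with the A bit set after applying policy, or "deny".
    policy_table maps (src_group, dst_group) -> "permit"/"deny"; unknown pairs are
    denied (assumption: default-deny).
    """
    h = decode_header(data)
    if h.g and h.a:
        return "forward", data
    src_group = h.group_id if h.g else default_group   # Section 3: default group for G = 0
    if policy_table.get((src_group, dst_group), "deny") != "permit":
        return "deny", None
    if not h.g:
        # A is undefined without G, so a plain VXLAN packet is forwarded unchanged
        # (assumption of this example).
        return "permit", data
    return "permit", encode_header(h.vni, h.group_id, h.d, policy_applied=True)


def strip_policy_fields(data):
    """Trust-boundary helper (assumption): clear G, A and the Group Policy ID on a
    header received from a VTEP not trusted to populate them, so the packet is
    treated exactly like one that arrived with G = 0."""
    word0, word1 = struct.unpack("!II", data[:8])
    word0 &= ~(G_BIT | A_BIT | GPID_MASK) & 0xFFFFFFFF
    return struct.pack("!II", word0, word1) + data[8:]


if __name__ == "__main__":
    # Constructed sample: source group 100 on VNI 5000, destination group 200 permitted.
    table = {(100, 200): "permit", (DEFAULT_GROUP_ID, 200): "permit"}
    pkt = encode_header(5000, group_id=100)
    print(decode_header(pkt))
    print(egress_policy_decision(pkt, 200, table))
```

Running the module prints the decoded sample header and the permit decision whose returned header now carries A = 1; feeding that header back in yields "forward" without re-evaluating policy, which is the A-bit contract of Section 2.1.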