IDR Working Group                                              L. Yong
Internet-Draft                                                S. Hares
Intended status: Standards Track                              Q. Liang
Expires: September 22, 2016                                     J. You
                                                                Huawei
                                                        March 21, 2016

              BGP Flow Specification Filter for MPLS Label
               draft-yong-idr-flowspec-mpls-match-00.txt

Abstract

   This draft proposes BGP flow specification rules that are used to
   filter MPLS labeled packets.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 22, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  The Flow Specification Encoding for MPLS Match
   3.  Deployment Example: DDoS Traffic
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Authors' Addresses

1.  Introduction

   BGP Flow Specification (BGP-FS) [RFC5575] is an extension that
   allows for the dissemination of traffic flow specification rules via
   BGP ([RFC4271]).  A BGP-FS policy has a match condition, which may be
   an n-tuple match, and an action that modifies the packet and
   forwards or drops it.  Via BGP, new filter rules can be sent to all
   BGP peers simultaneously without changing router configuration, and
   each BGP peer can install these routes in its forwarding table.  The
   typical application of BGP-FS is to automate the distribution of
   traffic filter lists to routers for DDoS mitigation.

   [RFC5575] defines a new BGP Network Layer Reachability Information
   (NLRI) format used to distribute traffic flow specification rules.
   NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering.  NLRI (AFI=1,
   SAFI=134) is for BGP/MPLS VPN filtering.  [I-D.ietf-idr-flow-spec-v6]
   defines the flow-spec extension for IPv6 data packets.
   [I-D.ietf-idr-flowspec-l2vpn] extends the flow-spec rules to layer 2
   Ethernet packets (AFI=25, SAFI=133, SAFI=134).  The match parts of
   all these flow specifications cover only single-layer IP information
   (source/destination IP prefix, protocol type, ports, etc.) and
   Ethernet information (source/destination MAC matches).

   MPLS technologies [RFC3031] have been widely deployed in WAN
   networks.
   The MPLS label stack [RFC3032] is the foundation of the label
   switched data plane.  A label on a label stack may represent a label
   switched path (LSP), an application identification such as a Pseudo
   Wire (PW), or a reserved label that triggers a specific data plane
   action.  The data plane label switching operations are pop, push,
   and swap of a label on the label stack.

   For value-added services, it is valuable for an MPLS network to have
   a BGP-FS policy filter that matches on the MPLS portion of a packet,
   together with an action that modifies the MPLS packet header and/or
   monitors the packets that match the policy.  This document specifies
   an MPLS match filter.

   [I-D.liang-idr-bgp-flowspec-label] specifies a BGP action to modify
   the MPLS label.

   [I-D.hares-idr-flowspec-combo] describes the following two options
   for extending [RFC5575]:

   o  Option 1: Extend [RFC5575] with new filters, match filters and
      actions.  Extend the match default order by type and require that
      all matches be combined with an "AND".  Extend the actions and
      define a default order and the resolution of conflicts.

   o  Option 2: Create a version 2 of BGP Flow Specification which can
      run in parallel to Option 1 and which supports explicit ordering
      of match filters and actions.  Option 2 will also refine the
      BGP-FS security to optionally include ROAs between ASes, and other
      mechanisms ([I-D.ietf-idr-bgp-flowspec-oid]).

2.  The Flow Specification Encoding for MPLS Match

   This document proposes new flow specification rules that are encoded
   in the NLRI.

   Type TBD1 - MPLS Match1

      Function: Match1 applies to the MPLS Label field of the labels on
      the label stack.

      Encoding:

      It contains a set of {operator, value} pairs that are used as the
      matching filter.
      The operator byte is encoded as:

         0   1   2   3   4   5   6   7
       +---+---+---+---+---+---+---+---+
       | e | a | i |  pos  |   Resv    |
       +---+---+---+---+---+---+---+---+

      where:

         e - end of list bit: Set in the last {op, value} pair in the
            list.

         a - AND bit: If unset, the previous term is logically ORed
            with the current one.  If set, the operation is a logical
            AND.  It should be unset in the first operator byte of a
            sequence.  The AND operator has higher priority than OR for
            the purposes of evaluating logical expressions.

         i - before bit: If unset, apply the matching filter before the
            MPLS label data plane action; if set, apply the matching
            filter after the MPLS label data plane action.

         pos - the label position indication bits, where:

            00: any position on the label stack - the presented label
                value is used to match any label on the label stack.
                When applied, at least one label on the stack must
                match the value.

            01: top label indication - the presented label value MUST
                be used to match the top label on the label stack.

            10: bottom label indication - the presented label value
                MUST match the bottom label on the label stack.  When
                this indication is not set, the presented label value
                can match any label on the label stack.

            11: (for reserved labels)

      The value field is encoded as:

         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                 Label                 |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type TBD2 - MPLS Match2

      Function: MPLS Match2 applies to the MPLS Label experimental bits
      (EXP) of the top label in the label stack.

      Encoding:

         [op, value] - Defines a list of {operation, value} pairs used
         to match the 3-bit EXP field of the top label of packets
         [RFC3032].

         Values are encoded using a single byte, where the five most
         significant bits are zero and the three least significant
         bits contain the EXP value.

3.  Deployment Example: DDoS Traffic

   In this example, 5 local policy rules in the filter-based RIBs (FB-
   RIBs, aka Policy Routing) will match n-tuples (destination IP
   address, destination port, source IP address, and protocol (ICMP and
   STCP)).  These policy rules can be created by standard YANG modules
   for filter-based RIBs (configuration, and ephemeral configuration)
   or ACLs, or by vendor-based policy.  These policies will put the DDoS
   attack data onto one LSP (LSP1) in order to send the DDoS traffic to
   the IDS/IPS processing attached to PE2.

   The MPLS filter allows the BGP Flow Specification to match on the LSP
   label rather than the IP address, so that PE2 (with the FB-RIBs on
   PE2) can forward the traffic to a set of IDS/IPS machines.  The BGP
   Flow Specification (BGP-FS) can forward this simple match policy
   along with an action policy that constrains the traffic on this flow
   to a certain rate (bytes/second).

         |<---------------- AS1 ----------------->|
      +---------+    +-----+    +-----+    +-----+
   ===| PE1     |----|IBGP |----|IBGP |----| PE2 |--IDS-1/IPS
      | Filters |    |     |    |     |    |     |--IDS-2/IPS
      +---------+    +-----+    +-----+    +-----+
              |-------------------------------|
               MPLS travel on LSP-1 with label-1

   BGP Flow Specification Filter 1

      BGP Flow Specification
         Match Policy
            Destination IP address (0/0)   [Required by RFC5575]
            MPLS Label match (label-1)
         Action Policy
            Traffic-rate (n bytes)

4.  Security Considerations

   The validation of BGP Flow Specification policy is considered in
   [I-D.hares-idr-flowspec-combo] for Option 1 and for Option 2.  For
   Option 1, the MPLS Match can be one of the match filters, and the
   final match is an "AND" of all the filters.  Match filters are tested
   in the order specified in [I-D.hares-idr-flowspec-combo] and/or an
   RFC5575bis document.

   The traffic rate action described above is described in [RFC5575].
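   As an added worked example (not code from this draft or its authors),
   the following Python encodes and decodes the MPLS Match1 {operator,
   value} list of Section 2 and evaluates it against a label stack with
   the AND-over-OR precedence, the before bit and the pos semantics
   described there; Filter 1 of Section 3 (MPLS Label match on label-1)
   is the one-term case.  It assumes a 3-byte big-endian value field for
   the 20-bit label, which the draft does not specify, and represents a
   label stack as a Python list with the top label first.

```python
# Operator byte from the draft (bit 0 is the MSB): e | a | i | pos | Resv
E_BIT, A_BIT, I_BIT = 0x80, 0x40, 0x20
POS_ANY, POS_TOP, POS_BOTTOM = 0, 1, 2  # pos=3 (reserved labels) is unspecified

def encode_match1(pairs):
    """(a, i, pos, label) pairs -> bytes. Assumption (not in the draft):
    the 20-bit label sits in the low 20 bits of a 3-byte big-endian field."""
    out = bytearray()
    for n, (a, i, pos, label) in enumerate(pairs):
        if not 0 <= label < (1 << 20):
            raise ValueError("label must fit in 20 bits")
        if n == 0 and a:
            raise ValueError("AND bit must be unset on the first operator")
        op = (A_BIT if a else 0) | (I_BIT if i else 0) | ((pos & 3) << 3)
        if n == len(pairs) - 1:
            op |= E_BIT  # e bit marks the last pair
        out += bytes([op]) + label.to_bytes(3, "big")
    return bytes(out)

def decode_match1(data):
    pairs, off = [], 0  # inverse of encode_match1; stops at the e bit
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated list: no e bit seen")
        op = data[off]
        label = int.from_bytes(data[off + 1:off + 4], "big") & 0xFFFFF
        pairs.append((bool(op & A_BIT), bool(op & I_BIT), (op >> 3) & 3, label))
        off += 4
        if op & E_BIT:
            return pairs

def _term(i, pos, label, before, after):
    # i (before bit) unset: test the stack before the label action; set: after.
    stack = after if i else before  # list, index 0 = top of stack
    if pos == POS_ANY:
        return label in stack
    if pos in (POS_TOP, POS_BOTTOM):
        return bool(stack) and stack[0 if pos == POS_TOP else -1] == label
    raise ValueError("pos=11 (reserved labels) is not specified by the draft")

def evaluate_match1(pairs, before, after):
    """AND binds tighter than OR, so the list is an OR of AND-groups."""
    groups = []
    for a, i, pos, label in pairs:
        t = _term(i, pos, label, before, after)
        if a and groups:
            groups[-1] = groups[-1] and t  # a set: AND with previous term
        else:
            groups.append(t)  # a unset: start a new OR alternative
    return any(groups)
```

   A receiver that stops at the first e bit, as decode_match1 does, also
   knows how many bytes the component consumed, which is what a full
   NLRI parser needs to find the next component.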
   [I-D.hares-idr-flowspec-combo] suggests a default order for filters
   and for the BGP-FS actions proposed after [RFC5575], and this
   document discusses how conflicts between actions are handled.

5.  IANA Considerations

   This section complies with [RFC7153].

   IANA is requested to add new entries to the "Flow Spec component
   types registry" with the following values:

      Value Name     Value   Reference
      ===========    =====   ===============
      MPLS-Match1    TBD1    [This Document]
      MPLS-Match2    TBD2    [This Document]

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3031]  Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol
              Label Switching Architecture", RFC 3031,
              DOI 10.17487/RFC3031, January 2001.

   [RFC3032]  Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y.,
              Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack
              Encoding", RFC 3032, DOI 10.17487/RFC3032, January 2001.

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006.

   [RFC5575]  Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
              and D. McPherson, "Dissemination of Flow Specification
              Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009.

   [RFC7153]  Rosen, E. and Y. Rekhter, "IANA Registries for BGP
              Extended Communities", RFC 7153, DOI 10.17487/RFC7153,
              March 2014.

6.2.  Informative References

   [I-D.hares-idr-flowspec-combo]
              Hares, S., "An Information Model for Basic Network Policy
              and Filter Rules", draft-hares-idr-flowspec-combo-01 (work
              in progress), March 2016.

   [I-D.ietf-idr-bgp-flowspec-oid]
              Uttaro, J., Filsfils, C., Smith, D., Alcaide, J., and P.
              Mohapatra, "Revised Validation Procedure for BGP Flow
              Specifications", draft-ietf-idr-bgp-flowspec-oid-02 (work
              in progress), January 2014.

   [I-D.ietf-idr-flow-spec-v6]
              McPherson, D., Raszuk, R., Pithawala, B., Andy, A., and S.
              Hares, "Dissemination of Flow Specification Rules for
              IPv6", draft-ietf-idr-flow-spec-v6-07 (work in progress),
              March 2016.

   [I-D.ietf-idr-flowspec-l2vpn]
              Weiguo, H., Litkowski, S., and S. Zhuang, "Dissemination
              of Flow Specification Rules for L2 VPN", draft-ietf-idr-
              flowspec-l2vpn-03 (work in progress), November 2015.

   [I-D.liang-idr-bgp-flowspec-label]
              You, J., Raszuk, R., and d. danma@cisco.com, "Carrying
              Label Information for BGP FlowSpec", draft-liang-idr-bgp-
              flowspec-label-01 (work in progress), September 2015.

Authors' Addresses

   Lucy Yong
   Huawei

   Email: lucy.yong@huawei.com


   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI  48176
   USA

   Email: shares@ndzh.com


   Qiandeng Liang
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing  210012
   China

   Email: liangqiandeng@huawei.com


   Jianjie You
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing  210012
   China

   Email: youjianjie@huawei.com