draft-ietf-idr-flowspec-mpls-match-00.txt   draft-ietf-idr-flowspec-mpls-match-01.txt 
IDR Working Group L. Yong IDR Working Group L. Yong
Internet-Draft S. Hares Internet-Draft S. Hares
Intended status: Standards Track Q. Liang Intended status: Standards Track Q. Liang
Expires: December 2, 2016 J. You Expires: June 9, 2017 J. You
Huawei Huawei
May 31, 2016 December 6, 2016
BGP Flow Specification Filter for MPLS Label BGP Flow Specification Filter for MPLS Label
draft-ietf-idr-flowspec-mpls-match-00.txt draft-ietf-idr-flowspec-mpls-match-01.txt
Abstract Abstract
This draft proposes BGP flow specification rules that are used to This draft proposes BGP flow specification rules that are used to
filter MPLS labeled packets. filter MPLS labeled packets.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 2, 2016. This Internet-Draft will expire on June 9, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The Flow Specification Encoding for MPLS Match . . . . . . . 3 2. The Flow Specification Encoding for MPLS Match . . . . . . . 3
3. Deployment Example: DDoS Traffic . . . . . . . . . . . . . . 5 3. Deployment Example: DDoS Traffic . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . 6 6.1. Normative References . . . . . . . . . . . . . . . . . . 6
6.2. Informative References . . . . . . . . . . . . . . . . . 7 6.2. Informative References . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction 1. Introduction
BGP Flow Specification (BGP-FS) [RFC5575] is an extension to that BGP Flow Specification (BGP-FS) [RFC5575] is an extension to that
allows for the dissemination of traffic flow specification rules via allows for the dissemination of traffic flow specification rules via
BGP ([RFC4271]). BGP-FS policies have a match condition that may be BGP ([RFC4271]). BGP-FS policies have a match condition that may be
n-tuple match in a policy, and an action that modifies the packet and n-tuple match in a policy, and an action that modifies the packet and
forwards/drops the packet. Via BGP, new filter rules can be sent to forwards/drops the packet. Via BGP, new filter rules can be sent to
all BGP peers simultaneously without changing router configuration, all BGP peers simultaneously without changing router configuration,
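Review bot: The first sentence of the Introduction, carried over unchanged into -01, reads "is an extension to that allows" and is missing the noun after "to". Given the "via BGP ([RFC4271])" that follows, it should presumably read "is an extension to BGP that allows". The only change in this region is the expiry date, so the carried-over wording can be fixed in the same revision.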
skipping to change at page 2, line 40 skipping to change at page 2, line 40
(NLRI) format used to distribute traffic flow specification rules. (NLRI) format used to distribute traffic flow specification rules.
NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1,
SAFI=134)is for BGP/MPLS VPN filtering. [I-D.ietf-idr-flow-spec-v6] SAFI=134)is for BGP/MPLS VPN filtering. [I-D.ietf-idr-flow-spec-v6]
defines flow-spec extension for IPv6 data packets. defines flow-spec extension for IPv6 data packets.
[I-D.ietf-idr-flowspec-l2vpn] extends the flow-spec rules for layer 2 [I-D.ietf-idr-flowspec-l2vpn] extends the flow-spec rules for layer 2
Ethernet packets (AFI=25, SAFI=133, SAFI=134). All these flow Ethernet packets (AFI=25, SAFI=133, SAFI=134). All these flow
specifications match parts only reflect single layer IP (source/ specifications match parts only reflect single layer IP (source/
destination IP prefix, protocol type, ports, etc.) and Ethernet destination IP prefix, protocol type, ports, etc.) and Ethernet
information with matches for source/destination MAC information with matches for source/destination MAC
[I-D.hr-idr-rfc5575bis] provides updates to [RFC5575] to resolve
unclear sections in text and conflicts with interactions of filtering
actions.
MPLS technologies [RFC3031] have been widely deployed in WAN MPLS technologies [RFC3031] have been widely deployed in WAN
networks. MPLS label stack [RFC3032] is the foundation for label networks. MPLS label stack [RFC3032] is the foundation for label
switched data plane. A label on a label stack may represent a label switched data plane. A label on a label stack may represent a label
switch path (LSP), application identification such as Pseudo Wire switch path (LSP), application identification such as Pseudo Wire
(PW), a reserved label that triggers a specific data plane action, or (PW), a reserved label that triggers a specific data plane action, or
etc. The data plane label switching operations includes pop, push, etc. The data plane label switching operations includes pop, push,
or swap label on the label stack. or swap label on the label stack.
For value added services, it is valuable for a MPLS network to have For value added services, it is valuable for a MPLS network to have
BGP-FS policy filter that matches on the MPLS portion of a packet and BGP-FS policy filter that matches on the MPLS portion of a packet and
an action to modify the MPLS packet header and/or monitor the packets an action to modify the MPLS packet header and/or monitor the packets
that match the policy. This document specifies an MPLS match filter. that match the policy. This document specifies an MPLS match filter.
[I-D.ietf-idr-bgp-flowspec-label] specifies a BGP action to modify
[I-D.liang-idr-bgp-flowspec-label] specifies a BGP action to modify
the MPLS label. the MPLS label.
[I-D.hares-idr-flowspec-combo] describes the following two options [I-D.hares-idr-flowspec-v2] describes the following two options for
for extending [RFC5575]: extending [RFC5575]: creating a version 2 of BGP Flow Specification
which can run in parallel to the original BGP Flow specification.
o Option 1: Extend [RFC5575] with new filters, match filters and Version 2 may also include improved security features (ROAs or
actions. Extend the match default order by type and require that [I-D.ietf-idr-bgp-flowspec-oid])
all matches be combined with an "AND". Extend the actions and
define a default order and the resolution of conflicts.
o Option 2: Create a version 2 of BGP flow Specification which can This MPLS match option can be used for RFC5575 ([RFC5575],
run in parallel to Option 1 which supports explicit ordering of [I-D.hr-idr-rfc5575bis]) or version 2 of the flow specification.
match filters and actions. Option 2 will also refine the BGP-FS
security to optionally include ROAs between ASes, and other
mechanisms ([I-D.ietf-idr-bgp-flowspec-oid])
2. The Flow Specification Encoding for MPLS Match 2. The Flow Specification Encoding for MPLS Match
This document proposes new flow specifications rules that is encoded This document proposes new flow specifications rules that is encoded
in NLRI. in NLRI.
Type TBD1- MPLS Match1 Type TBD1- MPLS Match1
Function: The match1 applies to MPLS Label field on the label Function: The match1 applies to MPLS Label field on the label
stack. stack.
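Review bot: In the rewritten paragraph citing [I-D.hares-idr-flowspec-v2], the text still says "describes the following two options for extending [RFC5575]:" but -01 now describes only one (creating a version 2), because the Option 1 / Option 2 bullets were removed. Drop "the following two options" and state the single approach directly. The sentence ending "(ROAs or [I-D.ietf-idr-bgp-flowspec-oid])" is also missing its closing period.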
skipping to change at page 5, line 42 skipping to change at page 5, line 36
BGP Flow Specification BGP Flow Specification
Match Policy Match Policy
Destination IP address (0/0) [Required by RFC5575] Destination IP address (0/0) [Required by RFC5575]
MPLS Label match (label-1) MPLS Label match (label-1)
Action Policy Action Policy
Traffic-rate (n bytes) Traffic-rate (n bytes)
4. Security Considerations 4. Security Considerations
The validation of BGP Flow Specification policy is considered in The validation of BGP Flow Specification policy relies on the
[I-D.hares-idr-flowspec-combo] for option 1, and for option 2. For security of the BGP protocol and RFC 5575 checks ([RFC5575],
[I-D.hr-idr-rfc5575bis]) for BGP Flow specification version 1 and BGP
Flow specification version 2 ([I-D.hares-idr-flowspec-v2]). For
Option 1, the MPLS Match can be one of the match filtes, and and the Option 1, the MPLS Match can be one of the match filtes, and and the
final match is an "AND" of all the filters. Match filters are tested final match is an "AND" of all the filters. Match filters are tested
in the order specified in [I-D.hares-idr-flowspec-combo] and/or an in the order specified in [I-D.hares-idr-flowspec-v2] and/or an
RFC5575bis document. RFC5575bis document.
The traffic rate action described above is described in [RFC5575].
[I-D.hares-idr-flowspec-combo] suggests a default order for filters
and for the BGP-FS action proposed after [RFC5575], and this document
discusses how conflicts between action are handled.
5. IANA Considerations 5. IANA Considerations
This section complies with [RFC7153] This section complies with [RFC7153]
IANA is requested to a new entry in "Flow Spec component types IANA is requested to a new entry in "Flow Spec component types
registry" with the following values: registry" with the following values:
Value Name: Value Reference Value Name: Value Reference
=========== ===== ========= =========== ===== =========
MPLS-Match1 TBD1 [This Document] MPLS-Match1 TBD1 [This Document]
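Review bot: The new Security Considerations text keeps "For Option 1, the MPLS Match can be one of the match filtes, and and the final match is an "AND" of all the filters", but this revision removes the Option 1 / Option 2 definitions from the Introduction, so "Option 1" no longer refers to anything. Name the flow specification version that is meant, and fix "filtes" and the doubled "and". The section also defers entirely to "the security of the BGP protocol and RFC 5575 checks" without saying how those checks apply to the deployment example's rule, whose match is destination 0/0 plus an MPLS label. A sentence on how a receiver validates a rule that matches on a label would help. In IANA Considerations, "IANA is requested to a new entry" is missing a verb.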
skipping to change at page 7, line 7 skipping to change at page 6, line 45
and D. McPherson, "Dissemination of Flow Specification and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<http://www.rfc-editor.org/info/rfc5575>. <http://www.rfc-editor.org/info/rfc5575>.
[RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP [RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP
Extended Communities", RFC 7153, DOI 10.17487/RFC7153, Extended Communities", RFC 7153, DOI 10.17487/RFC7153,
March 2014, <http://www.rfc-editor.org/info/rfc7153>. March 2014, <http://www.rfc-editor.org/info/rfc7153>.
6.2. Informative References 6.2. Informative References
[I-D.hares-idr-flowspec-combo] [I-D.hares-idr-flowspec-v2]
Hares, S., "An Information Model for Basic Network Policy Hares, S., "BGP Flow Specification Version 2", draft-
and Filter Rules", draft-hares-idr-flowspec-combo-01 (work hares-idr-flowspec-v2-00 (work in progress), June 2016.
in progress), March 2016.
[I-D.hr-idr-rfc5575bis]
Hares, S., Raszuk, R., McPherson, D., Loibl, C., and M.
Bacher, "Dissemination of Flow Specification Rules",
draft-hr-idr-rfc5575bis-02 (work in progress), November
2016.
[I-D.ietf-idr-bgp-flowspec-label]
liangqiandeng, l., Hares, S., You, J., Raszuk, R., and d.
danma@cisco.com, "Carrying Label Information for BGP
FlowSpec", draft-ietf-idr-bgp-flowspec-label-00 (work in
progress), June 2016.
[I-D.ietf-idr-bgp-flowspec-oid] [I-D.ietf-idr-bgp-flowspec-oid]
Uttaro, J., Filsfils, C., Smith, D., Alcaide, J., and P. Uttaro, J., Filsfils, C., Smith, D., Alcaide, J., and P.
Mohapatra, "Revised Validation Procedure for BGP Flow Mohapatra, "Revised Validation Procedure for BGP Flow
Specifications", draft-ietf-idr-bgp-flowspec-oid-03 (work Specifications", draft-ietf-idr-bgp-flowspec-oid-03 (work
in progress), March 2016. in progress), March 2016.
[I-D.ietf-idr-flow-spec-v6] [I-D.ietf-idr-flow-spec-v6]
McPherson, D., Raszuk, R., Pithawala, B., Andy, A., and S. McPherson, D., Raszuk, R., Pithawala, B.,
Hares, "Dissemination of Flow Specification Rules for akarch@cisco.com, a., and S. Hares, "Dissemination of Flow
IPv6", draft-ietf-idr-flow-spec-v6-07 (work in progress), Specification Rules for IPv6", draft-ietf-idr-flow-spec-
March 2016. v6-07 (work in progress), March 2016.
[I-D.ietf-idr-flowspec-l2vpn] [I-D.ietf-idr-flowspec-l2vpn]
Weiguo, H., Litkowski, S., and S. Zhuang, "Dissemination Weiguo, H., liangqiandeng, l., Litkowski, S., and S.
of Flow Specification Rules for L2 VPN", draft-ietf-idr- Zhuang, "Dissemination of Flow Specification Rules for L2
flowspec-l2vpn-04 (work in progress), May 2016. VPN", draft-ietf-idr-flowspec-l2vpn-04 (work in progress),
May 2016.
[I-D.liang-idr-bgp-flowspec-label]
Hares, S., You, J., Raszuk, R., and d. danma@cisco.com,
"Carrying Label Information for BGP FlowSpec", draft-
liang-idr-bgp-flowspec-label-02 (work in progress), March
2016.
Authors' Addresses Authors' Addresses
Lucy Yong Lucy Yong
Huawei Huawei
Email: lucy.yong@huawei.com Email: lucy.yong@huawei.com
Susan Hares Susan Hares
Huawei Huawei
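Review bot: Several of the changed entries in 6.2 have author fields that are not names: [I-D.ietf-idr-bgp-flowspec-label] lists "liangqiandeng, l." and "d. danma@cisco.com", [I-D.ietf-idr-flow-spec-v6] changes "Andy, A." to "akarch@cisco.com, a.", and [I-D.ietf-idr-flowspec-l2vpn] gains "liangqiandeng, l.". These read like unformatted tooling output and should be replaced with the authors' names in the usual "Surname, Initial." form before the next revision.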
 End of changes. 17 change blocks. 
46 lines changed or deleted 47 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/