draft-ietf-idr-flowspec-path-redirect-01.txt   draft-ietf-idr-flowspec-path-redirect-02.txt 
IDR Working Group G. Van de Velde, Ed. IDR Working Group G. Van de Velde, Ed.
Internet-Draft Nokia Internet-Draft Nokia
Intended status: Standards Track K. Patel Intended status: Standards Track K. Patel
Expires: September 3, 2017 Arrcus Expires: March 3, 2018 Arrcus
Z. Li Z. Li
Huawei Technologies Huawei Technologies
March 2, 2017 August 30, 2017
Flowspec Indirection-id Redirect Flowspec Indirection-id Redirect
draft-ietf-idr-flowspec-path-redirect-01 draft-ietf-idr-flowspec-path-redirect-02
Abstract Abstract
Flowspec is an extension to BGP that allows for the dissemination of This document defines a new extended community known as flowspec
traffic flow specification rules. This has many possible redirect-to-indirection-id. This extended community triggers
applications but the primary one for many network operators is the advanced redirection capabilities to flowspec clients. When
distribution of traffic filtering actions for DDoS mitigation. The activated, this flowspec extended community is used by a flowspec
flow-spec standard RFC5575 [2] defines a redirect-to-VRF action for client to find the correct next-hop information within a localised
policy-based forwarding but this mechanism is not always sufficient, indirection-id mapping table.
particularly if the redirected traffic needs to be steered into an
engineered path or into a service plane.
This document defines a new extended community known as redirect-to-
indirection-id (32-bit) flowspec action to provide advanced
redirection capabilities on flowspec clients. When activated, the
flowspec extended community is used by a flowspec client to find the
correct next-hop entry within a localised indirection-id mapping
table.
The functionality present in this draft allows a network controller The functionality detailed in this document allows a network
to decouple flowspec functionality from the creation and maintainance controller to decouple the BGP flowspec redirection instruction from
of the network's service plane itself including the setup of tunnels the actual redirection path selected.
and other service constructs that could be managed by other network
devices.
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. document are to be interpreted as described in RFC 2119 [1].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 2, line 15 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 3, 2017. This Internet-Draft will expire on March 3, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. indirection-id and indirection-id table . . . . . . . . . . . 3 2. indirection-id and indirection-id table . . . . . . . . . . . 3
3. Use Case Scenarios . . . . . . . . . . . . . . . . . . . . . 4 3. Use Case Scenarios . . . . . . . . . . . . . . . . . . . . . 4
3.1. Redirection shortest Path tunnel . . . . . . . . . . . . 4 3.1. Redirection shortest Path tunnel . . . . . . . . . . . . 4
3.2. Redirection to path-engineered tunnels . . . . . . . . . 5 3.2. Redirection to path-engineered tunnels . . . . . . . . . 5
3.3. Redirection to complex dynamically constructed tunnels . 6 3.3. Redirection to complex dynamically constructed tunnels . 6
4. Redirect to indirection-id Community . . . . . . . . . . . . 7 4. Redirect to indirection-id Community . . . . . . . . . . . . 7
5. Redirect using localised indirection-id mapping table . . . . 8 5. Redirect using localised indirection-id mapping table . . . . 8
6. Validation Procedures . . . . . . . . . . . . . . . . . . . . 9 6. Validation Procedures . . . . . . . . . . . . . . . . . . . . 9
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
9. Contributor Addresses . . . . . . . . . . . . . . . . . . . . 9 9. Contributor Addresses . . . . . . . . . . . . . . . . . . . . 9
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
11.1. Normative References . . . . . . . . . . . . . . . . . . 11 11.1. Normative References . . . . . . . . . . . . . . . . . . 11
11.2. Informative References . . . . . . . . . . . . . . . . . 12 11.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Additional indirection_id types waiting for use-case Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
description . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
Flowspec RFC5575 [2] is an extension to BGP that allows for the Flowspec is an extension to BGP that allows for the dissemination of
dissemination of traffic flow specification rules. This has many traffic flow specification rules. This has many possible
possible applications, however the primary one for many network applications but the primary one for many network operators is the
operators is the distribution of traffic filtering actions for DDoS distribution of traffic filtering actions for DDoS mitigation. The
mitigation. flow-spec standard RFC5575 [2] defines a redirect-to-VRF action for
policy-based forwarding but this mechanism is not always sufficient,
particularly if the redirected traffic needs to be steered onto an
explicite path.
Every flowspec policy route is effectively a rule, consisting of a Every flowspec policy route is effectively a rule, consisting of a
matching part (encoded in the NLRI field) and an action part (encoded matching part (encoded in the NLRI field) and an action part (encoded
in one or more BGP extended communities). The flow-spec standard in one or more BGP extended communities). The flow-spec standard
RFC5575 [2] defines widely-used filter actions such as discard and RFC5575 [2] defines widely-used filter actions such as discard and
rate limit; it also defines a redirect-to-VRF action for policy-based rate limit; it also defines a redirect-to-VRF action for policy-based
forwarding. Using the redirect-to-VRF action to steer traffic forwarding. Using the redirect-to-VRF action to steer traffic
towards an alternate destination is useful for DDoS mitigation but towards an alternate destination is useful for DDoS mitigation but
using this technology can be cumbersome when there is need to steer using this technology can be cumbersome when there is need to steer
the traffic onto an engineered traffic path. the traffic onto an explicitely defined traffic path.
This draft proposes a new redirect-to-indirection-id flowspec action This draft proposes a new redirect-to-indirection-id flowspec action
facilitating an anchor point for policy-based forwarding onto an making use of a 32-bit indirection-id within a new extended
engineered path or into a service plane. The flowspec client community. Each indirection-id serves as anchor point, for policy-
consuming and utilizing the new flowspec indirection-id extended- based forwarding onto an explicite path on a flowspec client.
community constructs the redirection information based upon
information found within a localised indirection-id mapping table.
The localised mapping table is a table construct, sequenced by a
table key, providing next-hop information.
The redirect-to-indirection-id flowspec action is encoded in a newly
defined BGP extended community. The type of redirection is
identified as an extended community indirection-id type field.
This draft defines the indirection-id extended-community and a few A flowspec based indirection service plane can be create when a
wellknown indirection-id types. The specific mechanics to construct single 32-bit flowspec indirection-id maps towards a pool of
a localised indirection-id mapping table are out-of-scope of this explicite paths.
document.
2. indirection-id and indirection-id table 2. indirection-id and indirection-id table
An indirection-id is an abstract number (32-bit value) used as The indirection-id is a 32-bit unsigned number, used as anchor point
identifier for a localised indirection decision. The indirection-id on a flowspec client. The indirection-id is on a flowspec client the
will allow a flowspec client to redirect traffic into a service plane lookup key-value within a localised list of potential indirection
or consequently onto an engineered traffic path. For example, when a paths. The indirection-id will allow the flowspec client to steer
BGP flowspec controller signals a flowspec client the indirection-id traffic to a particular path or into an indirection service plane by
extended community, then the flowspec client uses the indirection-id doing a recursive key-value lookup.
to make a recursive lookup to find the next-hop information. The
indirection-id is used to find the corresponding next-hop information
within the localised indirection mapping table.
The indirection-id table is localised on the router. The The indirection-id table is the table containing an ordered list of
indirection-id table is constructed out of table keys, each mapped to indirection-id key-values, ordered by indirection-id type; where each
localised redirection information. Each table key is composed by the key-value maps towards a particular path or set of paths. The
combining indirection-id type and an indirection-id 32-bit value. indirection-id type MAY provide additional context about the
Each entry in the indirection-table key maps to sufficient indirection-id 32-bit value. The flowspec client MUST use the
information (parameters regarding encapsulation, egress-interface, indirection-id as key-value within the indirection-id type
QoS, etc...) to successfully redirect traffic according flowspec corresponding indirection-id table to locate the explicite path and
controller expectations. corresponding next-hop information.
The configuration of the indirection-id table on a flowspec client
MAY happen out-of-band from BGP flowspec and is a localised construct
on each router. For some use-case scenarios the indirection-id type
provides additional (maybe even fully sufficient) context towards a
flowspec client to deduct automatic, without explicite out-of-band
configuration, the indirection-id table. For example, when the
indirection-id refers to a segment routing node-id [6], then
indirection-id type can provide the flowspec client the awareness
that the indirection-id is a segment routing node-id. For this
example the indirection-id type allows the flowspec clients to do a
recursive lookup using traditional segment routing technology.
To summarise, each indirection-id key-value entry in the indirection-
table maps recursively to sufficient next-hop information (parameters
regarding encapsulation, egress-interface, QoS, etc...) to
successfully indirect traffic according flowspec controller
expectations.
3. Use Case Scenarios 3. Use Case Scenarios
This section describes use-case scenarios when deploying redirect-to- This section describes use-case scenarios when deploying redirect-to-
indirection-id. indirection-id.
3.1. Redirection shortest Path tunnel 3.1. Redirection shortest Path tunnel
Example: Indirection-ID community types to be used:
o 0 (localised ID): When the intent is to use a localised
Indirection-id table on the flowspec client
o 1 (Node ID): When the intent is to use a Segment Routing based
Indirection-id table on the flowspec client
Description: Description:
The first use-case describes an example where a single flowspec route The first use-case describes an example where a single flowspec route
(i.e. flowspec_route#1) is sent by a flowspec controller to many BGP is sent from a BGP flowspec controller to many BGP flowspec clients.
flowspec clients. This single flowspec route will instruct all This BGP flowspec route carries the redirect-to-indirection-id to all
Flowspec clients to redirect matching dataflows onto a shortest-path flowspec clients to redirect matching dataflows onto a shortest-path
tunnel pointing towards a single IP destination address. tunnel pointing towards a single remote destination.
For this first use-case scenario, each flowspec client receives a For this first use-case scenario, each flowspec client receives
flowspec route (flowspec_route#1) which has the redirect-to- flowspec routes. The flowspec routes have the extended redirect-to-
indirection-id extended community attached. The extended redirect- indirection-id community attached. Each redirect-to-indirection-id
to-indirection-id community contains the table key consisting out of community embeds two relevant components: (1) 32-bit indirection-id
the indirection-id type and indirection-id 32-bit value. The table key-value and (2) indirection-id type. The indirection-id type is
key is used on the flowspec client to map to the corresponding next- used to identify the corresponding indirection-id table, and the
hop information within the local indirection-id table. The finite actual 32-bit indirection-id key-value is used within the
result of this operation is a remote tunnel end-point IP address indirection-id table to locate the corresponding next-hop
together with accordingly sufficient tunnel encapsulation information information. The finite result of this operation is sufficient
to forward and encapsulate the data-packet accordingly. tunnel encapsulation information to forward and encapsulate the data-
packet accordingly to a remote tunnel end-point.
Requirements: Requirements:
For redirect to shortest path tunnel it is required that the tunnel For redirect to shortest path tunnel it is required that the tunnel
MUST be operational and allow packets to be exchanged between tunnel MUST be up-and-running and allow packets to be unidirectional
head- and tail-end. exchanged between tunnel head- and tail-end.
3.2. Redirection to path-engineered tunnels
Example: Indirection-ID community types to be used: Example: Indirection-ID community types to be used:
o 0 (localised ID): When the intent is to use a localised o 0 (localised ID): When the intent is to use a localised
Indirection-id table on the flowspec client Indirection-id table on the flowspec client. This requires out-
of-band configuration of the indirection-id table
o 6 (Binding Segment ID): When the intent is to use a Segment o 1 (Node ID): When the intent is to use a Segment Routing based
Routing based Indirection-id table on the flowspec client Indirection-id table on the flowspec client. This requires that
Segment Routing is enabled on the flowspec client.
3.2. Redirection to path-engineered tunnels
Description: Description:
The second use-case describes an example where a flowspec controler The second use-case describes an example where a single flowspec
injects a single flowspec route which gets distributed to many BGP route is sent from a BGP flowspec controller to many BGP flowspec
flowspec clients. This single flowspec route intends to instruct all clients. This BGP flowspec route carries the redirect-to-
Flowspec clients to redirect corresponding dataflows onto a path indirection-id extended community to all flowspec clients with
engineered tunnel. It is expected that each of the path engineered instructions to redirect matching dataflows onto a path engineered
tunnels is instantiated by out-of-band mechanisms. Each used path tunnel. It is expected that each of the path engineered tunnels is
engineered tunnel has a unque table key identifier. consequently, the instantiated by out-of-band configuration and can be uniquely
table key uniquely identifies exactly -one- path engineered tunnel. identified by the combination of (1) indirection-id 32-bit key-value
and (2) indirection-id type.
In this use-case example, the flowspec controller sends a flowspec For this second use-case scenario, each flowspec client receives
route to each of the flowspec clients and this flowspec route has a flowspec routes. The flowspec routes have the extended redirect-to-
redirect-to-indirection-id extended community attached. The indirection-id community attached. Each redirect-to-indirection-id
redirect-to-indirection-id extended community embeds table key community embeds two relevant components similar as explained in
information and hence provides sufficient information to select the previous use-case. However the finite result of this operation is
corresponding path-engineered tunnel to redirect the packet according sufficient tunnel encapsulation information to forward and
the flowspec controller expectations. encapsulate the data-packet accordingly to a remote tunnel end-point
using a path engineered tunnel construction.
Segment Routing Example: Segment Routing Example:
A concrete embodiment of a Segment Routing use-case example is found For this example the indirection-id type informs the flowspec client
in networks where path engineered tunnels are created by a Segment that the indirection-id 32-bit key-value references a Segment Routing
Routing MPLS label stack. In such a deployment, the indirection-id Binding SID. The Binding SID is a segment identifier value (as per
provides an anchorpoint reference to a Segment Routing Binding SID. segment routing definitions in [I-D.draft-ietf-spring-segment-
However, the indirection-id type provides a pointer to the Binding routing] [6]) used to associate an explicit path. The Binding SID
SID semantics to be used. The Binding SID is a segment identifier and corresponding path engineered tunnel can for example be setup by
value (as per segment routing definitions in [I-D.draft-ietf-spring- a controller using BGP as specified in [I-D.sreekantiah-idr-segment-
segment-routing] [6]) used to associate an explicit path. The routing-te] [5] or by using PCEP as detailed in draft-ietf-pce-
Binding SID and corresponding path engineered tunnel can for example segment-routing [7]. To conclude, when a BGP speaker at some point
be setup by a controller using BGP as specified in [I-D.sreekantiah- in time receives a flow-spec route with an extended 'redirect-to-
idr-segment-routing-te] [5] or by using PCEP as detailed in draft- indirection-id' community, it installs a traffic filtering rule that
ietf-pce-segment-routing [7]. To conclude, when a BGP speaker at matches particular packets and redirects them onto an explicit path
some point in time receives a flow-spec route with an extended associated with the corresponding Binding SID. The encoding of the
'redirect-to-indirection-id' community, it installs a traffic Binding SID within the redirect-to-indirection-id extended community
filtering rule that matches particular packets and redirects them is specified in section 4.
onto an explicit path associated with the corresponding Binding SID.
The encoding of the Binding SID within the redirect-to-indirection-id
extended community is specified in section 4.
Requirements: Requirements:
For redirect to path engineered tunnels it is required that the For redirect to path engineered tunnels it is required that the
engineered tunnel MUST be active and allow packets to be exchanged engineered tunnel MUST be active and allow packets to be
between tunnel head- and tail-end. unidirectional exchanged between tunnel head- and tail-end.
3.3. Redirection to complex dynamically constructed tunnels
Example: Indirection-ID community types to be used: Example: Indirection-ID community types to be used:
o 0 (localised ID) with TID: When the intent is to use a localised o 0 (localised ID): When the intent is to use a localised
Indirection-id table, then TID (Table-ID) field could be used to Indirection-id table on the flowspec client. This requires out-
sequence multiple redirect-to-indirection-id actions together to of-band configuration of the indirection-id table.
construct a more complex path engineered tunnel. The order of
sequencing the redirection information may be identified by using o 6 (Binding Segment ID): When the intent is to use a Segment
the TID field. Routing based Indirection-id table on the flowspec client. This
requires out-of-band configuration of the Binding Segment IDs.
3.3. Redirection to complex dynamically constructed tunnels
Description: Description:
A third use-case describes the application and redirection towards A third use-case describes the application and redirection towards
complex dynamically constructed tunnels. For this use-case a BGP complex dynamically constructed tunnels. For this use-case a BGP
flowspec controller injects a flowspec route with multiple 'redirect- flowspec controller injects a flowspec route with two 'redirect-to-
to-indirection-id' communities attached. A recipient flowspec client indirection-id' communities attached, each tagged with a different
may use the Table-ID (TID) field embedded within each 'redirect-to- Table-ID (TID). A flowspec client may use the Table-ID (TID) to
indirection-id' community to sequence the redirect information. The sequence the flowspec redirect information. A common use-case
complex dynamically constructed tunnel is the product of scenario would for example be the dynamic construction of Segment
concatenating the available redirect information (i.e. MPLS Segment Routing Central Egress Path Engineered tunnel [4] or next-next-hop
Routing Labels). tunnels.
Segment Routing Example: Segment Routing Example:
i.e. a classic Segment Routing example using complex tunnels is found i.e. a classic Segment Routing example using complex tunnels is found
in DDoS mitigation and traffic offload. Suspicious traffic (e.g. in DDoS mitigation and traffic offload. Suspicious traffic (e.g.
dirty traffic flows) may be steered into a Segment Routing Central dirty traffic flows) may be steered into a Segment Routing Central
Egress Path Engineered tunnel [4]. For this particular complex Egress Path Engineered tunnel [4]. For this complex dynamic redirect
dynamic redirect tunnel embodiment, a first redirect-to-indirection- tunnel construction, a first redirect-to-indirection-id (i.e. TID=0)
id (i.e. TID=0) is used to redirect traffic into a tunnel towards a is used to redirect traffic into a tunnel towards a particlar egress
particlar egress router, while a second redirect-to-indirection-id router, while a second redirect-to-indirection-id (i.e. TID=1) is
(i.e. TID=1) is used to steer traffic beyond the particular egress used to steer traffic beyond the particular egress router towards a
router towards a pre-identified interface/peer. pre-identified interface/peer.
For this DDoS use-case, in its simplest embodiment, the flowspec For this DDoS use-case, in its simplest embodiment, the flowspec
client must dynamically append 2 MPLS labels. A first MPLS label client must dynamically append 2 MPLS Segment Routing labels. A
(the outer label) to steer the original packet to the egress node first MPLS Segment Routing label (the outer label) to steer the
(and hence using a shortest path tunnel), while a second MPLS label packet to the egress node (and hence use a shortest path tunnel),
(matching redirect-to-indirection-id with TID=1), the inner label, to while a second MPLS label (matching redirect-to-indirection-id with
steer on the egress router the original packet to a pre-defined TID=1), the inner label, to steer on the egress router the original
interface/peer. The basic data-plane principles are documented by packet to a pre-defined interface/peer. The basic data-plane
[4]. principles are documented by [4].
Requirements: Requirements:
To achieve redirection towards complex dynamically constructed To achieve redirection towards complex dynamically constructed
tunnels, for each flowspec route, multiple indirection-ids, each tunnels, for each flowspec route, multiple indirection-ids, each
using a unique Tunnel ID may imposed upon a given flowspec policy using a unique Tunnel ID are pushed upon a given flowspec policy
rule. It is required that there is synchronisation established rule. It is required that there is synchronisation established
between the data- and control-plane of all relevant devices involved. between the data-plane and control-plane of all relevant devices
Each complex dynamically constructed tunnel MUST be operational and involved. Each complex dynamically constructed tunnel MUST be
allow packets to be exchanged between tunnel head- and tail-end operational and allow packets to be unidirectional exchanged between
before it should be used to redirect traffic. tunnel head- and tail-end before it can be used to redirect traffic.
Example: Indirection-ID community types to be used:
o 0 (localised ID) with TID: When the intent is to use a localised
Indirection-id table, then the TID (Table-ID) MUST be used to
sequence multiple redirect-to-indirection-id actions to construct
a more complex path engineered tunnel. The order of sequencing
the redirection information MUST be identified by using the TID
field.
4. Redirect to indirection-id Community 4. Redirect to indirection-id Community
This document defines a new BGP extended community known as a This document defines a new BGP extended community known as a
Redirect-to-indirection-id extended community. This extended Redirect-to-indirection-id extended community. This extended
community is a new transitive extended community with the Type and community is a new transitive extended community with the Type and
the Sub-Type field to be assigned by IANA. The format of this the Sub-Type field to be assigned by IANA. The format of this
extended community is show in Figure 1. extended community is show in Figure 1.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 8, line 21 skipping to change at page 8, line 21
Figure 2 Figure 2
The least-significant Flag bit is defined as the 'C' (or copy) bit. The least-significant Flag bit is defined as the 'C' (or copy) bit.
When the 'C' bit is set the redirection applies to copies of the When the 'C' bit is set the redirection applies to copies of the
matching packets and not to the original traffic stream. matching packets and not to the original traffic stream.
The 'TID' field identifies a 4 bit Table-id field. This field is The 'TID' field identifies a 4 bit Table-id field. This field is
used to provide the flowspec client an indication how and where to used to provide the flowspec client an indication how and where to
sequence the received indirection-ids to redirecting traffic. TID sequence the received indirection-ids to redirecting traffic. TID
value 0 indicates that Table-id field is NOT set and SHOULD be value 0 indicates that Table-id field is NOT set and SHOULD be
ignored. ignored. On a flowspec client the indirection-id with lowest TID
MUST be processed first for a flowspec route.
All bits other than the 'C' and 'TID' bits MUST be set to 0 by the All bits other than the 'C' and 'TID' bits MUST be set to 0 by the
originating BGP speaker and ignored by receiving BGP speakers. originating BGP speaker and ignored by receiving BGP speakers.
Indirection ID: 1 octet value. This draft defines following Indirection ID: 1 octet value. This draft defines following
indirection_id Types: indirection_id Types:
0 - Localised ID (The flowspec client uses the received 0 - Localised ID (The flowspec client uses the received
indirection-id to lookup the redirection information in the indirection-id to lookup the redirection information in the
localised indirection-id table.) localised indirection-id table.)
skipping to change at page 8, line 43 skipping to change at page 8, line 44
1 - Node ID (The flowspec client uses the received indirection-id 1 - Node ID (The flowspec client uses the received indirection-id
as a Segment Routing Node ID to redirect traffic towards) as a Segment Routing Node ID to redirect traffic towards)
6 - Binding Segment ID (The flowspec client uses the received 6 - Binding Segment ID (The flowspec client uses the received
indirection-id as a Segment Routing Binding Segment ID to redirect indirection-id as a Segment Routing Binding Segment ID to redirect
traffic towards) [I-D.draft-ietf-spring-segment-routing] [6] traffic towards) [I-D.draft-ietf-spring-segment-routing] [6]
5. Redirect using localised indirection-id mapping table 5. Redirect using localised indirection-id mapping table
When a BGP flowspec client receives a flowspec policy route with a When a BGP flowspec client receives a flowspec policy route with a
'redirect to indirection-id' extended community attached and the redirect-to-indirection-id extended community attached and the route
route represents the best BGP path, it will install a flowspec represents the best BGP path, it will install a flowspec traffic
traffic filtering rule matching the IP tupples described by the filtering rule matching the IP tupples described by the flowpsec NLRI
flowpsec NLRI field and consequently redirects the flow (C=0) or field and consequently redirects the flow (C=0) or copies the flow
copies the flow (C=1) using the information identified by the (C=1) using the information identified by the 'redirect-to-
'redirect-to-indirection-id' community. indirection-id' community.
6. Validation Procedures 6. Validation Procedures
The validation check described in RFC5575 [2] and revised in [3] The validation check described in RFC5575 [2] and revised in [3]
SHOULD be applied by default to received flow-spec routes with a SHOULD be applied by default to received flow-spec routes with a
'redirect to indirection-id' extended community. This means that a 'redirect to indirection-id' extended community. This means that a
flow-spec route with a destination prefix subcomponent SHOULD NOT be flow-spec route with a destination prefix subcomponent SHOULD NOT be
accepted from an EBGP peer unless that peer also advertised the best accepted from an EBGP peer unless that peer also advertised the best
path for the matching unicast route. path for the matching unicast route.
skipping to change at page 11, line 19 skipping to change at page 11, line 19
Reference: [RFC-To-Be] Reference: [RFC-To-Be]
Registration Procedure(s): First Come, First Served Registration Procedure(s): First Come, First Served
Registry: "Redirect Extended Community indirection_id" Registry: "Redirect Extended Community indirection_id"
Value Code Reference Value Code Reference
0 Localised ID [RFC-To-Be] 0 Localised ID [RFC-To-Be]
1 Node ID [RFC-To-Be] 1 Node ID [RFC-To-Be]
2 Agency ID [RFC-To-Be]
3 AS (Autonomous System) ID [RFC-To-Be]
4 Anycast ID [RFC-To-Be]
5 Multicast ID [RFC-To-Be]
6 Tunnel ID (Tunnel Binding ID ) [RFC-To-Be] 6 Tunnel ID (Tunnel Binding ID ) [RFC-To-Be]
7 VPN ID [RFC-To-Be]
8 OAM ID [RFC-To-Be]
9 ECMP (Equal Cost Multi-Path) ID [RFC-To-Be]
10 QoS ID [RFC-To-Be]
11 Bandwidth-Guarantee ID [RFC-To-Be]
12 Security ID [RFC-To-Be]
13 Multi-Topology ID [RFC-To-Be]
Figure 4 Figure 4
11. References 11. References
11.1. Normative References 11.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate [1] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997, Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://xml.resource.org/public/rfc/html/rfc2119.html>. <http://xml.resource.org/public/rfc/html/rfc2119.html>.
[2] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., [2] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
and D. McPherson, "Dissemination of Flow Specification and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<http://www.rfc-editor.org/info/rfc5575>. <https://www.rfc-editor.org/info/rfc5575>.
11.2. Informative References 11.2. Informative References
[3] Uttaro, J., Filsfils, C., Alcaide, J., and P. Mohapatra, [3] Uttaro, J., Filsfils, C., Alcaide, J., and P. Mohapatra,
"Revised Validation Procedure for BGP Flow "Revised Validation Procedure for BGP Flow
Specifications", January 2014. Specifications", January 2014.
[4] Filsfils, C., Previdi, S., Aries, E., Ginsburg, D., and D. [4] Filsfils, C., Previdi, S., Aries, E., Ginsburg, D., and D.
Afanasiev, "Segment Routing Centralized Egress Peer Afanasiev, "Segment Routing Centralized Egress Peer
Engineering", October 2015. Engineering", October 2015.
skipping to change at page 12, line 29 skipping to change at page 12, line 15
[6] Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., [6] Filsfils, C., Previdi, S., Decraene, B., Litkowski, S.,
Shakir, R., Bashandy, A., Horneffer, M., Henderickx, W., Shakir, R., Bashandy, A., Horneffer, M., Henderickx, W.,
Tantsura, J., Crabbe, E., Milojevic, I., and S. Ytti, Tantsura, J., Crabbe, E., Milojevic, I., and S. Ytti,
"Segment Routing Architecture", December 2015. "Segment Routing Architecture", December 2015.
[7] Sivabalan, S., Medved, M., Filsfils, C., Litkowski, S., [7] Sivabalan, S., Medved, M., Filsfils, C., Litkowski, S.,
Raszuk, R., Bashandy, A., Lopez, V., Tantsura, J., Raszuk, R., Bashandy, A., Lopez, V., Tantsura, J.,
Henderickx, W., Hardwick, J., Milojevic, I., and S. Ytti, Henderickx, W., Hardwick, J., Milojevic, I., and S. Ytti,
"PCEP Extensions for Segment Routing", December 2015. "PCEP Extensions for Segment Routing", December 2015.
Appendix A. Additional indirection_id types waiting for use-case
description
This section is a placeholder and collection of potential additional
indirection_id types. The current use-cases do not require these
particular indirection types, however at later stage when use-cases
are identified they may be added to the body of teh draft.
2 - Agency ID (The flowspec client uses the received indirection-id
as a Segment Routing Agency ID to redirect traffic towards)
3 - AS (Autonomous System) ID (The flowspec client uses the received
indirection-id as a Segment Routing Autonomous System ID to redirect
traffic towards)
4 - Anycast ID (The flowspec client uses the received indirection-id
as a Segment Routing Anycast ID to redirect traffic towards)
5 - Multicast ID (The flowspec client uses the received indirection-
id as a Segment Routing Multicast ID to redirect traffic towards)
7 - VPN ID (The flowspec client uses the received indirection-id as a
Segment Routing VPN ID to redirect traffic towards)
8 - OAM ID (The flowspec client uses the received indirection-id as a
Segment Routing OAM ID to redirect traffic towards)
9 - ECMP (Equal Cost Multi-Path) ID (The flowspec client uses the
received indirection-id as a Segment Routing PeerSet ID to redirect
traffic towards)
10 - QoS ID (The flowspec client uses the received indirection-id as
a Segment Routing QoS ID to redirect traffic towards)
11 - Bandwidth-Guarantee ID (The flowspec client uses the received
indirection-id as a Segment Routing Bandwidth-Guarantee ID to
redirect traffic towards)
12 - Security ID (The flowspec client uses the received indirection-
id as a Segment Routing Security ID to redirect traffic towards)
13 - Multi-Topology ID (The flowspec client uses the received
indirection-id as a Segment Routing Multi-Topology ID to redirect
traffic towards)
Authors' Addresses Authors' Addresses
Gunter Van de Velde (editor) Gunter Van de Velde (editor)
Nokia Nokia
Antwerp Antwerp
BE BE
Email: gunter.van_de_velde@nokia.com Email: gunter.van_de_velde@nokia.com
Keyur Patel Keyur Patel
 End of changes. 36 change blocks. 
228 lines changed or deleted 173 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/