draft-ietf-idr-flowspec-path-redirect-02.txt   draft-ietf-idr-flowspec-path-redirect-03.txt 
IDR Working Group G. Van de Velde, Ed. IDR Working Group G. Van de Velde, Ed.
Internet-Draft Nokia Internet-Draft Nokia
Intended status: Standards Track K. Patel Intended status: Standards Track K. Patel
Expires: March 3, 2018 Arrcus Expires: June 23, 2018 Arrcus
Z. Li Z. Li
Huawei Technologies Huawei Technologies
August 30, 2017 December 20, 2017
Flowspec Indirection-id Redirect Flowspec Indirection-id Redirect
draft-ietf-idr-flowspec-path-redirect-02 draft-ietf-idr-flowspec-path-redirect-03
Abstract Abstract
This document defines a new extended community known as flowspec This document defines a new extended community known as flowspec
redirect-to-indirection-id. This extended community triggers redirect-to-indirection-id. This extended community triggers
advanced redirection capabilities to flowspec clients. When advanced redirection capabilities to flowspec clients. When
activated, this flowspec extended community is used by a flowspec activated, this flowspec extended community is used by a flowspec
client to find the correct next-hop information within a localised client to find the corresponding next-hop information within a
indirection-id mapping table. indirection-id mapping table.
The functionality detailed in this document allows a network The functionality detailed in this document allows a network
controller to decouple the BGP flowspec redirection instruction from controller to decouple the BGP flowspec redirection instruction from
the actual redirection path selected. the selected redirection path itself.
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. document are to be interpreted as described in RFC 2119 [1].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 3, 2018. This Internet-Draft will expire on June 23, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. indirection-id and indirection-id table . . . . . . . . . . . 3 2. indirection-id and indirection-id table . . . . . . . . . . . 3
3. Use Case Scenarios . . . . . . . . . . . . . . . . . . . . . 4 3. Use Case Scenarios . . . . . . . . . . . . . . . . . . . . . 3
3.1. Redirection shortest Path tunnel . . . . . . . . . . . . 4 3.1. Redirection shortest Path tunnel . . . . . . . . . . . . 3
3.2. Redirection to path-engineered tunnels . . . . . . . . . 5 3.2. Redirection to path-engineered tunnels . . . . . . . . . 4
3.3. Redirection to complex dynamically constructed tunnels . 6 3.3. Redirection to complex dynamically constructed tunnels . 5
4. Redirect to indirection-id Community . . . . . . . . . . . . 7 4. redirect-to-indirection-id Community . . . . . . . . . . . . 6
5. Redirect using localised indirection-id mapping table . . . . 8 5. Redirect using localised indirection-id mapping table . . . . 8
6. Validation Procedures . . . . . . . . . . . . . . . . . . . . 9 6. Validation Procedures . . . . . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
9. Contributor Addresses . . . . . . . . . . . . . . . . . . . . 9 9. Contributor Addresses . . . . . . . . . . . . . . . . . . . . 9
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
11.1. Normative References . . . . . . . . . . . . . . . . . . 11 11.1. Normative References . . . . . . . . . . . . . . . . . . 11
11.2. Informative References . . . . . . . . . . . . . . . . . 11 11.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
Flowspec is an extension to BGP that allows for the dissemination of Flowspec is an extension to BGP that allows for the dissemination of
traffic flow specification rules. This has many possible traffic flow specification rules. This has many possible
applications but the primary one for many network operators is the applications but the primary one for many network operators is the
distribution of traffic filtering actions for DDoS mitigation. The distribution of traffic filtering actions for DDoS mitigation. The
flow-spec standard RFC5575 [2] defines a redirect-to-VRF action for flow-spec standard RFC5575 [2] defines a redirect-to-VRF action for
policy-based forwarding but this mechanism is not always sufficient, policy-based forwarding, but this mechanism is not always sufficient,
particularly if the redirected traffic needs to be steered onto an particularly if the redirected traffic needs to be steered onto an
explicite path. explicite path.
Every flowspec policy route is effectively a rule, consisting of a Every flowspec policy route is effectively a rule, consisting of two
matching part (encoded in the NLRI field) and an action part (encoded parts. The first part, encoded in the NLRI field, provides
in one or more BGP extended communities). The flow-spec standard information about the traffic matching the policy rule. the second
RFC5575 [2] defines widely-used filter actions such as discard and part, encoded in one or more BGP extended communities, provides
rate limit; it also defines a redirect-to-VRF action for policy-based policy instructions for traffic handling on the flowspec client. The
forwarding. Using the redirect-to-VRF action to steer traffic flowspec standard RFC5575 [2] defines widely-used filter actions such
towards an alternate destination is useful for DDoS mitigation but as discard and rate limit; it also defines a redirect-to-VRF action
using this technology can be cumbersome when there is need to steer for policy-based forwarding. Using the redirect-to-VRF action to
the traffic onto an explicitely defined traffic path. steer traffic towards an alternate destination is useful for DDoS
mitigation, however using this methodology can be cumbersome when
This draft proposes a new redirect-to-indirection-id flowspec action there is need to steer the traffic onto an explicitely defined
making use of a 32-bit indirection-id within a new extended traffic path.
community. Each indirection-id serves as anchor point, for policy-
based forwarding onto an explicite path on a flowspec client.
A flowspec based indirection service plane can be create when a This draft specifies a redirect-to-indirection-id flowspec action
single 32-bit flowspec indirection-id maps towards a pool of making use of a 32-bit indirection-id using a new extended community.
explicite paths. Each indirection-id serves as anchor point, for policy-based
forwarding onto an explicite path by a flowspec client.
2. indirection-id and indirection-id table 2. indirection-id and indirection-id table
The indirection-id is a 32-bit unsigned number, used as anchor point The indirection-id is a 32-bit unsigned number, used as anchor point
on a flowspec client. The indirection-id is on a flowspec client the on a flowspec client for policy-based forwarding onto an explicite
lookup key-value within a localised list of potential indirection path by a flowspec client.
paths. The indirection-id will allow the flowspec client to steer
traffic to a particular path or into an indirection service plane by
doing a recursive key-value lookup.
The indirection-id table is the table containing an ordered list of
indirection-id key-values, ordered by indirection-id type; where each
key-value maps towards a particular path or set of paths. The
indirection-id type MAY provide additional context about the
indirection-id 32-bit value. The flowspec client MUST use the
indirection-id as key-value within the indirection-id type
corresponding indirection-id table to locate the explicite path and
corresponding next-hop information.
The configuration of the indirection-id table on a flowspec client The indirection-id table is the table construct of indirection-id
MAY happen out-of-band from BGP flowspec and is a localised construct values, ordered by indirection-id type. Each entry in this table
on each router. For some use-case scenarios the indirection-id type contains policy-based forwarding instructions.
provides additional (maybe even fully sufficient) context towards a
flowspec client to deduct automatic, without explicite out-of-band
configuration, the indirection-id table. For example, when the
indirection-id refers to a segment routing node-id [6], then
indirection-id type can provide the flowspec client the awareness
that the indirection-id is a segment routing node-id. For this
example the indirection-id type allows the flowspec clients to do a
recursive lookup using traditional segment routing technology.
To summarise, each indirection-id key-value entry in the indirection- The configuration of the indirection-id table on a flowspec client is
table maps recursively to sufficient next-hop information (parameters localised on each router and MAY happen out-of-band from BGP
regarding encapsulation, egress-interface, QoS, etc...) to flowspec. For some use-case scenarios the indirection-id type
successfully indirect traffic according flowspec controller provides additional (maybe even fully sufficient) context for a
expectations. flowspec client for policy based forwarding, making a localized
indirection-id table obsolete. For example, when the indirection-id
refers to a MPLS segment routing node-id [6], then the indirection-id
provides sufficient information for a segment routing lookup on the
flowspec client.
3. Use Case Scenarios 3. Use Case Scenarios
This section describes use-case scenarios when deploying redirect-to- This section describes a few use-case scenarios when deploying
indirection-id. redirect-to-indirection-id.
3.1. Redirection shortest Path tunnel 3.1. Redirection shortest Path tunnel
Description: Description:
The first use-case describes an example where a single flowspec route The first use-case describes an example where a single flowspec route
is sent from a BGP flowspec controller to many BGP flowspec clients. is sent from a BGP flowspec controller to many BGP flowspec clients.
This BGP flowspec route carries the redirect-to-indirection-id to all This BGP flowspec route carries the redirect-to-indirection-id to all
flowspec clients to redirect matching dataflows onto a shortest-path flowspec clients to redirect matching dataflows onto a shortest-path
tunnel pointing towards a single remote destination. tunnel pointing towards a single remote destination.
For this first use-case scenario, each flowspec client receives In this first use-case scenario, each flowspec client receives
flowspec routes. The flowspec routes have the extended redirect-to- flowspec routes. The received flowspec routes have the extended
indirection-id community attached. Each redirect-to-indirection-id redirect-to-indirection-id community attached. Each redirect-to-
community embeds two relevant components: (1) 32-bit indirection-id indirection-id community embeds two relevant components: (1) 32-bit
key-value and (2) indirection-id type. The indirection-id type is indirection-id and (2) indirection-id type. These two components
used to identify the corresponding indirection-id table, and the provide the flowspec client with sufficient information for policy
actual 32-bit indirection-id key-value is used within the based forwarding to steer and encapsulate the data-packet accordingly
indirection-id table to locate the corresponding next-hop to a shortest path tunnel to a remote end-point.
information. The finite result of this operation is sufficient
tunnel encapsulation information to forward and encapsulate the data-
packet accordingly to a remote tunnel end-point.
Requirements: Requirements:
For redirect to shortest path tunnel it is required that the tunnel For redirect to shortest path tunnel it is required that the tunnel
MUST be up-and-running and allow packets to be unidirectional MUST be operational and allow packets to be steered over the shortest
exchanged between tunnel head- and tail-end. path between tunnel head- and tail-end.
Example: Indirection-ID community types to be used: Example: Indirection-ID community types to be used:
o 0 (localised ID): When the intent is to use a localised o 0 (localised ID): When the intent is to use a localised
Indirection-id table on the flowspec client. This requires out- Indirection-id table, configured through out-of-band procedures.
of-band configuration of the indirection-id table
o 1 (Node ID): When the intent is to use a Segment Routing based o 1 or 2 (Node ID's): This type can be used when the goal is to use
Indirection-id table on the flowspec client. This requires that MPLS based Segment Routing towards a remote destination. In this
Segment Routing is enabled on the flowspec client. use-case scenario the flowspec rule contains a SR (Segment
Routing) node SID to steer traffic towards.
3.2. Redirection to path-engineered tunnels 3.2. Redirection to path-engineered tunnels
Description: Description:
The second use-case describes an example where a single flowspec The second use-case describes an example where a single flowspec
route is sent from a BGP flowspec controller to many BGP flowspec route is sent from a BGP flowspec controller to many BGP flowspec
clients. This BGP flowspec route carries the redirect-to- clients. This BGP flowspec route carries policy information to steer
indirection-id extended community to all flowspec clients with traffic upon a path-engineered tunnel. It is assumed that the path
instructions to redirect matching dataflows onto a path engineered engineered tunnels are configured using out-of-band from BGP
tunnel. It is expected that each of the path engineered tunnels is flowspec.
instantiated by out-of-band configuration and can be uniquely
identified by the combination of (1) indirection-id 32-bit key-value
and (2) indirection-id type.
For this second use-case scenario, each flowspec client receives
flowspec routes. The flowspec routes have the extended redirect-to-
indirection-id community attached. Each redirect-to-indirection-id
community embeds two relevant components similar as explained in
previous use-case. However the finite result of this operation is
sufficient tunnel encapsulation information to forward and
encapsulate the data-packet accordingly to a remote tunnel end-point
using a path engineered tunnel construction.
Segment Routing Example: Segment Routing Example:
For this example the indirection-id type informs the flowspec client For this example the indirection-id type points towards a Segment
that the indirection-id 32-bit key-value references a Segment Routing Routing Binding SID. The Binding SID is a segment identifier value
Binding SID. The Binding SID is a segment identifier value (as per (as per segment routing definitions in [I-D.draft-ietf-spring-
segment routing definitions in [I-D.draft-ietf-spring-segment- segment-routing] [6]) used to associate an explicit path. The
routing] [6]) used to associate an explicit path. The Binding SID Binding SID and corresponding path engineered tunnel may for example
and corresponding path engineered tunnel can for example be setup by be setup by a controller using BGP as specified in [I-D.sreekantiah-
a controller using BGP as specified in [I-D.sreekantiah-idr-segment- idr-segment-routing-te] [5] or alternatly by using PCEP as detailed
routing-te] [5] or by using PCEP as detailed in draft-ietf-pce- in draft-ietf-pce-segment-routing [7]. To conclude, when a BGP
segment-routing [7]. To conclude, when a BGP speaker at some point speaker at some point in time receives a flow-spec route with an
in time receives a flow-spec route with an extended 'redirect-to- extended 'redirect-to-indirection-id' community, it installs a
indirection-id' community, it installs a traffic filtering rule that policy-based forwarding rule to redirect packets onto an explicit
matches particular packets and redirects them onto an explicit path path associated with the corresponding Binding SID. The encoding of
associated with the corresponding Binding SID. The encoding of the the Binding SID within the redirect-to-indirection-id extended
Binding SID within the redirect-to-indirection-id extended community community is specified in section 4.
is specified in section 4.
Requirements: Requirements:
For redirect to path engineered tunnels it is required that the For redirect to path engineered tunnels it is required that the
engineered tunnel MUST be active and allow packets to be tunnel MUST be operational and allow packets to be steered over the
unidirectional exchanged between tunnel head- and tail-end. engineered path between tunnel head- and tail-end.
Example: Indirection-ID community types to be used: Example: Indirection-ID community types to be used:
o 0 (localised ID): When the intent is to use a localised o 0 (localised ID): When the intent is to policy-based steer traffic
Indirection-id table on the flowspec client. This requires out- using Indirection. The engineered path is configured through out-
of-band configuration of the indirection-id table. of-band procedures and uses the 32-bit Indirection-id as local
anchor point on the local flowspec client.
o 6 (Binding Segment ID): When the intent is to use a Segment o 2 or 3 (Binding Segment ID's): This type can be used when the goal
Routing based Indirection-id table on the flowspec client. This is to use MPLS based Segment Routing towards an out-of-band
requires out-of-band configuration of the Binding Segment IDs. configured explicite path.
o 5 (Tunnel ID): When the intent is to policy-based steer traffic
using a global tunnel-id. The engineered path is configured
through out-of-band procedures and uses the 32-bit Indirection-id
as global anchor point on the local flowspec client.
3.3. Redirection to complex dynamically constructed tunnels 3.3. Redirection to complex dynamically constructed tunnels
Description: Description:
A third use-case describes the application and redirection towards A third use-case describes the application and redirection towards
complex dynamically constructed tunnels. For this use-case a BGP complex dynamically constructed tunnels. For this use-case a BGP
flowspec controller injects a flowspec route with two 'redirect-to- flowspec controller injects a single flowspec route with two unique
indirection-id' communities attached, each tagged with a different 'redirect-to-indirection-id' communities attached, each community
Table-ID (TID). A flowspec client may use the Table-ID (TID) to tagged with a different Sequence-ID (S-ID). A flowspec client may
sequence the flowspec redirect information. A common use-case use the Sequence-ID (S-ID) to sequence the flowspec redirect
scenario would for example be the dynamic construction of Segment information. A common use-case scenario would for example be the
Routing Central Egress Path Engineered tunnel [4] or next-next-hop dynamic construction of Segment Routing Central Egress Path
tunnels. Engineered tunnel [4] or next-next-hop tunnels.
Segment Routing Example: Segment Routing Example:
i.e. a classic Segment Routing example using complex tunnels is found i.e. a classic Segment Routing example using complex tunnels is found
in DDoS mitigation and traffic offload. Suspicious traffic (e.g. in DDoS mitigation and traffic offload. Suspicious traffic (e.g.
dirty traffic flows) may be steered into a Segment Routing Central
Egress Path Engineered tunnel [4]. For this complex dynamic redirect
tunnel construction, a first redirect-to-indirection-id (i.e. TID=0)
is used to redirect traffic into a tunnel towards a particlar egress
router, while a second redirect-to-indirection-id (i.e. TID=1) is
used to steer traffic beyond the particular egress router towards a
pre-identified interface/peer.
For this DDoS use-case, in its simplest embodiment, the flowspec dirty traffic flows) may be policy-based routed into a purpose built
client must dynamically append 2 MPLS Segment Routing labels. A Segment Routing Central Egress Path Engineered tunnel [4]. For this
first MPLS Segment Routing label (the outer label) to steer the complex dynamic redirect tunnel construction, a first redirect-to-
packet to the egress node (and hence use a shortest path tunnel), indirection-id (i.e. S-ID=0) may be used to redirect traffic into a
while a second MPLS label (matching redirect-to-indirection-id with tunnel towards a particular egress router, while a second redirect-
TID=1), the inner label, to steer on the egress router the original to-indirection-id (i.e. S-ID=1) is used to steer traffic beyond the
packet to a pre-defined interface/peer. The basic data-plane particular egress router towards a pre-identified interface/peer.
principles are documented by [4]. From data-plane perspective, the principles documented by [4] are
valid for this use case scenario.
Requirements: Requirements:
To achieve redirection towards complex dynamically constructed To achieve redirection towards complex dynamically constructed
tunnels, for each flowspec route, multiple indirection-ids, each tunnels, various indirection-id communities are imposed upon the
using a unique Tunnel ID are pushed upon a given flowspec policy flowspec route and are sequenced using the Sequence ID (S-ID). For
rule. It is required that there is synchronisation established redirect to complex dynamic engineered tunnels it is required that
between the data-plane and control-plane of all relevant devices the tunnel MUST be operational and allow packets to be steered over
involved. Each complex dynamically constructed tunnel MUST be the engineered path between tunnel head- and tail-end.
operational and allow packets to be unidirectional exchanged between
tunnel head- and tail-end before it can be used to redirect traffic.
Example: Indirection-ID community types to be used: Example: Indirection-ID community types to be used:
o 0 (localised ID) with TID: When the intent is to use a localised o 0 (localised ID) with S-ID: When the intent is to construct a
Indirection-id table, then the TID (Table-ID) MUST be used to dynamic engineered tunnel, then a sequence of localised
sequence multiple redirect-to-indirection-id actions to construct indirection-ids may be used. The Sequence ID (S-ID) MUST be used
a more complex path engineered tunnel. The order of sequencing to sequence multiple redirect-to-indirection-id actions to
the redirection information MUST be identified by using the TID construct a more complex path engineered tunnel. The construction
field. of the localised indirection-id table is done out-of-band and is
outside scope of this document.
4. Redirect to indirection-id Community 4. redirect-to-indirection-id Community
This document defines a new BGP extended community known as a This document defines a new BGP extended community known as a
Redirect-to-indirection-id extended community. This extended Redirect-to-indirection-id extended community. This extended
community is a new transitive extended community with the Type and community is a new transitive extended community with the Type and
the Sub-Type field to be assigned by IANA. The format of this the Sub-Type field to be assigned by IANA. The format of this
extended community is show in Figure 1. extended community is show in Figure 1.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Sub-Type | Flags(1 octet)| Indirection ID| | Type | Sub-Type | Flags(1 octet)| Indirection ID|
skipping to change at page 8, line 8 skipping to change at page 7, line 16
Type: 1 octet to be assigned by IANA. Type: 1 octet to be assigned by IANA.
Sub-Type: 1 octet to be assigned by IANA. Sub-Type: 1 octet to be assigned by IANA.
Flags: 1 octet field. Following Flags are defined. Flags: 1 octet field. Following Flags are defined.
0 1 0 1
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
| RES | TID |C| | RES | S-ID |C|
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
Figure 2 Figure 2
The least-significant Flag bit is defined as the 'C' (or copy) bit. The least-significant Flag bit is defined as the 'C' (or copy) bit.
When the 'C' bit is set the redirection applies to copies of the When the 'C' bit is set the redirection applies to copies of the
matching packets and not to the original traffic stream. matching packets and not to the original traffic stream.
The 'TID' field identifies a 4 bit Table-id field. This field is The 'S-ID' field identifies a 4 bit Sequence ID field. This field is
used to provide the flowspec client an indication how and where to used to provide a flowspec client an indication how and where to
sequence the received indirection-ids to redirecting traffic. TID sequence the received indirection-ids. The Sequence ID value 0
value 0 indicates that Table-id field is NOT set and SHOULD be indicates that Sequence ID field is NOT set and SHOULD be ignored. A
ignored. On a flowspec client the indirection-id with lowest TID single flowspec rule MUST NOT have more as one indirection-id per
MUST be processed first for a flowspec route. S-ID. On a flowspec client the indirection-id with lowest S-ID MUST
be imposed first for any given flowspec entry.
All bits other than the 'C' and 'TID' bits MUST be set to 0 by the All bits other than the 'C' and 'S-ID' bits MUST be set to 0 by the
originating BGP speaker and ignored by receiving BGP speakers. originating BGP speaker and ignored by receiving BGP speakers.
Indirection ID: 1 octet value. This draft defines following Indirection ID: 1 octet value. This draft defines following
indirection_id Types: indirection-id Types:
0 - Localised ID (The flowspec client uses the received 0 - Localised ID (The flowspec client uses the received
indirection-id to lookup the redirection information in the indirection-id to lookup forwarding information within the
localised indirection-id table.) localised indirection-id table. The allocation and programming of
the localised indirection-id table is outside scope of the
document)
1 - Node ID (The flowspec client uses the received indirection-id 1 - Node ID with SID/index in MPLS-based Segment Routing (This
as a Segment Routing Node ID to redirect traffic towards) means indirection-id is mapped to an MPLS label using the index as
a global offset in the SID/label space)
2 - Node ID with SID/label in MPLS-based Segment Routing (This
means indirection-id is mapped to an MPLS label using the label as
global label)
6 - Binding Segment ID (The flowspec client uses the received 3 - Binding Segment ID with SID/index in MPLS-based Segment
indirection-id as a Segment Routing Binding Segment ID to redirect Routing (This means indirection-id is mapped to an MPLS binding
traffic towards) [I-D.draft-ietf-spring-segment-routing] [6] label using the index as a global offset in the SID/label space)
[I-D.draft-ietf-spring-segment-routing] [6]
4 - Binding Segment ID with SID/label in MPLS-based Segment
Routing (This means indirection-id is mapped to an MPLS binding
label using the index as a global offset in the SID/label space)
[I-D.draft-ietf-spring-segment-routing] [6]
5 - Tunnel ID (Tunnel ID is a global value in a network single
administrative domain identifying tunnel information. The
allocation of the Tunnel ID is out of the scope of the document.)
5. Redirect using localised indirection-id mapping table 5. Redirect using localised indirection-id mapping table
When a BGP flowspec client receives a flowspec policy route with a When a BGP flowspec client receives a flowspec policy route with a
redirect-to-indirection-id extended community attached and the route redirect-to-indirection-id extended community attached and the route
represents the best BGP path, it will install a flowspec traffic represents the best BGP path, it will install a flowspec policy-based
filtering rule matching the IP tupples described by the flowpsec NLRI forwarding rule matching the tupples described by the flowpsec NLRI
field and consequently redirects the flow (C=0) or copies the flow field and consequently redirects the flow (C=0) or copies the flow
(C=1) using the information identified by the 'redirect-to- (C=1) using the information identified by the 'redirect-to-
indirection-id' community. indirection-id' community.
6. Validation Procedures 6. Validation Procedures
The validation check described in RFC5575 [2] and revised in [3] The validation check described in RFC5575 [2] and revised in [3]
SHOULD be applied by default to received flow-spec routes with a SHOULD be applied by default by a flowspec client, for received
'redirect to indirection-id' extended community. This means that a flowspec policy routes containing a 'redirect-to-indirection-id'
flow-spec route with a destination prefix subcomponent SHOULD NOT be extended community. This means that a flow-spec route with a
accepted from an EBGP peer unless that peer also advertised the best destination prefix subcomponent SHOULD NOT be accepted from an EBGP
path for the matching unicast route. peer unless that peer also advertised the best path for the matching
unicast route.
While it MUST NOT happen, and is seen as invallid combination, it is While it MUST NOT happen, and is seen as invalid combination, it is
possible from a semenatics perspective to have multiple clashing possible from a semantics perspective to have multiple clashing
redirect actions defined within a single flowspec rule. For best and redirect actions defined within a single flowspec rule. For best and
consistant RFC5575 flowspec redirect behavior the redirect as consistant with legacy implementations, the redirect functionality as
documented by RFC5575 MUST not be broken, and hence when a clash documented by RFC5575 MUST NOT be broken, and hence when a clash
occurs, then RFC5575 based redirect SHOULD take priority. occurs, then RFC5575 based redirect MUST take priority.
Additionally, if the 'redirect to indirection-id' does not result in Additionally, if the 'redirect-to-indirection-id' does not result in
a valid redirection, then the flowspec rule must be processed as if a valid redirection, then the flowspec rule MUST be processed as if
the 'redirect to indirection-id' community was not attached to the the 'redirect-to-indirection-id' community was not attached to the
flowspec route and MUST provide an indication within the BGP routing flowspec route and MUST provide an indication within the BGP routing
table that the respective 'redirect to indirection-id' resulted in an table that the respective 'redirect-to-indirection-id' resulted in an
invalid redirection action. invalid redirection action.
7. Security Considerations 7. Security Considerations
A system using 'redirect-to-indirection-id' extended community can A system using 'redirect-to-indirection-id' extended community can
cause during the redirect mitigation of a DDoS attack result in cause during the redirect mitigation of a DDoS attack result in
overflow of traffic received by the mitigation infrastructure. overflow of traffic received by the mitigation infrastructure.
8. Acknowledgements 8. Acknowledgements
skipping to change at page 10, line 40 skipping to change at page 10, line 40
Nokia Nokia
Antwerp Antwerp
BE BE
Email: wim.henderickx@nokia.com Email: wim.henderickx@nokia.com
Figure 3 Figure 3
10. IANA Considerations 10. IANA Considerations
This document requests a new type and sub-type for the Redirect to This document requests a new type and sub-type for the redirect-to-
indirection-id Extended community from the "Transitive Extended indirection-id Extended community from the "Transitive Extended
community" registry. The Type name shall be "Redirect to community" registry. The Type name shall be "Redirect-to-
indirection-id Extended Community" and the Sub-type name shall be indirection-id Extended Community" and the Sub-type name shall be
'Flow-spec Redirect to 32-bit Path-id'. 'Flow-spec Redirect to 32-bit Path-id'.
In addition, this document requests IANA to create a new registry for In addition, this document requests IANA to create a new registry for
Redirect to indirection-id Extended Community INDIRECTION-IDs as redirect-to-indirection-id Extended Community INDIRECTION-IDs as
follows: follows:
Under "Transitive Extended Community:" Under "Transitive Extended Community:"
Registry: "Redirect Extended Community indirection_id" Registry: "Redirect Extended Community indirection_id"
Reference: [RFC-To-Be] Reference: [RFC-To-Be]
Registration Procedure(s): First Come, First Served Registration Procedure(s): First Come, First Served
Registry: "Redirect Extended Community indirection_id" Registry: "Redirect Extended Community indirection_id"
Value Code Reference Value Code Reference
0 Localised ID [RFC-To-Be] 0 Localised ID [RFC-To-Be]
1 Node ID [RFC-To-Be] 1 Node ID [RFC-To-Be]
6 Tunnel ID (Tunnel Binding ID ) [RFC-To-Be] 2 Binding ID [RFC-To-Be]
3 Tunnel ID [RFC-To-Be]
Figure 4 Figure 4
11. References 11. References
11.1. Normative References 11.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate [1] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997, Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://xml.resource.org/public/rfc/html/rfc2119.html>. <http://xml.resource.org/public/rfc/html/rfc2119.html>.
 End of changes. 48 change blocks. 
193 lines changed or deleted 178 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/