draft-ietf-idr-flowspec-path-redirect-03.txt   draft-ietf-idr-flowspec-path-redirect-04.txt 
IDR Working Group G. Van de Velde, Ed. IDR Working Group G. Van de Velde, Ed.
Internet-Draft Nokia Internet-Draft Nokia
Intended status: Standards Track K. Patel Intended status: Standards Track K. Patel
Expires: June 23, 2018 Arrcus Expires: November 16, 2018 Arrcus
Z. Li Z. Li
Huawei Technologies Huawei Technologies
December 20, 2017 May 15, 2018
Flowspec Indirection-id Redirect Flowspec Indirection-id Redirect
draft-ietf-idr-flowspec-path-redirect-03 draft-ietf-idr-flowspec-path-redirect-04
Abstract Abstract
This document defines a new extended community known as flowspec This document defines a new extended community known as "FlowSpec
redirect-to-indirection-id. This extended community triggers Redirect to indirection-id Extended Community". This extended
advanced redirection capabilities to flowspec clients. When community triggers advanced redirection capabilities to flowspec
activated, this flowspec extended community is used by a flowspec clients. When activated, this flowspec extended community is used by
client to find the corresponding next-hop information within a a flowspec client to retrieve the corresponding next-hop and encoding
indirection-id mapping table. information within a localised indirection-id mapping table.
The functionality detailed in this document allows a network The functionality detailed in this document allows a network
controller to decouple the BGP flowspec redirection instruction from controller to decouple the BGP flowspec redirection instruction from
the selected redirection path itself. the operation of the available paths.
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. document are to be interpreted as described in RFC 2119 [1].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 23, 2018. This Internet-Draft will expire on November 16, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. indirection-id and indirection-id table . . . . . . . . . . . 3 2. indirection-id and indirection-id table . . . . . . . . . . . 3
3. Use Case Scenarios . . . . . . . . . . . . . . . . . . . . . 3 3. Use Case Scenarios . . . . . . . . . . . . . . . . . . . . . 3
3.1. Redirection shortest Path tunnel . . . . . . . . . . . . 3 3.1. Redirection shortest Path tunnel . . . . . . . . . . . . 3
3.2. Redirection to path-engineered tunnels . . . . . . . . . 4 3.2. Redirection to path-engineered tunnels . . . . . . . . . 4
3.3. Redirection to complex dynamically constructed tunnels . 5 3.3. Redirection to complex dynamically constructed tunnels . 5
4. redirect-to-indirection-id Community . . . . . . . . . . . . 6 4. Redirect to indirection-id Community . . . . . . . . . . . . 6
5. Redirect using localised indirection-id mapping table . . . . 8 5. Redirect using localised indirection-id mapping table . . . . 8
6. Validation Procedures . . . . . . . . . . . . . . . . . . . . 8 6. Validation Procedures . . . . . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
9. Contributor Addresses . . . . . . . . . . . . . . . . . . . . 9 9. Contributor Addresses . . . . . . . . . . . . . . . . . . . . 9
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
11.1. Normative References . . . . . . . . . . . . . . . . . . 11 11.1. Normative References . . . . . . . . . . . . . . . . . . 11
11.2. Informative References . . . . . . . . . . . . . . . . . 11 11.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
Flowspec is an extension to BGP that allows for the dissemination of Flowspec is an extension to BGP that allows for the dissemination of
traffic flow specification rules. This has many possible traffic flow specification rules. This has many possible
applications but the primary one for many network operators is the applications but the primary one for many network operators is the
distribution of traffic filtering actions for DDoS mitigation. The distribution of traffic filtering actions for DDoS mitigation. The
flow-spec standard RFC5575 [2] defines a redirect-to-VRF action for flowspec standard RFC5575 [2] defines a redirect-to-VRF action for
policy-based forwarding, but this mechanism is not always sufficient, policy-based forwarding, but this mechanism is not always sufficient,
particularly if the redirected traffic needs to be steered onto an particularly if the redirected traffic needs to be steered onto an
explicite path. explicit path.
Every flowspec policy route is effectively a rule, consisting of two Every flowspec policy route is effectively a rule, consisting of two
parts. The first part, encoded in the NLRI field, provides parts. The first part, encoded in the NLRI field, provides
information about the traffic matching the policy rule. the second information about the traffic matching the policy rule. the second
part, encoded in one or more BGP extended communities, provides part, encoded in one or more BGP extended communities, provides
policy instructions for traffic handling on the flowspec client. The policy instructions for traffic handling on the flowspec client. The
flowspec standard RFC5575 [2] defines widely-used filter actions such flowspec standard RFC5575 [2] defines widely-used filter actions such
as discard and rate limit; it also defines a redirect-to-VRF action as discard and rate limit; it also defines a redirect-to-VRF action
for policy-based forwarding. Using the redirect-to-VRF action to for policy-based forwarding. Using the redirect-to-VRF action to
steer traffic towards an alternate destination is useful for DDoS steer traffic towards an alternate destination is useful for DDoS
mitigation, however using this methodology can be cumbersome when mitigation, however using this methodology can be cumbersome when
there is need to steer the traffic onto an explicitely defined there is need to steer the traffic onto an explicitely defined
traffic path. traffic path.
This draft specifies a redirect-to-indirection-id flowspec action This draft specifies a "Redirect to indirection-id" flowspec action
making use of a 32-bit indirection-id using a new extended community. making use of a 32-bit indirection-id using a new extended community.
Each indirection-id serves as anchor point, for policy-based Each indirection-id serves as anchor point, for policy-based
forwarding onto an explicite path by a flowspec client. forwarding onto an explicit path by a flowspec client.
2. indirection-id and indirection-id table 2. indirection-id and indirection-id table
The indirection-id is a 32-bit unsigned number, used as anchor point The indirection-id is a 32-bit unsigned number, used as anchor point
on a flowspec client for policy-based forwarding onto an explicite on a flowspec client for policy-based forwarding onto an explicit
path by a flowspec client. path by a flowspec client.
The indirection-id table is the table construct of indirection-id The indirection-id table is the table construct of indirection-id
values, ordered by indirection-id type. Each entry in this table values, grouped by indirection-id "Context Type". Each entry in this
contains policy-based forwarding instructions. table contains policy-based forwarding and encoding instructions.
The configuration of the indirection-id table on a flowspec client is The configuration of the indirection-id table on a flowspec client is
localised on each router and MAY happen out-of-band from BGP a localised operation on each router, and MAY happen out-of-band from
flowspec. For some use-case scenarios the indirection-id type BGP flowspec. For some use-case scenarios the indirection-id
provides additional (maybe even fully sufficient) context for a "Context Type" provides additional (maybe even fully sufficient)
flowspec client for policy based forwarding, making a localized context for a flowspec client for policy based forwarding, making a
indirection-id table obsolete. For example, when the indirection-id localised indirection-id table obsolete. For example, when the
refers to a MPLS segment routing node-id [6], then the indirection-id indirection-id refers to a MPLS segment routing node-id [6], then the
provides sufficient information for a segment routing lookup on the indirection-id provides sufficient information for a segment routing
flowspec client. lookup on the flowspec client.
3. Use Case Scenarios 3. Use Case Scenarios
This section describes a few use-case scenarios when deploying This section describes a few use-case scenarios when deploying
redirect-to-indirection-id. "Redirect to indirection-id".
3.1. Redirection shortest Path tunnel 3.1. Redirection shortest Path tunnel
Description: Description:
The first use-case describes an example where a single flowspec route The first use-case describes an example where a single flowspec route
is sent from a BGP flowspec controller to many BGP flowspec clients. is sent from a BGP flowspec controller to many BGP flowspec clients.
This BGP flowspec route carries the redirect-to-indirection-id to all This BGP flowspec route carries the "Redirect to indirection-id" to
flowspec clients to redirect matching dataflows onto a shortest-path all flowspec clients with intent to redirect matching dataflows onto
tunnel pointing towards a single remote destination. a shortest-path tunnel pointing towards a single remote destination.
In this first use-case scenario, each flowspec client receives In this first use-case scenario, each flowspec client receives
flowspec routes. The received flowspec routes have the extended flowspec routes. The received flowspec routes have the extended
redirect-to-indirection-id community attached. Each redirect-to- "Redirect to indirection-id" community attached. Each "Redirect to
indirection-id community embeds two relevant components: (1) 32-bit indirection-id" community embeds two relevant components: (1) 32-bit
indirection-id and (2) indirection-id type. These two components indirection-id and (2) context type. These two components provide
provide the flowspec client with sufficient information for policy the flowspec client with sufficient information for policy based
based forwarding to steer and encapsulate the data-packet accordingly forwarding, with intent to steer and encapsulate the data-packet
to a shortest path tunnel to a remote end-point. accordingly upon a shortest path tunnel to a single remote end-point.
Requirements: Requirements:
For redirect to shortest path tunnel it is required that the tunnel For redirect to shortest path tunnel it is required that the tunnel
MUST be operational and allow packets to be steered over the shortest MUST be operational and allow packets to flow between tunnel head-
path between tunnel head- and tail-end. and tail-end.
Example: Indirection-ID community types to be used: Example: Indirection-ID community "Context Type" which can be used:
o 0 (localised ID): When the intent is to use a localised o 0 (localised ID): When the intent is to use a localised
Indirection-id table, configured through out-of-band procedures. Indirection-id table, configured through out-of-band procedures.
o 1 or 2 (Node ID's): This type can be used when the goal is to use o 1 or 2 (Node ID's): This type can be used when the goal is to use
MPLS based Segment Routing towards a remote destination. In this MPLS based Segment Routing towards a remote destination. In this
use-case scenario the flowspec rule contains a SR (Segment use-case scenario the flowspec rule contains a SR (Segment
Routing) node SID to steer traffic towards. Routing) node SID to steer traffic towards.
3.2. Redirection to path-engineered tunnels 3.2. Redirection to path-engineered tunnels
skipping to change at page 4, line 45 skipping to change at page 4, line 45
The second use-case describes an example where a single flowspec The second use-case describes an example where a single flowspec
route is sent from a BGP flowspec controller to many BGP flowspec route is sent from a BGP flowspec controller to many BGP flowspec
clients. This BGP flowspec route carries policy information to steer clients. This BGP flowspec route carries policy information to steer
traffic upon a path-engineered tunnel. It is assumed that the path traffic upon a path-engineered tunnel. It is assumed that the path
engineered tunnels are configured using out-of-band from BGP engineered tunnels are configured using out-of-band from BGP
flowspec. flowspec.
Segment Routing Example: Segment Routing Example:
For this example the indirection-id type points towards a Segment For this example the indirection-id "Context Type" points towards a
Routing Binding SID. The Binding SID is a segment identifier value Segment Routing Binding SID. The Binding SID is a segment identifier
(as per segment routing definitions in [I-D.draft-ietf-spring- value (as per segment routing definitions in [I-D.draft-ietf-spring-
segment-routing] [6]) used to associate an explicit path. The segment-routing] [6]) used to associate an explicit path. The
Binding SID and corresponding path engineered tunnel may for example Binding SID and the associated path engineered tunnel may for example
be setup by a controller using BGP as specified in [I-D.sreekantiah- be setup by a controller using BGP as specified in [I-D.sreekantiah-
idr-segment-routing-te] [5] or alternatly by using PCEP as detailed idr-segment-routing-te] [5] or alternatly by using PCEP as detailed
in draft-ietf-pce-segment-routing [7]. To conclude, when a BGP in draft-ietf-pce-segment-routing [7]. To conclude, when a BGP
speaker at some point in time receives a flow-spec route with an speaker at some point in time receives a flowspec route with an
extended 'redirect-to-indirection-id' community, it installs a extended "Redirect to indirection-id' community, it installs a
policy-based forwarding rule to redirect packets onto an explicit policy-based forwarding rule to redirect packets onto an explicit
path associated with the corresponding Binding SID. The encoding of path, associated with the corresponding Binding SID. The encoding of
the Binding SID within the redirect-to-indirection-id extended the Binding SID within the "Redirect to indirection-id" extended
community is specified in section 4. community is specified in section 4.
Requirements: Requirements:
For redirect to path engineered tunnels it is required that the For redirect to path engineered tunnels it is required that the
tunnel MUST be operational and allow packets to be steered over the tunnel MUST be operational and allow packets to flow over the
engineered path between tunnel head- and tail-end. engineered path between tunnel head- and tail-end.
Example: Indirection-ID community types to be used: Example: Indirection-ID community "Context Type" to be used:
o 0 (localised ID): When the intent is to policy-based steer traffic o 0 (localised ID): When the intent is to policy-based steer traffic
using Indirection. The engineered path is configured through out- using Indirection. The engineered path is configured through out-
of-band procedures and uses the 32-bit Indirection-id as local of-band procedures and uses the 32-bit Indirection-id as local
anchor point on the local flowspec client. anchor point on the local flowspec client.
o 2 or 3 (Binding Segment ID's): This type can be used when the goal o 3 or 4 (Binding Segment ID's): This type can be used when the goal
is to use MPLS based Segment Routing towards an out-of-band is to use MPLS based Segment Routing towards an out-of-band
configured explicite path. configured explicit path.
o 5 (Tunnel ID): When the intent is to policy-based steer traffic o 5 (Tunnel ID): When the intent is to policy-based steer traffic
using a global tunnel-id. The engineered path is configured using a global tunnel-id. The engineered path is configured
through out-of-band procedures and uses the 32-bit Indirection-id through out-of-band procedures and uses the 32-bit Indirection-id
as global anchor point on the local flowspec client. as global anchor point on the local flowspec client.
3.3. Redirection to complex dynamically constructed tunnels 3.3. Redirection to complex dynamically constructed tunnels
Description: Description:
A third use-case describes the application and redirection towards A third use-case describes the application and redirection towards
complex dynamically constructed tunnels. For this use-case a BGP complex dynamically constructed tunnels. For this use-case a BGP
flowspec controller injects a single flowspec route with two unique flowspec controller injects a single flowspec route with two unique
'redirect-to-indirection-id' communities attached, each community "Redirect to indirection-id" communities attached, each community
tagged with a different Sequence-ID (S-ID). A flowspec client may tagged with a different Sequence-ID (S-ID). A flowspec client should
use the Sequence-ID (S-ID) to sequence the flowspec redirect use the Sequence-ID (S-ID) to sequence the received flowspec redirect
information. A common use-case scenario would for example be the information. A potential use-case scenario would for example be the
dynamic construction of Segment Routing Central Egress Path dynamic construction of Segment Routing Central Egress Path
Engineered tunnel [4] or next-next-hop tunnels. Engineered tunnel [4] or next-next-hop tunnels.
Segment Routing Example: Segment Routing Example:
i.e. a classic Segment Routing example using complex tunnels is found i.e. a classic Segment Routing example using complex tunnels is found
in DDoS mitigation and traffic offload. Suspicious traffic (e.g. in DDoS mitigation and traffic offload. Suspicious traffic (e.g.
dirty traffic flows) may be policy-based routed into a purpose built dirty traffic flows) may be policy-based routed into a purpose built
Segment Routing Central Egress Path Engineered tunnel [4]. For this Segment Routing Central Egress Path Engineered tunnel [4]. For this
complex dynamic redirect tunnel construction, a first redirect-to- complex dynamic redirect tunnel construct, a first "Redirect to
indirection-id (i.e. S-ID=0) may be used to redirect traffic into a indirection-id" (i.e. S-ID=0) may be used to redirect traffic into a
tunnel towards a particular egress router, while a second redirect- tunnel towards a particular egress router, while a second "Redirect
to-indirection-id (i.e. S-ID=1) is used to steer traffic beyond the to indirection-id" (i.e. S-ID=1) is used to steer traffic beyond the
particular egress router towards a pre-identified interface/peer. particular egress router towards a pre-identified interface/peer.
From data-plane perspective, the principles documented by [4] are From data-plane perspective, the principles documented by [4] are
valid for this use case scenario. valid for this use case scenario.
Requirements: Requirements:
To achieve redirection towards complex dynamically constructed To achieve redirection towards complex dynamically constructed
tunnels, various indirection-id communities are imposed upon the tunnels, multiple "Redirect to indirection-id" communities are
flowspec route and are sequenced using the Sequence ID (S-ID). For imposed upon the flowspec route. The "Redirect to indirection-id"
redirect to complex dynamic engineered tunnels it is required that communities should be sequenced using the Sequence ID (S-ID). For
the tunnel MUST be operational and allow packets to be steered over redirect to complex dynamic engineered tunnels the tunnel MUST be
the engineered path between tunnel head- and tail-end. operational and allow packets to flow over the engineered path
between tunnel head- and tail-end.
Example: Indirection-ID community types to be used: Example: Indirection-ID community "Context Type" to be used:
o 0 (localised ID) with S-ID: When the intent is to construct a o 0 (localised ID) with S-ID: When the intent is to construct a
dynamic engineered tunnel, then a sequence of localised dynamic engineered tunnel, then a sequence of localised
indirection-ids may be used. The Sequence ID (S-ID) MUST be used indirection-ids may be used. The Sequence ID (S-ID) MUST be used
to sequence multiple redirect-to-indirection-id actions to to sequence multiple "Redirect to indirection-id" actions to
construct a more complex path engineered tunnel. The construction construct a more complex engineered tunnel. The creation of the
of the localised indirection-id table is done out-of-band and is localised indirection-id table is operationalised out-of-band and
outside scope of this document. is outside scope of this document.
4. redirect-to-indirection-id Community 4. Redirect to indirection-id Community
This document defines a new BGP extended community known as a This document defines a new transitive BGP extended community known
Redirect-to-indirection-id extended community. This extended as "FlowSpec Redirect to indirection-id Extended Community" with the
community is a new transitive extended community with the Type and Type and the Sub-Type field to be assigned by IANA. The format of
the Sub-Type field to be assigned by IANA. The format of this this extended community is show in Figure 1.
extended community is show in Figure 1.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Sub-Type | Flags(1 octet)| Indirection ID| | Type | Sub-Type | Flags(1 octet)| Context Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Generalized indirection_id | | Generalized indirection_id |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1 Figure 1
The meaning of the extended community fields are as follows: The meaning of the extended community fields are as follows:
Type: 1 octet to be assigned by IANA. Type: 1 octet to be assigned by IANA.
skipping to change at page 7, line 36 skipping to change at page 7, line 36
used to provide a flowspec client an indication how and where to used to provide a flowspec client an indication how and where to
sequence the received indirection-ids. The Sequence ID value 0 sequence the received indirection-ids. The Sequence ID value 0
indicates that Sequence ID field is NOT set and SHOULD be ignored. A indicates that Sequence ID field is NOT set and SHOULD be ignored. A
single flowspec rule MUST NOT have more as one indirection-id per single flowspec rule MUST NOT have more as one indirection-id per
S-ID. On a flowspec client the indirection-id with lowest S-ID MUST S-ID. On a flowspec client the indirection-id with lowest S-ID MUST
be imposed first for any given flowspec entry. be imposed first for any given flowspec entry.
All bits other than the 'C' and 'S-ID' bits MUST be set to 0 by the All bits other than the 'C' and 'S-ID' bits MUST be set to 0 by the
originating BGP speaker and ignored by receiving BGP speakers. originating BGP speaker and ignored by receiving BGP speakers.
Indirection ID: 1 octet value. This draft defines following Context Type: 1 octet value. This draft defines following Context
indirection-id Types: Types:
0 - Localised ID (The flowspec client uses the received 0 - Localised ID (The flowspec client uses the received 32-bit
indirection-id to lookup forwarding information within the indirection-id to lookup forwarding information within the
localised indirection-id table. The allocation and programming of localised indirection-id table. The allocation and programming of
the localised indirection-id table is outside scope of the the localised indirection-id table is outside scope of the
document) document)
1 - Node ID with SID/index in MPLS-based Segment Routing (This 1 - Node ID with SID/index in MPLS-based Segment Routing (This
means indirection-id is mapped to an MPLS label using the index as means the 32-bit indirection-id is mapped to an MPLS label using
a global offset in the SID/label space) the index as a global offset in the SID/label space)
2 - Node ID with SID/label in MPLS-based Segment Routing (This 2 - Node ID with SID/label in MPLS-based Segment Routing (This
means indirection-id is mapped to an MPLS label using the label as means the 32-bit indirection-id is mapped to an MPLS label using
global label) the 32-bit indirection-id as global label)
3 - Binding Segment ID with SID/index in MPLS-based Segment 3 - Binding Segment ID with SID/index in MPLS-based Segment
Routing (This means indirection-id is mapped to an MPLS binding Routing (This means the 32-bit indirection-id is mapped to an MPLS
label using the index as a global offset in the SID/label space) binding label using the indirection-id as index for global offset
[I-D.draft-ietf-spring-segment-routing] [6] in the SID/label space) [I-D.draft-ietf-spring-segment-routing]
[6]
4 - Binding Segment ID with SID/label in MPLS-based Segment 4 - Binding Segment ID with SID/label in MPLS-based Segment
Routing (This means indirection-id is mapped to an MPLS binding Routing (This means 32-bit indirection-id is mapped to an MPLS
label using the index as a global offset in the SID/label space) binding label using the 32-bit indirection-id as global label) [I-
[I-D.draft-ietf-spring-segment-routing] [6] D.draft-ietf-spring-segment-routing] [6]
5 - Tunnel ID (Tunnel ID is a global value in a network single 5 - Tunnel ID (Tunnel ID is within a single administrative domain
administrative domain identifying tunnel information. The a 32-bit global tunnel identifier. The allocation and programming
allocation of the Tunnel ID is out of the scope of the document.) of the Tunnel ID within the localised indirection-id table is
outside scope of the document)
5. Redirect using localised indirection-id mapping table 5. Redirect using localised indirection-id mapping table
When a BGP flowspec client receives a flowspec policy route with a When a BGP flowspec client receives a flowspec policy route with a
redirect-to-indirection-id extended community attached and the route "Redirect to indirection-id" extended community attached, and the
represents the best BGP path, it will install a flowspec policy-based route represents the best BGP path, it will install a flowspec
forwarding rule matching the tupples described by the flowpsec NLRI policy-based forwarding rule matching the tupples described by the
field and consequently redirects the flow (C=0) or copies the flow flowpsec NLRI field and consequently redirects the flow (C=0) or
(C=1) using the information identified by the 'redirect-to- copies the flow (C=1) using the information identified by the
indirection-id' community. "Redirect to indirection-id" community.
6. Validation Procedures 6. Validation Procedures
The validation check described in RFC5575 [2] and revised in [3] The validation check described in RFC5575 [2] and revised in [3]
SHOULD be applied by default by a flowspec client, for received SHOULD be applied by default by a flowspec client, for received
flowspec policy routes containing a 'redirect-to-indirection-id' flowspec policy routes containing a "Redirect to indirection-id"
extended community. This means that a flow-spec route with a extended community. This results that a flowspec route with a
destination prefix subcomponent SHOULD NOT be accepted from an EBGP destination prefix subcomponent SHOULD NOT be accepted from an EBGP
peer unless that peer also advertised the best path for the matching peer unless that peer also advertised the best path for the matching
unicast route. unicast route.
While it MUST NOT happen, and is seen as invalid combination, it is While it MUST NOT happen, and is seen as invalid combination, it is
possible from a semantics perspective to have multiple clashing possible from a semantics perspective to have multiple clashing
redirect actions defined within a single flowspec rule. For best and redirect actions defined within a single flowspec rule. For best and
consistant with legacy implementations, the redirect functionality as consistant compatibility with legacy implementations, the redirect
documented by RFC5575 MUST NOT be broken, and hence when a clash functionality as documented by RFC5575 MUST NOT be broken, and hence
occurs, then RFC5575 based redirect MUST take priority. when a clash occurs, then RFC5575 based redirect MUST take priority.
Additionally, if the 'redirect-to-indirection-id' does not result in Additionally, if the "Redirect to indirection-id" does not result in
a valid redirection, then the flowspec rule MUST be processed as if a valid redirection, then the flowspec rule MUST be processed as if
the 'redirect-to-indirection-id' community was not attached to the the "Redirect to indirection-id" community was not attached to the
flowspec route and MUST provide an indication within the BGP routing flowspec route. In addition the flowspec client MUST provide an
table that the respective 'redirect-to-indirection-id' resulted in an indication within the BGP routing table that the respective
invalid redirection action. "'Redirect to indirection-id" resulted in an invalid redirection
action.
7. Security Considerations 7. Security Considerations
A system using 'redirect-to-indirection-id' extended community can A system using "Redirect to indirection-id" extended community can
cause during the redirect mitigation of a DDoS attack result in cause during the redirect mitigation of a DDoS attack overflow of
overflow of traffic received by the mitigation infrastructure. traffic received by the mitigation infrastructure.
8. Acknowledgements 8. Acknowledgements
This document received valuable comments and input from IDR working This document received valuable comments and input from IDR working
group including Adam Simpson, Mustapha Aissaoui, Jan Mertens, Robert group including Adam Simpson, Mustapha Aissaoui, Jan Mertens, Robert
Raszuk, Jeff Haas, Susan Hares and Lucy Yong. Raszuk, Jeff Haas, Susan Hares and Lucy Yong.
9. Contributor Addresses 9. Contributor Addresses
Below is a list of other contributing authors in alphabetical order: Below is a list of other contributing authors in alphabetical order:
skipping to change at page 10, line 40 skipping to change at page 10, line 40
Nokia Nokia
Antwerp Antwerp
BE BE
Email: wim.henderickx@nokia.com Email: wim.henderickx@nokia.com
Figure 3 Figure 3
10. IANA Considerations 10. IANA Considerations
This document requests a new type and sub-type for the redirect-to- This document requests a new Transitive Extended Community Type and a
indirection-id Extended community from the "Transitive Extended new registery sub-type. The new Transitive Extended Community Type
community" registry. The Type name shall be "Redirect-to- name shall be "FlowSpec Redirect to indirection-id Extended Community
indirection-id Extended Community" and the Sub-type name shall be (Sub-Types are defined in the "FlowSpec Redirect to indirection-id
'Flow-spec Redirect to 32-bit Path-id'. Extended Community Sub-Type" registery)". The name of the new Sub-
type registery shall be "FlowSpec Redirect to indirection-id Extended
In addition, this document requests IANA to create a new registry for Community Sub-Type"
redirect-to-indirection-id Extended Community INDIRECTION-IDs as
follows:
Under "Transitive Extended Community:" Under "Transitive Extended Community:"
Registry: "FlowSpec Redirect to indirection-id Extended Community
Registry: "Redirect Extended Community indirection_id" (Sub-Types are defined in the "FlowSpec Redirect to indirection-id
Extended Community Sub-Type" registery)"
Reference: [RFC-To-Be] Reference: [RFC-To-Be]
Registration Procedure(s): First Come, First Served Registration Procedure(s): First Come, First Served
Registry: "Redirect Extended Community indirection_id" New Sub-Type Registry: "FlowSpec Redirect to indirection-id Extended
Community Sub-Type"
Value Code Reference
0 Localised ID [RFC-To-Be] Value Code Reference
1 Node ID [RFC-To-Be] 0x00 Flowspec Redirect to 32-bit Path-id [RFC-To-Be]
2 Binding ID [RFC-To-Be]
3 Tunnel ID [RFC-To-Be]
Figure 4 Figure 4
11. References 11. References
11.1. Normative References 11.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate [1] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997, Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://xml.resource.org/public/rfc/html/rfc2119.html>. <http://xml.resource.org/public/rfc/html/rfc2119.html>.
 End of changes. 52 change blocks. 
131 lines changed or deleted 130 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/