draft-ietf-idr-flowspec-path-redirect-08.txt   draft-ietf-idr-flowspec-path-redirect-09.txt 
IDR Working Group G. Van de Velde, Ed. IDR Working Group G. Van de Velde, Ed.
Internet-Draft Nokia Internet-Draft Nokia
Intended status: Standards Track K. Patel Intended status: Standards Track K. Patel
Expires: December 20, 2019 Arrcus Expires: February 20, 2020 Arrcus
Z. Li Z. Li
Huawei Technologies Huawei Technologies
June 18, 2019 August 19, 2019
Flowspec Indirection-id Redirect Flowspec Indirection-id Redirect
draft-ietf-idr-flowspec-path-redirect-08 draft-ietf-idr-flowspec-path-redirect-09
Abstract Abstract
This document defines a new extended community known as "FlowSpec This document defines a new extended community known as "FlowSpec
Redirect to indirection-id Extended Community". This extended Redirect to indirection-id Extended Community". This extended
community triggers advanced redirection capabilities to flowspec community triggers advanced redirection capabilities to flowspec
clients. When activated, this flowspec extended community is used by clients. When activated, this flowspec extended community is used by
a flowspec client to retrieve the corresponding next-hop and encoding a flowspec client to retrieve the corresponding next-hop and encoding
information within a localised indirection-id mapping table. information within a localised indirection-id mapping table.
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 20, 2019. This Internet-Draft will expire on February 20, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 46 skipping to change at page 2, line 46
11.1. Normative References . . . . . . . . . . . . . . . . . . 11 11.1. Normative References . . . . . . . . . . . . . . . . . . 11
11.2. Informative References . . . . . . . . . . . . . . . . . 11 11.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
Flowspec is an extension to BGP that allows for the dissemination of Flowspec is an extension to BGP that allows for the dissemination of
traffic flow specification rules. This has many possible traffic flow specification rules. This has many possible
applications but the primary one for many network operators is the applications but the primary one for many network operators is the
distribution of traffic filtering actions for DDoS mitigation. The distribution of traffic filtering actions for DDoS mitigation. The
flowspec standard RFC5575 [2] defines a redirect-to-VRF action for flowspec standard rfc5575bis [3] defines a redirect-to-VRF action for
policy-based forwarding, but this mechanism is not always sufficient, policy-based forwarding, but this mechanism is not always sufficient,
particularly if the redirected traffic needs to be steered onto an particularly if the redirected traffic needs to be steered onto an
explicit path. explicit path.
Every flowspec policy route is effectively a rule, consisting of two Every flowspec policy route is effectively a rule, consisting of two
parts. The first part, encoded in the NLRI field, provides parts. The first part, encoded in the NLRI field, provides
information about the traffic matching the policy rule. the second information about the traffic matching the policy rule. the second
part, encoded in one or more BGP extended communities, provides part, encoded in one or more BGP extended communities, provides
policy instructions for traffic handling on the flowspec client. The policy instructions for traffic handling on the flowspec client. The
flowspec standard RFC5575 [2] defines widely-used filter actions such flowspec standard rfc5575bis [3] defines widely-used filter actions
as discard and rate limit; it also defines a redirect-to-VRF action such as discard and rate limit; it also defines a redirect-to-VRF
for policy-based forwarding. Using the redirect-to-VRF action to action for policy-based forwarding. Using the redirect-to-VRF action
steer traffic towards an alternate destination is useful for DDoS to steer traffic towards an alternate destination is useful for DDoS
mitigation, however using this methodology can be cumbersome when mitigation, however using this methodology can be cumbersome when
there is need to steer the traffic onto an explicitely defined there is need to steer the traffic onto an explicitely defined
traffic path. traffic path.
This draft specifies a "Redirect to indirection-id" flowspec action This draft specifies a "Redirect to indirection-id" flowspec action
making use of a 32-bit indirection-id using a new extended community. making use of a 32-bit indirection-id using a new extended community.
Each indirection-id serves as anchor point, for policy-based Each indirection-id serves as anchor point, for policy-based
forwarding onto an explicit path by a flowspec client. forwarding onto an explicit path by a flowspec client.
2. indirection-id and indirection-id table 2. indirection-id and indirection-id table
skipping to change at page 8, line 38 skipping to change at page 8, line 38
When a BGP flowspec client receives a flowspec policy route with a When a BGP flowspec client receives a flowspec policy route with a
"Redirect to indirection-id" extended community attached, and the "Redirect to indirection-id" extended community attached, and the
route represents the best BGP path, it will install a flowspec route represents the best BGP path, it will install a flowspec
policy-based forwarding rule matching the tupples described by the policy-based forwarding rule matching the tupples described by the
flowpsec NLRI field and consequently redirects the flow (C=0) or flowpsec NLRI field and consequently redirects the flow (C=0) or
copies the flow (C=1) using the information identified by the copies the flow (C=1) using the information identified by the
"Redirect to indirection-id" community. "Redirect to indirection-id" community.
6. Validation Procedures 6. Validation Procedures
The validation check described in RFC5575 [2] and revised in [3] The validation check described in rfc5575bis [3] and revised in [2]
SHOULD be applied by default by a flowspec client, for received SHOULD be applied by default by a flowspec client, for received
flowspec policy routes containing a "Redirect to indirection-id" flowspec policy routes containing a "Redirect to indirection-id"
extended community. This results that a flowspec route with a extended community. This results that a flowspec route with a
destination prefix subcomponent SHOULD NOT be accepted from an EBGP destination prefix subcomponent SHOULD NOT be accepted from an EBGP
peer unless that peer also advertised the best path for the matching peer unless that peer also advertised the best path for the matching
unicast route. unicast route.
While it MUST NOT happen, and is seen as invalid combination, it is While it MUST NOT happen, and is seen as invalid combination, it is
possible from a semantics perspective to have multiple clashing possible from a semantics perspective to have multiple clashing
redirect actions defined within a single flowspec rule. For best and redirect actions defined within a single flowspec rule. For best and
consistant compatibility with legacy implementations, the redirect consistant compatibility with legacy implementations, the redirect
functionality as documented by RFC5575 MUST NOT be broken, and hence functionality as documented by rfc5575bis MUST NOT be broken, and
when a clash occurs, then RFC5575 based redirect MUST take priority. hence when a clash occurs, then rfc5575bis based redirect MUST take
priority. Additionally, if the "Redirect to indirection-id" does not
Additionally, if the "Redirect to indirection-id" does not result in result in a valid redirection, then the flowspec rule MUST be
a valid redirection, then the flowspec rule MUST be processed as if processed as if the "Redirect to indirection-id" community was not
the "Redirect to indirection-id" community was not attached to the attached to the flowspec route. In addition the flowspec client MUST
flowspec route. In addition the flowspec client MUST provide an provide an indication that the respective "'Redirect to indirection-
indication that the respective "'Redirect to indirection-id" resulted id" resulted in an invalid redirection action.
in an invalid redirection action.
7. Security Considerations 7. Security Considerations
A system using "Redirect to indirection-id" extended community can A system using "Redirect to indirection-id" extended community can
cause during the redirect mitigation of a DDoS attack overflow of cause during the redirect mitigation of a DDoS attack overflow of
traffic received by the mitigation infrastructure. traffic received by the mitigation infrastructure.
8. Acknowledgements 8. Acknowledgements
This document received valuable comments and input from IDR working This document received valuable comments and input from IDR working
skipping to change at page 11, line 28 skipping to change at page 11, line 28
Figure 4 Figure 4
11. References 11. References
11.1. Normative References 11.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate [1] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997, Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://xml.resource.org/public/rfc/html/rfc2119.html>. <http://xml.resource.org/public/rfc/html/rfc2119.html>.
[2] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<https://www.rfc-editor.org/info/rfc5575>.
11.2. Informative References 11.2. Informative References
[3] Uttaro, J., Filsfils, C., Alcaide, J., and P. Mohapatra, [2] Uttaro, J., Filsfils, C., Alcaide, J., and P. Mohapatra,
"Revised Validation Procedure for BGP Flow "Revised Validation Procedure for BGP Flow
Specifications", January 2014. Specifications", January 2014.
[3] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M.
Bacher, "Dissemination of Flow Specification Rules", June
2019.
[4] Filsfils, C., Previdi, S., Aries, E., Ginsburg, D., and D. [4] Filsfils, C., Previdi, S., Aries, E., Ginsburg, D., and D.
Afanasiev, "Segment Routing Centralized Egress Peer Afanasiev, "Segment Routing Centralized Egress Peer
Engineering", October 2015. Engineering", October 2015.
[5] Sreekantiah, A., Filsfils, C., Previdi, S., Sivabalan, S., [5] Sreekantiah, A., Filsfils, C., Previdi, S., Sivabalan, S.,
Mattes, P., and S. Lin, "Segment Routing Traffic Mattes, P., and S. Lin, "Segment Routing Traffic
Engineering Policy using BGP", October 2015. Engineering Policy using BGP", October 2015.
[6] Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., [6] Filsfils, C., Previdi, S., Decraene, B., Litkowski, S.,
Shakir, R., Bashandy, A., Horneffer, M., Henderickx, W., Shakir, R., Bashandy, A., Horneffer, M., Henderickx, W.,
 End of changes. 11 change blocks. 
25 lines changed or deleted 23 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/