draft-ietf-bess-datacenter-gateway-00.txt   draft-ietf-bess-datacenter-gateway-01.txt 
BESS Working Group J. Drake BESS Working Group J. Drake
Internet-Draft A. Farrel Internet-Draft A. Farrel
Intended status: Standards Track E. Rosen Intended status: Standards Track E. Rosen
Expires: April 30, 2018 Juniper Networks Expires: November 3, 2018 Juniper Networks
K. Patel K. Patel
Arrcus, Inc. Arrcus, Inc.
L. Jalil L. Jalil
Verizon Verizon
October 27, 2017 May 2, 2018
Gateway Auto-Discovery and Route Advertisement for Segment Routing Gateway Auto-Discovery and Route Advertisement for Segment Routing
Enabled Domain Interconnection Enabled Domain Interconnection
draft-ietf-bess-datacenter-gateway-00 draft-ietf-bess-datacenter-gateway-01
Abstract Abstract
Data centers have become critical components of the infrastructure Data centers have become critical components of the infrastructure
used by network operators to provide services to their customers. used by network operators to provide services to their customers.
Data centers are attached to the Internet or a backbone network by Data centers are attached to the Internet or a backbone network by
gateway routers. One data center typically has more than one gateway gateway routers. One data center typically has more than one gateway
for commercial, load balancing, and resiliency reasons. for commercial, load balancing, and resiliency reasons.
Segment routing is a popular protocol mechanism for operating within Segment routing is a popular protocol mechanism for operating within
skipping to change at page 2, line 20 skipping to change at page 2, line 20
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 30, 2018. This Internet-Draft will expire on November 3, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 4, line 12 skipping to change at page 4, line 12
selected by BGP, is distributed. This precludes load balancing flows selected by BGP, is distributed. This precludes load balancing flows
across both GWs. across both GWs.
----------------- --------------------- ----------------- ---------------------
| Ingress | | Egress ------ | | Ingress | | Egress ------ |
| SR Domain | | SR Domain |Prefix| | | SR Domain | | SR Domain |Prefix| |
| | | | X | | | | | | X | |
| | | ------ | | | | ------ |
| -- | | --- --- | | -- | | --- --- |
| |GW| | | |GW1| |GW2| | | |GW| | | |GW1| |GW2| |
-------++--------- ----+-----------+-+-- -------++-------- ----+-----------+-+--
| \ | / | | \ | / |
| \ | / | | \ | / |
| -+------------- --------+--------+-- | | -+------------- --------+--------+-- |
| ||PE| ----| |---- |PE| |PE| | | | ||PE| ----| |---- |PE| |PE| | |
| | -- |ASBR+------+ASBR| -- -- | | | | -- |ASBR+------+ASBR| -- -- | |
| | ----| |---- | | | | ----| |---- | |
| | | | | | | | | | | |
| | ----| |---- | | | | ----| |---- | |
| | AS1 |ASBR+------+ASBR| AS2 | | | | AS1 |ASBR+------+ASBR| AS2 | |
| | ----| |---- | | | | ----| |---- | |
skipping to change at page 4, line 40 skipping to change at page 4, line 40
Figure 1: Example Segment Routing Domain Interconnection Figure 1: Example Segment Routing Domain Interconnection
The obvious solution to this problem is to use the BGP feature that The obvious solution to this problem is to use the BGP feature that
allows the advertisement of multiple paths in BGP (known as Add- allows the advertisement of multiple paths in BGP (known as Add-
Paths) [RFC7911] to ensure that all routes to X get advertised by Paths) [RFC7911] to ensure that all routes to X get advertised by
BGP. However, even if this is done, the identity of the GWs will be BGP. However, even if this is done, the identity of the GWs will be
lost as soon as the routes get distributed through an Autonomous lost as soon as the routes get distributed through an Autonomous
System Border Router (ASBR) that will set itself to be the next hop. System Border Router (ASBR) that will set itself to be the next hop.
And if there are multiple Autonomous Systems (ASes) in the backbone, And if there are multiple Autonomous Systems (ASes) in the backbone,
not only will the next hop change several times, but the Add-Paths not only will the next hop change several times, but the Add-Paths
technique will experience scaling issues. This all means that this technique will experience scaling issues. This all means that the
approach is limited to SR domains connected over a single AS. Add-Paths approach is limited to SR domains connected over a single
AS.
This document defines a solution that overcomes this limitation and This document defines a solution that overcomes this limitation and
works equally well with a backbone constructed from one or more ASes. works equally well with a backbone constructed from one or more ASes.
This solution uses the Tunnel Encapsulation attribute The solution uses the Tunnel Encapsulation attribute
[I-D.ietf-idr-tunnel-encaps] as follows: [I-D.ietf-idr-tunnel-encaps] as follows:
We define a new tunnel type, "SR tunnel". When the GWs to a given We define a new tunnel type, "SR tunnel". When the GWs to a given
SR domain advertise a route to a prefix X within the SR domain, SR domain advertise a route to a prefix X within the SR domain,
they will each include a Tunnel Encapsulation attribute with they will each include a Tunnel Encapsulation attribute with
multiple tunnel instances each of type "SR tunnel", one for each multiple tunnel instances each of type "SR tunnel", one for each
GW, and each containing a Remote Endpoint sub-TLV with that GW's GW, and each containing a Remote Endpoint sub-TLV with that GW's
address. address.
In other words, each route advertised by any GW identifies all of the In other words, each route advertised by any GW identifies all of the
skipping to change at page 5, line 38 skipping to change at page 5, line 39
other existing protocol elements may be combined with the extensions other existing protocol elements may be combined with the extensions
defined in this document to provide a full system. defined in this document to provide a full system.
2. SR Domain Gateway Auto-Discovery 2. SR Domain Gateway Auto-Discovery
To allow a given SR domain's GWs to auto-discover each other and to To allow a given SR domain's GWs to auto-discover each other and to
coordinate their operations, the following procedures are coordinate their operations, the following procedures are
implemented: implemented:
o Each GW is configured with an identifier for the SR domain that is o Each GW is configured with an identifier for the SR domain that is
common across all GWs to the domain (i.e., across all GWs to all common across all GWs to the domain (i.e., the same identifier is
SR domains that are interconnected) and unique across all SR used by all GWs to the same SR domain) and unique across all SR
domains that are connected. domains that are connected (i.e., across all GWs to all SR domains
that are interconnected).
o A route target ([RFC4360]) is attached to each GW's auto-discovery o A route target ([RFC4360]) is attached to each GW's auto-discovery
route and has its value set to the SR domain identifier. route and has its value set to the SR domain identifier.
o Each GW constructs an import filtering rule to import any route o Each GW constructs an import filtering rule to import any route
that carries a route target with the same SR domain identifier that carries a route target with the same SR domain identifier
that the GW itself uses. This means that only these GWs will that the GW itself uses. This means that only these GWs will
import those routes and that all GWs to the same SR domain will import those routes and that all GWs to the same SR domain will
import each other's routes and will learn (auto-discover) the import each other's routes and will learn (auto-discover) the
current set of active GWs for the SR domain. current set of active GWs for the SR domain.
The auto-discovery route each GW advertises consists of the The auto-discovery route that each GW advertises consists of the
following: following:
o An IPv4 or IPv6 NLRI containing one of the GW's loopback addresses o An IPv4 or IPv6 NLRI containing one of the GW's loopback addresses
(that is, with AFI/SAFI that is one of 1/1, 2/1, 1/4, or 2/4). (that is, with AFI/SAFI that is one of 1/1, 2/1, 1/4, or 2/4).
o A Tunnel Encapsulation attribute containing the GW's encapsulation o A Tunnel Encapsulation attribute containing the GW's encapsulation
information, which at a minimum consists of an SR tunnel TLV (type information, which at a minimum consists of an SR tunnel TLV (type
to be allocated by IANA) with a Remote Endpoint sub-TLV as to be allocated by IANA) with a Remote Endpoint sub-TLV as
specified in [I-D.ietf-idr-tunnel-encaps]. specified in [I-D.ietf-idr-tunnel-encaps].
skipping to change at page 6, line 45 skipping to change at page 6, line 47
Encapsulation attribute for the removed gateway in their Encapsulation attribute for the removed gateway in their
advertisements. advertisements.
3. Relationship to BGP Link State and Egress Peer Engineering 3. Relationship to BGP Link State and Egress Peer Engineering
When a remote GW receives a route to a prefix X it can use the SR When a remote GW receives a route to a prefix X it can use the SR
tunnel instances within the contained Tunnel Encapsulation attribute tunnel instances within the contained Tunnel Encapsulation attribute
to identify the GWs through which X can be reached. It uses this to identify the GWs through which X can be reached. It uses this
information to compute SR TE paths across the backbone network information to compute SR TE paths across the backbone network
looking at the information advertised to it in SR BGP Link State looking at the information advertised to it in SR BGP Link State
(BGP-LS) [I-D.gredler-idr-bgp-ls-segment-routing-ext] and correlated (BGP-LS) [I-D.ietf-idr-bgp-ls-segment-routing-ext] and correlated
using the SR domain identity. SR Egress Peer Engineering (EPE) using the SR domain identity. SR Egress Peer Engineering (EPE)
[I-D.ietf-idr-bgpls-segment-routing-epe] can be used to supplement [I-D.ietf-idr-bgpls-segment-routing-epe] can be used to supplement
the information advertised in the BGP-LS. the information advertised in the BGP-LS.
4. Advertising an SR Domain Route Externally 4. Advertising an SR Domain Route Externally
When a packet destined for prefix X is sent on an SR TE path to a GW When a packet destined for prefix X is sent on an SR TE path to a GW
for the SR domain containing X, it needs to carry the receiving GW's for the SR domain containing X, it needs to carry the receiving GW's
label for X such that this label rises to the top of the stack before label for X such that this label rises to the top of the stack before
the GW completes its processing of the packet. To achieve this we the GW completes its processing of the packet. To achieve this we
skipping to change at page 8, line 23 skipping to change at page 8, line 23
respect to VPNs can be found in [RFC4364] while [RFC7926] describes respect to VPNs can be found in [RFC4364] while [RFC7926] describes
many of the issues associated with the exchange of topology or TE many of the issues associated with the exchange of topology or TE
information between domains. information between domains.
Particular exposures resulting from this work include: Particular exposures resulting from this work include:
o Gateways to a domain will know about all other gateways to the o Gateways to a domain will know about all other gateways to the
same domain. This feature applies within a domain and so is not a same domain. This feature applies within a domain and so is not a
substantial exposure, but it does mean that if the protocol BGP substantial exposure, but it does mean that if the protocol BGP
exchanges within a domain can be snooped or if a gateway can be exchanges within a domain can be snooped or if a gateway can be
subverted then an attacker may learn the ful set of gateways to a subverted then an attacker may learn the full set of gateways to a
domain. This facilitates more effective attacks on that domain. domain. This facilitates more effective attacks on that domain.
o The existence of multiple gateways to a domain becomes more o The existence of multiple gateways to a domain becomes more
visible across the backbone and even into remote domains. This visible across the backbone and even into remote domains. This
means that an attacker is able to prepare a more comprehensive means that an attacker is able to prepare a more comprehensive
attack than exists when only the locally attached backbone network attack than exists when only the locally attached backbone network
(e.g., the AS that hosts the domain) can see all of the gateways (e.g., the AS that hosts the domain) can see all of the gateways
to a site. to a site.
o A node in a domain that does not have external BGP peering (i.e., o A node in a domain that does not have external BGP peering (i.e.,
is not really a domain gateway and cannot speak BGP into the is not really a domain gateway and cannot speak BGP into the
backbone network) may be able to get itself advertised as a backbone network) may be able to get itself advertised as a
gateway by letting other genuine gateways discover it (by speaking gateway by letting other genuine gateways discover it (by speaking
BGP to them within the domain) and so may get those genuine BGP to them within the domain) and so may get those genuine
gateways to advertise it as a gateway into the backbone network. gateways to advertise it as a gateway into the backbone network.
o If it is possible to modify a BGP message within the backone, it o If it is possible to modify a BGP message within the backbone, it
may be possible to spoof the existence of a gateway. This could may be possible to spoof the existence of a gateway. This could
cause traffic to be attracted to a specific node and might result cause traffic to be attracted to a specific node and might result
in blackholing of traffic. in black-holing of traffic.
All of the issues in the list above could cause disruption to domain All of the issues in the list above could cause disruption to domain
interconnection, but are not new protocol vulnerabilities so much as interconnection, but are not new protocol vulnerabilities so much as
new exposures of information that could be protected against using new exposures of information that could be protected against using
existing protocol mechanisms. Furthermore, it is a general existing protocol mechanisms. Furthermore, it is a general
observation that if these attacks are possible then it is highly observation that if these attacks are possible then it is highly
likely that far more significant attacks can be made on the routing likely that far more significant attacks can be made on the routing
system. It should be noted that BGP peerings are not discovered, but system. It should be noted that BGP peerings are not discovered, but
always arrise from explicit configuration. always arise from explicit configuration.
8. Manageability Considerations 8. Manageability Considerations
The principal configuration item added by this solution is the
allocation of an SR domain identifier. The same identifier must be
assigned to every GW to the same domain, and each domain must have a
different identifier. This requires coordination probably through a
central management agent.
TBD TBD
9. Acknowledgements 9. Acknowledgements
Thanks to Bruno Rijsman for review comments, and to Robert Raszuk for Thanks to Bruno Rijsman for review comments, and to Robert Raszuk for
useful discussions. useful discussions.
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-idr-bgpls-segment-routing-epe] [I-D.ietf-idr-bgpls-segment-routing-epe]
Previdi, S., Filsfils, C., Patel, K., Ray, S., and J. Previdi, S., Filsfils, C., Patel, K., Ray, S., and J.
Dong, "BGP-LS extensions for Segment Routing BGP Egress Dong, "BGP-LS extensions for Segment Routing BGP Egress
Peer Engineering", draft-ietf-idr-bgpls-segment-routing- Peer Engineering", draft-ietf-idr-bgpls-segment-routing-
epe-13 (work in progress), June 2017. epe-15 (work in progress), March 2018.
[I-D.ietf-idr-tunnel-encaps] [I-D.ietf-idr-tunnel-encaps]
Rosen, E., Patel, K., and G. Velde, "The BGP Tunnel Rosen, E., Patel, K., and G. Velde, "The BGP Tunnel
Encapsulation Attribute", draft-ietf-idr-tunnel-encaps-07 Encapsulation Attribute", draft-ietf-idr-tunnel-encaps-09
(work in progress), July 2017. (work in progress), February 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271, Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006, DOI 10.17487/RFC4271, January 2006,
<https://www.rfc-editor.org/info/rfc4271>. <https://www.rfc-editor.org/info/rfc4271>.
skipping to change at page 10, line 16 skipping to change at page 10, line 20
S. Ray, "North-Bound Distribution of Link-State and S. Ray, "North-Bound Distribution of Link-State and
Traffic Engineering (TE) Information Using BGP", RFC 7752, Traffic Engineering (TE) Information Using BGP", RFC 7752,
DOI 10.17487/RFC7752, March 2016, DOI 10.17487/RFC7752, March 2016,
<https://www.rfc-editor.org/info/rfc7752>. <https://www.rfc-editor.org/info/rfc7752>.
10.2. Informative References 10.2. Informative References
[I-D.farrel-spring-sr-domain-interconnect] [I-D.farrel-spring-sr-domain-interconnect]
Farrel, A. and J. Drake, "Interconnection of Segment Farrel, A. and J. Drake, "Interconnection of Segment
Routing Domains - Problem Statement and Solution Routing Domains - Problem Statement and Solution
Landscape", draft-farrel-spring-sr-domain-interconnect-00 Landscape", draft-farrel-spring-sr-domain-interconnect-03
(work in progress), June 2017. (work in progress), January 2018.
[I-D.gredler-idr-bgp-ls-segment-routing-ext] [I-D.ietf-idr-bgp-ls-segment-routing-ext]
Previdi, S., Psenak, P., Filsfils, C., Gredler, H., Chen, Previdi, S., Talaulikar, K., Filsfils, C., Gredler, H.,
M., and j. jefftant@gmail.com, "BGP Link-State extensions and M. Chen, "BGP Link-State extensions for Segment
for Segment Routing", draft-gredler-idr-bgp-ls-segment- Routing", draft-ietf-idr-bgp-ls-segment-routing-ext-06
routing-ext-04 (work in progress), October 2016. (work in progress), April 2018.
[I-D.ietf-spring-segment-routing] [I-D.ietf-spring-segment-routing]
Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., Filsfils, C., Previdi, S., Ginsberg, L., Decraene, B.,
and R. Shakir, "Segment Routing Architecture", draft-ietf- Litkowski, S., and R. Shakir, "Segment Routing
spring-segment-routing-12 (work in progress), June 2017. Architecture", draft-ietf-spring-segment-routing-15 (work
in progress), January 2018.
[RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis",
RFC 4272, DOI 10.17487/RFC4272, January 2006, RFC 4272, DOI 10.17487/RFC4272, January 2006,
<https://www.rfc-editor.org/info/rfc4272>. <https://www.rfc-editor.org/info/rfc4272>.
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
2006, <https://www.rfc-editor.org/info/rfc4364>. 2006, <https://www.rfc-editor.org/info/rfc4364>.
[RFC6952] Jethanandani, M., Patel, K., and L. Zheng, "Analysis of [RFC6952] Jethanandani, M., Patel, K., and L. Zheng, "Analysis of
 End of changes. 21 change blocks. 
31 lines changed or deleted 40 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/