draft-ietf-idr-flowspec-l2vpn-17.txt | draft-ietf-idr-flowspec-l2vpn-18.txt | |||
---|---|---|---|---|
INTERNET-DRAFT W. Hao | INTERNET-DRAFT W. Hao | |||
Intended Status: Proposed Standard Huawei Technologies | Intended Status: Proposed Standard Huawei Technologies | |||
D. Eastlake | D. Eastlake | |||
Futurewei Technologies | Futurewei Technologies | |||
S. Litkowski | S. Litkowski | |||
Cisco Systems | Cisco Systems | |||
S. Zhuang | S. Zhuang | |||
Huawei Technologies | Huawei Technologies | |||
Expires: November 11, 2021 May 12, 2021 | Expires: April 22, 2022 October 23, 2021 | |||
BGP Dissemination of L2 Flow Specification Rules | BGP Dissemination of L2 Flow Specification Rules | |||
draft-ietf-idr-flowspec-l2vpn-17 | draft-ietf-idr-flowspec-l2vpn-18 | |||
Abstract | Abstract | |||
This document defines a Border Gateway Protocol (BGP) Flow | This document defines a Border Gateway Protocol (BGP) Flow | |||
Specification (flowspec) extension to disseminate Ethernet Layer 2 | Specification (flowspec) extension to disseminate Ethernet Layer 2 | |||
(L2) and Layer 2 Virtual Private Network (L2VPN) traffic filtering | (L2) and Layer 2 Virtual Private Network (L2VPN) traffic filtering | |||
rules either by themselves or in conjunction with L3 flowspecs. | rules either by themselves or in conjunction with L3 flowspecs. | |||
AFI/SAFI 6/133 and 25/134 are used for these purposes. New component | AFI/SAFI 6/133 and 25/134 are used for these purposes. New component | |||
types and an extended community also are defined. | types and two extended communities are also defined. | |||
Status of This Document | Status of This Document | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Distribution of this document is unlimited. Comments should be sent | Distribution of this document is unlimited. Comments should be sent | |||
to the authors or the IDR Working Group mailing list <idr@ietf.org>. | to the authors or the IDR Working Group mailing list <idr@ietf.org>. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
skipping to change at page 3, line 11 ¶ | skipping to change at page 3, line 11 ¶ | |||
Informative References....................................21 | Informative References....................................21 | |||
Authors' Addresses........................................22 | Authors' Addresses........................................22 | |||
INTERNET-DRAFT L2 Flow Spec | INTERNET-DRAFT L2 Flow Spec | |||
1. Introduction | 1. Introduction | |||
Border Gateway Protocol (BGP) Flow Specification [RFC8955] (flowspec) | Border Gateway Protocol (BGP) Flow Specification [RFC8955] (flowspec) | |||
is an extension to BGP that supports the dissemination of traffic | is an extension to BGP that supports the dissemination of traffic | |||
flow specification rules and actions to be taken on packets in a | flow specifications and resulting actions to be taken on packets in a | |||
specified flow. It leverages the BGP Control Plane to simplify the | specified flow. It leverages the BGP Control Plane to simplify the | |||
distribution of ACLs (Access Control Lists). Using the Flow | distribution of ACLs (Access Control Lists). Using the Flow | |||
Specification extension new filter rules can be injected to all BGP | Specification extension new filter rules can be injected to all BGP | |||
peers simultaneously without changing router configuration. A | peers simultaneously without changing router configuration. A | |||
typical application is to automate the distribution of traffic filter | typical application is to automate the distribution of traffic filter | |||
lists to routers for DDoS (Distributed Denial of Service) mitigation, | lists to routers for DDoS (Distributed Denial of Service) mitigation, | |||
access control, and similar applications. | access control, and similar applications. | |||
BGP Flow Specification [RFC8955] defines a BGP Network Layer | BGP Flow Specification [RFC8955] defines a BGP Network Layer | |||
Reachability Information (NLRI) format used to distribute traffic | Reachability Information (NLRI) format used to distribute traffic | |||
skipping to change at page 6, line 34 ¶ | skipping to change at page 6, line 34 ¶ | |||
field. This is necessary because there are different registries | field. This is necessary because there are different registries | |||
for the L2, L3 IPv4, and L3 IPv6 component types. If the L3 | for the L2, L3 IPv4, and L3 IPv6 component types. If the L3 | |||
flowspec is null (length zero), it always matches. | flowspec is null (length zero), it always matches. | |||
2.1 L2 Component Types | 2.1 L2 Component Types | |||
The L2 flowspec portion of the NLRI-value consists of flowspec | The L2 flowspec portion of the NLRI-value consists of flowspec | |||
components as in [RFC8955] but using L2 components and types as | components as in [RFC8955] but using L2 components and types as | |||
specified below. All components start with a type octet followed by a | specified below. All components start with a type octet followed by a | |||
length octet followed by any additional information needed. The | length octet followed by any additional information needed. The | |||
length octet give the length, in octets, of the information after the | length octet gives the length, in octets, of the information after | |||
length octet. This structure applies to all new components to be | the length octet. This structure applies to all new components to be | |||
defined in the L2 Flow-spec Component Registry (see Section 6) and to | defined in the L2 Flow-spec Component Registry (see Section 6) and to | |||
all existing components except Types 2 and 3 where the length is in | all existing components except Types 2 and 3 where the length is in | |||
bits. | bits. | |||
2.1.1 Type 1 - Ethernet Type (EtherType) | 2.1.1 Type 1 - Ethernet Type (EtherType) | |||
Encoding: <type (1 octet), length (1 octet), [op, value]+> | Encoding: <type (1 octet), length (1 octet), [op, value]+> | |||
Defines a list of {operation, value} pairs used to match the two- | Defines a list of {operation, value} pairs used to match the two- | |||
octet EtherType field. op is encoded as specified in Section 4.2.1.1 | octet EtherType field. op is encoded as specified in Section 4.2.1.1 | |||
skipping to change at page 8, line 22 ¶ | skipping to change at page 8, line 22 ¶ | |||
control field in the IEEE 802.2 LLC. Values are encoded as 1-octet | control field in the IEEE 802.2 LLC. Values are encoded as 1-octet | |||
quantities. op is encoded as specified in Section 4.2.1.1 of | quantities. op is encoded as specified in Section 4.2.1.1 of | |||
[RFC8955]. The match fails if EtherType L2 header encoding is being | [RFC8955]. The match fails if EtherType L2 header encoding is being | |||
used rather than LLC encoding. | used rather than LLC encoding. | |||
2.1.7 Type 7 - SNAP | 2.1.7 Type 7 - SNAP | |||
Encoding: <type (1 octet), length (1 octet), [op, value]+> | Encoding: <type (1 octet), length (1 octet), [op, value]+> | |||
Defines a list of {operation, value} pairs used to match 5-octet SNAP | Defines a list of {operation, value} pairs used to match 5-octet SNAP | |||
(Sub-Network Access Protocol) field. Values are encoded as 5-octet | (Sub-Network Access Protocol) field. Values are encoded as 8-octet | |||
quantities. op is encoded as specified in Section 4.2.1.1 of | quantities with the zero padded SNAP left justified. op is encoded as | |||
[RFC8955]. The match fails if EtherType L2 header encoding is being | specified in Section 4.2.1.1 of [RFC8955]. The match fails if | |||
used rather than LLC encoding. | EtherType L2 header encoding is being used rather than LLC encoding. | |||
2.1.8 Type 8 - VLAN ID | 2.1.8 Type 8 - VLAN ID | |||
Encoding: <type (1 octet), length (1 octet), [op, value]+> | Encoding: <type (1 octet), length (1 octet), [op, value]+> | |||
Defines a list of {operation, value} pairs used to match VLAN ID. | Defines a list of {operation, value} pairs used to match VLAN ID. | |||
Values are encoded as 2-octet quantities, where the four most | Values are encoded as 2-octet quantities, where the four most | |||
significant bits are set to zero and ignored for matching and the 12 | significant bits are set to zero and ignored for matching and the 12 | |||
least significant bits contain the VLAN value. op is encoded as | least significant bits contain the VLAN value. op is encoded as | |||
specified in Section 4.2.1.1 of [RFC8955]. | specified in Section 4.2.1.1 of [RFC8955]. | |||
skipping to change at page 9, line 15 ¶ | skipping to change at page 9, line 15 ¶ | |||
INTERNET-DRAFT L2 Flow Spec | INTERNET-DRAFT L2 Flow Spec | |||
In the virtual local-area network (VLAN) stacking case, the VLAN PCP | In the virtual local-area network (VLAN) stacking case, the VLAN PCP | |||
is part of the outer VLAN tag. | is part of the outer VLAN tag. | |||
2.1.10 Type 10 - Inner VLAN ID | 2.1.10 Type 10 - Inner VLAN ID | |||
Encoding: <type (1 octet), length (1 octet), [op, value]+> | Encoding: <type (1 octet), length (1 octet), [op, value]+> | |||
Defines a list of {operation, value} pairs used to match the inner | Defines a list of {operation, value} pairs used to match the inner | |||
VLAN ID using for virtual local-area network (VLAN) stacking or Q-in- | VLAN ID for virtual local-area network (VLAN) stacking or Q-in-Q use. | |||
Q use. Values are encoded as 2-octet quantities, where the four most | Values are encoded as 2-octet quantities, where the four most | |||
significant bits are set to zero and ignored for matching and the 12 | significant bits are set to zero and ignored for matching and the 12 | |||
least significant bits contain the VLAN value. op is encoded as | least significant bits contain the VLAN value. op is encoded as | |||
specified in Section 4.2.1.1 of [RFC8955]. | specified in Section 4.2.1.1 of [RFC8955]. | |||
In the single VLAN case, this component type MUST NOT be used. If it | In the single VLAN case, this component type MUST NOT be used. If it | |||
appears the match will fail. | appears the match will fail. | |||
2.1.11 Type 11 - Inner VLAN PCP | 2.1.11 Type 11 - Inner VLAN PCP | |||
Encoding: <type (1 octet), length (1 octet), [op, value]+> | Encoding: <type (1 octet), length (1 octet), [op, value]+> | |||
Defines a list of {operation, value} pairs used to match 3-bit inner | Defines a list of {operation, value} pairs used to match 3-bit inner | |||
VLAN PCP fields [802.1Q] using for virtual local-area network (VLAN) | VLAN PCP fields [802.1Q] for virtual local-area network (VLAN) | |||
stacking or Q in Q use. Values are encoded using a single octet, | stacking or Q-in-Q use. Values are encoded using a single octet, | |||
where the five most significant bits are set to zero and ignored for | where the five most significant bits are set to zero and ignored for | |||
matching and the three least significant bits contain the VLAN PCP | matching and the three least significant bits contain the VLAN PCP | |||
value. op is encoded as specified in Section 4.2.1.1 of [RFC8955]. | value. op is encoded as specified in Section 4.2.1.1 of [RFC8955]. | |||
In the single VLAN case, this component type MUST NOT be used. If it | In the single VLAN case, this component type MUST NOT be used. If it | |||
appears the match will fail. | appears the match will fail. | |||
2.1.12 Type 12 - VLAN DEI | 2.1.12 Type 12 - VLAN DEI | |||
Encoding: <type (1 octet), length (1 octet), op (1 octet)> | Encoding: <type (1 octet), length (1 octet), op (1 octet)> | |||
skipping to change at page 10, line 35 ¶ | skipping to change at page 10, line 35 ¶ | |||
changes in IEEE 802 have divided the local address space into 4 | changes in IEEE 802 have divided the local address space into 4 | |||
quadrants specified by the next two bits (0x4 and 0x8) [RFC7042bis]. | quadrants specified by the next two bits (0x4 and 0x8) [RFC7042bis]. | |||
This flowspec component permits testing, for example, that a MAC is | This flowspec component permits testing, for example, that a MAC is | |||
group addressed or is a local address in a particular quadrant. The | group addressed or is a local address in a particular quadrant. The | |||
encoding is as given in Section 4.2.1.2 of [RFC8955]. | encoding is as given in Section 4.2.1.2 of [RFC8955]. | |||
2.1.15 Type 15 - Destination MAC Special Bits | 2.1.15 Type 15 - Destination MAC Special Bits | |||
Encoding: <type (1 octet), length (1 octet), op (1 octet)> | Encoding: <type (1 octet), length (1 octet), op (1 octet)> | |||
As discussed in Section 2.1.14 but for the Destination MAC Address. | As discussed in Section 2.1.14 but for the Destination MAC Address | |||
| special bits. | |||
2.2 Order of Traffic Filtering Rules | 2.2 Order of Traffic Filtering Rules | |||
The existing rules in Section 5.1 of [RFC8955] and in [RFC8956] for | The existing rules in Section 5.1 of [RFC8955] and in [RFC8956] for | |||
the ordering of traffic filtering are extended as follows: | the ordering of traffic filtering are extended as follows: | |||
L2 flowspecs (AFI = 6, 25) take precedence over L3 flowspecs (AFI = | L2 flowspecs (AFI = 6, 25) take precedence over L3 flowspecs (AFI = | |||
1, 2). Between two L2 flowspecs, precedence of the L2 portion is | 1, 2). Between two L2 flowspecs, precedence of the L2 portion is | |||
determined as specified in this section after this paragraph. If the | determined as specified in this section after this paragraph. If the | |||
L2 flowspec L2 portions are the same and the L3-AFI is nonzero, then | L2 flowspec L2 portions are the same and the L3-AFI is nonzero, then | |||
skipping to change at page 16, line 11 ¶ | skipping to change at page 16, line 11 ¶ | |||
Resv: Reserved for future use. MUST be sent as zero and ignored on | Resv: Reserved for future use. MUST be sent as zero and ignored on | |||
receipt. | receipt. | |||
INTERNET-DRAFT L2 Flow Spec | INTERNET-DRAFT L2 Flow Spec | |||
5. Flow Spec Validation | 5. Flow Spec Validation | |||
Flow Specifications received over AFI=25/SAFI=134 are validated | Flow Specifications received over AFI=25/SAFI=134 are validated | |||
against routing reachability received over AFI=25/SAFI=128 as | against routing reachability received over AFI=25/SAFI=128 as | |||
modified to conform to [FlowSpecOID]. | modified to conform to [RFC9117]. | |||
INTERNET-DRAFT L2 Flow Spec | INTERNET-DRAFT L2 Flow Spec | |||
6. IANA Considerations | 6. IANA Considerations | |||
IANA is requested to change the description for SAFI 134 [RFC8955] to | IANA is requested to change the description for SAFI 134 [RFC8955] to | |||
read as follows and to change the reference for it to [this | read as follows and to change the reference for it to [this | |||
document]: | document]: | |||
134 VPN dissemination of flow specification rules | 134 VPN dissemination of flow specification rules | |||
skipping to change at page 20, line 49 ¶ | skipping to change at page 20, line 49 ¶ | |||
[RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. | [RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. | |||
Bacher, "Dissemination of Flow Specification Rules", RFC | Bacher, "Dissemination of Flow Specification Rules", RFC | |||
8955, DOI 10.17487/RFC8955, December 2020, | 8955, DOI 10.17487/RFC8955, December 2020, | |||
<https://www.rfc-editor.org/info/rfc8955>. | <https://www.rfc-editor.org/info/rfc8955>. | |||
[RFC8956] Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed., | [RFC8956] Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed., | |||
"Dissemination of Flow Specification Rules for IPv6", RFC | "Dissemination of Flow Specification Rules for IPv6", RFC | |||
8956, DOI 10.17487/RFC8956, December 2020, | 8956, DOI 10.17487/RFC8956, December 2020, | |||
<https://www.rfc-editor.org/info/rfc8956>. | <https://www.rfc-editor.org/info/rfc8956>. | |||
[FlowSpecOID] Uttaro, J., Alcaide, J., Filsfils, C. Smith, D., | [RFC9117] Uttaro, J., Alcaide, J., Filsfils, C., Smith, D., and P. | |||
Mohapatra, P., draft-ietf-idr-bgp-flowspec-oid, work in | Mohapatra, "Revised Validation Procedure for BGP Flow | |||
progress, April 2021. | Specifications", RFC 9117, DOI 10.17487/RFC9117, August | |||
| 2021, <https://www.rfc-editor.org/info/rfc9117>. | |||
INTERNET-DRAFT L2 Flow Spec | INTERNET-DRAFT L2 Flow Spec | |||
Informative References | Informative References | |||
[RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., | [RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., | |||
Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based | Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based | |||
Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February | Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February | |||
2015, <https://www.rfc-editor.org/info/rfc7432>. | 2015, <https://www.rfc-editor.org/info/rfc7432>. | |||

End of changes. 11 change blocks. 19 lines changed or deleted, 21 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
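Review bot: the change from 5-octet to 8-octet values in 2.1.7 (Type 7 - SNAP, the hunk at page 8, line 22) fixes a real encoding problem but leaves the padding rule underspecified. The numeric operator of Section 4.2.1.1 of [RFC8955] can only carry values of 1, 2, 4 or 8 octets (the len bits of the op octet), so a 5-octet value was never encodable; now that the value is padded to 8 octets, the text should say explicitly which octets are padding (with "left justified", the five SNAP octets occupy the high-order positions and the low three octets are zero) and that the SNAP field extracted from the packet is padded the same way before comparison, since otherwise the lt/gt operators give implementation-dependent results. Suggest: "Values are encoded as 8-octet quantities: the five SNAP octets in the most significant positions followed by three zero octets."

Review bot: replacing [FlowSpecOID] with [RFC9117] in Section 5 (the hunk at page 16, line 11) is the only change in that hunk, but the one-sentence section still does not say how the [RFC8955] validation rule that requires a destination prefix component applies to an L2 flowspec, which may carry no IP prefix at all. Suggest the section state which [RFC9117] validation steps apply unchanged to AFI=25/SAFI=134 NLRI and how the best-match route in AFI=25/SAFI=128 is selected when the L3 portion is null.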