draft-ietf-idr-rfc5575bis-18.txt   draft-ietf-idr-rfc5575bis-19.txt 
IDR Working Group C. Loibl IDR Working Group C. Loibl
Internet-Draft Next Layer Communications Internet-Draft Next Layer Communications
Obsoletes: 5575,7674 (if approved) S. Hares Obsoletes: 5575,7674 (if approved) S. Hares
Intended status: Standards Track Huawei Intended status: Standards Track Huawei
Expires: May 7, 2020 R. Raszuk Expires: July 20, 2020 R. Raszuk
Bloomberg LP Bloomberg LP
D. McPherson D. McPherson
Verisign Verisign
M. Bacher M. Bacher
T-Mobile Austria T-Mobile Austria
November 4, 2019 January 17, 2020
Dissemination of Flow Specification Rules Dissemination of Flow Specification Rules
draft-ietf-idr-rfc5575bis-18 draft-ietf-idr-rfc5575bis-19
Abstract Abstract
This document obsoletes both RFC5575 and RFC7674.
This document defines a Border Gateway Protocol Network Layer This document defines a Border Gateway Protocol Network Layer
Reachability Information (BGP NLRI) encoding format, that can be used Reachability Information (BGP NLRI) encoding format that can be used
to distribute traffic Flow Specifications. This allows the routing to distribute traffic Flow Specifications. This allows the routing
system to propagate information regarding more specific components of system to propagate information regarding more specific components of
the traffic aggregate defined by an IP destination prefix. the traffic aggregate defined by an IP destination prefix.
It also specifies BGP Extended Community encoding formats, that can It also specifies BGP Extended Community encoding formats, that can
be used to propagate Traffic Filtering Actions along with the Flow be used to propagate Traffic Filtering Actions along with the Flow
Specification NLRI. Those Traffic Filtering Actions encode actions a Specification NLRI. Those Traffic Filtering Actions encode actions a
routing system can take if the packet matches the Flow Specification. routing system can take if the packet matches the Flow Specification.
Additionally, it defines two applications of that encoding format: Additionally, it defines two applications of that encoding format:
one that can be used to automate inter-domain coordination of traffic one that can be used to automate inter-domain coordination of traffic
filtering, such as what is required in order to mitigate filtering, such as what is required in order to mitigate
(distributed) denial-of-service attacks, and a second application to (distributed) denial-of-service attacks, and a second application to
provide traffic filtering in the context of a BGP/MPLS VPN service. provide traffic filtering in the context of a BGP/MPLS VPN service.
Other applications (ie. centralized control of traffic in a SDN or Other applications (ie. centralized control of traffic in a SDN or
NFV context) are also possible. Other drafts specify IPv6, MPLS NFV context) are also possible. Other documents may specify Flow
addresses, L2VPN addresses, and NV03 encapsulation of IP addresses as Specification extensions.
Flow Specification extensions.
The information is carried via the BGP, thereby reusing protocol The information is carried via BGP, thereby reusing protocol
algorithms, operational experience, and administrative processes such algorithms, operational experience, and administrative processes such
as inter-provider peering agreements. as inter-provider peering agreements.
This document obsoletes both RFC5575 and RFC7674.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 7, 2020. This Internet-Draft will expire on July 20, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Definitions of Terms Used in This Memo . . . . . . . . . . . 5 2. Definitions of Terms Used in This Memo . . . . . . . . . . . 5
3. Flow Specifications . . . . . . . . . . . . . . . . . . . . . 5 3. Flow Specifications . . . . . . . . . . . . . . . . . . . . . 5
4. Dissemination of IPv4 FLow Specification Information . . . . 6 4. Dissemination of IPv4 Flow Specification Information . . . . 6
4.1. Length Encoding . . . . . . . . . . . . . . . . . . . . . 7 4.1. Length Encoding . . . . . . . . . . . . . . . . . . . . . 7
4.2. NLRI Value Encoding . . . . . . . . . . . . . . . . . . . 7 4.2. NLRI Value Encoding . . . . . . . . . . . . . . . . . . . 7
4.2.1. Operators . . . . . . . . . . . . . . . . . . . . . . 7 4.2.1. Operators . . . . . . . . . . . . . . . . . . . . . . 8
4.2.2. Components . . . . . . . . . . . . . . . . . . . . . 9 4.2.2. Components . . . . . . . . . . . . . . . . . . . . . 9
4.3. Examples of Encodings . . . . . . . . . . . . . . . . . . 13 4.3. Examples of Encodings . . . . . . . . . . . . . . . . . . 14
5. Traffic Filtering . . . . . . . . . . . . . . . . . . . . . . 16 5. Traffic Filtering . . . . . . . . . . . . . . . . . . . . . . 16
5.1. Ordering of Flow Specifications . . . . . . . . . . . . . 17 5.1. Ordering of Flow Specifications . . . . . . . . . . . . . 17
6. Validation Procedure . . . . . . . . . . . . . . . . . . . . 18 6. Validation Procedure . . . . . . . . . . . . . . . . . . . . 18
7. Traffic Filtering Actions . . . . . . . . . . . . . . . . . . 19 7. Traffic Filtering Actions . . . . . . . . . . . . . . . . . . 19
7.1. Traffic Rate in Bytes (traffic-rate-bytes) sub-type 0x06 20 7.1. Traffic Rate in Bytes (traffic-rate-bytes) sub-type 0x06 20
7.2. Traffic Rate in Packets (traffic-rate-packets) sub-type 7.2. Traffic Rate in Packets (traffic-rate-packets) sub-type
TBD . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 TBD . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
7.3. Traffic-action (traffic-action) sub-type 0x07 . . . . . . 21 7.3. Traffic-action (traffic-action) sub-type 0x07 . . . . . . 21
7.4. RT Redirect (rt-redirect) sub-type 0x08 . . . . . . . . . 22 7.4. RT Redirect (rt-redirect) sub-type 0x08 . . . . . . . . . 22
7.5. Traffic Marking (traffic-marking) sub-type 0x09 . . . . . 22 7.5. Traffic Marking (traffic-marking) sub-type 0x09 . . . . . 22
7.6. Interaction with other Filtering Mechanisms in Routers . 23 7.6. Interaction with other Filtering Mechanisms in Routers . 23
7.7. Considerations on Traffic Filtering Action Interference . 23 7.7. Considerations on Traffic Filtering Action Interference . 23
8. Dissemination of Traffic Filtering in BGP/MPLS VPN Networks . 24 8. Dissemination of Traffic Filtering in BGP/MPLS VPN Networks . 24
9. Traffic Monitoring . . . . . . . . . . . . . . . . . . . . . 25 9. Traffic Monitoring . . . . . . . . . . . . . . . . . . . . . 25
10. Error-Handling . . . . . . . . . . . . . . . . . . . . . . . 25 10. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 25
11. Future NLRI Extensions . . . . . . . . . . . . . . . . . . . 25 11. Future NLRI Extensions . . . . . . . . . . . . . . . . . . . 25
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
12.1. AFI/SAFI Definitions . . . . . . . . . . . . . . . . . . 26 12.1. AFI/SAFI Definitions . . . . . . . . . . . . . . . . . . 26
12.2. Flow Component Definitions . . . . . . . . . . . . . . . 26 12.2. Flow Component Definitions . . . . . . . . . . . . . . . 26
12.3. Extended Community Flow Specification Actions . . . . . 27 12.3. Extended Community Flow Specification Actions . . . . . 27
13. Security Considerations . . . . . . . . . . . . . . . . . . . 30 13. Security Considerations . . . . . . . . . . . . . . . . . . . 30
14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 31 14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 32
15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 32
16. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 32
16.1. Normative References . . . . . . . . . . . . . . . . . . 32 16.1. Normative References . . . . . . . . . . . . . . . . . . 32
16.2. Informative References . . . . . . . . . . . . . . . . . 33 16.2. Informative References . . . . . . . . . . . . . . . . . 34
16.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 34 16.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Appendix A. Python code: flow_rule_cmp . . . . . . . . . . . . . 34 Appendix A. Python code: flow_rule_cmp . . . . . . . . . . . . . 35
Appendix B. Comparison with RFC 5575 . . . . . . . . . . . . . . 36 Appendix B. Comparison with RFC 5575 . . . . . . . . . . . . . . 36
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37
1. Introduction 1. Introduction
This document obsoletes both This document obsoletes both
"Dissemination of Flow Specification Rules" [RFC5575] and "Dissemination of Flow Specification Rules" [RFC5575] and
"Clarification of the Flowspec Redirect Extended Community"[RFC7674]. "Clarification of the Flowspec Redirect Extended Community"[RFC7674].
Modern IP routers contain both the capability to forward traffic Modern IP routers contain both the capability to forward traffic
skipping to change at page 4, line 18 skipping to change at page 4, line 18
By expanding routing information with Flow Specifications, the By expanding routing information with Flow Specifications, the
routing system can take advantage of the ACL (Access Control List) or routing system can take advantage of the ACL (Access Control List) or
firewall capabilities in the router's forwarding path. Flow firewall capabilities in the router's forwarding path. Flow
Specifications can be seen as more specific routing entries to a Specifications can be seen as more specific routing entries to a
unicast prefix and are expected to depend upon the existing unicast unicast prefix and are expected to depend upon the existing unicast
data information. data information.
A Flow Specification received from an external autonomous system will A Flow Specification received from an external autonomous system will
need to be validated against unicast routing before being accepted need to be validated against unicast routing before being accepted
(Section 6). The flow specification received from an internal BGP (Section 6). The Flow Specification received from an internal BGP
peer within the same autonomous system (per [RFC4271]) is assumed to peer within the same autonomous system [RFC4271] is assumed to have
have been validated prior to transmission within the iBGP mesh of an been validated prior to transmission within the iBGP mesh of an
autonomous system. If the aggregate traffic flow defined by the autonomous system. If the aggregate traffic flow defined by the
unicast destination prefix is forwarded to a given BGP peer, then the unicast destination prefix is forwarded to a given BGP peer, then the
local system can install more specific Flow Specifications that may local system can install more specific Flow Specifications that may
result in different forwarding behavior, as requested by this system. result in different forwarding behavior, as requested by this system.
From an operational perspective, the utilization of BGP as the From an operational perspective, the utilization of BGP as the
carrier for this information allows a network service provider to carrier for this information allows a network service provider to
reuse both internal route distribution infrastructure (e.g., route reuse both internal route distribution infrastructure (e.g., route
reflector or confederation design) and existing external reflector or confederation design) and existing external
relationships (e.g., inter-domain BGP sessions to a customer relationships (e.g., inter-domain BGP sessions to a customer
skipping to change at page 5, line 12 skipping to change at page 5, line 12
address similar filtering needs for other BGP address families such address similar filtering needs for other BGP address families such
as IPv6 families [I-D.ietf-idr-flow-spec-v6]. as IPv6 families [I-D.ietf-idr-flow-spec-v6].
2. Definitions of Terms Used in This Memo 2. Definitions of Terms Used in This Memo
AFI - Address Family Identifier. AFI - Address Family Identifier.
AS - Autonomous System. AS - Autonomous System.
Loc-RIB - The Loc-RIB contains the routes that have been selected Loc-RIB - The Loc-RIB contains the routes that have been selected
by the local BGP speaker's Decision Process. by the local BGP speaker's Decision Process [RFC4271].
NLRI - Network Layer Reachability Information. NLRI - Network Layer Reachability Information.
PE - Provider Edge router. PE - Provider Edge router.
RIB - Routing Information Base. RIB - Routing Information Base.
SAFI - Subsequent Address Family Identifier. SAFI - Subsequent Address Family Identifier.
VRF - Virtual Routing and Forwarding instance. VRF - Virtual Routing and Forwarding instance.
skipping to change at page 6, line 16 skipping to change at page 6, line 16
(AFI=1, SAFI=2) are handled by BGP without any particular semantics (AFI=1, SAFI=2) are handled by BGP without any particular semantics
being associated with them until installed in the Loc-RIB. being associated with them until installed in the Loc-RIB.
Standard BGP policy mechanisms, such as UPDATE filtering by NLRI Standard BGP policy mechanisms, such as UPDATE filtering by NLRI
prefix as well as community matching and manipulation, must apply to prefix as well as community matching and manipulation, must apply to
the Flow Specification defined NLRI-type, especially in an inter- the Flow Specification defined NLRI-type, especially in an inter-
domain environment. Network operators can also control propagation domain environment. Network operators can also control propagation
of such routing updates by enabling or disabling the exchange of a of such routing updates by enabling or disabling the exchange of a
particular (AFI, SAFI) pair on a given BGP peering session. particular (AFI, SAFI) pair on a given BGP peering session.
4. Dissemination of IPv4 FLow Specification Information 4. Dissemination of IPv4 Flow Specification Information
This document defines a Flow Specification NLRI type (Figure 1) that This document defines a Flow Specification NLRI type (Figure 1) that
may include several components such as destination prefix, source may include several components such as destination prefix, source
prefix, protocol, ports, and others (see Section 4.2 below). prefix, protocol, ports, and others (see Section 4.2 below).
This NLRI information is encoded using MP_REACH_NLRI and This NLRI information is encoded using MP_REACH_NLRI and
MP_UNREACH_NLRI attributes as defined in [RFC4760]. Whenever the MP_UNREACH_NLRI attributes as defined in [RFC4760]. When advertising
corresponding application does not require Next Hop information, this Flow Specifications, the Length of Next Hop Network Address SHOULD be
shall be encoded as a 0-octet length Next Hop in the MP_REACH_NLRI set to 0. The Network Address of Next Hop field MUST be ignored.
attribute (if a non 0-octet Next Hop is present it should be ignored
on receipt).
The NLRI field of the MP_REACH_NLRI and MP_UNREACH_NLRI is encoded as The NLRI field of the MP_REACH_NLRI and MP_UNREACH_NLRI is encoded as
a 1- or 2-octet NLRI length field followed by a variable-length NLRI one or more 2-tuples of the form <length, NLRI value>. It consists
value. The NLRI length is expressed in octets. of a 1- or 2-octet length field followed by a variable-length NLRI
value. The length is expressed in octets.
+-------------------------------+ +-------------------------------+
| length (0xnn or 0xfnnn) | | length (0xnn or 0xfnnn) |
+-------------------------------+ +-------------------------------+
| NLRI value (variable) | | NLRI value (variable) |
+-------------------------------+ +-------------------------------+
Figure 1: Flow Specification NLRI for IPv4 Figure 1: Flow Specification NLRI for IPv4
Implementations wishing to exchange Flow Specification MUST use BGP's Implementations wishing to exchange Flow Specification MUST use BGP's
Capability Advertisement facility to exchange the Multiprotocol Capability Advertisement facility to exchange the Multiprotocol
Extension Capability Code (Code 1) as defined in [RFC4760]. The Extension Capability Code (Code 1) as defined in [RFC4760]. The
(AFI, SAFI) pair carried in the Multiprotocol Extension Capability (AFI, SAFI) pair carried in the Multiprotocol Extension Capability
MUST be (AFI=1, SAFI=133) for IPv4 Flow Specification, and (AFI=1, MUST be (AFI=1, SAFI=133) for IPv4 Flow Specification, and (AFI=1,
SAFI=134) for VPNv4 Flow Specification. SAFI=134) for VPNv4 Flow Specification.
The Flow Specification NLRI is considered a Typed NLRI in the sense
of Section 5.4 of [RFC7606]. See also Section 4.2 on unknown
component type handling.
4.1. Length Encoding 4.1. Length Encoding
o If the NLRI length is smaller than 240 (0xf0 hex) octets, the o If the NLRI length is smaller than 240 (0xf0 hex) octets, the
length field can be encoded as a single octet. length field can be encoded as a single octet.
o Otherwise, it is encoded as an extended-length 2-octet value in o Otherwise, it is encoded as an extended-length 2-octet value in
which the most significant nibble of the first byte is all ones. which the most significant nibble of the first byte is all ones.
In Figure 1 above, values less-than 240 are encoded using two hex In Figure 1 above, values less-than 240 are encoded using two hex
digits (0xnn). Values above 239 are encoded using 3 hex digits digits (0xnn). Values above 239 are encoded using 3 hex digits
skipping to change at page 7, line 30 skipping to change at page 7, line 30
The Flow Specification NLRI value consists of a list of optional The Flow Specification NLRI value consists of a list of optional
components and is encoded as follows: components and is encoded as follows:
Encoding: <[component]+> Encoding: <[component]+>
A specific packet is considered to match the Flow Specification when A specific packet is considered to match the Flow Specification when
it matches the intersection (AND) of all the components present in it matches the intersection (AND) of all the components present in
the Flow Specification. the Flow Specification.
Components must follow strict type ordering by increasing numerical Components MUST follow strict type ordering by increasing numerical
order. A given component type may (exactly once) or may not be order. A given component type may (exactly once) or may not be
present in the Flow Specification. If present, it MUST precede any present in the Flow Specification. If present, it MUST precede any
component of higher numeric type value. component of higher numeric type value.
All combinations of components within a single Flow Specification are All combinations of components within a single Flow Specification are
allowed. However, some combinations cannot match any packets (ie. allowed. However, some combinations cannot match any packets (e.g.
"ICMP Type AND Port" will never match any packets), and thus SHOULD "ICMP Type AND Port" will never match any packets), and thus SHOULD
NOT be propagated by BGP. NOT be propagated by BGP.
An advertisement containing an unknown Flow Specification component
type should be discarded as specified in Section 5.4 of [RFC7606].
It needs to be pointed out that the encoding of the NLRI as a 2-tuple
<length, NLRI value> allows to skip over a NLRI value (the NLRI that
value should be discarded).
Except for an unknown component type (see above), a NLRI value not
encoded as specified in Section 4.2 is considered malformed and error
handling according to Section 10 is performed.
4.2.1. Operators 4.2.1. Operators
Most of the components described below make use of comparison Most of the components described below make use of comparison
operators. Which of the two operators is used is defined by the operators. Which of the two operators is used is defined by the
components in Section 4.2.2. The operators are encoded as a single components in Section 4.2.2. The operators are encoded as a single
octet. octet.
4.2.1.1. Numeric Operator (numeric_op) 4.2.1.1. Numeric Operator (numeric_op)
This operator is encoded as shown in Figure 2. This operator is encoded as shown in Figure 2.
skipping to change at page 8, line 38 skipping to change at page 9, line 5
lt - less than comparison between data and value. lt - less than comparison between data and value.
gt - greater than comparison between data and value. gt - greater than comparison between data and value.
eq - equality between data and value. eq - equality between data and value.
The bits lt, gt, and eq can be combined to produce common relational The bits lt, gt, and eq can be combined to produce common relational
operators such as "less or equal", "greater or equal", and "not equal operators such as "less or equal", "greater or equal", and "not equal
to" as shown in Table 1. to" as shown in Table 1.
+----+----+----+----------------------------------+ +----+----+----+-----------------------------------+
| lt | gt | eq | Resulting operation | | lt | gt | eq | Resulting operation |
+----+----+----+----------------------------------+ +----+----+----+-----------------------------------+
| 0 | 0 | 0 | false (independent of the value) | | 0 | 0 | 0 | false (independent of the value) |
| 0 | 0 | 1 | == (equal) | | 0 | 0 | 1 | == (equal) |
| 0 | 1 | 0 | > (greater than) | | 0 | 1 | 0 | > (greater than) |
| 0 | 1 | 1 | >= (greater than or equal) | | 0 | 1 | 1 | >= (greater than or equal) |
| 1 | 0 | 0 | < (less than) | | 1 | 0 | 0 | < (less than) |
| 1 | 0 | 1 | <= (less than or equal) | | 1 | 0 | 1 | <= (less than or equal) |
| 1 | 1 | 0 | != (not equal value) | | 1 | 1 | 0 | != (not equal value) |
| 1 | 1 | 1 | true (independent of the value) | | 1 | 1 | 1 | true (independent of the value) |
+----+----+----+----------------------------------+ +----+----+----+-----------------------------------+
Table 1: Comparison operation combinations Table 1: Comparison operation combinations
4.2.1.2. Bitmask Operator (bitmask_op) 4.2.1.2. Bitmask Operator (bitmask_op)
This operator is encoded as shown in Figure 3. This operator is encoded as shown in Figure 3.
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+
| e | a | len | 0 | 0 |not| m | | e | a | len | 0 | 0 |not| m |
skipping to change at page 14, line 13 skipping to change at page 14, line 26
192.0.2.0/24 and TCP port 25". 192.0.2.0/24 and TCP port 25".
+--------+----------------+----------+----------+ +--------+----------------+----------+----------+
| length | destination | protocol | port | | length | destination | protocol | port |
+--------+----------------+----------+----------+ +--------+----------------+----------+----------+
| 0x0b | 01 18 c0 00 02 | 03 81 06 | 04 81 19 | | 0x0b | 01 18 c0 00 02 | 03 81 06 | 04 81 19 |
+--------+----------------+----------+----------+ +--------+----------------+----------+----------+
Decoded: Decoded:
+-------+------------+------------------------------+ +-------+------------+-------------------------------+
| Value | | | | Value | | |
+-------+------------+------------------------------+ +-------+------------+-------------------------------+
| 0x0b | length | 11 octets (len<240 1-octet) | | 0x0b | length | 11 octets (len<240 1-octet) |
| 0x01 | type | Type 1 - Destination Prefix | | 0x01 | type | Type 1 - Destination Prefix |
| 0x18 | length | 24 bit | | 0x18 | length | 24 bit |
| 0xc0 | prefix | 192 | | 0xc0 | prefix | 192 |
| 0x00 | prefix | 0 | | 0x00 | prefix | 0 |
| 0x02 | prefix | 2 | | 0x02 | prefix | 2 |
| 0x03 | type | Type 3 - IP Protocol | | 0x03 | type | Type 3 - IP Protocol |
| 0x81 | numeric_op | end-of-list, value size=1, = | | 0x81 | numeric_op | end-of-list, value size=1, == |
| 0x06 | value | IP Protocol 6 = TCP | | 0x06 | value | 6 (TCP) |
| 0x04 | type | Type 4 - Port | | 0x04 | type | Type 4 - Port |
| 0x81 | numeric_op | end-of-list, value size=1, = | | 0x81 | numeric_op | end-of-list, value size=1, == |
| 0x19 | value | 25 | | 0x19 | value | 25 |
+-------+------------+------------------------------+ +-------+------------+-------------------------------+
This constitutes a NLRI with a NLRI length of 11 octets. This constitutes a NLRI with a NLRI length of 11 octets.
4.3.2. Example 2 4.3.2. Example 2
An example of a Flow Specification NLRI encoding for: "all packets to An example of a Flow Specification NLRI encoding for: "all packets to
192.0.2.0/24 from 203.0.113.0/24 and port {range [137, 139] or 192.0.2.0/24 from 203.0.113.0/24 and port {range [137, 139] or
8080}". 8080}".
+--------+----------------+----------------+-------------------------+ +--------+----------------+----------------+-------------------------+
| length | destination | source | port | | length | destination | source | port |
+--------+----------------+----------------+-------------------------+ +--------+----------------+----------------+-------------------------+
| 0x12 | 01 18 c0 00 02 | 02 18 cb 00 71 | 04 03 89 45 8b 91 1f 90 | | 0x12 | 01 18 c0 00 02 | 02 18 cb 00 71 | 04 03 89 45 8b 91 1f 90 |
+--------+----------------+----------------+-------------------------+ +--------+----------------+----------------+-------------------------+
Decoded: Decoded:
+--------+------------+------------------------------+ +--------+------------+-------------------------------+
| Value | | | | Value | | |
+--------+------------+------------------------------+ +--------+------------+-------------------------------+
| 0x12 | length | 18 octets (len<240 1-octet) | | 0x12 | length | 18 octets (len<240 1-octet) |
| 0x01 | type | Type 1 - Destination Prefix | | 0x01 | type | Type 1 - Destination Prefix |
| 0x18 | length | 24 bit | | 0x18 | length | 24 bit |
| 0xc0 | prefix | 192 | | 0xc0 | prefix | 192 |
| 0x00 | prefix | 0 | | 0x00 | prefix | 0 |
| 0x02 | prefix | 2 | | 0x02 | prefix | 2 |
| 0x02 | type | Type 2 - Source Prefix | | 0x02 | type | Type 2 - Source Prefix |
| 0x18 | length | 24 bit | | 0x18 | length | 24 bit |
| 0xcb | prefix | 203 | | 0xcb | prefix | 203 |
| 0x00 | prefix | 0 | | 0x00 | prefix | 0 |
| 0x71 | prefix | 113 | | 0x71 | prefix | 113 |
| 0x04 | type | Type 4 - Port | | 0x04 | type | Type 4 - Port |
| 0x03 | numeric_op | value size=1, >= | | 0x03 | numeric_op | value size=1, >= |
| 0x89 | value | 137 | | 0x89 | value | 137 |
| 0x45 | numeric_op | "AND", value size=1, <= | | 0x45 | numeric_op | "AND", value size=1, <= |
| 0x8b | value | 139 | | 0x8b | value | 139 |
| 0x91 | numeric_op | end-of-list, value size=2, = | | 0x91 | numeric_op | end-of-list, value size=2, == |
| 0x1f90 | value | 8080 | | 0x1f90 | value | 8080 |
+--------+------------+------------------------------+ +--------+------------+-------------------------------+
This constitutes a NLRI with a NLRI length of 18 octets. This constitutes a NLRI with a NLRI length of 18 octets.
4.3.3. Example 3 4.3.3. Example 3
An example of a Flow Specification NLRI encoding for: "all packets to An example of a Flow Specification NLRI encoding for: "all packets to
192.0.2.1/32 and fragment { DF or FF } (matching packet with DF bit 192.0.2.1/32 and fragment { DF or FF } (matching packet with DF bit
set or First Fragments) set or First Fragments)
+--------+-------------------+----------+ +--------+-------------------+----------+
skipping to change at page 18, line 27 skipping to change at page 18, line 27
this step is used to validate that the NEXT_HOP attribute of a given this step is used to validate that the NEXT_HOP attribute of a given
route is resolvable. route is resolvable.
The concept can be extended, in the case of the Flow Specification The concept can be extended, in the case of the Flow Specification
NLRI, to allow other validation procedures. NLRI, to allow other validation procedures.
The validation process described below validates Flow Specifications The validation process described below validates Flow Specifications
against unicast routes received over the same AFI but the associated against unicast routes received over the same AFI but the associated
unicast routing information SAFI: unicast routing information SAFI:
Flow specification received over SAFI=133 will be validated Flow Specification received over SAFI=133 will be validated
against routes received over SAFI=1 against routes received over SAFI=1
Flow specification received over SAFI=134 will be validated Flow Specification received over SAFI=134 will be validated
against routes received over SAFI=128 against routes received over SAFI=128
By default a Flow Specification NLRI MUST be validated such that it By default a Flow Specification NLRI MUST be validated such that it
is considered feasible if and only if all of the below is true: is considered feasible if and only if all of the below is true:
a) A destination prefix component is embedded in the Flow a) A destination prefix component is embedded in the Flow
Specification. Specification.
b) The originator of the Flow Specification matches the originator b) The originator of the Flow Specification matches the originator
of the best-match unicast route for the destination prefix of the best-match unicast route for the destination prefix
skipping to change at page 22, line 7 skipping to change at page 22, line 7
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tr. Action Field (cont.) |S|T| | Tr. Action Field (cont.) |S|T|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Traffic-action Extended Community Encoding Figure 5: Traffic-action Extended Community Encoding
where S and T are defined as: where S and T are defined as:
o T: Terminal Action (bit 47): When this bit is set, the traffic o T: Terminal Action (bit 47): When this bit is set, the traffic
filtering engine will evaluate any subsequent Flow Specifications filtering engine will evaluate any subsequent Flow Specifications
(as defined by the ordering procedure). If not set, the (as defined by the ordering procedure Section 5.1). If not set,
evaluation of the traffic filters stops when this Flow the evaluation of the traffic filters stops when this Flow
Specification is evaluated. Specification is evaluated.
o S: Sample (bit 46): Enables traffic sampling and logging for this o S: Sample (bit 46): Enables traffic sampling and logging for this
Flow Specification (only effective when set). Flow Specification (only effective when set).
o Traffic Action Field: Other Traffic Action Field (see Section 12) o Traffic Action Field: Other Traffic Action Field (see Section 12)
bits unused in this specification. bits unused in this specification. These bits SHOULD be set to 0
on encoding, and MUST be ignored during decoding.
The use of the Terminal Action (bit 47) may result in more than one The use of the Terminal Action (bit 47) may result in more than one
Flow Specification matching a particular traffic flow. All the Flow Specification matching a particular traffic flow. All the
Traffic Filtering Actions from these Flow Specifications shall be Traffic Filtering Actions from these Flow Specifications shall be
collected and applied. In case of interfering Traffic Filtering collected and applied. In case of interfering Traffic Filtering
Actions it is an implementation decision which Traffic Filtering Actions it is an implementation decision which Traffic Filtering
Actions are selected. See also Section 7.7. Actions are selected. See also Section 7.7.
Interferes with: No other BGP Flow Specification Traffic Filtering Interferes with: No other BGP Flow Specification Traffic Filtering
Action in this document. Action in this document.
skipping to change at page 23, line 29 skipping to change at page 23, line 29
o DSCP: new DSCP value for the transiting IP packet. o DSCP: new DSCP value for the transiting IP packet.
o reserved, r.: SHOULD be set to 0 on encoding, and MUST be ignored o reserved, r.: SHOULD be set to 0 on encoding, and MUST be ignored
during decoding. during decoding.
Interferes with: No other BGP Flow Specification Traffic Filtering Interferes with: No other BGP Flow Specification Traffic Filtering
Action in this document. Action in this document.
7.6. Interaction with other Filtering Mechanisms in Routers 7.6. Interaction with other Filtering Mechanisms in Routers
Implementations SHOULD provide mechanisms that map an arbitrary BGP Implementations should provide mechanisms that map an arbitrary BGP
community value (normal or extended) to Traffic Filtering Actions community value (normal or extended) to Traffic Filtering Actions
that require different mappings in different systems in the network. that require different mappings in different systems in the network.
For instance, providing packets with a worse-than-best-effort, per- For instance, providing packets with a worse-than-best-effort, per-
hop behavior is a functionality that is likely to be implemented hop behavior is a functionality that is likely to be implemented
differently in different systems and for which no standard behavior differently in different systems and for which no standard behavior
is currently known. Rather than attempting to define it here, this is currently known. Rather than attempting to define it here, this
can be accomplished by mapping a user-defined community value to can be accomplished by mapping a user-defined community value to
platform-/network-specific behavior via user configuration. platform-/network-specific behavior via user configuration.
7.7. Considerations on Traffic Filtering Action Interference 7.7. Considerations on Traffic Filtering Action Interference
skipping to change at page 24, line 26 skipping to change at page 24, line 26
filtering requirements than Internet service providers. But also filtering requirements than Internet service providers. But also
Internet service providers may use those VPNs for scenarios like Internet service providers may use those VPNs for scenarios like
having the Internet routing table in a VRF, resulting in the same having the Internet routing table in a VRF, resulting in the same
traffic filtering requirements as defined for the global routing traffic filtering requirements as defined for the global routing
table environment within this document. This document defines an table environment within this document. This document defines an
additional BGP NLRI type (AFI=1, SAFI=134) value, which can be used additional BGP NLRI type (AFI=1, SAFI=134) value, which can be used
to propagate Flow Specification in a BGP/MPLS VPN environment. to propagate Flow Specification in a BGP/MPLS VPN environment.
The NLRI format for this address family consists of a fixed-length The NLRI format for this address family consists of a fixed-length
Route Distinguisher field (8 bytes) followed by the Flow Route Distinguisher field (8 bytes) followed by the Flow
Specification NLRI value Section 4.2. The NLRI length field shall Specification NLRI value (Section 4.2). The NLRI length field shall
include both the 8 bytes of the Route Distinguisher as well as the include both the 8 bytes of the Route Distinguisher as well as the
subsequent Flow Specification NLRI value. The resulting encoding is subsequent Flow Specification NLRI value. The resulting encoding is
shown in Figure 7. shown in Figure 7.
+------------------------------+ +------------------------------+
| length (0xnn or 0xfn nn) | | length (0xnn or 0xfn nn) |
+------------------------------+ +------------------------------+
| Route Distinguisher (8 bytes)| | Route Distinguisher (8 bytes)|
+------------------------------+ +------------------------------+
| NLRI value (variable) | | NLRI value (variable) |
skipping to change at page 25, line 23 skipping to change at page 25, line 23
Traffic filtering applications require monitoring and traffic Traffic filtering applications require monitoring and traffic
statistics facilities. While this is an implementation specific statistics facilities. While this is an implementation specific
choice, implementations SHOULD provide: choice, implementations SHOULD provide:
o A mechanism to log the packet header of filtered traffic. o A mechanism to log the packet header of filtered traffic.
o A mechanism to count the number of matches for a given Flow o A mechanism to count the number of matches for a given Flow
Specification. Specification.
10. Error-Handling 10. Error Handling
Error handling according to [RFC7606] SHOULD apply to this Error handling according to [RFC7606] and [RFC4760] applies to this
specification. specification.
This document introduces Traffic Filtering Action Extended This document introduces Traffic Filtering Action Extended
Communities. Malformed Traffic Filtering Action Extended Communities Communities. Malformed Traffic Filtering Action Extended Communities
in the sense of [RFC7606] Section 7.14. are Extended Community values in the sense of [RFC7606] Section 7.14. are Extended Community values
that cannot be decoded according to Section 7 of this document. that cannot be decoded according to Section 7 of this document.
11. Future NLRI Extensions 11. Future NLRI Extensions
Future Flow Specification extensions may introduce new Flow Future Flow Specification extensions may introduce new Flow
Specification components. In order to facilitate such extensions of Specification components. If a receiving BGP speaker decodes an
the Flow Specification NLRI, in addition to the cases described in unknown Flow Specification component type it is unable to continue
[RFC7606], if BGP encounters an unknown Flow Specification component decoding the following Flow Specification components in the same NLRI
in an UPDATE message, it SHOULD also treat this message as Treat-as- value and MUST discard this NLRI value and all its components as
withdraw as specified in [RFC7606] Section 2. described in Section 4.2 for further processing. Since the NLRI
field encoding (Section 4) is defined in the form of a 2-tuple
<length, NLRI value> message decoding can skip over the NLRI value
and continue with subsequent NLRI and message decoding.
The specification of a new Flow Specification Component Type SHOULD The specification of a new Flow Specification Component Type MUST
clearly identify what the criteria used to match packets forwarded by clearly identify what the criteria used to match packets forwarded by
the router is. This criteria should be meaningful across router hops the router is. This criteria should be meaningful across router hops
and not depend on values that change hop-by-hop such as TTL or Layer and not depend on values that change hop-by-hop such as TTL or Layer
2 encapsulation. 2 encapsulation.
Such extensions SHOULD also specify a way to encode an "always-match" Such extensions SHOULD also specify a way to encode an "always-match"
match condition within the newly introduced components (this is a match condition within the newly introduced components (this is a
match condition, encoded with the newly introduced components: If match condition, encoded with the newly introduced components: If
present on its own, matches all flows). This match condition can be present on its own, matches all flows). This match condition can be
used to propagate (and apply) certain Flow Specifications only if a used to propagate (and apply) certain Flow Specifications only if a
skipping to change at page 27, line 30 skipping to change at page 27, line 30
+-------+--------------------+-----------------+ +-------+--------------------+-----------------+
Table 4: Registry: Flow Spec Component Types Table 4: Registry: Flow Spec Component Types
In order to manage the limited number space and accommodate several In order to manage the limited number space and accommodate several
usages, the following policies defined by [RFC8126] are used: usages, the following policies defined by [RFC8126] are used:
+--------------+-------------------------------+ +--------------+-------------------------------+
| Type Values | Policy | | Type Values | Policy |
+--------------+-------------------------------+ +--------------+-------------------------------+
| 0 | Specification required | | 0 | Reserved |
| [1 .. 12] | Defined by this specification | | [1 .. 12] | Defined by this specification |
| [13 .. 127] | Specification required | | [13 .. 127] | Specification required |
| [128 .. 255] | First Come First Served | | [128 .. 255] | First Come First Served |
+--------------+-------------------------------+ +--------------+-------------------------------+
Table 5: Flow Spec Component Types Policies Table 5: Flow Spec Component Types Policies
12.3. Extended Community Flow Specification Actions 12.3. Extended Community Flow Specification Actions
The Extended Community Flow Specification Action types defined in The Extended Community Flow Specification Action types defined in
skipping to change at page 28, line 9 skipping to change at page 28, line 9
Extended Community Types". For the purpose of this work (Section 7), Extended Community Types". For the purpose of this work (Section 7),
IANA is requested to update the references to the following entries IANA is requested to update the references to the following entries
according to the table below (Note: This document obsoletes both according to the table below (Note: This document obsoletes both
RFC7674 and RFC5575 and all references to those documents should be RFC7674 and RFC5575 and all references to those documents should be
deleted in the registry below): deleted in the registry below):
+-------+-----------------------------------------------+-----------+ +-------+-----------------------------------------------+-----------+
| Type | Name | Reference | | Type | Name | Reference |
| Value | | | | Value | | |
+-------+-----------------------------------------------+-----------+ +-------+-----------------------------------------------+-----------+
| 0x81 | Generic Transitive Experimental Use Extended | [this | | 0x81 | Generic Transitive Experimental | [this |
| | Community Part 2 (Sub-Types are defined in | document] | | | Use Extended Community Part 2 (Sub-Types are | document] |
| | the "Generic Transitive Experimental Use | | | | defined in the "Generic Transitive | |
| | Extended Community Part 2 Sub-Types" | | | | Experimental Use Extended Community Part 2 | |
| | Registry) | | | | Sub-Types" Registry) | |
| 0x82 | Generic Transitive Experimental Use Extended | [this | | 0x82 | Generic Transitive Experimental | [this |
| | Community Part 3 (Sub-Types are defined in | document] | | | Use Extended Community Part 3 | document] |
| | the "Generic Transitive Experimental Use | | | | (Sub-Types are defined in the "Generic | |
| | Transitive Experimental Use | |
| | Extended Community Part 3 Sub-Types" | | | | Extended Community Part 3 Sub-Types" | |
| | Registry) | | | | Registry) | |
+-------+-----------------------------------------------+-----------+ +-------+-----------------------------------------------+-----------+
Table 6: Registry: BGP Transitive Extended Community Types Table 6: Registry: BGP Transitive Extended Community Types
For the sub-type part of the extended community Traffic Filtering For the sub-type part of the extended community Traffic Filtering
Actions IANA maintains the following registries. IANA is requested Actions IANA maintains the following registries. IANA is requested
to update all names and references according to the tables below and to update all names and references according to the tables below and
assign a new value for the "Flow spec traffic-rate-packets" Sub-Type assign a new value for the "Flow spec traffic-rate-packets" Sub-Type
(Note: This document obsoletes both RFC7674 and RFC5575 and all (Note: This document obsoletes both RFC7674 and RFC5575 and all
references to those documents should be deleted from the registries references to those documents should be deleted from the registries
below). below).
+----------+--------------------------------------------+-----------+ +----------+--------------------------------------------+-----------+
| Sub-Type | Name | Reference | | Sub-Type | Name | Reference |
| Value | | | | Value | | |
+----------+--------------------------------------------+-----------+ +----------+--------------------------------------------+-----------+
| 0x06 | Flow spec traffic-rate-bytes | [this | | 0x06 | Flow spec traffic-rate-bytes | [this |
| | | document] |
| TBD | Flow spec traffic-rate-packets | [this |
| | | document] | | | | document] |
| 0x07 | Flow spec traffic-action (Use of the | [this | | TBD | Flow spec traffic-rate-packets | [this |
| | "Value" field is defined in the "Traffic | document] |
| | Action Fields" registry) | |
| 0x08 | Flow spec rt-redirect AS-2byte format | [this |
| | | document] | | | | document] |
| 0x09 | Flow spec traffic-remarking | [this | | 0x07 | Flow spec traffic-action (Use | [this |
| | of the "Value" field is defined in the | document] |
| | "Traffic Action Fields" registry) | |
| 0x08 | Flow spec rt-redirect AS-2byte | [this |
| | format | document] |
| 0x09 | Flow spec traffic-remarking | [this |
| | | document] | | | | document] |
+----------+--------------------------------------------+-----------+ +----------+--------------------------------------------+-----------+
Table 7: Registry: Generic Transitive Experimental Use Extended Table 7: Registry: Generic Transitive Experimental Use Extended
Community Sub-Types Community Sub-Types
+----------------+--------------------------------+-----------------+ +------------+----------------------------------------+-------------+
| Sub-Type Value | Name | Reference | | Sub-Type | Name | Reference |
+----------------+--------------------------------+-----------------+ | Value | | |
| 0x08 | Flow spec rt-redirect IPv4 | [this document] | +------------+----------------------------------------+-------------+
| | format | | | 0x08 | Flow spec rt-redirect IPv4 | [this |
+----------------+--------------------------------+-----------------+ | | format | document] |
+------------+----------------------------------------+-------------+
Table 8: Registry: Generic Transitive Experimental Use Extended Table 8: Registry: Generic Transitive Experimental Use Extended
Community Part 2 Sub-Types Community Part 2 Sub-Types
+---------------+----------------------------------+----------------+ +------------+----------------------------------------+-------------+
| Sub-Type | Name | Reference | | Sub-Type | Name | Reference |
| Value | | | | Value | | |
+---------------+----------------------------------+----------------+ +------------+----------------------------------------+-------------+
| 0x08 | Flow spec rt-redirect AS-4byte | [this | | 0x08 | Flow spec rt-redirect AS- | [this |
| | format | document] | | | 4byte format | document] |
+---------------+----------------------------------+----------------+ +------------+----------------------------------------+-------------+
Table 9: Registry: Generic Transitive Experimental Use Extended Table 9: Registry: Generic Transitive Experimental Use Extended
Community Part 3 Sub-Types Community Part 3 Sub-Types
Furthermore IANA is requested to update the reference for the Furthermore IANA is requested to update the reference for the
registries "Generic Transitive Experimental Use Extended Community registries "Generic Transitive Experimental Use Extended Community
Part 2 Sub-Types" and "Generic Transitive Experimental Use Extended Part 2 Sub-Types" and "Generic Transitive Experimental Use Extended
Community Part 3 Sub-Types" to [this document]. Community Part 3 Sub-Types" to [this document].
The "traffic-action" extended community (Section 7.3) defined in this The "traffic-action" extended community (Section 7.3) defined in this
skipping to change at page 30, line 25 skipping to change at page 30, line 25
Where the above mechanisms are not in place, this could open the door Where the above mechanisms are not in place, this could open the door
to further denial-of-service attacks such as unwanted traffic to further denial-of-service attacks such as unwanted traffic
filtering, remarking or redirection. filtering, remarking or redirection.
Deployment of specific relaxations of the validation within an Deployment of specific relaxations of the validation within an
administrative boundary of a network, defined by an AS or an AS- administrative boundary of a network, defined by an AS or an AS-
Confederation boundary, may be useful in some networks for quickly Confederation boundary, may be useful in some networks for quickly
distributing filters to prevent denial-of-service attacks. For a distributing filters to prevent denial-of-service attacks. For a
network to utilize this relaxation, the BGP policies must support network to utilize this relaxation, the BGP policies must support
additional filtering since the origin AS field is empty. additional filtering since the origin AS field is empty.
Specifications relaxing the validation restrictions SHOULD contain Specifications relaxing the validation restrictions MUST contain
security considerations that provide details on the required security considerations that provide details on the required
additional filtering. For example, the use of [RFC6811] to enhance additional filtering. For example, the use of [RFC6811] to enhance
filtering within an AS confederation. filtering within an AS confederation.
Inter-provider routing is based on a web of trust. Neighboring Inter-provider routing is based on a web of trust. Neighboring
autonomous systems are trusted to advertise valid reachability autonomous systems are trusted to advertise valid reachability
information. If this trust model is violated, a neighboring information. If this trust model is violated, a neighboring
autonomous system may cause a denial-of-service attack by advertising autonomous system may cause a denial-of-service attack by advertising
reachability information for a given prefix for which it does not reachability information for a given prefix for which it does not
provide service (unfiltered address space hijack). Since validation provide service (unfiltered address space hijack). Since validation
of the Flow Specification is tied to the announcement of the best of the Flow Specification is tied to the announcement of the best
unicast route, this may also cause this validation to fail and unicast route, this may also cause this validation to fail and
consequently prevent Flow Specifications from being accepted by a consequently prevent Flow Specifications from being accepted by a
peer. Possible mitigations are [RFC6811] and [RFC8205]. peer. Possible mitigations are [RFC6811] and [RFC8205].
On IXPs routes are often exchanged via route servers which do not
extend the AS_PATH. In such cases it is not possible to enforce the
left-most AS in the AS_PATH to be the neighbor AS (the AS of the
route server). Since the validation of Flow Specification
(Section 6) depends on this, additional care must be taken. It is
advised to use a strict inbound route policy in such scenarios.
Enabling firewall-like capabilities in routers without centralized Enabling firewall-like capabilities in routers without centralized
management could make certain failures harder to diagnose. For management could make certain failures harder to diagnose. For
example, it is possible to allow TCP packets to pass between a pair example, it is possible to allow TCP packets to pass between a pair
of addresses but not ICMP packets. It is also possible to permit of addresses but not ICMP packets. It is also possible to permit
packets smaller than 900 or greater than 1000 bytes to pass between a packets smaller than 900 or greater than 1000 bytes to pass between a
pair of addresses, but not packets whose length is in the range 900- pair of addresses, but not packets whose length is in the range 900-
1000. Such behavior may be confusing and these capabilities should 1000. Such behavior may be confusing and these capabilities should
be used with care whether manually configured or coordinated through be used with care whether manually configured or coordinated through
the protocol extensions described in this document. the protocol extensions described in this document.
Flow Specification BGP speakers (e.g. automated DDoS controllers) not Flow Specification BGP speakers (e.g. automated DDoS controllers) not
properly programmed, algorithms that are not performing as expected, properly programmed, algorithms that are not performing as expected,
or simply rogue systems may announce unintended Flow Specifications, or simply rogue systems may announce unintended Flow Specifications,
send updates at a high rate or generate a high number of Flow send updates at a high rate or generate a high number of Flow
Specifications. This may stress the receiving systems, exceed their Specifications. This may stress the receiving systems, exceed their
maximum capacity or may lead to unwanted Traffic Filtering Actions maximum capacity or may lead to unwanted Traffic Filtering Actions
being applied to flows. being applied to flows.
When BGP decodes an unknown Flow Specification component type, as of
Section 4.2 it needs to discard the NLRI and skip over the remaining
undecoded octets to the following NLRI or to the end of the list.
Skipping over unknown octets of the to be discarded NLRI is the
specified behaviour for a Type NLRI in Section 5.4 [RFC7606]. While
this is not intrinsic to the Flow Specification NLRI in particular,
it needs to be pointed out that, carefully crafted wrong NLRI length
fields may lead to synchronisation issues between BGP senders and
receivers.
While the general verification of the Flow Specification NLRI is While the general verification of the Flow Specification NLRI is
specified in this document (Section 6) the Traffic Filtering Actions specified in this document (Section 6) the Traffic Filtering Actions
received by a third party may need custom verification or filtering. received by a third party may need custom verification or filtering.
In particular all non traffic-rate actions may allow a third party to In particular all non traffic-rate actions may allow a third party to
modify packet forwarding properties and potentially gain access to modify packet forwarding properties and potentially gain access to
other routing-tables/VPNs or undesired queues. This can be avoided other routing-tables/VPNs or undesired queues. This can be avoided
by proper filtering/screening of the Traffic Filtering Action by proper filtering/screening of the Traffic Filtering Action
communities at network borders and only exposing a predefined subset communities at network borders and only exposing a predefined subset
of Traffic Filtering Actions (see Section 7) to third parties. One of Traffic Filtering Actions (see Section 7) to third parties. One
way to achieve this is by mapping user-defined communities, that can way to achieve this is by mapping user-defined communities, that can
skipping to change at page 31, line 33 skipping to change at page 32, line 7
This extension adds additional information to Internet routers. This extension adds additional information to Internet routers.
These are limited in terms of the maximum number of data elements These are limited in terms of the maximum number of data elements
they can hold as well as the number of events they are able to they can hold as well as the number of events they are able to
process in a given unit of time. Service providers need to consider process in a given unit of time. Service providers need to consider
the maximum capacity of their devices and may need to limit the the maximum capacity of their devices and may need to limit the
number of Flow Specifications accepted and processed. number of Flow Specifications accepted and processed.
14. Contributors 14. Contributors
Barry Greene, Pedro Marques, Jared Mauch, Danny McPherson, and Barry Greene, Pedro Marques, Jared Mauch and Nischal Sheth were
Nischal Sheth were authors on [RFC5575], and therefore are authors on [RFC5575], and therefore are contributing authors on this
contributing authors on this document. document.
15. Acknowledgements 15. Acknowledgements
The authors would like to thank Yakov Rekhter, Dennis Ferguson, Chris The authors would like to thank Yakov Rekhter, Dennis Ferguson, Chris
Morrow, Charlie Kaufman, and David Smith for their comments for the Morrow, Charlie Kaufman, and David Smith for their comments for the
comments on the original [RFC5575]. Chaitanya Kodeboyina helped comments on the original [RFC5575]. Chaitanya Kodeboyina helped
design the flow validation procedure; and Steven Lin and Jim Washburn design the flow validation procedure; and Steven Lin and Jim Washburn
ironed out all the details necessary to produce a working ironed out all the details necessary to produce a working
implementation in the original [RFC5575]. implementation in the original [RFC5575].
skipping to change at page 33, line 49 skipping to change at page 34, line 22
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
16.2. Informative References 16.2. Informative References
[I-D.ietf-idr-flow-spec-v6] [I-D.ietf-idr-flow-spec-v6]
McPherson, D., Raszuk, R., Pithawala, B., Loibl, C., Raszuk, R., and S. Hares, "Dissemination of
akarch@cisco.com, a., and S. Hares, "Dissemination of Flow Flow Specification Rules for IPv6", draft-ietf-idr-flow-
Specification Rules for IPv6", draft-ietf-idr-flow-spec- spec-v6-10 (work in progress), November 2019.
v6-09 (work in progress), November 2017.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, DOI 10.17487/RFC4303, December 2005, RFC 4303, DOI 10.17487/RFC4303, December 2005,
<https://www.rfc-editor.org/info/rfc4303>. <https://www.rfc-editor.org/info/rfc4303>.
[RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
and D. McPherson, "Dissemination of Flow Specification and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<https://www.rfc-editor.org/info/rfc5575>. <https://www.rfc-editor.org/info/rfc5575>.
skipping to change at page 36, line 17 skipping to change at page 36, line 36
This document includes numerous editorial changes to [RFC5575]. It This document includes numerous editorial changes to [RFC5575]. It
also completely incorporates the redirect action clarification also completely incorporates the redirect action clarification
document [RFC7674]. It is recommended to read the entire document. document [RFC7674]. It is recommended to read the entire document.
The authors, however want to point out the following technical The authors, however want to point out the following technical
changes to [RFC5575]: changes to [RFC5575]:
Section 1 introduces the Flow Specification NLRI. In [RFC5575] Section 1 introduces the Flow Specification NLRI. In [RFC5575]
this NLRI was defined as an opaque-key in BGPs database. This this NLRI was defined as an opaque-key in BGPs database. This
specification has removed all references to a opaque-key property. specification has removed all references to a opaque-key property.
BGP is able to understand the NLRI encoding. This change also BGP is able to understand the NLRI encoding. This change also
resulted in a new section regarding error-handling and resulted in a new section regarding error handling and
extensibility (Section 10 and Section 11). extensibility (Section 10 and Section 11).
Section 4.2.2.3 defines a numeric operator and comparison bit Section 4.2.2.3 defines a numeric operator and comparison bit
combinations. In [RFC5575] the meaning of those bit combination combinations. In [RFC5575] the meaning of those bit combination
was not explicitly defined and left open to the reader. was not explicitly defined and left open to the reader.
Section 4.2.2.3 - Section 4.2.2.8, Section 4.2.2.10, Section 4.2.2.3 - Section 4.2.2.8, Section 4.2.2.10,
Section 4.2.2.11 make use of the above numeric operator. The Section 4.2.2.11 make use of the above numeric operator. The
allowed length of the comparison value was not consistently allowed length of the comparison value was not consistently
defined in [RFC5575]. defined in [RFC5575].
 End of changes. 52 change blocks. 
138 lines changed or deleted 172 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/