]> BGP Flow Specification Filter for MPLS Label Huawei
lucy.yong@huawei.com
Huawei
7453 Hickory Hill Saline MI 48176 USA shares@ndzh.com
Huawei
101 Software Avenue, Yuhuatai District Nanjing 210012 China liangqiandeng@huawei.com
Huawei
101 Software Avenue, Yuhuatai District Nanjing 210012 China youjianjie@huawei.com
Routing Area IDR Working Group RFC Request for Comments I-D Internet-Draft BGP Flow Specification MPLS Match This draft proposes BGP flow specification rules that are used to filter MPLS labeled packets.
Introduction BGP Flow Specification (BGP-FS) is an extension to that allows for the dissemination of traffic flow specification rules via BGP (). BGP-FS policies have a match condition that may be n-tuple match in a policy, and an action that modifies the packet and forwards/drops the packet. Via BGP, new filter rules can be sent to all BGP peers simultaneously without changing router configuration, and the BGP peer can install these routes in the forwarding table. The typical application of BGP-FS is to automate the distribution of traffic filter lists to routers for DDOS mitigation. defines a new BGP Network Layer Reachability Information (NLRI) format used to distribute traffic flow specification rules. NLRI (AFI=1, SAFI=133) is for IPv4 unicast filtering. NLRI (AFI=1, SAFI=134)is for BGP/MPLS VPN filtering. defines flow-spec extension for IPv6 data packets. extends the flow-spec rules for layer 2 Ethernet packets (AFI=25, SAFI=133, SAFI=134). All these flow specifications match parts only reflect single layer IP (source/destination IP prefix, protocol type, ports, etc.) and Ethernet information with matches for source/destination MAC provides updates to to resolve unclear sections in text and conflicts with interactions of filtering actions. MPLS technologies have been widely deployed in WAN networks. MPLS label stack is the foundation for label switched data plane. A label on a label stack may represent a label switch path (LSP), application identification such as Pseudo Wire (PW), a reserved label that triggers a specific data plane action, or etc. The data plane label switching operations includes pop, push, or swap label on the label stack. For value added services, it is valuable for a MPLS network to have BGP-FS policy filter that matches on the MPLS portion of a packet and an action to modify the MPLS packet header and/or monitor the packets that match the policy. This document specifies an MPLS match filter. specifies a BGP action to modify the MPLS label. describes the following two options for extending : creating a version 2 of BGP Flow Specification which can run in parallel to the original BGP Flow specification. Version 2 may also include improved security features (ROAs or ) This MPLS match option can be used for RFC5575 (, ) or version 2 of the flow specification.
The Flow Specification Encoding for MPLS Match This document proposes new flow specifications rules that is encoded in NLRI.
Type TBD1- MPLS Match1
Function: The match1 applies to MPLS Label field on the label stack.
Encoding: <type(1 octet), length(1 octet), [operator,value]+>.
It contains a set of {operator, value} pairs that are used for matching filter.
The operator byte is encoded as:
where:
e - end of list bit:
Set in the last {op, value} pair in the list.
a - AND bit:
If unset, the previous term is logically ORed with the current one. If set, the operation is a logical AND. It should be unset in the first operator byte of a sequence. The AND operator has higher priority than OR for the purposes of evaluating logical expressions.
i - before bit:
If unset, apply matching filter before MPLS label data plane action; if set, apply matching filter after MPLS label data plane action.
pos - the label position indication bits:
where:
00:any position on the label stack
- the presented label value is used to match any label on the label stack. When apply it, at least one label on the stack match the value
01:top label indication-
the presented label value MUST be used to match the top label on the label stack.
10: bottom label indication-
If it is set, the presented label value MUST match the bottom label on the label stack. When it is clear, the present label value can match to any label on the label stack
11:
(for reserved labels)
The value field is encoded as:
Type TBD2 - MPLS Match2
Function: MPLS Match2 applies to MPLS Label experiment bits (EXP) on the top label in the label stack.
Encoding: <type (1 octet), [op, value]+>
[op,value] - Defines a list of {operation, value} pairs used to match 3-bit exp field on the top label of packets .
Values are encoded using a single byte, where the five most significant bits are zero and the three least significant bits contain the exp value.
Deployment Example: DDoS Traffic In this example, 5 local policy rules in the filter-based RIBs (FB-RB, aka Policy Routing) will match n-tuples (destination IP address, Destination Port, source IP address, Source IP Address, protocols (ICMP and STCP). These policy rules can be created by standard yang modules for filter-based RIBS (configuration, and ephemeral configuration) or ACLs, or vendor based policy. These policies will put the DDoS attack data onto one LSP (LSP1) in order to send the DDoS traffic to the IDS/IPS processing attached to PE2. The MPLS Filter allows the BGP Flow specification to match on the LSP label rather than the IP address so that PE2 (with the FB-RIBs on PE2) can forward the traffic to a set of IDS/IPS machines. The BGP Flow Specification (BGP-FS) can forward this simple match policy along with an action policy that constraints the traffic on this Flow to a certain rate (bytes/second). | +---------+ +-----+ +-----+ +-----+ ===| PE1 |---|IBGP |----|IBGP |----| PE2 |--IDS-1/IPS | Filters | | | | | | |--IDS-2/IPS +---------+ +-----+ +-----+ +-----+ |-------------------------------| MPLS travel on LSP-1 with label-1 BGP Flow Specification Filter 1 BGP Flow Specification Match Policy Destination IP address (0/0) [Required by RFC5575] MPLS Label match (label-1) Action Policy Traffic-rate (n bytes) ]]>
Security Considerations The validation of BGP Flow Specification policy relies on the security of the BGP protocol and RFC 5575 checks (, ) for BGP Flow specification version 1 and BGP Flow specification version 2 (). For Option 1, the MPLS Match can be one of the match filtes, and and the final match is an "AND" of all the filters. Match filters are tested in the order specified in and/or an RFC5575bis document.
IANA Considerations This section complies with IANA is requested to a new entry in "Flow Spec component types registry" with the following values:
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Multiprotocol Label Switching Architecture This document specifies the architecture for Multiprotocol Label Switching (MPLS). [STANDARDS-TRACK] MPLS Label Stack Encoding This document specifies the encoding to be used by an LSR in order to transmit labeled packets on Point-to-Point Protocol (PPP) data links, on LAN data links, and possibly on other data links as well. This document also specifies rules and procedures for processing the various fields of the label stack encoding. [STANDARDS-TRACK] A Border Gateway Protocol 4 (BGP-4) This document discusses the Border Gateway Protocol (BGP), which is an inter-Autonomous System routing protocol. The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses. This information is sufficient for constructing a graph of AS connectivity for this reachability from which routing loops may be pruned, and, at the AS level, some policy decisions may be enforced. BGP-4 provides a set of mechanisms for supporting Classless Inter-Domain Routing (CIDR). These mechanisms include support for advertising a set of destinations as an IP prefix, and eliminating the concept of network "class" within BGP. BGP-4 also introduces mechanisms that allow aggregation of routes, including aggregation of AS paths. This document obsoletes RFC 1771. [STANDARDS-TRACK] Dissemination of Flow Specification Rules This document defines a new Border Gateway Protocol Network Layer Reachability Information (BGP NLRI) encoding format that can be used to distribute traffic flow specifications. This allows the routing system to propagate information regarding more specific components of the traffic aggregate defined by an IP destination prefix. Additionally, it defines two applications of that encoding format: one that can be used to automate inter-domain coordination of traffic filtering, such as what is required in order to mitigate (distributed) denial-of-service attacks, and a second application to provide traffic filtering in the context of a BGP/MPLS VPN service. The information is carried via the BGP, thereby reusing protocol algorithms, operational experience, and administrative processes such as inter-provider peering agreements. [STANDARDS-TRACK] IANA Registries for BGP Extended Communities This document reorganizes the IANA registries for the type values and sub-type values of the BGP Extended Communities attribute and the BGP IPv6-Address-Specific Extended Communities attribute. This is done in order to remove interdependencies among the registries, thus making it easier for IANA to determine which codepoints are available for assignment in which registries. This document also clarifies the information that must be provided to IANA when requesting an allocation from one or more of these registries. These changes are compatible with the existing allocations and thus do not affect protocol implementations. The changes will, however, impact the "IANA Considerations" sections of future protocol specifications. This document updates RFC 4360 and RFC 5701. Informative References Dissemination of Flow Specification Rules for IPv6 next layer Telekom GmbH Bloomberg LP Huawei "Dissemination of Flow Specification Rules" (RFC 8955) provides a Border Gateway Protocol (BGP) extension for the propagation of traffic flow information for the purpose of rate limiting or filtering IPv4 protocol data packets. This document extends RFC 8955 with IPv6 functionality. It also updates RFC 8955 by changing the IANA Flow Spec Component Types registry. BGP Dissemination of L2 Flow Specification Rules Huawei Technologies Futurewei Technologies Cisco Systems Huawei Technologies This document defines a Border Gateway Protocol (BGP) Flow Specification (flowspec) extension to disseminate Ethernet Layer 2 (L2) and Layer 2 Virtual Private Network (L2VPN) traffic filtering rules either by themselves or in conjunction with L3 flowspecs. AFI/SAFI 6/133 and 25/134 are used for these purposes. New component types and two extended communities are also defined. Carrying Label Information for BGP FlowSpec This document specifies a method in which the label mapping information for a particular FlowSpec rule is piggybacked in the same Border Gateway Protocol (BGP) Update message that is used to distribute the FlowSpec rule. Based on the proposed method, the Label Switching Routers (LSRs) (except the ingress LSR) on the Label Switched Path (LSP) can use label to indentify the traffic matching a particular FlowSpec rule; this facilitates monitoring and traffic statistics for FlowSpec rules. BGP Flow Specification Version 2 Hickory Hill Consulting Futurewei Technologies ATT Verizon BGP flow specification version 1 (FSv1), defined in RFC 8955, RFC 8956, and RFC 9117 describes the distribution of traffic filter policy (traffic filters and actions) distributed via BGP. Multiple applications have used BGP FSv1 to distribute traffic filter policy. These applications include the following: mitigation of denial of service (DoS), enabling traffic filtering in BGP/MPLS VPNs, centralized traffic control of router firewall functions, and SFC traffic insertion. During the deployment of BGP FSv1 a number of issues were detected due to lack of consistent TLV encoding for rules for flow specifications, lack of user ordering of filter rules and/or actions, and lack of clear definition of interaction with BGP peers not supporting FSv1. Version 2 of the BGP flow specification (FSv2) protocol addresses these features. In order to provide a clear demarcation between FSv1 and FSv2, a different NLRI encapsulates FSv2. Dissemination of Flow Specification Rules This document updates RFC5575 which defines a Border Gateway Protocol Network Layer Reachability Information (BGP NLRI) encoding format that can be used to distribute traffic flow specifications. This allows the routing system to propagate information regarding more specific components of the traffic aggregate defined by an IP destination prefix. This draft specifies IPv4 traffic flow specifications via a BGP NLRI which carries traffic flow specification filter, and an Extended community value which encodes actions a routing system can take if the packet matches the traffic flow filters. The flow filters and the actions are processed in a fixed order. Other drafts specify IPv6, MPLS addresses, L2VPN addresses, and NV03 encapsulation of IP addresses. This document updates RFC5575 to correct unclear specifications in the flow filters and to provide rules for actions which interfere (e.g. redirection of traffic and flow filtering). Applications which use the bgp flow specification are: 1) application which automate of inter-domain coordination of traffic filtering, such as what is required in order to mitigate (distributed) denial- of-service attacks; 2) application which control traffic filtering in the context of a BGP/MPLS VPN service, and 3) applications with centralized control of traffic in a SDN or NFV context. Some of deployments of these three applications can be handled by the strict ordering of the BGP NLRI traffic flow filters, and the strict actions encoded in the Extended Community Flow Specification actions. Revised Validation Procedure for BGP Flow Specifications AT&T Cisco Cisco Cisco Sproute Networks This document describes a modification to the validation procedure defined for the dissemination of BGP Flow Specifications. The dissemination of BGP Flow Specifications as specified in RFC 8955 requires that the originator of the Flow Specification match the originator of the best-match unicast route for the destination prefix embedded in the Flow Specification. For an Internal Border Gateway Protocol (iBGP) received route, the originator is typically a border router within the same autonomous system (AS). The objective is to allow only BGP speakers within the data forwarding path to originate BGP Flow Specifications. Sometimes it is desirable to originate the BGP Flow Specification from any place within the autonomous system itself, for example, from a centralized BGP route controller. However, the validation procedure described in RFC 8955 will fail in this scenario. The modification proposed herein relaxes the validation rule to enable Flow Specifications to be originated within the same autonomous system as the BGP speaker performing the validation. Additionally, this document revises the AS_PATH validation rules so Flow Specifications received from an External Border Gateway Protocol (eBGP) peer can be validated when such a peer is a BGP route server. This document updates the validation procedure in RFC 8955.