]> SRv6 Group Based Policy
yutianpengietf@163.com
Routing Area Source Packet Routing in Networking This document extends the Segment Routing over IPv6 (SRv6) Network Programming framework by incorporating group-based policy capabilities.
Introduction The Group-based Policy (GBP) initially was .It abstractions provide an intent-driven declarative policy model that presents simplified application-oriented interfaces to the user. Group-Based Policy (GBP) is a critical concept in networking and security, particularly in environments like Software-Defined Networking (SDN), cloud computing, and enterprise networks. It provides a flexible and scalable way to manage network policies based on groups of endpoints rather than individual devices, IP addresses, or flows.
Specification of Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .
Terminology GBP: Group-based Policy described in EVPN: BGP MPLS-Based Ethernet VPN defined in .
SRv6 SIDs with GBP This documents defines the behaviors of END.DX6 with GBP, END.DX4 with GBP, END.DT6 with GBP, END.DT4 with GBP, END.DT46 with GBP, END.DT2U with GBP by allowing these SID behaviors taking an argument: "Arg.Src-GBP-ID". The Src-GBP-ID info allows endpoint node to determine the behavior (allowed or denied) when traffic is being forwarded to specific host. The allocation of the GBP-id argument values planned gloabally, and the behavior of traffic from one Src-GBP-ID to another Dst-GBP-ID is specified locally. The SRv6 SIDs with the GBP argument mentioned in this document is not signaled to other nodes via the control plane, which means they are local significant only. The control plane process described in still applies. Group 0 is the default group based policy ID. If no group based policy is specified, then value 0 is used. The default behavior of the group 0 is implementation defined and SHOULD be configurable (allowed/denied).
END.DX6 with GBP When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DX6 with GBP SID, N does the following:
When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DX4 with GBP SID, N does the following:
When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT6 with GBP SID, N does the following: An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria.
When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT4 with GBP SID, N does the following: An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria.
When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT46 with GBP SID, N does the following: An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria.
When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT4 SID, N does the following: An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria.
Source Node Behavior The souce node can use various clarification methods to identify the Src-GBP-ID of a host it belongs to. When encapsulating the SRv6 header, the Src-GBP-ID is encapsulated into the argument part of the packet.
IANA Considerations This document requests the IANA to allocate, within the "SRv6 Endpoint Behaviors" sub-registry beloto the top-level "Segment-routing with IPv6 dataplane (SRv6) Parameters" registry, the following allocations:
Value Description Reference
TBA1 END.DX6 with GBP [This document]
TBA2 END.DX4 with GBP [This document]
TBA3 END.DT6 with GBP [This document]
TBA4 END.DT4 with GBP [This document]
TBA4 END.DT46 with GBP [This document]
TBA4 END.DT2U with GBP [This document]
Security Considerations The mechanism described in this document leverage the security rules defined in Section 7 of RFC8986.
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Segment Routing over IPv6 (SRv6) Network Programming The Segment Routing over IPv6 (SRv6) Network Programming framework enables a network operator or an application to specify a packet processing program by encoding a sequence of instructions in the IPv6 packet header. Each instruction is implemented on one or several nodes in the network and identified by an SRv6 Segment Identifier in the packet. This document defines the SRv6 Network Programming concept and specifies the base set of SRv6 behaviors that enables the creation of interoperable overlays with underlay optimization. Informative References Group Based Policy OpenStack BGP MPLS-Based Ethernet VPN This document describes procedures for BGP MPLS-based Ethernet VPNs (EVPN). The procedures described here meet the requirements specified in RFC 7209 -- "Requirements for Ethernet VPN (EVPN)". BGP Overlay Services Based on Segment Routing over IPv6 (SRv6) This document defines procedures and messages for SRv6-based BGP services, including Layer 3 Virtual Private Network (L3VPN), Ethernet VPN (EVPN), and Internet services. It builds on "BGP/MPLS IP Virtual Private Networks (VPNs)" (RFC 4364) and "BGP MPLS-Based Ethernet VPN" (RFC 7432).
Appendix 1 Examples of GBP Usage This section describes the examples of GBP usage. An implementation is not enforced to achieve all scenarios mentioned in this section. Example 1: Deny traffic from specific Src-GBP-ID = 100 (e.g. traffic from guest network) rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = any, action: deny Example 2: Deny traffic from specific Src-GBP-ID = 100 to Dst-GBP-ID = 200 (e.g. traffic from untrusted host to server) rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: deny Example 3: Redirect L3 traffic from specific Src-GBP-ID = 100 to Dst-GBP-ID = 200 (e.g. to a cleaning device) rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: redirect Example 4: RSPAN traffic from specific Src-GBP-ID = 100 to Dst-GBP-ID = 200 (e.g. to a monitoring device) rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: RSPAN