Network Working Group                                              Z. Li
Internet-Draft                                                 S. Zhuang
Intended status: Standards Track                                   N. Wu
Expires: September 22, 2016                          Huawei Technologies
                                                          March 21, 2016


          BGP FlowSpec Redirect to Generalized Segment ID Action
            draft-li-idr-flowspec-redirect-generalized-sid-00

Abstract

   This document defines a new type of the redirect extended community,
   called the Redirect to Generalized Segment ID Extended Community.
   When activated, the Redirect to Generalized Segment ID Extended
   Community is used by a BGP FlowSpec Controller to signal a specific
   redirecting action to a BGP FlowSpec Client; the BGP FlowSpec Client
   then uses the Generalized Segment ID and the Segment Type to find a
   local forwarding entity in a local mapping table.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 22, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Li, et al.             Expires September 22, 2016               [Page 1]

Internet-Draft      FlowSpec Redirect to GSID Action          March 2016

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Definitions and Acronyms
   3.  Redirect to Generalized Segment ID Extended Community
   4.  Using Redirect to Generalized Segment ID Extended Community
   5.  Validation Procedures
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
   Authors' Addresses

1.  Introduction

   Segment Routing [I-D.ietf-spring-segment-routing] for unicast traffic
   has been proposed to cope with the use cases of traffic engineering,
   fast re-route, service chaining, etc.  Segment Path Programming (SPP)
   [I-D.li-spring-segment-path-programming] generalizes more use cases
   based on segments and proposes the concept of Segment Path
   Programming.  In the field of Segment Path Programming:

   1.  The Segment used in the programmed segment path is not only used
       in the forwarding plane, but also in the control plane.

   2.  The programmed segment path is not only used in the transport
       layer, but also in the service layer.
   [RFC5575] defines the flow specification (FlowSpec), which allows
   flow specifications and their associated traffic actions/rules (rate
   limiting, redirect, remark, ...) to be conveyed.  BGP Flow
   Specifications are encoded within the MP_REACH_NLRI and
   MP_UNREACH_NLRI attributes.  Rules (the associated actions) are
   encoded in the Extended Community attribute.  The BGP Flow
   Specification function allows BGP Flow Specification routes that
   carry traffic policies to be transmitted to BGP Flow Specification
   peers in order to control attack traffic.

   The current drafts of BGP FlowSpec for redirecting to VRF/IP/Tunnel
   keep the traditional way of extending BGP FlowSpec: each redirects to
   an entity with an explicit meaning that has been defined clearly in
   existing work.  We can reuse some of the work of segment routing and
   generalize the concept of Segment, which then provides a base for an
   abstracted view of different forwarding entities.  Since a segment
   ID can already be the indicator of an interface, node, or tunnel, if
   we do not map the segment ID to an MPLS label or IPv6 address, it can
   serve as an identifier of all kinds of forwarding entities in the
   control plane and be used outside the forwarding plane.

   This document defines a new type of the redirect extended community,
   called the Redirect to Generalized Segment ID Extended Community.
   When activated, the Redirect to Generalized Segment ID Extended
   Community is used by a BGP FlowSpec Controller to signal a specific
   redirecting action to a BGP FlowSpec Client; the BGP FlowSpec Client
   then uses the Generalized Segment ID and the Segment Type to find a
   local forwarding entity in a local mapping table.  Existing
   technologies (BGP, IGP, LDP, SR, RSVP, manual configuration, etc.)
   can be used to set up the mapping tables per segment type.

2.  Definitions and Acronyms

   o  FS: Flow Specification

   o  SR: Segment Routing

   o  SID: Segment Identifier

   o  GSID: Generalized Segment ID

   o  SPP: Segment Path Programming

3.  Redirect to Generalized Segment ID Extended Community

   This document defines a new type of the redirect extended community,
   called the Redirect to Generalized Segment ID Extended Community.
   This extended community is a new transitive extended community whose
   Type is TBD1 and whose Sub-Type is TBD2.

   This document defines the following Redirect to Generalized Segment
   ID Extended Community:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type=TBD1   | Sub-Type=TBD2 |Flags(1 octet) | Segment Type  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Generalized Segment ID                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Figure 1: Redirect to Generalized Segment ID Extended Community
                                  Format

   Where:

   Type: 1 octet, to be assigned by IANA.

   Sub-Type: 1 octet, to be assigned by IANA.

   Flags: 1 octet, TBD.

   Segment Type: 1 octet.  Per [I-D.li-spring-segment-path-programming],
   the Segment Type includes:

   o  1 - Node Segment

   o  2 - Agency Segment

   o  3 - AS (Autonomous System) Segment

   o  4 - Anycast Segment

   o  5 - Multicast Segment

   o  6 - Tunnel Segment (Tunnel Binding Segment)

   o  7 - VPN Segment

   o  8 - OAM Segment

   o  9 - ECMP (Equal Cost Multi-Path) Segment

   o  10 - QoS Segment

   o  11 - Bandwidth-Guarantee Segment

   o  12 - Security Segment

   o  13 - Multi-Topology Segment

   o  etc.

   Generalized Segment ID: 4 octets.  It is used to find a local
   forwarding entity in the mapping table designated by the Segment
   Type.

4.  Using Redirect to Generalized Segment ID Extended Community

   In the transport layer there can be multiple tunnels with different
   constraints to one specific destination.  Traditionally, the tunnel
   is set up by the distributed forwarding nodes.  With the introduction
   of PCE-initiated LSP setup [I-D.ietf-pce-pce-initiated-lsp], tunnel
   setup can also be triggered in a centrally controlled way.  In order
   to satisfy different service requirements, it is necessary to provide
   the capability to flexibly map a service to different tunnels.  Since
   the central control point has enough information, based on the whole
   network view, it can be effective to map the service to the tunnel at
   the central point and advertise the mapping information to the end-
   points of the service to guide the mapping in the forwarding node.

   One method of implementing the mapping of services to tunnels is to
   directly introduce a tunnel attribute to specify the tunnel, as
   proposed by [I-D.li-idr-mpls-path-programming].
   [I-D.li-spring-tunnel-segment] proposes a new type of segment, the
   Tunnel Segment, which provides an alternative way to implement the
   mapping of services to tunnels.  In the following figure, the central
   controller can trigger the setup of MPLS TE tunnels through PCE-
   initiated LSPs and allocate a Segment ID for the tunnel on Node-1.

                          +------------+
                          |  Central   |
                          | Controller |
                          +------------+
                                ^ Tunnel Binding
                                | SID (Z)
                                |        .-----.
                                |       (       )
                                V    .--(         )--.
            +-------+           (                     )    +-------+
            |       |__________(   IP/MPLS Network     )___|       |
            |Node-1 |           ( ================>    )   |Node-2 |
            +-------+            (MPLS TE/IP Tunnel)       +-------+
                                     '--(         )--'
                                        (       )
                                         '-----'

      Figure 2: Using Tunnel Segment for Mapping Service to Tunnel

   The central controller can send a FlowSpec route to Node-1 with a
   'Redirect to Generalized Segment ID' Extended Community to map a
   specific service to the tunnel segment identified by the Segment Type
   and Generalized Segment ID.  When Node-1 receives a FlowSpec route
   with a 'Redirect to Generalized Segment ID' Extended Community, it
   installs a traffic filtering rule that matches the packets described
   by the NLRI field and redirects them to the tunnel identified by the
   Generalized Segment ID.
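   The following Python code is an added worked example, not part of
   this draft or of any implementation.  It encodes and decodes the
   8-octet extended community of Figure 1, models the FlowSpec Client
   behaviour of Section 4 (look up the (Segment Type, Generalized
   Segment ID) pair in a per-segment-type mapping table and install a
   redirect rule only when a local forwarding entity exists), and
   applies the default validation check that Section 5 below takes from
   [RFC5575]: a route carrying a destination prefix is accepted from an
   EBGP peer only if that peer advertised the best path for the matching
   unicast route.  The Type and Sub-Type values are TBD in the draft, so
   the constants TYPE_TBD1 and SUBTYPE_TBD2 are placeholders; the
   mapping table, unicast RIB and peer names are constructed sample
   data.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_network

# Placeholders: the draft leaves Type/Sub-Type as TBD1/TBD2 (no IANA assignment).
TYPE_TBD1 = 0x80
SUBTYPE_TBD2 = 0x0A

# Segment Type code points listed in Section 3 of the draft.
SEGMENT_TYPES = {
    1: "Node", 2: "Agency", 3: "AS", 4: "Anycast", 5: "Multicast",
    6: "Tunnel", 7: "VPN", 8: "OAM", 9: "ECMP", 10: "QoS",
    11: "Bandwidth-Guarantee", 12: "Security", 13: "Multi-Topology",
}


@dataclass(frozen=True)
class RedirectToGSID:
    """Redirect to Generalized Segment ID Extended Community (Figure 1)."""
    flags: int
    segment_type: int
    gsid: int

    def encode(self) -> bytes:
        # Type | Sub-Type | Flags | Segment Type | Generalized Segment ID (4 octets)
        return struct.pack("!BBBBI", TYPE_TBD1, SUBTYPE_TBD2,
                           self.flags, self.segment_type, self.gsid)

    @classmethod
    def decode(cls, data: bytes) -> "RedirectToGSID":
        if len(data) != 8:
            raise ValueError("extended community must be exactly 8 octets")
        typ, sub, flags, seg_type, gsid = struct.unpack("!BBBBI", data)
        if (typ, sub) != (TYPE_TBD1, SUBTYPE_TBD2):
            raise ValueError("not a Redirect to Generalized Segment ID community")
        if seg_type not in SEGMENT_TYPES:
            raise ValueError(f"unknown Segment Type {seg_type}")
        return cls(flags, seg_type, gsid)


class FlowspecClient:
    """Models the BGP FlowSpec Client side of Sections 4 and 5."""

    def __init__(self, mapping_tables, unicast_rib):
        # mapping_tables: {segment_type: {gsid: forwarding_entity}}, populated
        # by BGP/IGP/LDP/SR/RSVP/config as the draft describes (constructed here).
        # unicast_rib: {prefix: peer_that_advertised_best_path} (constructed here).
        self.mapping_tables = mapping_tables
        self.unicast_rib = unicast_rib
        self.rules = []

    def best_path_peer(self, prefix):
        # Longest-prefix match over the unicast RIB; returns the best-path peer.
        net = ip_network(prefix)
        covering = [(ip_network(p), peer) for p, peer in self.unicast_rib.items()
                    if net.subnet_of(ip_network(p))]
        if not covering:
            return None
        return max(covering, key=lambda item: item[0].prefixlen)[1]

    def validate(self, dest_prefix, from_peer, peer_is_ebgp) -> bool:
        # Section 5: a route with a destination prefix subcomponent SHOULD NOT be
        # accepted from an EBGP peer unless that peer advertised the best path for
        # the matching unicast route.  Routes without a destination prefix, and
        # routes from IBGP peers, are not subject to this check here.
        if dest_prefix is None or not peer_is_ebgp:
            return True
        return self.best_path_peer(dest_prefix) == from_peer

    def install(self, dest_prefix, ext_comm: bytes, from_peer, peer_is_ebgp):
        # Returns the installed rule, or None when the route is rejected or no
        # local forwarding entity exists for the (Segment Type, GSID) pair.
        if not self.validate(dest_prefix, from_peer, peer_is_ebgp):
            return None
        rc = RedirectToGSID.decode(ext_comm)
        entity = self.mapping_tables.get(rc.segment_type, {}).get(rc.gsid)
        if entity is None:
            return None
        rule = {"match": dest_prefix, "action": "redirect",
                "segment_type": SEGMENT_TYPES[rc.segment_type],
                "gsid": rc.gsid, "to": entity}
        self.rules.append(rule)
        return rule


if __name__ == "__main__":
    # Constructed sample: Tunnel Segment (type 6) with GSID 1000 bound to a TE tunnel.
    client = FlowspecClient({6: {1000: "te-tunnel-to-node-2"}},
                            {"10.1.0.0/16": "peer-A", "10.1.2.0/24": "peer-B"})
    comm = RedirectToGSID(flags=0, segment_type=6, gsid=1000).encode()
    print(client.install("10.1.5.0/24", comm, "peer-A", True))  # installed
    print(client.install("10.1.2.0/24", comm, "peer-A", True))  # None: peer-B holds best path
```

   The two calls at the bottom show the validation check doing its job:
   the same community is accepted for 10.1.5.0/24 (peer-A is the best-
   path peer via 10.1.0.0/16) but rejected for 10.1.2.0/24, whose more
   specific unicast route was learned from a different peer.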
5.  Validation Procedures

   The validation check described in [RFC5575] and revised in
   [I-D.ietf-idr-bgp-flowspec-oid] SHOULD be applied by default to
   received FlowSpec routes with a Redirect to Generalized Segment ID
   Extended Community.  This means that a FlowSpec route with a
   destination prefix subcomponent SHOULD NOT be accepted from an EBGP
   peer unless that peer also advertised the best path for the matching
   unicast route.

6.  IANA Considerations

   TBD.

7.  Security Considerations

   TBD.

8.  Acknowledgements

   TBD.

9.  References

   [I-D.ietf-idr-bgp-flowspec-oid]
              Uttaro, J., Filsfils, C., Smith, D., Alcaide, J., and P.
              Mohapatra, "Revised Validation Procedure for BGP Flow
              Specifications", draft-ietf-idr-bgp-flowspec-oid-03 (work
              in progress), March 2016.

   [I-D.ietf-isis-segment-routing-extensions]
              Previdi, S., Filsfils, C., Bashandy, A., Gredler, H.,
              Litkowski, S., Decraene, B., and J. Tantsura, "IS-IS
              Extensions for Segment Routing", draft-ietf-isis-segment-
              routing-extensions-06 (work in progress), December 2015.

   [I-D.ietf-spring-segment-routing]
              Filsfils, C., Previdi, S., Decraene, B., Litkowski, S.,
              and R. Shakir, "Segment Routing Architecture", draft-ietf-
              spring-segment-routing-07 (work in progress), December
              2015.

   [I-D.li-spring-segment-path-programming]
              Li, Z. and I. Milojevic, "Segment Path Programming (SPP)",
              draft-li-spring-segment-path-programming-00 (work in
              progress), October 2015.

   [I-D.li-spring-tunnel-segment]
              Li, Z. and N. Wu, "Tunnel Segment in Segment Routing",
              draft-li-spring-tunnel-segment-01 (work in progress),
              March 2016.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006.

   [RFC4760]  Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
              "Multiprotocol Extensions for BGP-4", RFC 4760,
              DOI 10.17487/RFC4760, January 2007.

   [RFC5492]  Scudder, J. and R. Chandra, "Capabilities Advertisement
              with BGP-4", RFC 5492, DOI 10.17487/RFC5492, February
              2009.

   [RFC5575]  Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
              and D. McPherson, "Dissemination of Flow Specification
              Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009.

Authors' Addresses

   Zhenbin Li
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China

   Email: lizhenbin@huawei.com


   Shunwan Zhuang
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China

   Email: zhuangshunwan@huawei.com


   Nan Wu
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China

   Email: eric.wu@huawei.com