IDR Working Group G. Van de Velde, Ed. Internet-Draft Nokia Intended status: Standards Track K. Patel Expires: June 23, 2018 Arrcus Z. Li Huawei Technologies December 20, 2017 Flowspec Indirection-id Redirect draft-ietf-idr-flowspec-path-redirect-03 Abstract This document defines a new extended community known as flowspec redirect-to-indirection-id. This extended community triggers advanced redirection capabilities to flowspec clients. When activated, this flowspec extended community is used by a flowspec client to find the corresponding next-hop information within a indirection-id mapping table. The functionality detailed in this document allows a network controller to decouple the BGP flowspec redirection instruction from the selected redirection path itself. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on June 23, 2018. Van de Velde, et al. Expires June 23, 2018 [Page 1] Internet-Draft Flowspec Indirection-id Redirect December 2017 Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. indirection-id and indirection-id table . . . . . . . . . . . 3 3. Use Case Scenarios . . . . . . . . . . . . . . . . . . . . . 3 3.1. Redirection shortest Path tunnel . . . . . . . . . . . . 3 3.2. Redirection to path-engineered tunnels . . . . . . . . . 4 3.3. Redirection to complex dynamically constructed tunnels . 5 4. redirect-to-indirection-id Community . . . . . . . . . . . . 6 5. Redirect using localised indirection-id mapping table . . . . 8 6. Validation Procedures . . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 9. Contributor Addresses . . . . . . . . . . . . . . . . . . . . 9 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 11.1. Normative References . . . . . . . . . . . . . . . . . . 11 11.2. Informative References . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction Flowspec is an extension to BGP that allows for the dissemination of traffic flow specification rules. This has many possible applications but the primary one for many network operators is the distribution of traffic filtering actions for DDoS mitigation. The flow-spec standard RFC5575 [2] defines a redirect-to-VRF action for policy-based forwarding, but this mechanism is not always sufficient, particularly if the redirected traffic needs to be steered onto an explicite path. Every flowspec policy route is effectively a rule, consisting of two parts. The first part, encoded in the NLRI field, provides Van de Velde, et al. Expires June 23, 2018 [Page 2] Internet-Draft Flowspec Indirection-id Redirect December 2017 information about the traffic matching the policy rule. the second part, encoded in one or more BGP extended communities, provides policy instructions for traffic handling on the flowspec client. The flowspec standard RFC5575 [2] defines widely-used filter actions such as discard and rate limit; it also defines a redirect-to-VRF action for policy-based forwarding. Using the redirect-to-VRF action to steer traffic towards an alternate destination is useful for DDoS mitigation, however using this methodology can be cumbersome when there is need to steer the traffic onto an explicitely defined traffic path. This draft specifies a redirect-to-indirection-id flowspec action making use of a 32-bit indirection-id using a new extended community. Each indirection-id serves as anchor point, for policy-based forwarding onto an explicite path by a flowspec client. 2. indirection-id and indirection-id table The indirection-id is a 32-bit unsigned number, used as anchor point on a flowspec client for policy-based forwarding onto an explicite path by a flowspec client. The indirection-id table is the table construct of indirection-id values, ordered by indirection-id type. Each entry in this table contains policy-based forwarding instructions. The configuration of the indirection-id table on a flowspec client is localised on each router and MAY happen out-of-band from BGP flowspec. For some use-case scenarios the indirection-id type provides additional (maybe even fully sufficient) context for a flowspec client for policy based forwarding, making a localized indirection-id table obsolete. For example, when the indirection-id refers to a MPLS segment routing node-id [6], then the indirection-id provides sufficient information for a segment routing lookup on the flowspec client. 3. Use Case Scenarios This section describes a few use-case scenarios when deploying redirect-to-indirection-id. 3.1. Redirection shortest Path tunnel Description: The first use-case describes an example where a single flowspec route is sent from a BGP flowspec controller to many BGP flowspec clients. This BGP flowspec route carries the redirect-to-indirection-id to all Van de Velde, et al. Expires June 23, 2018 [Page 3] Internet-Draft Flowspec Indirection-id Redirect December 2017 flowspec clients to redirect matching dataflows onto a shortest-path tunnel pointing towards a single remote destination. In this first use-case scenario, each flowspec client receives flowspec routes. The received flowspec routes have the extended redirect-to-indirection-id community attached. Each redirect-to- indirection-id community embeds two relevant components: (1) 32-bit indirection-id and (2) indirection-id type. These two components provide the flowspec client with sufficient information for policy based forwarding to steer and encapsulate the data-packet accordingly to a shortest path tunnel to a remote end-point. Requirements: For redirect to shortest path tunnel it is required that the tunnel MUST be operational and allow packets to be steered over the shortest path between tunnel head- and tail-end. Example: Indirection-ID community types to be used: o 0 (localised ID): When the intent is to use a localised Indirection-id table, configured through out-of-band procedures. o 1 or 2 (Node ID's): This type can be used when the goal is to use MPLS based Segment Routing towards a remote destination. In this use-case scenario the flowspec rule contains a SR (Segment Routing) node SID to steer traffic towards. 3.2. Redirection to path-engineered tunnels Description: The second use-case describes an example where a single flowspec route is sent from a BGP flowspec controller to many BGP flowspec clients. This BGP flowspec route carries policy information to steer traffic upon a path-engineered tunnel. It is assumed that the path engineered tunnels are configured using out-of-band from BGP flowspec. Segment Routing Example: For this example the indirection-id type points towards a Segment Routing Binding SID. The Binding SID is a segment identifier value (as per segment routing definitions in [I-D.draft-ietf-spring- segment-routing] [6]) used to associate an explicit path. The Binding SID and corresponding path engineered tunnel may for example be setup by a controller using BGP as specified in [I-D.sreekantiah- idr-segment-routing-te] [5] or alternatly by using PCEP as detailed Van de Velde, et al. Expires June 23, 2018 [Page 4] Internet-Draft Flowspec Indirection-id Redirect December 2017 in draft-ietf-pce-segment-routing [7]. To conclude, when a BGP speaker at some point in time receives a flow-spec route with an extended 'redirect-to-indirection-id' community, it installs a policy-based forwarding rule to redirect packets onto an explicit path associated with the corresponding Binding SID. The encoding of the Binding SID within the redirect-to-indirection-id extended community is specified in section 4. Requirements: For redirect to path engineered tunnels it is required that the tunnel MUST be operational and allow packets to be steered over the engineered path between tunnel head- and tail-end. Example: Indirection-ID community types to be used: o 0 (localised ID): When the intent is to policy-based steer traffic using Indirection. The engineered path is configured through out- of-band procedures and uses the 32-bit Indirection-id as local anchor point on the local flowspec client. o 2 or 3 (Binding Segment ID's): This type can be used when the goal is to use MPLS based Segment Routing towards an out-of-band configured explicite path. o 5 (Tunnel ID): When the intent is to policy-based steer traffic using a global tunnel-id. The engineered path is configured through out-of-band procedures and uses the 32-bit Indirection-id as global anchor point on the local flowspec client. 3.3. Redirection to complex dynamically constructed tunnels Description: A third use-case describes the application and redirection towards complex dynamically constructed tunnels. For this use-case a BGP flowspec controller injects a single flowspec route with two unique 'redirect-to-indirection-id' communities attached, each community tagged with a different Sequence-ID (S-ID). A flowspec client may use the Sequence-ID (S-ID) to sequence the flowspec redirect information. A common use-case scenario would for example be the dynamic construction of Segment Routing Central Egress Path Engineered tunnel [4] or next-next-hop tunnels. Segment Routing Example: i.e. a classic Segment Routing example using complex tunnels is found in DDoS mitigation and traffic offload. Suspicious traffic (e.g. Van de Velde, et al. Expires June 23, 2018 [Page 5] Internet-Draft Flowspec Indirection-id Redirect December 2017 dirty traffic flows) may be policy-based routed into a purpose built Segment Routing Central Egress Path Engineered tunnel [4]. For this complex dynamic redirect tunnel construction, a first redirect-to- indirection-id (i.e. S-ID=0) may be used to redirect traffic into a tunnel towards a particular egress router, while a second redirect- to-indirection-id (i.e. S-ID=1) is used to steer traffic beyond the particular egress router towards a pre-identified interface/peer. From data-plane perspective, the principles documented by [4] are valid for this use case scenario. Requirements: To achieve redirection towards complex dynamically constructed tunnels, various indirection-id communities are imposed upon the flowspec route and are sequenced using the Sequence ID (S-ID). For redirect to complex dynamic engineered tunnels it is required that the tunnel MUST be operational and allow packets to be steered over the engineered path between tunnel head- and tail-end. Example: Indirection-ID community types to be used: o 0 (localised ID) with S-ID: When the intent is to construct a dynamic engineered tunnel, then a sequence of localised indirection-ids may be used. The Sequence ID (S-ID) MUST be used to sequence multiple redirect-to-indirection-id actions to construct a more complex path engineered tunnel. The construction of the localised indirection-id table is done out-of-band and is outside scope of this document. 4. redirect-to-indirection-id Community This document defines a new BGP extended community known as a Redirect-to-indirection-id extended community. This extended community is a new transitive extended community with the Type and the Sub-Type field to be assigned by IANA. The format of this extended community is show in Figure 1. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Sub-Type | Flags(1 octet)| Indirection ID| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Generalized indirection_id | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1 Van de Velde, et al. Expires June 23, 2018 [Page 6] Internet-Draft Flowspec Indirection-id Redirect December 2017 The meaning of the extended community fields are as follows: Type: 1 octet to be assigned by IANA. Sub-Type: 1 octet to be assigned by IANA. Flags: 1 octet field. Following Flags are defined. 0 1 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | RES | S-ID |C| +-+-+-+-+-+-+-+-+ Figure 2 The least-significant Flag bit is defined as the 'C' (or copy) bit. When the 'C' bit is set the redirection applies to copies of the matching packets and not to the original traffic stream. The 'S-ID' field identifies a 4 bit Sequence ID field. This field is used to provide a flowspec client an indication how and where to sequence the received indirection-ids. The Sequence ID value 0 indicates that Sequence ID field is NOT set and SHOULD be ignored. A single flowspec rule MUST NOT have more as one indirection-id per S-ID. On a flowspec client the indirection-id with lowest S-ID MUST be imposed first for any given flowspec entry. All bits other than the 'C' and 'S-ID' bits MUST be set to 0 by the originating BGP speaker and ignored by receiving BGP speakers. Indirection ID: 1 octet value. This draft defines following indirection-id Types: 0 - Localised ID (The flowspec client uses the received indirection-id to lookup forwarding information within the localised indirection-id table. The allocation and programming of the localised indirection-id table is outside scope of the document) 1 - Node ID with SID/index in MPLS-based Segment Routing (This means indirection-id is mapped to an MPLS label using the index as a global offset in the SID/label space) Van de Velde, et al. Expires June 23, 2018 [Page 7] Internet-Draft Flowspec Indirection-id Redirect December 2017 2 - Node ID with SID/label in MPLS-based Segment Routing (This means indirection-id is mapped to an MPLS label using the label as global label) 3 - Binding Segment ID with SID/index in MPLS-based Segment Routing (This means indirection-id is mapped to an MPLS binding label using the index as a global offset in the SID/label space) [I-D.draft-ietf-spring-segment-routing] [6] 4 - Binding Segment ID with SID/label in MPLS-based Segment Routing (This means indirection-id is mapped to an MPLS binding label using the index as a global offset in the SID/label space) [I-D.draft-ietf-spring-segment-routing] [6] 5 - Tunnel ID (Tunnel ID is a global value in a network single administrative domain identifying tunnel information. The allocation of the Tunnel ID is out of the scope of the document.) 5. Redirect using localised indirection-id mapping table When a BGP flowspec client receives a flowspec policy route with a redirect-to-indirection-id extended community attached and the route represents the best BGP path, it will install a flowspec policy-based forwarding rule matching the tupples described by the flowpsec NLRI field and consequently redirects the flow (C=0) or copies the flow (C=1) using the information identified by the 'redirect-to- indirection-id' community. 6. Validation Procedures The validation check described in RFC5575 [2] and revised in [3] SHOULD be applied by default by a flowspec client, for received flowspec policy routes containing a 'redirect-to-indirection-id' extended community. This means that a flow-spec route with a destination prefix subcomponent SHOULD NOT be accepted from an EBGP peer unless that peer also advertised the best path for the matching unicast route. While it MUST NOT happen, and is seen as invalid combination, it is possible from a semantics perspective to have multiple clashing redirect actions defined within a single flowspec rule. For best and consistant with legacy implementations, the redirect functionality as documented by RFC5575 MUST NOT be broken, and hence when a clash occurs, then RFC5575 based redirect MUST take priority. Additionally, if the 'redirect-to-indirection-id' does not result in a valid redirection, then the flowspec rule MUST be processed as if the 'redirect-to-indirection-id' community was not attached to the flowspec route and MUST provide an indication within the BGP routing Van de Velde, et al. Expires June 23, 2018 [Page 8] Internet-Draft Flowspec Indirection-id Redirect December 2017 table that the respective 'redirect-to-indirection-id' resulted in an invalid redirection action. 7. Security Considerations A system using 'redirect-to-indirection-id' extended community can cause during the redirect mitigation of a DDoS attack result in overflow of traffic received by the mitigation infrastructure. 8. Acknowledgements This document received valuable comments and input from IDR working group including Adam Simpson, Mustapha Aissaoui, Jan Mertens, Robert Raszuk, Jeff Haas, Susan Hares and Lucy Yong. 9. Contributor Addresses Below is a list of other contributing authors in alphabetical order: Van de Velde, et al. Expires June 23, 2018 [Page 9] Internet-Draft Flowspec Indirection-id Redirect December 2017 Arjun Sreekantiah Cisco Systems 170 W. Tasman Drive San Jose, CA 95134 USA Email: asreekan@cisco.com Nan Wu Huawei Technologies Huawei Bld., No. 156 Beiquing Rd Beijing 100095 China Email: eric.wu@huawei.com Shunwan Zhuang Huawei Technologies Huawei Bld., No. 156 Beiquing Rd Beijing 100095 China Email: zhuangshunwan@huawei.com Wim Henderickx Nokia Antwerp BE Email: wim.henderickx@nokia.com Figure 3 10. IANA Considerations This document requests a new type and sub-type for the redirect-to- indirection-id Extended community from the "Transitive Extended community" registry. The Type name shall be "Redirect-to- indirection-id Extended Community" and the Sub-type name shall be 'Flow-spec Redirect to 32-bit Path-id'. In addition, this document requests IANA to create a new registry for redirect-to-indirection-id Extended Community INDIRECTION-IDs as follows: Van de Velde, et al. Expires June 23, 2018 [Page 10] Internet-Draft Flowspec Indirection-id Redirect December 2017 Under "Transitive Extended Community:" Registry: "Redirect Extended Community indirection_id" Reference: [RFC-To-Be] Registration Procedure(s): First Come, First Served Registry: "Redirect Extended Community indirection_id" Value Code Reference 0 Localised ID [RFC-To-Be] 1 Node ID [RFC-To-Be] 2 Binding ID [RFC-To-Be] 3 Tunnel ID [RFC-To-Be] Figure 4 11. References 11.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, . [2] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., and D. McPherson, "Dissemination of Flow Specification Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, . 11.2. Informative References [3] Uttaro, J., Filsfils, C., Alcaide, J., and P. Mohapatra, "Revised Validation Procedure for BGP Flow Specifications", January 2014. [4] Filsfils, C., Previdi, S., Aries, E., Ginsburg, D., and D. Afanasiev, "Segment Routing Centralized Egress Peer Engineering", October 2015. [5] Sreekantiah, A., Filsfils, C., Previdi, S., Sivabalan, S., Mattes, P., and S. Lin, "Segment Routing Traffic Engineering Policy using BGP", October 2015. Van de Velde, et al. Expires June 23, 2018 [Page 11] Internet-Draft Flowspec Indirection-id Redirect December 2017 [6] Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., Shakir, R., Bashandy, A., Horneffer, M., Henderickx, W., Tantsura, J., Crabbe, E., Milojevic, I., and S. Ytti, "Segment Routing Architecture", December 2015. [7] Sivabalan, S., Medved, M., Filsfils, C., Litkowski, S., Raszuk, R., Bashandy, A., Lopez, V., Tantsura, J., Henderickx, W., Hardwick, J., Milojevic, I., and S. Ytti, "PCEP Extensions for Segment Routing", December 2015. Authors' Addresses Gunter Van de Velde (editor) Nokia Antwerp BE Email: gunter.van_de_velde@nokia.com Keyur Patel Arrcus USA Email: keyur@arrcus.com Zhenbin Li Huawei Technologies Huawei Bld., No. 156 Beiquing Rd Beijing 100095 China Email: lizhenbin@huawei.com Van de Velde, et al. Expires June 23, 2018 [Page 12]