SPRING                                                  J. Guichard, Ed.
Internet-Draft                               Futurewei Technologies Ltd.
Intended status: Informational                               C. Filsfils
Expires: October 9, 2020                             Cisco Systems, Inc.
                                                              D. Bernier
                                                             Bell Canada
                                                                   Z. Li
                                                     Huawei Technologies
                                                            F. Clad, Ed.
                                                            P. Camarillo
                                                           A. AbdelSalam
                                                     Cisco Systems, Inc.
                                                          April 07, 2020


  Simplifying Firewall Rules with Network Programming and SRH Metadata
           draft-guichard-spring-srv6-simplified-firewall-02

Abstract

   One clear application of the SRv6 Network Programming model is the
   stateless steering of packets through a Service Function Chain (SFC).
   Each Service Function (SF) is identified by a segment, and each SF can
   enrich its operation with metadata carried in the SRH.

   This document describes a practical use-case where the SF is a
   firewall and the metadata helps to drastically decrease the number of
   rules that need to be maintained by the operation team.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 9, 2020.





Guichard, et al.         Expires October 9, 2020                [Page 1]

Internet-Draft          SRv6 Simplified Firewall              April 2020


Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Use-case overview
   3.  Demo availability
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1.  Introduction

   The Segment Routing architecture is defined in [RFC8402].

   The IPv6 instantiation of Segment Routing, also known as SRv6,
   leverages the Segment Routing Header (SRH) defined in [RFC8754] to
   encode a list of segments, as well as some complementary information
   in an IPv6 header.  [I-D.ietf-spring-srv6-network-programming] builds
   upon the base SRv6 definition and introduces the concept of network
   programming.  In a sense, the list of segments in the SRH is the
   source code of a network program, while the SRH TLVs represent the
   memory of that program.

   Furthermore, [I-D.ietf-spring-sr-service-programming] describes how
   segments can be associated with Service Functions and defines SRH
   TLVs specifically designed for carrying service metadata.  Together,
   these documents define an integrated solution for underlay, overlay
   and SFC that uses a single header and does not require any per-flow
   state in the network fabric.






2.  Use-case overview

   In an SR domain, firewall policies are applied to control how the
   various endpoints, users or applications are allowed to communicate
   with each other.  These entities are categorized into classes so that
   policies can be applied to pools rather than to individual entities.
   For example, the endpoints in Class1 may be allowed to communicate
   with those in either Class3 or Class4, while Class2 can only
   communicate with Class4, and Class5 cannot communicate with any other
   class.

   A reference diagram is depicted in Figure 1.  An SRv6-enabled network
   interconnects four classes (Class1..4), and a firewall appliance is in
   charge of enforcing the network policies.

                    +--------------------------------+
   +-------+        |          SRv6 domain           |        +-------+
   |Class1 |-+      |                                |      +-|Class3 |
   +-------+ | +----+----+     +----------+     +----+----+ | +-------+
             +-| Node A  |     |    F1    |     | Node B  |-+
             +-|(ingress)|-----|(firewall)|-----|(egress) |-+
   +-------+ | +----+----+     +----------+     +----+----+ | +-------+
   |Class2 |-+      |     --------------------->     |      +-|Class4 |
   +-------+        |                                |        +-------+
                    +--------------------------------+

                          Figure 1: Base diagram

   Node A is configured to steer the traffic coming from Class1 or
   Class2 and headed to Class3 or Class4 into an SRv6 service policy to
   Node B, via the firewall F1.  As part of the steering process, Node A
   identifies the source and destination classes, encapsulates the
   traffic and attaches an SRH that contains the SR Policy SID-list, as
   well as the class information in the SRH TLVs.  The procedure to
   identify the traffic classes is out of the scope of this document.

   Node B is similarly configured to handle flows in the reverse
   direction.

   The firewall F1 reads the SRH TLVs and decides whether to forward or
   drop the traffic based on the combination of source and destination
   classes.  With class metadata available, the size of the firewall
   rule-set scales with the number of authorized (source class,
   destination class) pairs rather than with the number of endpoint
   addresses and ports.  This drastically simplifies the firewall
   configuration and operation compared to a traditional 5-tuple-based
   model with tens of thousands of entries.  Because F1 acts on the class
   TLVs alone, the policy is only as trustworthy as the nodes permitted
   to write them: the TLVs are set by Node A (or Node B for the reverse
   direction) inside the SR domain, and packets carrying an SRH that
   arrive from outside the domain have to be filtered at its boundary,
   as described in [RFC8754].







   In Figure 2, a traffic flow from Class1 to Class3 is steered into the
   SRv6 Policy "<B:F1:A::, B:B:D3::>", where "B:F1:A::" represents a
   service SID instantiated on the firewall F1 and "B:B:D3::" is an
   End.DX4 SID on the egress node B that sends the inner packet to
   Class3.  The SRH "S-class" and "D-class" TLVs respectively represent
   the source and destination class identifiers.  This traffic flow is
   allowed to traverse the firewall and reaches its final destination in
   Class3.

                    +--------------------------------+
                    |          SRv6 domain           |
                    |                                |
   +-------+   +----+----+     +----------+     +----+----+   +-------+
   |Class1 |---| Node A  |     |    F1    |     | Node B  |---|Class3 |
   +-------+   |(ingress)|-----|(firewall)|-----|(egress) |   +-------+
               +----+----+     +----------+     +----+----+
            -->     |     --------------------->     |     -->
                    |                                |
                    +--------------------------------+

   +--------------+ +--------------+  +--------------+ +--------------+
   |IP4(10.0.1.12,| |  IP6(A, F1)  |  |  IP6(A, B)   | |IP4(10.0.1.12,|
   |    10.3.0.34)| +--------------+  +--------------+ |    10.3.0.34)|
   +--------------+ |SRH(B:B:D3::, |  |SRH(B:B:D3::, | +--------------+
                    |B:F1:A::;SL=1;|  |B:F1:A::;SL=0;|
                    |  S-class=Cl1;|  |  S-class=Cl1;|
                    |  D-class=Cl3)|  |  D-class=Cl3)|
                    +--------------+  +--------------+
                    |IP4(10.0.1.12,|  |IP4(10.0.1.12,|
                    |    10.3.0.34)|  |    10.3.0.34)|
                    +--------------+  +--------------+

               Figure 2: Traffic flow from Class1 to Class3

   In Figure 3, a traffic flow from Class2 to Class3 is steered into the
   exact same SRv6 Policy "<B:F1:A::, B:B:D3::>".  The SRH "S-class" and
   "D-class" TLVs are similarly populated with the source and
   destination class identifiers.  However, the combination
   "S-class=Cl2", "D-class=Cl3" is not an authorized class pair on the
   firewall.  The traffic is considered invalid and dropped at F1.













                    +--------------------------------+
                    |          SRv6 domain           |
                    |                                |
   +-------+   +----+----+     +----------+     +----+----+   +-------+
   |Class2 |---| Node A  |     |    F1    |     | Node B  |---|Class3 |
   +-------+   |(ingress)|-----|(firewall)|-----|(egress) |   +-------+
               +----+----+     +----------+     +----+----+
            -->     |     --------> X                |
                    |                                |
                    +--------------------------------+

   +--------------+ +--------------+
   |IP4(10.0.1.12,| |  IP6(A, F1)  |
   |    10.3.0.34)| +--------------+
   +--------------+ |SRH(B:B:D3::, |
                    |B:F1:A::;SL=1;|
                    |  S-class=Cl2;|
                    |  D-class=Cl3)|
                    +--------------+
                    |IP4(10.0.1.12,|
                    |    10.3.0.34)|
                    +--------------+

               Figure 3: Traffic flow from Class2 to Class3
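   The decision F1 takes in Figures 2 and 3, worked through as an added
   example (this is not the draft's or SERA's code).  It builds the
   packets of both figures, parses the IPv6 header and the SRH with the
   bounds checks RFC 8754 calls for, reads the class TLVs, applies the
   Section 2 policy with a default-deny rule, and on accepted packets
   performs the endpoint step (Segments Left decremented, DA rewritten
   to the next segment) so the packet leaves F1 as shown in Figure 2.
   The TLV type codes (124, 125), the 2-octet class encoding, Node A's
   address and the inner IPv4 bytes are assumptions; the draft specifies
   none of them.

```python
"""SRv6 service-function firewall: forward or drop on the (S-class, D-class)
pair carried in SRH TLVs, then act as SR endpoint for the service SID.
Added example, not the draft's or SERA's code; assumptions are marked."""
import ipaddress
import struct

IPV6_NH_ROUTING = 43   # IPv6 Routing extension header
IPV6_NH_IPV4 = 4       # inner IPv4 packet, as in Figures 2 and 3
SRH_ROUTING_TYPE = 4   # RFC 8754
TLV_PAD1, TLV_PADN = 0, 4
# ASSUMPTION: the draft assigns no type codes to S-class / D-class; these two
# are taken from the range RFC 8754 leaves for experimentation (124-126).
TLV_S_CLASS, TLV_D_CLASS = 124, 125
# Policy from Section 2: Class1 -> Class3 or Class4, Class2 -> Class4 only,
# Class5 -> nothing.  Any pair not listed is dropped (default deny).
ALLOWED_PAIRS = {(1, 3), (1, 4), (2, 4)}


def class_tlv(tlv_type, class_id):
    """ASSUMPTION: a class identifier is a 2-octet unsigned integer (Cl3 -> 3)."""
    return struct.pack("!BBH", tlv_type, 2, class_id)


def pad_tlv(n):
    """Pad1 for a single octet, PadN otherwise (RFC 8754 Section 2.1.1)."""
    if n <= 0:
        return b""
    if n == 1:
        return bytes([TLV_PAD1])
    return struct.pack("!BB", TLV_PADN, n - 2) + b"\x00" * (n - 2)


def build_srh(next_header, segments, segments_left, tlvs=b""):
    """SRH (RFC 8754 Section 2).  `segments` is in header order: Segment
    List[0] is the final segment, Segment List[n] the first one visited."""
    seglist = b"".join(ipaddress.IPv6Address(s).packed for s in segments)
    tlvs += pad_tlv(-len(tlvs) % 8)                 # SRH length: multiple of 8
    hdr_ext_len = (len(seglist) + len(tlvs)) // 8   # excludes the 8 fixed octets
    fixed = struct.pack("!BBBBBBH", next_header, hdr_ext_len, SRH_ROUTING_TYPE,
                        segments_left, len(segments) - 1, 0, 0)
    return fixed + seglist + tlvs


def build_packet(src, dst, srh, inner):
    """IPv6 header (next header = routing) followed by the SRH and inner packet."""
    hdr = struct.pack("!IHBB", 6 << 28, len(srh) + len(inner), IPV6_NH_ROUTING, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + srh + inner)


def parse_tlvs(area):
    """Return {type: value}; raise on anything a firewall should not guess at."""
    tlvs, i = {}, 0
    while i < len(area):
        t = area[i]
        if t == TLV_PAD1:                    # single-octet TLV, no length field
            i += 1
            continue
        if i + 2 > len(area):
            raise ValueError("truncated TLV header")
        length = area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV runs past the end of the SRH")
        if t != TLV_PADN:
            if t in tlvs:                    # refuse ambiguous metadata
                raise ValueError("duplicate TLV type %d" % t)
            tlvs[t] = value
        i += 2 + length
    return tlvs


def parse_packet(pkt):
    """Return (dst, segments_left, segments, tlvs) after bounds-checking every field."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet with room for an SRH")
    payload_len, nh = struct.unpack_from("!HB", pkt, 4)
    if nh != IPV6_NH_ROUTING or 40 + payload_len != len(pkt):
        raise ValueError("no routing header or bad payload length")
    _nh, hel, rtype, sl, last, _flags, _tag = struct.unpack_from("!BBBBBBH", pkt, 40)
    end, seg_end = 48 + 8 * hel, 48 + 16 * (last + 1)
    if rtype != SRH_ROUTING_TYPE or end > len(pkt) or seg_end > end or sl > last:
        raise ValueError("malformed SRH")
    segments = [ipaddress.IPv6Address(pkt[p:p + 16]) for p in range(48, seg_end, 16)]
    return ipaddress.IPv6Address(pkt[24:40]), sl, segments, parse_tlvs(pkt[seg_end:end])


def firewall(pkt, my_sid, allowed=ALLOWED_PAIRS):
    """F1's behaviour for its service SID.  Returns (verdict, forwarded packet
    or None); accepted packets get SL -= 1 and DA <- Segment List[SL]."""
    try:
        dst, sl, segments, tlvs = parse_packet(pkt)
    except ValueError as exc:
        return "drop: %s" % exc, None
    if dst != ipaddress.IPv6Address(my_sid):
        return "drop: not addressed to this service SID", None
    if sl == 0:
        return "drop: no segment left after the firewall", None
    try:
        s_cls = struct.unpack("!H", tlvs[TLV_S_CLASS])[0]
        d_cls = struct.unpack("!H", tlvs[TLV_D_CLASS])[0]
    except (KeyError, struct.error):
        return "drop: class metadata missing or malformed", None
    if (s_cls, d_cls) not in allowed:
        return "drop: Cl%d -> Cl%d is not an authorized pair" % (s_cls, d_cls), None
    out = bytearray(pkt)
    out[43] = sl - 1                         # Segments Left (offset 40 + 3)
    out[24:40] = segments[sl - 1].packed     # DA <- Segment List[SL]
    return "forward", bytes(out)


def demo():
    """Figures 2 and 3: the same policy <B:F1:A::, B:B:D3::> with S-class Cl1
    (forwarded) and Cl2 (dropped).  Constructed inputs: the inner IPv4 packet
    is a stand-in and Node A's address B:A::1 is an assumption."""
    inner = bytes([0x45]) + b"\x00" * 19
    results = {}
    for s_cls in (1, 2):
        srh = build_srh(IPV6_NH_IPV4, ["B:B:D3::", "B:F1:A::"], 1,
                        class_tlv(TLV_S_CLASS, s_cls) + class_tlv(TLV_D_CLASS, 3))
        pkt = build_packet("B:A::1", "B:F1:A::", srh, inner)
        results[s_cls] = firewall(pkt, "B:F1:A::")
    return results


if __name__ == "__main__":
    for s_cls, (verdict, _) in demo().items():
        print("Cl%d -> Cl3: %s" % (s_cls, verdict))
```

   The parser rejects, rather than skips, a TLV that overruns the SRH or a
   duplicated class TLV, since a firewall that guesses at malformed
   metadata can be steered into the wrong rule.  The check on the IPv6
   destination address ensures F1 only applies its policy when its own
   service SID is the active segment.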

3.  Demo availability

   A working demo is available, using FD.io VPP [FDio] instances as
   ingress and egress routers and the iptables-based SERA firewall
   [SERA].

4.  IANA Considerations

   To be updated.

5.  Security Considerations

   To be updated.

6.  Acknowledgements

   To be updated.

7.  References









7.1.  Normative References

   [RFC8402]  Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
              Decraene, B., Litkowski, S., and R. Shakir, "Segment
              Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
              July 2018, <https://www.rfc-editor.org/info/rfc8402>.

   [RFC8754]  Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J.,
              Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header
              (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020,
              <https://www.rfc-editor.org/info/rfc8754>.

7.2.  Informative References

   [FDio]     "The Fast Data Project", The Linux Foundation, 2018,
              <https://fd.io>.

   [I-D.ietf-spring-sr-service-programming]
              Clad, F., Xu, X., Filsfils, C., Bernier, D., Li, C.,
              Decraene, B., Ma, S., Yadlapalli, C., Henderickx, W., and
              S. Salsano, "Service Programming with Segment Routing",
              draft-ietf-spring-sr-service-programming-02 (work in
              progress), March 2020.

   [I-D.ietf-spring-srv6-network-programming]
              Filsfils, C., Camarillo, P., Leddy, J., Voyer, D.,
              Matsushima, S., and Z. Li, "SRv6 Network Programming",
              draft-ietf-spring-srv6-network-programming-15 (work in
              progress), March 2020.

   [SERA]     Abdelsalam, A., Salsano, S., Clad, F., Camarillo, P., and
              C. Filsfils, "SERA: SEgment Routing Aware Firewall for
              Service Function Chaining scenarios", IFIP Networking,
              May 2018.

Authors' Addresses

   James N Guichard (editor)
   Futurewei Technologies Ltd.

   Email: james.n.guichard@futurewei.com


   Clarence Filsfils
   Cisco Systems, Inc.

   Email: cf@cisco.com






   Daniel Bernier
   Bell Canada

   Email: daniel.bernier@bell.ca


   Zhenbin Li
   Huawei Technologies

   Email: lizhenbin@huawei.com


   Francois Clad (editor)
   Cisco Systems, Inc.

   Email: fclad@cisco.com


   Pablo Camarillo
   Cisco Systems, Inc.

   Email: pcamaril@cisco.com


   Ahmed AbdelSalam
   Cisco Systems, Inc.

   Email: ahabdels@cisco.com






















