IDR Working Group G. Van de Velde, Ed. Internet-Draft Nokia Intended status: Standards Track K. Patel Expires: September 3, 2017 Arrcus Z. Li Huawei Technologies March 2, 2017 Flowspec Indirection-id Redirect draft-ietf-idr-flowspec-path-redirect-01 Abstract Flowspec is an extension to BGP that allows for the dissemination of traffic flow specification rules. This has many possible applications but the primary one for many network operators is the distribution of traffic filtering actions for DDoS mitigation. The flow-spec standard RFC5575 [2] defines a redirect-to-VRF action for policy-based forwarding but this mechanism is not always sufficient, particularly if the redirected traffic needs to be steered into an engineered path or into a service plane. This document defines a new extended community known as redirect-to- indirection-id (32-bit) flowspec action to provide advanced redirection capabilities on flowspec clients. When activated, the flowspec extended community is used by a flowspec client to find the correct next-hop entry within a localised indirection-id mapping table. The functionality present in this draft allows a network controller to decouple flowspec functionality from the creation and maintainance of the network's service plane itself including the setup of tunnels and other service constructs that could be managed by other network devices. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Van de Velde, et al. Expires September 3, 2017 [Page 1] Internet-Draft Flowspec Indirection-id Redirect March 2017 Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 3, 2017. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. indirection-id and indirection-id table . . . . . . . . . . . 3 3. Use Case Scenarios . . . . . . . . . . . . . . . . . . . . . 4 3.1. Redirection shortest Path tunnel . . . . . . . . . . . . 4 3.2. Redirection to path-engineered tunnels . . . . . . . . . 5 3.3. Redirection to complex dynamically constructed tunnels . 6 4. Redirect to indirection-id Community . . . . . . . . . . . . 7 5. Redirect using localised indirection-id mapping table . . . . 8 6. Validation Procedures . . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 9. Contributor Addresses . . . . . . . . . . . . . . . . . . . . 9 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 11.1. Normative References . . . . . . . . . . . . . . . . . . 11 11.2. Informative References . . . . . . . . . . . . . . . . . 12 Appendix A. Additional indirection_id types waiting for use-case description . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Van de Velde, et al. Expires September 3, 2017 [Page 2] Internet-Draft Flowspec Indirection-id Redirect March 2017 1. Introduction Flowspec RFC5575 [2] is an extension to BGP that allows for the dissemination of traffic flow specification rules. This has many possible applications, however the primary one for many network operators is the distribution of traffic filtering actions for DDoS mitigation. Every flowspec policy route is effectively a rule, consisting of a matching part (encoded in the NLRI field) and an action part (encoded in one or more BGP extended communities). The flow-spec standard RFC5575 [2] defines widely-used filter actions such as discard and rate limit; it also defines a redirect-to-VRF action for policy-based forwarding. Using the redirect-to-VRF action to steer traffic towards an alternate destination is useful for DDoS mitigation but using this technology can be cumbersome when there is need to steer the traffic onto an engineered traffic path. This draft proposes a new redirect-to-indirection-id flowspec action facilitating an anchor point for policy-based forwarding onto an engineered path or into a service plane. The flowspec client consuming and utilizing the new flowspec indirection-id extended- community constructs the redirection information based upon information found within a localised indirection-id mapping table. The localised mapping table is a table construct, sequenced by a table key, providing next-hop information. The redirect-to-indirection-id flowspec action is encoded in a newly defined BGP extended community. The type of redirection is identified as an extended community indirection-id type field. This draft defines the indirection-id extended-community and a few wellknown indirection-id types. The specific mechanics to construct a localised indirection-id mapping table are out-of-scope of this document. 2. indirection-id and indirection-id table An indirection-id is an abstract number (32-bit value) used as identifier for a localised indirection decision. The indirection-id will allow a flowspec client to redirect traffic into a service plane or consequently onto an engineered traffic path. For example, when a BGP flowspec controller signals a flowspec client the indirection-id extended community, then the flowspec client uses the indirection-id to make a recursive lookup to find the next-hop information. The indirection-id is used to find the corresponding next-hop information within the localised indirection mapping table. Van de Velde, et al. Expires September 3, 2017 [Page 3] Internet-Draft Flowspec Indirection-id Redirect March 2017 The indirection-id table is localised on the router. The indirection-id table is constructed out of table keys, each mapped to localised redirection information. Each table key is composed by the combining indirection-id type and an indirection-id 32-bit value. Each entry in the indirection-table key maps to sufficient information (parameters regarding encapsulation, egress-interface, QoS, etc...) to successfully redirect traffic according flowspec controller expectations. 3. Use Case Scenarios This section describes use-case scenarios when deploying redirect-to- indirection-id. 3.1. Redirection shortest Path tunnel Example: Indirection-ID community types to be used: o 0 (localised ID): When the intent is to use a localised Indirection-id table on the flowspec client o 1 (Node ID): When the intent is to use a Segment Routing based Indirection-id table on the flowspec client Description: The first use-case describes an example where a single flowspec route (i.e. flowspec_route#1) is sent by a flowspec controller to many BGP flowspec clients. This single flowspec route will instruct all Flowspec clients to redirect matching dataflows onto a shortest-path tunnel pointing towards a single IP destination address. For this first use-case scenario, each flowspec client receives a flowspec route (flowspec_route#1) which has the redirect-to- indirection-id extended community attached. The extended redirect- to-indirection-id community contains the table key consisting out of the indirection-id type and indirection-id 32-bit value. The table key is used on the flowspec client to map to the corresponding next- hop information within the local indirection-id table. The finite result of this operation is a remote tunnel end-point IP address together with accordingly sufficient tunnel encapsulation information to forward and encapsulate the data-packet accordingly. Requirements: For redirect to shortest path tunnel it is required that the tunnel MUST be operational and allow packets to be exchanged between tunnel head- and tail-end. Van de Velde, et al. Expires September 3, 2017 [Page 4] Internet-Draft Flowspec Indirection-id Redirect March 2017 3.2. Redirection to path-engineered tunnels Example: Indirection-ID community types to be used: o 0 (localised ID): When the intent is to use a localised Indirection-id table on the flowspec client o 6 (Binding Segment ID): When the intent is to use a Segment Routing based Indirection-id table on the flowspec client Description: The second use-case describes an example where a flowspec controler injects a single flowspec route which gets distributed to many BGP flowspec clients. This single flowspec route intends to instruct all Flowspec clients to redirect corresponding dataflows onto a path engineered tunnel. It is expected that each of the path engineered tunnels is instantiated by out-of-band mechanisms. Each used path engineered tunnel has a unque table key identifier. consequently, the table key uniquely identifies exactly -one- path engineered tunnel. In this use-case example, the flowspec controller sends a flowspec route to each of the flowspec clients and this flowspec route has a redirect-to-indirection-id extended community attached. The redirect-to-indirection-id extended community embeds table key information and hence provides sufficient information to select the corresponding path-engineered tunnel to redirect the packet according the flowspec controller expectations. Segment Routing Example: A concrete embodiment of a Segment Routing use-case example is found in networks where path engineered tunnels are created by a Segment Routing MPLS label stack. In such a deployment, the indirection-id provides an anchorpoint reference to a Segment Routing Binding SID. However, the indirection-id type provides a pointer to the Binding SID semantics to be used. The Binding SID is a segment identifier value (as per segment routing definitions in [I-D.draft-ietf-spring- segment-routing] [6]) used to associate an explicit path. The Binding SID and corresponding path engineered tunnel can for example be setup by a controller using BGP as specified in [I-D.sreekantiah- idr-segment-routing-te] [5] or by using PCEP as detailed in draft- ietf-pce-segment-routing [7]. To conclude, when a BGP speaker at some point in time receives a flow-spec route with an extended 'redirect-to-indirection-id' community, it installs a traffic filtering rule that matches particular packets and redirects them onto an explicit path associated with the corresponding Binding SID. Van de Velde, et al. Expires September 3, 2017 [Page 5] Internet-Draft Flowspec Indirection-id Redirect March 2017 The encoding of the Binding SID within the redirect-to-indirection-id extended community is specified in section 4. Requirements: For redirect to path engineered tunnels it is required that the engineered tunnel MUST be active and allow packets to be exchanged between tunnel head- and tail-end. 3.3. Redirection to complex dynamically constructed tunnels Example: Indirection-ID community types to be used: o 0 (localised ID) with TID: When the intent is to use a localised Indirection-id table, then TID (Table-ID) field could be used to sequence multiple redirect-to-indirection-id actions together to construct a more complex path engineered tunnel. The order of sequencing the redirection information may be identified by using the TID field. Description: A third use-case describes the application and redirection towards complex dynamically constructed tunnels. For this use-case a BGP flowspec controller injects a flowspec route with multiple 'redirect- to-indirection-id' communities attached. A recipient flowspec client may use the Table-ID (TID) field embedded within each 'redirect-to- indirection-id' community to sequence the redirect information. The complex dynamically constructed tunnel is the product of concatenating the available redirect information (i.e. MPLS Segment Routing Labels). Segment Routing Example: i.e. a classic Segment Routing example using complex tunnels is found in DDoS mitigation and traffic offload. Suspicious traffic (e.g. dirty traffic flows) may be steered into a Segment Routing Central Egress Path Engineered tunnel [4]. For this particular complex dynamic redirect tunnel embodiment, a first redirect-to-indirection- id (i.e. TID=0) is used to redirect traffic into a tunnel towards a particlar egress router, while a second redirect-to-indirection-id (i.e. TID=1) is used to steer traffic beyond the particular egress router towards a pre-identified interface/peer. For this DDoS use-case, in its simplest embodiment, the flowspec client must dynamically append 2 MPLS labels. A first MPLS label (the outer label) to steer the original packet to the egress node (and hence using a shortest path tunnel), while a second MPLS label Van de Velde, et al. Expires September 3, 2017 [Page 6] Internet-Draft Flowspec Indirection-id Redirect March 2017 (matching redirect-to-indirection-id with TID=1), the inner label, to steer on the egress router the original packet to a pre-defined interface/peer. The basic data-plane principles are documented by [4]. Requirements: To achieve redirection towards complex dynamically constructed tunnels, for each flowspec route, multiple indirection-ids, each using a unique Tunnel ID may imposed upon a given flowspec policy rule. It is required that there is synchronisation established between the data- and control-plane of all relevant devices involved. Each complex dynamically constructed tunnel MUST be operational and allow packets to be exchanged between tunnel head- and tail-end before it should be used to redirect traffic. 4. Redirect to indirection-id Community This document defines a new BGP extended community known as a Redirect-to-indirection-id extended community. This extended community is a new transitive extended community with the Type and the Sub-Type field to be assigned by IANA. The format of this extended community is show in Figure 1. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Sub-Type | Flags(1 octet)| Indirection ID| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Generalized indirection_id | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1 The meaning of the extended community fields are as follows: Type: 1 octet to be assigned by IANA. Sub-Type: 1 octet to be assigned by IANA. Flags: 1 octet field. Following Flags are defined. Van de Velde, et al. Expires September 3, 2017 [Page 7] Internet-Draft Flowspec Indirection-id Redirect March 2017 0 1 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | RES | TID |C| +-+-+-+-+-+-+-+-+ Figure 2 The least-significant Flag bit is defined as the 'C' (or copy) bit. When the 'C' bit is set the redirection applies to copies of the matching packets and not to the original traffic stream. The 'TID' field identifies a 4 bit Table-id field. This field is used to provide the flowspec client an indication how and where to sequence the received indirection-ids to redirecting traffic. TID value 0 indicates that Table-id field is NOT set and SHOULD be ignored. All bits other than the 'C' and 'TID' bits MUST be set to 0 by the originating BGP speaker and ignored by receiving BGP speakers. Indirection ID: 1 octet value. This draft defines following indirection_id Types: 0 - Localised ID (The flowspec client uses the received indirection-id to lookup the redirection information in the localised indirection-id table.) 1 - Node ID (The flowspec client uses the received indirection-id as a Segment Routing Node ID to redirect traffic towards) 6 - Binding Segment ID (The flowspec client uses the received indirection-id as a Segment Routing Binding Segment ID to redirect traffic towards) [I-D.draft-ietf-spring-segment-routing] [6] 5. Redirect using localised indirection-id mapping table When a BGP flowspec client receives a flowspec policy route with a 'redirect to indirection-id' extended community attached and the route represents the best BGP path, it will install a flowspec traffic filtering rule matching the IP tupples described by the flowpsec NLRI field and consequently redirects the flow (C=0) or copies the flow (C=1) using the information identified by the 'redirect-to-indirection-id' community. Van de Velde, et al. Expires September 3, 2017 [Page 8] Internet-Draft Flowspec Indirection-id Redirect March 2017 6. Validation Procedures The validation check described in RFC5575 [2] and revised in [3] SHOULD be applied by default to received flow-spec routes with a 'redirect to indirection-id' extended community. This means that a flow-spec route with a destination prefix subcomponent SHOULD NOT be accepted from an EBGP peer unless that peer also advertised the best path for the matching unicast route. While it MUST NOT happen, and is seen as invallid combination, it is possible from a semenatics perspective to have multiple clashing redirect actions defined within a single flowspec rule. For best and consistant RFC5575 flowspec redirect behavior the redirect as documented by RFC5575 MUST not be broken, and hence when a clash occurs, then RFC5575 based redirect SHOULD take priority. Additionally, if the 'redirect to indirection-id' does not result in a valid redirection, then the flowspec rule must be processed as if the 'redirect to indirection-id' community was not attached to the flowspec route and MUST provide an indication within the BGP routing table that the respective 'redirect to indirection-id' resulted in an invalid redirection action. 7. Security Considerations A system using 'redirect-to-indirection-id' extended community can cause during the redirect mitigation of a DDoS attack result in overflow of traffic received by the mitigation infrastructure. 8. Acknowledgements This document received valuable comments and input from IDR working group including Adam Simpson, Mustapha Aissaoui, Jan Mertens, Robert Raszuk, Jeff Haas, Susan Hares and Lucy Yong. 9. Contributor Addresses Below is a list of other contributing authors in alphabetical order: Van de Velde, et al. Expires September 3, 2017 [Page 9] Internet-Draft Flowspec Indirection-id Redirect March 2017 Arjun Sreekantiah Cisco Systems 170 W. Tasman Drive San Jose, CA 95134 USA Email: asreekan@cisco.com Nan Wu Huawei Technologies Huawei Bld., No. 156 Beiquing Rd Beijing 100095 China Email: eric.wu@huawei.com Shunwan Zhuang Huawei Technologies Huawei Bld., No. 156 Beiquing Rd Beijing 100095 China Email: zhuangshunwan@huawei.com Wim Henderickx Nokia Antwerp BE Email: wim.henderickx@nokia.com Figure 3 10. IANA Considerations This document requests a new type and sub-type for the Redirect to indirection-id Extended community from the "Transitive Extended community" registry. The Type name shall be "Redirect to indirection-id Extended Community" and the Sub-type name shall be 'Flow-spec Redirect to 32-bit Path-id'. In addition, this document requests IANA to create a new registry for Redirect to indirection-id Extended Community INDIRECTION-IDs as follows: Van de Velde, et al. Expires September 3, 2017 [Page 10] Internet-Draft Flowspec Indirection-id Redirect March 2017 Under "Transitive Extended Community:" Registry: "Redirect Extended Community indirection_id" Reference: [RFC-To-Be] Registration Procedure(s): First Come, First Served Registry: "Redirect Extended Community indirection_id" Value Code Reference 0 Localised ID [RFC-To-Be] 1 Node ID [RFC-To-Be] 2 Agency ID [RFC-To-Be] 3 AS (Autonomous System) ID [RFC-To-Be] 4 Anycast ID [RFC-To-Be] 5 Multicast ID [RFC-To-Be] 6 Tunnel ID (Tunnel Binding ID ) [RFC-To-Be] 7 VPN ID [RFC-To-Be] 8 OAM ID [RFC-To-Be] 9 ECMP (Equal Cost Multi-Path) ID [RFC-To-Be] 10 QoS ID [RFC-To-Be] 11 Bandwidth-Guarantee ID [RFC-To-Be] 12 Security ID [RFC-To-Be] 13 Multi-Topology ID [RFC-To-Be] Figure 4 11. References 11.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, . [2] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., and D. McPherson, "Dissemination of Flow Specification Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, . Van de Velde, et al. Expires September 3, 2017 [Page 11] Internet-Draft Flowspec Indirection-id Redirect March 2017 11.2. Informative References [3] Uttaro, J., Filsfils, C., Alcaide, J., and P. Mohapatra, "Revised Validation Procedure for BGP Flow Specifications", January 2014. [4] Filsfils, C., Previdi, S., Aries, E., Ginsburg, D., and D. Afanasiev, "Segment Routing Centralized Egress Peer Engineering", October 2015. [5] Sreekantiah, A., Filsfils, C., Previdi, S., Sivabalan, S., Mattes, P., and S. Lin, "Segment Routing Traffic Engineering Policy using BGP", October 2015. [6] Filsfils, C., Previdi, S., Decraene, B., Litkowski, S., Shakir, R., Bashandy, A., Horneffer, M., Henderickx, W., Tantsura, J., Crabbe, E., Milojevic, I., and S. Ytti, "Segment Routing Architecture", December 2015. [7] Sivabalan, S., Medved, M., Filsfils, C., Litkowski, S., Raszuk, R., Bashandy, A., Lopez, V., Tantsura, J., Henderickx, W., Hardwick, J., Milojevic, I., and S. Ytti, "PCEP Extensions for Segment Routing", December 2015. Appendix A. Additional indirection_id types waiting for use-case description This section is a placeholder and collection of potential additional indirection_id types. The current use-cases do not require these particular indirection types, however at later stage when use-cases are identified they may be added to the body of teh draft. 2 - Agency ID (The flowspec client uses the received indirection-id as a Segment Routing Agency ID to redirect traffic towards) 3 - AS (Autonomous System) ID (The flowspec client uses the received indirection-id as a Segment Routing Autonomous System ID to redirect traffic towards) 4 - Anycast ID (The flowspec client uses the received indirection-id as a Segment Routing Anycast ID to redirect traffic towards) 5 - Multicast ID (The flowspec client uses the received indirection- id as a Segment Routing Multicast ID to redirect traffic towards) 7 - VPN ID (The flowspec client uses the received indirection-id as a Segment Routing VPN ID to redirect traffic towards) Van de Velde, et al. Expires September 3, 2017 [Page 12] Internet-Draft Flowspec Indirection-id Redirect March 2017 8 - OAM ID (The flowspec client uses the received indirection-id as a Segment Routing OAM ID to redirect traffic towards) 9 - ECMP (Equal Cost Multi-Path) ID (The flowspec client uses the received indirection-id as a Segment Routing PeerSet ID to redirect traffic towards) 10 - QoS ID (The flowspec client uses the received indirection-id as a Segment Routing QoS ID to redirect traffic towards) 11 - Bandwidth-Guarantee ID (The flowspec client uses the received indirection-id as a Segment Routing Bandwidth-Guarantee ID to redirect traffic towards) 12 - Security ID (The flowspec client uses the received indirection- id as a Segment Routing Security ID to redirect traffic towards) 13 - Multi-Topology ID (The flowspec client uses the received indirection-id as a Segment Routing Multi-Topology ID to redirect traffic towards) Authors' Addresses Gunter Van de Velde (editor) Nokia Antwerp BE Email: gunter.van_de_velde@nokia.com Keyur Patel Arrcus USA Email: keyur@arrcus.com Zhenbin Li Huawei Technologies Huawei Bld., No. 156 Beiquing Rd Beijing 100095 China Email: lizhenbin@huawei.com Van de Velde, et al. Expires September 3, 2017 [Page 13]