Network Working Group                                              Dan Ma
Internet-Draft                                              Cisco Systems
Updates: RFC5575                                             Aug 10, 2014
Intended status: Standards Track
Expires: Jan 31, 2015


          Dissemination of Flow Specification Rules for MPLS Flow
                       draft-ma-idr-flowspec-mpls-00

Abstract

   Dissemination of Flow Specification Rules [RFC5575] specifies BGP
   SAFI 133/134 and NLRI types/extended communities to propagate native
   IP flow information for the purpose of dropping, rate limiting or
   filtering.  This proposal extends the current [RFC5575] by adding
   specifications to propagate MPLS flow information.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on Dec 31, 2014.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  MPLS Flow Specification encoding in BGP
   3.  MPLS Flow Specification Traffic Filtering Action changes
   4.  Security considerations
   5.  IANA Considerations
   6.  Acknowledgments
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1.  Introduction

   BGP Flowspec is a new mechanism to assist in DDoS mitigation.  It has
   many advantages: application-aware filtering, redirection and
   mirroring of flows; dynamic adaptation to the flows themselves; and
   easy dissemination through the BGP SAFI/NLRI defined for it
   (SAFI=133/134).

   Currently BGP Flowspec [RFC5575] and other drafts define many flow
   specification component types, such as IP source/destination
   address, IP protocol, TCP/UDP source/destination port, DSCP and
   packet length, but all of these types describe native IP flows: they
   can only be applied between PE and CE, or in other scenarios where
   the packets are native IP.

   There is also a requirement to mitigate DDoS attack traffic on an
   Inter-AS ASBR or on a CSC-PE/CSC-CE, to prevent DDoS traffic from
   flowing into the Service Provider core network.  Since the traffic
   between ASes or across a CSC boundary consists of MPLS flows, BGP
   Flowspec needs to support MPLS component types.  Internet traffic
   flowing through an MPLS LSP has the same requirement.  As forwarding
   hardware develops, more and more applications, such as OpenFlow and
   ACLs, can classify and operate on MPLS flows, so BGP Flowspec should
   have this capability as well.
   With MPLS flow support in BGP Flowspec, a Service Provider
   administrator or operator has more flexibility and capability to
   mitigate DDoS attack traffic coming from another AS or from a Tier-2
   service provider's CSC-CE.

   In this document the authors propose a set of new NLRI component
   types and extended communities to extend Dissemination of Flow
   Specification Rules [RFC5575] to MPLS flows.  This specification
   should be treated as an extension of the base [RFC5575]
   specification for MPLS flows.  It defines only the delta changes
   required to support MPLS flows; all other definitions and
   operational mechanisms of Dissemination of Flow Specification Rules
   remain in the main specification and are not repeated here.

2.  MPLS Flow Specification encoding in BGP

   [RFC5575] defines new SAFIs (133 for IPv4 and 134 for VPNv4) in
   order to carry the flow specification corresponding to each such
   application.  This document proposes the following component types
   for MPLS flows to extend [RFC5575]:

   Type 14 - MPLS label

      Encoding: Defines a list of {operation, value} pairs used to match
      the MPLS label.  Values are encoded as 1- or 2-byte quantities.

   Type 15 - MPLS label TTL

      Encoding: Defines a list of {operation, value} pairs used to match
      the MPLS label TTL.  Values are encoded as 1- or 2-byte
      quantities.

   Type 16 - MPLS label EXP

      Encoding: Defines a list of {operation, value} pairs used to match
      the MPLS label EXP.  Values are encoded as 1- or 2-byte
      quantities.

   Type 17 - MPLS label BoS bit

      Encoding: Defines a list of {operation, value} pairs used to match
      the MPLS label bottom of stack bit.  Values are encoded as 1- or
      2-byte quantities.

3.  MPLS Flow Specification Traffic Actions

   +--------+--------------------+--------------------------+
   | type   | extended community | encoding                 |
   +--------+--------------------+--------------------------+
   | 0x8006 | traffic-rate       | 2-byte as#, 4-byte float |
   | 0x8007 | traffic-action     | bitmask                  |
   | 0x8008 | redirect           | 6-byte Route Target      |
   | 0x8009 | traffic-marking    | DSCP value               |
   +--------+--------------------+--------------------------+

   In addition to supporting the above extended communities from
   [RFC5575], this document also proposes the following BGP extended
   communities for MPLS flows to extend [RFC5575]:

   +--------+--------------------+--------------------------+
   | type   | extended community | encoding                 |
   +--------+--------------------+--------------------------+
   | 0x800A | MPLS EXP marking   | EXP value                |
   | 0x800B | MPLS TTL setting   | TTL value                |
   | 0x800C | Label-action       | bitmask                  |
   +--------+--------------------+--------------------------+

   0x080A - MPLS EXP marking

      The MPLS EXP marking extended community instructs a system to
      modify the EXP bits of a transiting MPLS packet to the
      corresponding value.  This extended community is encoded as a
      sequence of 5 zero bytes followed by the EXP value encoded in the
      3 least significant bits of the 6th byte.

   0x080B - MPLS TTL setting

      The MPLS TTL setting extended community instructs a system to
      modify the TTL bits of a transiting MPLS packet to the
      corresponding value.  This extended community is encoded as a
      sequence of 5 zero bytes followed by the TTL value encoded in the
      6th byte.

   0x080C - Label action

      The Label-action extended community consists of 6 bytes of which
      only the 4 least significant bits of the 6th byte (from left to
      right) are currently defined.

        40  41  42  43  44  45  46  47
       +---+---+---+---+---+---+---+---+
       |   Unassigned  | U | S | H | P |
       +---+---+---+---+---+---+---+---+

      *  Pop Action (bit 47): Enable label pop for the MPLS flow when
         this bit is set.

      *  Push Action (bit 46): Enable label push for the MPLS flow when
         this bit is set.
      *  Swap Action (bit 45): Enable label swap for the MPLS flow when
         this bit is set.

      *  Unlabel Action (bit 44): Enable unlabel for the MPLS flow when
         this bit is set.

4.  Security considerations

   No new security issues are introduced to the BGP protocol by this
   specification.

5.  IANA Considerations

   IANA is requested to create and maintain a new registry entitled
   "Flow spec MPLS Component Types":

      Type 14 - MPLS label
      Type 15 - MPLS label TTL
      Type 16 - MPLS label EXP
      Type 17 - MPLS label BoS bit

   IANA is requested to update the reference for the following
   assignments in the "BGP Extended Communities Type - extended,
   transitive" registry:

   Type value  Name                                    Reference
   ----------  --------------------------------------  ---------------
   0x080A      Flow spec MPLS EXP marking              [this document]
   0x080B      Flow spec MPLS TTL setting              [this document]
   0x080C      Flow spec Label action                  [this document]

   The "label-action" extended community defined in this document has
   46 unused bits, which can be used to convey additional meaning.
   IANA created and maintains a new registry entitled "Label Action
   Fields".  These values should be assigned via IETF Review rules
   only.  The following Label-action fields have been allocated:

      47    Pop
      46    Push
      45    Swap
      44    Unlabel
      0-43  Unassigned

6.  Acknowledgments

   The authors would like to thank for their valuable input.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

7.2.  Informative References

   [RFC5575]  Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
              and D. McPherson, "Dissemination of Flow Specification
              Rules", RFC 5575, August 2009.

   [IPV6-FLOW]
              Raszuk, R., Pithawala, B., and D. McPherson,
              "Dissemination of Flow Specification Rules for IPv6",
              draft-ietf-idr-flow-spec-v6-00, June 2011.

   [VALIDATE] Uttaro, J., Filsfils, C., Mohapatra, P., and D. Smith,
              "Revised Validation Procedure for BGP Flow
              Specifications", draft-ietf-idr-bgp-flowspec-oid-00,
              June 2012.
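   The component encoding of Section 2, as an added runnable example
   (editor-written; it is not part of this draft and not Cisco code).
   It encodes and decodes the {operation, value} lists of the Type
   14-17 components with the numeric operator byte of [RFC5575]
   Section 4, frames them in a length-prefixed Flowspec NLRI, and
   evaluates a decoded component against a label stack field.  The
   function names and the sample rule (label == 100 or 200 <= label
   <= 299, BoS bit set) are the editor's own constructions.  Two points
   worth noting for implementers: the operator's len field also permits
   4- and 8-byte values, which a full 20-bit label requires even though
   the text above mentions 1- or 2-byte quantities, and the decoder
   rejects truncated input instead of reading past the end of the NLRI.

```python
# Added example: RFC 5575 numeric-operator encoding for the MPLS component
# types proposed in Section 2, plus NLRI framing and rule evaluation.
# Function names and the sample rule are the editor's own constructions.

MPLS_LABEL, MPLS_TTL, MPLS_EXP, MPLS_BOS = 14, 15, 16, 17

# Numeric operator byte (RFC 5575 Section 4):  e a len len 0 lt gt eq
END_OF_LIST, AND_WITH_PREV = 0x80, 0x40
LT, GT, EQ = 0x04, 0x02, 0x01
_LEN_CODE = {1: 0, 2: 1, 4: 2, 8: 3}   # value length is 1 << len


def encode_component(ctype, terms):
    """terms: list of (and_with_previous, flags, value, size).
    A full 20-bit label needs size 4; the draft text mentions 1 or 2."""
    out = bytearray([ctype])
    for i, (and_prev, flags, value, size) in enumerate(terms):
        if flags & ~(LT | GT | EQ):
            raise ValueError("unknown comparison flag 0x%02x" % flags)
        if not 0 <= value < (1 << (8 * size)):
            raise ValueError("value %d does not fit in %d byte(s)" % (value, size))
        op = flags | (_LEN_CODE[size] << 4)
        if and_prev and i > 0:          # the a bit is meaningless on the first term
            op |= AND_WITH_PREV
        if i == len(terms) - 1:
            op |= END_OF_LIST
        out.append(op)
        out += value.to_bytes(size, "big")
    return bytes(out)


def decode_component(buf, offset=0):
    """Parse one component at offset; returns (type, terms, next_offset).
    Raises ValueError rather than reading past the end of the buffer."""
    ctype = buf[offset]
    offset += 1
    terms = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated operator byte")
        op = buf[offset]
        offset += 1
        size = 1 << ((op >> 4) & 0x3)
        if offset + size > len(buf):
            raise ValueError("truncated %d-byte value" % size)
        value = int.from_bytes(buf[offset:offset + size], "big")
        offset += size
        terms.append((bool(op & AND_WITH_PREV), op & (LT | GT | EQ), value, size))
        if op & END_OF_LIST:
            return ctype, terms, offset


def _compare(flags, field, value):
    if flags == 0:                      # RFC 5575: no bit set matches unconditionally
        return True
    if flags == LT | GT | EQ:           # RFC 5575: all three bits set never matches
        return False
    return bool((flags & LT and field < value)
                or (flags & GT and field > value)
                or (flags & EQ and field == value))


def matches(terms, field):
    """AND binds tighter than OR: consecutive a-bit terms form one group,
    and the component matches if any group is true."""
    groups = []
    for and_prev, flags, value, _size in terms:
        term = _compare(flags, field, value)
        if and_prev and groups:
            groups[-1] = groups[-1] and term
        else:
            groups.append(term)
    return any(groups)


def encode_nlri(components):
    """Flowspec NLRI: 1-octet length below 240, else 2 octets with the high
    nibble set; components must be in ascending type order."""
    types = [c[0] for c in components]
    if types != sorted(types):
        raise ValueError("components must be in ascending type order")
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    if len(body) < 4096:
        return (0xF000 | len(body)).to_bytes(2, "big") + body
    raise ValueError("NLRI too long")


def decode_nlri(buf):
    """Returns a list of (type, terms), bounded by the NLRI's own length."""
    length, offset = buf[0], 1
    if length >= 0xF0:
        length, offset = ((buf[0] & 0x0F) << 8) | buf[1], 2
    end = offset + length
    if end > len(buf):
        raise ValueError("truncated NLRI")
    nlri, comps = buf[:end], []
    while offset < end:
        ctype, terms, offset = decode_component(nlri, offset)
        comps.append((ctype, terms))
    return comps


# Constructed sample rule: label == 100 OR (200 <= label <= 299), BoS bit set.
LABEL_TERMS = [(False, EQ, 100, 1), (False, GT | EQ, 200, 2), (True, LT | EQ, 299, 2)]
BOS_TERMS = [(False, EQ, 1, 1)]
SAMPLE_NLRI = encode_nlri([encode_component(MPLS_LABEL, LABEL_TERMS),
                           encode_component(MPLS_BOS, BOS_TERMS)])

if __name__ == "__main__":
    print(SAMPLE_NLRI.hex())
    for ctype, terms in decode_nlri(SAMPLE_NLRI):
        print(ctype, terms)
```

   Running the block prints the sample NLRI as
   0c0e01641300c8d5012b118101: a 12-byte body holding a Type 14 label
   component (three operator/value pairs, the last two joined by the
   a bit) and a Type 17 BoS component.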
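   The extended communities of Section 3, as an added runnable example
   (again editor-written, not the draft's or any vendor's code).  It
   encodes and decodes the MPLS EXP marking, MPLS TTL setting and
   Label-action communities (2-byte type, 5 zero bytes, value in the
   6th byte, action bits 44-47) and applies them to a constructed MPLS
   label stack.  The two-octet type values follow the table in
   Section 3 (0x800A..0x800C; the prose and the IANA section write them
   as 0x080A..0x080C, and the functions take the type as a parameter so
   either can be used).  Two points the draft leaves open are stated as
   assumptions in the code: the label action is applied before the
   EXP/TTL rewrite of the resulting top entry, and the out-label for
   push and swap, which the community itself does not carry, is passed
   in as a hypothetical local parameter new_label.

```python
# Added example: the three extended communities of Section 3 and their
# effect on an MPLS label stack.  Editor's code, not the draft's; the type
# values follow the Section 3 table, and the action ordering and the
# new_label parameter are assumptions noted below.
import struct

EC_MPLS_EXP_MARKING = 0x800A   # prose and IANA text write 0x080A
EC_MPLS_TTL_SETTING = 0x800B   # prose and IANA text write 0x080B
EC_LABEL_ACTION = 0x800C       # prose and IANA text write 0x080C

# Label-action bits; bit 47 is the least significant bit of the 6th value byte.
LA_POP, LA_PUSH, LA_SWAP, LA_UNLABEL = 0x01, 0x02, 0x04, 0x08
_LA_NAMES = {LA_POP: "pop", LA_PUSH: "push", LA_SWAP: "swap", LA_UNLABEL: "unlabel"}


def encode_ext_community(ectype, last_byte):
    """2-byte type, 5 zero bytes, then EXP / TTL / action bitmask in the 6th byte."""
    if not 0 <= last_byte <= 0xFF:
        raise ValueError("value must fit in one byte")
    if ectype == EC_MPLS_EXP_MARKING and last_byte > 0x07:
        raise ValueError("EXP is a 3-bit field")
    if ectype == EC_LABEL_ACTION and last_byte & 0xF0:
        raise ValueError("bits 40-43 of label-action are unassigned")
    return struct.pack("!H5xB", ectype, last_byte)


def decode_ext_community(ec):
    """Returns (type, payload): an int for EXP/TTL, a set of action names
    for label-action.  Malformed or unknown communities raise ValueError."""
    if len(ec) != 8:
        raise ValueError("extended community must be 8 bytes")
    ectype, last_byte = struct.unpack("!H5xB", ec)
    if ec[2:7] != bytes(5):
        raise ValueError("value bytes 1-5 must be zero")
    if ectype == EC_MPLS_EXP_MARKING:
        return ectype, last_byte & 0x07              # EXP lives in the 3 LSBs
    if ectype == EC_MPLS_TTL_SETTING:
        return ectype, last_byte
    if ectype == EC_LABEL_ACTION:
        return ectype, {name for bit, name in _LA_NAMES.items() if last_byte & bit}
    raise ValueError("not an MPLS flowspec extended community: 0x%04x" % ectype)


# MPLS label stack entry (RFC 3032): label(20) | EXP(3) | S(1) | TTL(8)
def build_lse(label, exp, bos, ttl):
    return (label << 12) | (exp << 9) | (bos << 8) | ttl


def parse_lse(word):
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}


def apply_actions(stack, communities, new_label=None):
    """stack: label stack entries, top first.  Returns the rewritten stack.
    Assumptions (the draft does not fix them): the label action runs first
    and EXP/TTL are then rewritten on the resulting top entry; new_label is
    a hypothetical local parameter, since the Label-action community itself
    carries no label for push or swap."""
    actions, exp, ttl = set(), None, None
    for ec in communities:
        ectype, payload = decode_ext_community(ec)
        if ectype == EC_MPLS_EXP_MARKING:
            exp = payload
        elif ectype == EC_MPLS_TTL_SETTING:
            ttl = payload
        else:
            actions |= payload
    if len(actions) > 1:
        raise ValueError("conflicting label actions: %s" % sorted(actions))
    stack = list(stack)
    if "unlabel" in actions:
        return []                       # whole stack removed: packet leaves as native IP
    if actions and not stack:
        raise ValueError("no label stack entry to operate on")
    if "pop" in actions:
        stack.pop(0)
    elif "swap" in actions or "push" in actions:
        if new_label is None:
            raise ValueError("swap/push need an out-label")
        top = parse_lse(stack[0])
        if "swap" in actions:
            stack[0] = build_lse(new_label, top["exp"], top["bos"], top["ttl"])
        else:                           # pushed entry inherits EXP and TTL, is not BoS
            stack.insert(0, build_lse(new_label, top["exp"], 0, top["ttl"]))
    if stack and (exp is not None or ttl is not None):
        top = parse_lse(stack[0])
        stack[0] = build_lse(top["label"],
                             top["exp"] if exp is None else exp,
                             top["bos"],
                             top["ttl"] if ttl is None else ttl)
    return stack


# Constructed sample: a two-label packet and a rule that marks EXP=5,
# sets TTL=32 and pops the top label.
SAMPLE_STACK = [build_lse(100, 0, 0, 64), build_lse(300, 0, 1, 64)]
SAMPLE_ACTIONS = [encode_ext_community(EC_MPLS_EXP_MARKING, 5),
                  encode_ext_community(EC_MPLS_TTL_SETTING, 32),
                  encode_ext_community(EC_LABEL_ACTION, LA_POP)]

if __name__ == "__main__":
    for word in apply_actions(SAMPLE_STACK, SAMPLE_ACTIONS):
        print(parse_lse(word))
```

   The decoder refuses communities whose five leading value bytes are
   not zero and rejects a Label-action that sets more than one of the
   four defined bits, since the draft gives no precedence between pop,
   push, swap and unlabel; a receiver that silently picked one would
   behave differently from its peers.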
Authors' Addresses

   Dan Ma
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134
   US

   Email: danma@cisco.com