Isis Working Group J. You Internet-Draft Q. Liang Intended status: Standards Track Huawei Expires: December 31, 2015 K. Patel Cisco Systems P. Fan China Mobile June 29, 2015 IS-IS Extensions for Flow Specification draft-you-isis-flowspec-extensions-01 Abstract Dissemination of the Traffic flow information was first introduced in the BGP protocol [RFC5575]. FlowSpec routes are used to distribute traffic filtering rules that are used to filter Denial-of-Service (DoS) attacks. For the networks that only deploy an IGP (Interior Gateway Protocol) (e.g., IS-IS), it is required that the IGP is extended to distribute Flow Specification or FlowSpec routes. This document discusses the use cases for distributing flow specification (FlowSpec) routes using IS-IS. Furthermore, this document defines a new IS-IS FlowSpec Reachability TLV encoding format that can be used to distribute FlowSpec routes, its validation procedures for imposing the filtering information on the routers, and a capability to indicate the support of FlowSpec functionality. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any You, et al. Expires December 31, 2015 [Page 1] Internet-Draft ISIS FlowSpec June 2015 time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on December 31, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Use Cases for IS-IS based FlowSpec Distribution . . . . . . . 4 3.1. IS-IS Campus Network . . . . . . . . . . . . . . . . . . 4 3.2. BGP/MPLS VPN . . . . . . . . . . . . . . . . . . . . . . 4 3.2.1. Traffic Analyzer Deployed in Provider Network . . . . 5 3.2.2. Traffic Analyzer Deployed in Customer Network . . . . 6 3.2.3. Policy Configuration . . . . . . . . . . . . . . . . 6 4. IS-IS Extensions for FlowSpec Routes . . . . . . . . . . . . 7 4.1. FlowSpec Filters sub-TLV . . . . . . . . . . . . . . . . 8 4.1.1. Order of Traffic Filtering Rules . . . . . . . . . . 9 4.1.2. Validation Procedure . . . . . . . . . . . . . . . . 10 4.2. FlowSpec Action sub-TLV . . . . . . . . . . . . . . . . . 10 4.2.1. Traffic-rate . . . . . . . . . . . . . . . . . . . . 11 4.2.2. Traffic-action . . . . . . . . . . . . . . . . . . . 11 4.2.3. Traffic-marking . . . . . . . . . . . . . . . . . . . 12 4.2.4. Redirect-to-IP . . . . . . . . . . . . . . . . . . . 12 5. Redistribution of FlowSpec Routes . . . . . . . . . . . . . . 12 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 6.1. FlowSpec reachability TLV . . . . . . . . . . . . . . . . 13 6.2. FlowSpec Filters sub-TLV . . . . . . . . . . . . . . . . 13 6.3. FlowSpec Action sub-TLV . . . . . . . . . . . . . . . . . 13 7. Security considerations . . . . . . . . . . . . . . . . . . . 13 8. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 14 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 9.1. Normative References . . . . . . . . . . . . . . . . . . 14 You, et al. Expires December 31, 2015 [Page 2] Internet-Draft ISIS FlowSpec June 2015 9.2. Informative References . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 1. Introduction [RFC5575] defines Border Gateway Protocol protocol extensions that can be used to distribute traffic flow specifications. One application of this encoding format is to automate inter-domain coordination of traffic filtering, such as what is required in order to mitigate (distributed) denial-of-service attacks. [RFC5575] allows flow specifications received from an external autonomous system to be forwarded to a given BGP peer. However, in order to block the attack traffic more effectively, it is better to distribute the BGP FlowSpec routes to the customer network, which is much closer to the attacker. For the networks deploying only an IGP (e.g., IS-IS), it is expected to extend the IGP (IS-IS in this document) to distribute FlowSpec routes. This document discusses the use cases for distributing FlowSpec routes using IS-IS. Furthermore, this document also defines a new IS-IS FlowSpec Reachability TLV encoding format that can be used to distribute FlowSpec routes to the edge routers in the customer network, its validation procedures for imposing the filtering information on the routers, and a capability to indicate the support of Flowspec functionality. The semantic content of the FlowSpec extensions defined in this document are identical to the corresponding extensions to BGP ([RFC5575] and [I-D.ietf-idr-flow-spec-v6]). In order to avoid repetition, this document only concentrates on those parts of specification where IS-IS is different from BGP. The IS-IS flowspec extensions defined in this document can be used to mitigate the impacts of DoS attacks. 2. Terminology This section contains definitions for terms used frequently throughout this document. However, many additional definitions can be found in [ISO-10589] and [RFC5575]. Flow Specification (FlowSpec): A flow specification is an n-tuple consisting of several matching criteria that can be applied to IP traffic, including filters and actions. Each FlowSpec consists of a set of filters and a set of actions. You, et al. Expires December 31, 2015 [Page 3] Internet-Draft ISIS FlowSpec June 2015 3. Use Cases for IS-IS based FlowSpec Distribution For the networks deploying only an IGP (e.g., IS-IS), it is expected to extend the IGP (IS-IS in this document) to distribute FlowSpec routes, because when the FlowSpec routes are installed in the customer network, they are closer to the attacker than when they are installed in the provider network. Consequently, the attack traffic could be blocked or the suspicious traffic could be limited to a low rate as early as possible. The following sub-sections discuss the use cases for IS-IS based FlowSpec route distribution. 3.1. IS-IS Campus Network For networks not deploying BGP, for example, the campus network using IS-IS, it is expected to extend IS-IS to distribute FlowSpec routes as shown in Figure 1. In this kind of network, the traffic analyzer could be deployed with a router, then the FlowSpec routes from the traffic analyzer need to be distributed to the other routers in this domain using IS-IS. +--------+ |Traffic | +---+Analyzer| | +--------+ | |FlowSpec | | +--+-------+ +----------+ +--------+ | Router A +-----------+ Router B +--------+Attacker| +----------+ +----------+ +--------+ | | | | IS-IS FlowSpec | Attack Traffic | | | | Figure 1: IS-IS Campus Network 3.2. BGP/MPLS VPN [RFC5575] defines a BGP NLRI encoding format to distribute traffic flow specifications in BGP deployed network. However, in the BGP/ MPLS VPN scenario, the IGP (e.g., IS-IS or OSPF) is used between the PE (Provider Edge) and CE (Customer Edge) in many deployments. In order to distribute the FlowSpec routes to the customer network, the IGP needs to support FlowSpec route distribution. The FlowSpec You, et al. Expires December 31, 2015 [Page 4] Internet-Draft ISIS FlowSpec June 2015 routes are usually generated by the traffic analyzer or the traffic policy center in the network. Depending on the location of the traffic analyzer deployment, two different distribution scenarios are discussed below. 3.2.1. Traffic Analyzer Deployed in Provider Network The traffic analyzer (also acting as the traffic policy center) could be deployed in the provider network as shown in Figure 2. If the traffic analyzer detects attack traffic from the customer network VPN1, it would generate the FlowSpec routes for preventing DoS attacks. FlowSpec routes with a Route Distinguisher (RD) in the Network Layer Reachability information (NRLI) corresponding to VPN1 are distributed from the traffic analyzer to the PE1 to which the traffic analyzer is attached. If the traffic analyzer is also a BGP speaker, it can distribute the FlowSpec routes using BGP [RFC5575]. Then the PE1 distributes the FlowSpec routes further to the PE2. Finally, the FlowSpec routes need to be distributed from PE2 to the CE2 using IS-IS, i.e., to the customer network VPN1. As an attacker is more likely in the customer network, FlowSpec routes installed directly on CE2 could mitigate the impact of DoS attacks better. +--------+ |Traffic | +---+Analyzer| ----------- | +--------+ //- -\\ | /// \\\ |FlowSpec / \ | // \\ | | | +--+--+ +-----+ | +-----+ +--------+ | | PE1 +-------+ PE2 +-------+--+ CE2 +-------+Attacker| | +-----+ +-----+ | +-----+ +--------+ | | | | | | | | | | BGP FlowSpec | IS-IS FlowSpec | Attack Traffic| | | | \\ | | // \ / \\\ VPN1 /// \\-- --// --------- Figure 2: Traffic Analyzer deployed in Provider Network You, et al. Expires December 31, 2015 [Page 5] Internet-Draft ISIS FlowSpec June 2015 3.2.2. Traffic Analyzer Deployed in Customer Network The traffic analyzer (also acting as the traffic policy center) could be deployed in the customer network as shown in Figure 3. If the traffic analyzer detects attack traffic, it would generate FlowSpec routes to prevent associated DoS attacks. Then the FlowSpec routes would be distributed from the traffic analyzer to the CE1 using IS-IS or another policy protocol (e.g., RESTful API over HTTP). Furthermore, the FlowSpec routes need to be distributed throughout the provider network via PE1/PE2 to CE2, i.e., to the remote customer network VPN1 Site1. If the FlowSpec routes installed on the CE2, it could block the attack traffic as close to the source of the attack as possible. +--------+ |Traffic | +---+Analyzer| | +--------+ -------- | //-- --\\ |FlowSpec // \\ | / \ | // \\ +--+--+ +-----+ +-----+ | +-----+ +--------+ | | CE1 +--------+ PE1 +-------+ PE2 +--------+-+ CE2 +-------+Attacker| | +-----+ +-----+ +-----+ | +-----+ +--------+ | | | | | | | | | | |IS-IS FlowSpec | BGP FlowSpec| IS-IS FlowSpec | Attack Traffic | | | | | | | | | | | \\ // \ VPN1 Site1 / \\ // \\-- --// -------- Figure 3: Traffic Analyzer deployed in Customer Network 3.2.3. Policy Configuration The CE or PE could deploy local filtering policies to filter IS-IS FlowSpec rules, for example, deploying a filtering policy to filter the incoming IS-IS FlowSpec rules in order to prevent illegal or invalid FlowSpec rules from being applied. The PE should configure FlowSpec importing policies to control importing action between the BGP IP/VPN FlowSpec RIB and the IS-IS Instance FlowSpec RIB. Otherwise, the PE couldn't transform a BGP You, et al. Expires December 31, 2015 [Page 6] Internet-Draft ISIS FlowSpec June 2015 IP/VPN FlowSpec rule to an IS-IS FlowSpec rule or transform an IS-IS FlowSpec rule to a BGP IP/VPN FlowSpec rule. 4. IS-IS Extensions for FlowSpec Routes This document defines a new IS-IS TLV, i.e. the FlowSpec reachability TLV (TLV type: TBD1), which would be carried in an LSP (Link State Protocol) Data Unit [ISO-10589], to describe the FlowSpec routes. The FlowSpec Reachability TLV carries one or more FlowSpec entries. Each FlowSpec entry consists of FlowSpec filters (FlowSpec filters sub-TLVs) and corresponding FlowSpec actions (FlowSpec Action sub- TLVs). The FlowSpec Reachability TLV is defined below in Figure 4: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type (TBD1) | Length | Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length 1 | FlowSpec Entry 1 (variable) | +-+-+-+-+-+-+-+-+ + ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length 2 | FlowSpec Entry 2 (variable) | +-+-+-+-+-+-+-+-+ + ~ ~ + + | Figure 4: FlowSpec Reachability TLV Type: 1 octet. Type code is TBD1. Length: 1 octet. The length field defines the length of the value portion in octets (thus a TLV with no value portion would have a length of 0). Value: variable. The value field contains a "Flags" field and one or more 2-tuples consisting of the Length and the FlowSpec entry. Each 2-tuple starts with 1 octet of Length, and followed by a variable length FlowSpec entry, which consists of FlowSpec filters sub-TLVs and corresponding FlowSpec action sub-TLVs. The length specifies the number of bytes of the FlowSpec entry. Flags: One octet Field identifying Flags You, et al. Expires December 31, 2015 [Page 7] Internet-Draft ISIS FlowSpec June 2015 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Reserved |L| +-+-+-+-+-+-+-+-+ The least significant bit L is defined as a Leaking enable bit. If set, the FlowSpec Reachability TLV SHOULD be flooded across the entire routing domain. If the L flag is not set, the FlowSpec Reachability TLV MUST NOT be leaked between levels. This bit MUST NOT be altered during the TLV leaking. This Flags may be modified by the IS-IS Speaker according to a local policy. 4.1. FlowSpec Filters sub-TLV IS-IS FlowSpec filters sub-TLV is one component of FlowSpec entry, carried in the FlowSpec reachability TLV. It is defined below in Figure 5. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Type(TBD2/TBD3)| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Flags | | +-+-+-+-+-+-+-+-+ + ~ Filters (variable) ~ + + | ... | Figure 5: IS-IS FlowSpec Filters sub-TLV Type: the TLV type (Type Code: TBD2 for IPv4 FlowSpec filters, TBD3 for IPv6 FlowSpec filters) Length: the size of the value field in octets Flags: One octet Field identifying Flags 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Reserved |S| +-+-+-+-+-+-+-+-+ The least significant bit S is defined as a strict filter check bit. If set, strict validation rules outlined in the validation section Section 4.1.2 need to be enforced. You, et al. Expires December 31, 2015 [Page 8] Internet-Draft ISIS FlowSpec June 2015 Filters: the same as "flow-spec NLRI value" defined in [RFC5575] and [I-D.ietf-idr-flow-spec-v6]. Table 1: IS-IS Supported FlowSpec Filters +------+------------------------+------------------------------+ | Type | Description | RFC/ WG draft | +------+------------------------+------------------------------+ | 1 | Destination IPv4 Prefix| RFC5575 | | | Destination IPv6 Prefix| I-D.ietf-idr-flow-spec-v6 | +------+------------------------+------------------------------+ | 2 | Source IPv4 Prefix | RFC5575 | | | Source IPv6 Prefix | I-D.ietf-idr-flow-spec-v6 | +------+------------------------+------------------------------+ | 3 | IP Protocol | RFC5575 | | | Next Header | I-D.ietf-idr-flow-spec-v6 | +------+------------------------+------------------------------+ | 4 | Port | RFC5575 | +------+------------------------+------------------------------+ | 5 | Destination port | RFC5575 | +------+------------------------+------------------------------+ | 6 | Source port | RFC5575 | +------+------------------------+------------------------------+ | 7 | ICMP type | RFC5575 | +------+------------------------+------------------------------+ | 8 | ICMP code | RFC5575 | +------+------------------------+------------------------------+ | 9 | TCP flags | RFC5575 | +------+------------------------+------------------------------+ | 10 | Packet length | RFC5575 | +------+------------------------+------------------------------+ | 11 | DSCP | RFC5575 | +------+------------------------+------------------------------+ | 12 | Fragment | RFC5575 | +------+------------------------+------------------------------+ | 13 | Flow Label | I-D.ietf-idr-flow-spec-v6 | +------+------------------------+------------------------------+ 4.1.1. Order of Traffic Filtering Rules With traffic filtering rules, more than one rule may match a particular traffic flow. The order of applying the traffic filter rules is the same as described in Section 5.1 of [RFC5575] and in Section 3.1 of [I-D.ietf-idr-flow-spec-v6]. You, et al. Expires December 31, 2015 [Page 9] Internet-Draft ISIS FlowSpec June 2015 4.1.2. Validation Procedure [RFC5575] defines a validation procedure for BGP FlowSpec rules, and [I-D.ietf-idr-bgp-flowspec-oid] describes a modification to the validation procedure defined in [RFC5575] for the dissemination of BGP flow specifications. The IS-IS FlowSpec should support similar features to mitigate the unnecessary application of traffic filter rules. The IS-IS FlowSpec validation procedure is described as follows. When a router receives a FlowSpec rule including a destination prefix filter from its neighbor router, it should consider the prefix filter as a valid filter unless the S bit in the flags field of Filter TLV is set. If the S bit is set, then the FlowSpec rule is considered valid if and only if: The originator of the FlowSpec rule matches the originator of the best-match unicast route for the destination prefix embedded in the FlowSpec. The former rule allows any centralized controller to originate the prefix filter and advertise it within a given IS-IS network. The latter rule, also known as a Strict Validation rule, allows strict checking and enforces that the originator of the FlowSpec filter is also the originator of the destination prefix. When multiple equal-cost paths exist in the routing table entry, each path could end up having a separate set of FlowSpec rules. When a router receives a FlowSpec rule not including a destination prefix filter from its neighbor router, the validation procedure described above is not applicable. The FlowSpec filter validation state is used by an IS-IS speaker when the filter is considered for an installation in its FIB. An IS-IS speaker MUST flood IS-IS LSP containing a FlowSpec Reachability TLV as per the rules defined in [ISO-10589] regardless of the validation state of the prefix filters. 4.2. FlowSpec Action sub-TLV There are one or more FlowSpec Action TLVs associated with a FlowSpec Filters TLV. Different FlowSpec Filters TLV could have the same FlowSpec Action TLVs. The following IS-IS FlowSpec action TLVs, except Redirect, are same as defined in [RFC5575]. You, et al. Expires December 31, 2015 [Page 10] Internet-Draft ISIS FlowSpec June 2015 Redirect: IPv4 or IPv6 address. This IP address may correspond to a tunnel, i.e., the redirect allows the traffic to be redirected to a directly attached next-hop or a next-hop requiring a route lookup. Table 2: Traffic Filtering Actions in [RFC5575], etc. +-------+-----------------+---------------------------------------+ | type | FlowSpec Action | RFC/WG draft | +-------+-----------------+---------------------------------------+ | 0x8006| traffic-rate | RFC5575 | | | | | | 0x8007| traffic-action | RFC5575 | | | | | | 0x8108| redirect-to-IPv4| I-D.ietf-idr-flowspec-redirect-rt-bis | | | | | 0x800b| redirect-to-IPv6| I-D.ietf-idr-flow-spec-v6 | | | | | | 0x8009| traffic-marking | RFC5575 | +-------+-----------------+---------------------------------------+ 4.2.1. Traffic-rate Traffic-rate TLV is encoded as: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TBD4 | 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Traffic-rate | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Traffic-rate: the same as defined in [RFC5575]. 4.2.2. Traffic-action Traffic-action TLV is encoded as: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TBD5 | 2 | Reserved |S|T| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ S flag and T flag: the same as defined in [RFC5575]. You, et al. Expires December 31, 2015 [Page 11] Internet-Draft ISIS FlowSpec June 2015 4.2.3. Traffic-marking Traffic-marking TLV is encoded as: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TBD6 | 2 | Reserved | DSCP Value| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ DSCP value: the same as defined in [RFC5575]. 4.2.4. Redirect-to-IP Redirect-to-IPv4 is encoded as: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TBD7 | 6 | Reserved |C| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Redirect to IPv6 TLV is encoded as: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TBD8 | 18 | Reserved |C| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IPv4/6 Address: the redirection target address. 'C' (or copy) bit: when the 'C' bit is set, the redirection applies to copies of the matching packets and not to the original traffic stream [I-D.ietf-idr-flowspec-redirect-ip]. 5. Redistribution of FlowSpec Routes In certain scenarios, FlowSpec routes MAY get redistributed from one protocol domain to another; specifically from BGP to IS-IS and vice- versa. When redistributed from BGP, the IS-IS speaker SHOULD You, et al. Expires December 31, 2015 [Page 12] Internet-Draft ISIS FlowSpec June 2015 generate a FlowSpec Reachability TLV for the redistributed routes and announce it within an IS-IS domain. An implementation MAY provide an option for an IS-IS speaker to announce a redistributed FlowSpec route within an IS-IS domain regardless of being installed in its local FIB. An implementation MAY impose an upper bound on number of FlowSpec routes that an IS-IS router MAY advertise. 6. IANA Considerations This document defines the following new IS-IS TLV types, which need to be reflected in the IS-IS TLV codepoint registry. 6.1. FlowSpec reachability TLV +------+---------------------------------+-----+-----+-----+ | Type | Description | IIH | LSP | SNP | +------+---------------------------------+-----+-----+-----+ | TBD1 | The FlowSpec Reachability TLV | n | y | n | +------+---------------------------------+-----+-----+-----+ 6.2. FlowSpec Filters sub-TLV +--------+-----------------------+--------------------------+ | Type | Description | encoding | +--------+-----------------------+--------------------------+ | TBD2 |The FlowSpec filters | flow-spec NLRI value | | TBD3 | sub-TLV | [RFC5575] | | | |I-D.ietf-idr-flow-spec-v6 | +--------+-----------------------+--------------------------+ 6.3. FlowSpec Action sub-TLV This document defines a group of FlowSpec actions. The following TLV types need to be assigned: Type TBD4 - traffic-rate Type TBD5 - traffic-action Type TBD6 - traffic-marking Type TBD7 - redirect to IPv4 Type TBD8 - redirect to IPv6 7. Security considerations This extension to IS-IS does not change the underlying security issues inherent in the existing IS-IS. Implementations must assure that malformed TLV and Sub-TLV permutations do not result in errors which cause hard IS-IS failures. You, et al. Expires December 31, 2015 [Page 13] Internet-Draft ISIS FlowSpec June 2015 8. Acknowledgement TBD. 9. References 9.1. Normative References [ISO-10589] ISO, "Intermediate System to Intermediate System intra- domain routeing information exchange protocol for use in conjunction with the protocol for providing the connectionless-mode network service (ISO 8473)", International Standard 10589: 2002, Second Edition, 2002. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended Communities Attribute", RFC 4360, February 2006. [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., and D. McPherson, "Dissemination of Flow Specification Rules", RFC 5575, August 2009. 9.2. Informative References [I-D.ietf-idr-bgp-flowspec-oid] Uttaro, J., Filsfils, C., Smith, D., Alcaide, J., and P. Mohapatra, "Revised Validation Procedure for BGP Flow Specifications", draft-ietf-idr-bgp-flowspec-oid-02 (work in progress), January 2014. [I-D.ietf-idr-flow-spec-v6] Raszuk, R., Pithawala, B., McPherson, D., and A. Andy, "Dissemination of Flow Specification Rules for IPv6", draft-ietf-idr-flow-spec-v6-06 (work in progress), November 2014. [I-D.ietf-idr-flowspec-redirect-ip] Uttaro, J., Haas, J., Texier, M., Andy, A., Ray, S., Simpson, A., and W. Henderickx, "BGP Flow-Spec Redirect to IP Action", draft-ietf-idr-flowspec-redirect-ip-02 (work in progress), February 2015. You, et al. Expires December 31, 2015 [Page 14] Internet-Draft ISIS FlowSpec June 2015 [I-D.ietf-idr-flowspec-redirect-rt-bis] Haas, J., "Clarification of the Flowspec Redirect Extended Community", draft-ietf-idr-flowspec-redirect-rt-bis-04 (work in progress), April 2015. Authors' Addresses Jianjie You Huawei 101 Software Avenue, Yuhuatai District Nanjing, 210012 China Email: youjianjie@huawei.com Qiandeng Liang Huawei 101 Software Avenue, Yuhuatai District Nanjing, 210012 China Email: liangqiandeng@huawei.com Keyur Patel Cisco Systems 170 W. Tasman Drive San Jose, CA 95124 95134 USA Email: keyupate@cisco.com Peng Fan China Mobile Email: fanpeng@chinamobile.com You, et al. Expires December 31, 2015 [Page 15]