Internet DRAFT - draft-ma-idr-flowspec-mpls







Network Working Group                                             Dan Ma
Internet-Draft                                             Cisco Systems
Updates: RFC5575                                            Aug 10, 2014 
Intended status: Standards Track                           
Expires: Jan 31, 2015                                     
                                                                     



           Dissemination of Flow Specification Rules for MPLS Flow
                     draft-ma-idr-flowspec-mpls-00


Abstract

   Dissemination of Flow Specification Rules [RFC5575] specifies BGP 
   SAFIs 133 and 134, together with NLRI component types and extended 
   communities, to propagate native IP flow information for the purpose 
   of dropping, rate limiting or filtering matching traffic.

   This document extends [RFC5575] with additional component types and 
   extended communities that propagate MPLS flow information.



Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on Dec 31, 2014.



Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.




Table of Contents

   1.  Introduction
   2.  MPLS Flow Specification encoding in BGP
   3.  MPLS Flow Specification Traffic Actions
   4.  Security considerations
   5.  IANA Considerations
   6.  Acknowledgments
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses




1.  Introduction

   BGP Flowspec is a mechanism that assists in DDoS mitigation.  It 
   offers application-aware filtering, redirection and mirroring of 
   flows, adapts dynamically to the traffic, and is easy to disseminate 
   because it reuses BGP (SAFI 133/134) as the distribution protocol.

   [RFC5575] and subsequent drafts such as [IPV6-FLOW] define many flow 
   specification component types, for example IP source/destination 
   address, IP protocol, TCP/UDP source/destination port, DSCP and 
   packet length.  All of these types describe native IP flows, so they 
   can only be applied on PE-CE links or in other scenarios where the 
   packets are native IP.

   There is also a requirement to mitigate DDoS attack traffic on 
   Inter-AS ASBRs or on CSC-PE/CSC-CE routers, to keep that traffic out 
   of the Service Provider core network.  Traffic between ASes and 
   between CSC routers is MPLS labeled, so BGP Flowspec needs MPLS 
   component types.  Internet traffic carried over an MPLS LSP has the 
   same requirement.

   As forwarding hardware evolves, more and more applications (for 
   example OpenFlow and ACLs) can classify and act on MPLS flows, so BGP 
   Flowspec should have this capability as well.

   With MPLS flow support in BGP Flowspec, a Service Provider 
   administrator or operator has more flexibility to mitigate DDoS 
   attack traffic arriving from another AS or from a Tier-2 service 
   provider's CSC-CE.

   In this document the authors propose a set of new NLRI component 
   types and extended communities that extend Dissemination of Flow 
   Specification Rules [RFC5575] to MPLS flows.

   This specification should be treated as an extension of the base 
   [RFC5575] specification for MPLS flows.  It defines only the delta 
   required to support MPLS flows; all other definitions and 
   operational mechanisms of Dissemination of Flow Specification Rules 
   remain in the base specification and are not repeated here.




2.  MPLS Flow Specification encoding in BGP

   [RFC5575] defines two new SAFIs, 133 for IPv4 and 134 for VPNv4, in 
   order to carry the flow specification corresponding to each of those 
   applications.

   This document proposes the following component types for MPLS flows 
   to extend [RFC5575].  Each uses the numeric operator of [RFC5575] 
   Section 4, in which the length field of the operator byte selects a 
   1-, 2-, 4- or 8-byte value:


      Type 14 - MPLS label

         Encoding: <type (1 octet), [op, value]+>

         Defines a list of {operation, value} pairs used to match the 
         MPLS label.  Values are encoded as 1-, 2- or 4-byte quantities.
         Note that the label is a 20-bit field, so any label value above 
         65535 requires the 4-byte encoding; an implementation MUST 
         accept it.

      Type 15 - MPLS label TTL

         Encoding: <type (1 octet), [op, value]+>

         Defines a list of {operation, value} pairs used to match the 
         MPLS label TTL.  Values are encoded as 1- or 2-byte quantities 
         (the TTL is an 8-bit field).


      Type 16 - MPLS label EXP

         Encoding: <type (1 octet), [op, value]+>

         Defines a list of {operation, value} pairs used to match the 
         MPLS label EXP bits.  Values are encoded as 1- or 2-byte 
         quantities (EXP is a 3-bit field).



      Type 17 - MPLS label BoS bit

         Encoding: <type (1 octet), [op, value]+>

         Defines a list of {operation, value} pairs used to match the 
         MPLS label bottom of stack bit.  Values are encoded as 1- or 
         2-byte quantities (BoS is a 1-bit field, so the value is 0 or 
         1).
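   The encoding above, as an added worked example that is not part of 
   this draft.  The code encodes and decodes a Flowspec NLRI carrying 
   the proposed MPLS component types 14 to 17 using the numeric 
   operator byte and NLRI length prefix of RFC 5575, then evaluates the 
   decoded rule against a 32-bit MPLS label stack entry in the RFC 3032 
   layout (label 20, EXP 3, BoS 1, TTL 8 bits).  The function names and 
   the label stack entries in demo() are constructed for the example; 
   it also shows why a label above 65535 needs the 4-byte value length.

```python
"""Flow Specification NLRI encoding for the proposed MPLS component types.

Added example, not part of the draft.  Implements the RFC 5575 numeric
operator for component types 14 (label), 15 (TTL), 16 (EXP), 17 (BoS)
and evaluates a decoded rule against an RFC 3032 label stack entry.
The label stack entries in demo() are constructed sample data.
"""
import struct

MPLS_LABEL, MPLS_TTL, MPLS_EXP, MPLS_BOS = 14, 15, 16, 17

# RFC 5575 numeric operator byte:  e  a  len len  0  lt  gt  eq
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01
LEN_CODE = {1: 0, 2: 1, 4: 2, 8: 3}          # value length -> len bits
CODE_LEN = {v: k for k, v in LEN_CODE.items()}


def value_size(value):
    """Smallest RFC 5575 value length (1, 2, 4 or 8 bytes) holding value."""
    for size in (1, 2, 4, 8):
        if value < 1 << (8 * size):
            return size
    raise ValueError("value does not fit in 8 bytes")


def encode_component(ctype, pairs):
    """Encode <type, [op, value]+>.  pairs are (flags, value) where flags
    combine OP_AND/OP_LT/OP_GT/OP_EQ; the end-of-list bit is set here."""
    out = bytes([ctype])
    for i, (flags, value) in enumerate(pairs):
        size = value_size(value)            # a 20-bit label needs 4 bytes
        op = (flags & 0x47) | (LEN_CODE[size] << 4)
        if i == len(pairs) - 1:
            op |= OP_END
        out += bytes([op]) + value.to_bytes(size, "big")
    return out


def encode_nlri(components):
    """Prefix the concatenated components with the RFC 5575 NLRI length
    (1 byte below 240, otherwise 2 bytes with 0xF in the top nibble)."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def decode_nlri(data):
    """Return {type: [(op_flags, value), ...]} parsed from one NLRI."""
    if data[0] < 0xF0:
        length, pos = data[0], 1
    else:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    end, rule = pos + length, {}
    while pos < end:
        ctype, pos, pairs = data[pos], pos + 1, []
        while True:
            op = data[pos]
            size = CODE_LEN[(op >> 4) & 0x3]
            value = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pairs.append((op & 0x47, value))
            pos += 1 + size
            if op & OP_END:
                break
        rule[ctype] = pairs
    return rule


def parse_label_entry(entry):
    """Split a 32-bit label stack entry: label(20) EXP(3) BoS(1) TTL(8)."""
    word = struct.unpack("!I", entry)[0]
    return {MPLS_LABEL: word >> 12, MPLS_EXP: (word >> 9) & 0x7,
            MPLS_BOS: (word >> 8) & 0x1, MPLS_TTL: word & 0xFF}


def numeric_match(pairs, field):
    """Evaluate an operator list; AND binds tighter than OR (RFC 5575)."""
    or_acc, and_acc = False, None
    for i, (flags, value) in enumerate(pairs):
        hit = bool((flags & OP_LT and field < value) or
                   (flags & OP_GT and field > value) or
                   (flags & OP_EQ and field == value))
        if i and flags & OP_AND:
            and_acc = and_acc and hit
        else:                               # start of a new OR term
            if and_acc is not None:
                or_acc = or_acc or and_acc
            and_acc = hit
    return or_acc or bool(and_acc)


def rule_matches(rule, entry):
    """A rule matches when every component matches the top label entry."""
    fields = parse_label_entry(entry)
    return all(numeric_match(pairs, fields[t]) for t, pairs in rule.items())


def demo():
    # Rule: label == 100000 (needs a 4-byte value), EXP >= 5, BoS == 1.
    nlri = encode_nlri([
        encode_component(MPLS_LABEL, [(OP_EQ, 100000)]),
        encode_component(MPLS_EXP, [(OP_GT | OP_EQ, 5)]),
        encode_component(MPLS_BOS, [(OP_EQ, 1)]),
    ])
    rule = decode_nlri(nlri)
    # Constructed entries: label 100000, BoS 1, TTL 64, with EXP 5 and EXP 3.
    hit = struct.pack("!I", (100000 << 12) | (5 << 9) | (1 << 8) | 64)
    miss = struct.pack("!I", (100000 << 12) | (3 << 9) | (1 << 8) | 64)
    return nlri.hex(), rule_matches(rule, hit), rule_matches(rule, miss)


if __name__ == "__main__":
    print(demo())
```

   The label component in demo() encodes to 0e a1 00 01 86 a0: type 14, 
   an operator byte with end-of-list set, len bits 10 (4 bytes) and eq, 
   followed by 100000 as a 4-byte value.  A receiver that only accepts 
   1- and 2-byte values would reject this NLRI, which is the reason the 
   4-byte length is called out in the Type 14 description.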





3.  MPLS Flow Specification Traffic Actions

   [RFC5575] defines the following traffic filtering action extended
   communities:

        +--------+--------------------+--------------------------+
        | type   | extended community | encoding                 |
        +--------+--------------------+--------------------------+
        | 0x8006 | traffic-rate       | 2-byte as#, 4-byte float |
        | 0x8007 | traffic-action     | bitmask                  |
        | 0x8008 | redirect           | 6-byte Route Target      |
        | 0x8009 | traffic-marking    | DSCP value               |
        +--------+--------------------+--------------------------+

   In addition to supporting the above extended communities for MPLS 
   flows, this document proposes the following BGP extended communities 
   to extend [RFC5575]:

        +--------+--------------------+--------------------------+
        | type   | extended community | encoding                 |
        +--------+--------------------+--------------------------+
        | 0x800A | MPLS EXP marking   | EXP value                |
        | 0x800B | MPLS TTL setting   | TTL value                |
        | 0x800C | Label-action       | bitmask                  |
        +--------+--------------------+--------------------------+


   0x800A -  MPLS EXP marking

   The MPLS EXP marking extended community instructs a system to modify 
   the EXP bits of a transiting MPLS packet to the given value.  This 
   extended community is encoded as a sequence of 5 zero bytes followed 
   by the EXP value encoded in the 3 least significant bits of the 6th 
   byte.


   0x800B -  MPLS TTL setting

   The MPLS TTL setting extended community instructs a system to modify 
   the TTL field of a transiting MPLS packet to the given value.  This 
   extended community is encoded as a sequence of 5 zero bytes followed 
   by the TTL value encoded in the 6th byte.


   0x800C -  Label action

   The Label-action extended community consists of 6 bytes, of which 
   only the 4 least significant bits of the 6th byte (from left to 
   right) are currently defined.

                       40  41  42  43  44  45  46  47
                     +---+---+---+---+---+---+---+---+
                     |  Unassigned   | U | S | H | P |
                     +---+---+---+---+---+---+---+---+

      *  Pop Action (bit 47): when this bit is set, the top label is 
         popped from matching MPLS flows.

      *  Push Action (bit 46): when this bit is set, a label is pushed 
         onto matching MPLS flows.

      *  Swap Action (bit 45): when this bit is set, the top label of 
         matching MPLS flows is swapped.

      *  Unlabel Action (bit 44): when this bit is set, matching MPLS 
         flows are unlabeled.

   This document does not define how the label value used by the Push 
   and Swap actions is conveyed, nor the behaviour when more than one 
   action bit is set in the same community; these are left for a future 
   revision.
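   The three extended communities above (the EXP and TTL rewrites and 
   the Label-action bitmask), as an added worked example that is not 
   part of this draft.  It encodes each as an 8-byte BGP extended 
   community (2-byte type followed by the 6-byte value laid out as 
   described in this section), splits a concatenated Extended 
   Communities attribute value back into decoded actions, and applies 
   them to a label stack.  The order of application, and the handling 
   of Push, Swap and Unlabel, are assumptions for the example since the 
   draft does not define them; the label stack in demo() is constructed 
   sample data.

```python
"""Traffic action extended communities proposed in this draft.

Added example, not part of the draft.  A BGP extended community is 8
bytes: a 2-byte type (high byte 0x80, low byte the sub-type) and a
6-byte value.  Layouts follow this draft: EXP or TTL in the 6th byte
after 5 zero bytes; label-action flags in bits 44-47 of the value.
The application order in apply_actions() is an assumption for the
example, and the label stack in demo() is constructed sample data.
"""
import struct

EC_MPLS_EXP, EC_MPLS_TTL, EC_LABEL_ACTION = 0x800A, 0x800B, 0x800C
LA_POP, LA_PUSH, LA_SWAP, LA_UNLABEL = 0x1, 0x2, 0x4, 0x8   # bits 47..44


def encode_exp_marking(exp):
    """0x800A: 5 zero bytes, then EXP in the 3 LSBs of the 6th byte."""
    if not 0 <= exp <= 7:
        raise ValueError("EXP is a 3-bit field")
    return struct.pack("!H5xB", EC_MPLS_EXP, exp)


def encode_ttl_setting(ttl):
    """0x800B: 5 zero bytes, then the TTL in the 6th byte."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL is an 8-bit field")
    return struct.pack("!H5xB", EC_MPLS_TTL, ttl)


def encode_label_action(flags):
    """0x800C: bits 44-47 of the 6-byte value; bits 0-43 must be zero."""
    if flags & ~0xF:
        raise ValueError("bits 0-43 are unassigned and must be zero")
    return struct.pack("!H5xB", EC_LABEL_ACTION, flags)


def decode_communities(blob):
    """Split an Extended Communities attribute value into [(type, value)].
    Unknown types are returned with their raw 6-byte value."""
    if len(blob) % 8:
        raise ValueError("extended communities are 8 bytes each")
    out = []
    for off in range(0, len(blob), 8):
        ctype = struct.unpack("!H", blob[off:off + 2])[0]
        value = blob[off + 2:off + 8]
        if ctype == EC_MPLS_EXP:
            out.append((ctype, value[5] & 0x7))     # 3 LSBs of 6th byte
        elif ctype == EC_MPLS_TTL:
            out.append((ctype, value[5]))
        elif ctype == EC_LABEL_ACTION:
            out.append((ctype, value[5] & 0xF))     # bits 44-47
        else:
            out.append((ctype, value))
    return out


def apply_actions(stack, communities):
    """Apply decoded actions to a label stack (list of dicts, top first).

    Assumptions for the example: Pop is applied first and the EXP/TTL
    rewrites then act on the exposed top entry.  Push, Swap and Unlabel
    need information the draft does not carry (e.g. the label to push),
    so they are returned as pending names rather than applied."""
    stack = [dict(e) for e in stack]
    pending = []
    for ctype, value in communities:
        if ctype != EC_LABEL_ACTION:
            continue
        if value & LA_POP and stack:
            stack.pop(0)
        for bit, name in ((LA_PUSH, "push"), (LA_SWAP, "swap"),
                          (LA_UNLABEL, "unlabel")):
            if value & bit:
                pending.append(name)
    for ctype, value in communities:
        if ctype == EC_MPLS_EXP and stack:
            stack[0]["exp"] = value
        elif ctype == EC_MPLS_TTL and stack:
            stack[0]["ttl"] = value
    return stack, pending


def demo():
    # Constructed rule: set EXP 0, set TTL 1 and pop the top label.
    attr = (encode_exp_marking(0) + encode_ttl_setting(1) +
            encode_label_action(LA_POP))
    comms = decode_communities(attr)
    stack = [{"label": 100000, "exp": 5, "bos": 0, "ttl": 64},
             {"label": 16, "exp": 0, "bos": 1, "ttl": 64}]
    return attr.hex(), comms, apply_actions(stack, comms)


if __name__ == "__main__":
    print(demo())
```

   Rejecting any set bit in the unassigned range 0-43 on encode, and 
   masking to the defined bits on decode, keeps a sender and receiver 
   from disagreeing about flags this document does not define.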

  



4.  Security considerations

   The security considerations of [RFC5575] apply.  The component types 
   and actions defined here allow a Flowspec rule received from a BGP 
   peer to rewrite EXP and TTL and to pop, push or swap labels on 
   transit MPLS traffic at Inter-AS ASBRs and CSC boundaries, so the 
   validation rules of [RFC5575] Section 6 (see also [VALIDATE]) apply 
   to these rules as well before they are installed.  No new security 
   issues are introduced to the BGP protocol itself by this 
   specification.





5.  IANA Considerations

   IANA is requested to create and maintain a new registry entitled:
   "Flow spec MPLS Component Types":

   Type 14 - MPLS label
   Type 15 - MPLS label TTL
   Type 16 - MPLS label EXP
   Type 17 - MPLS label BoS bit



   IANA is requested to assign the following values in the "BGP
   Extended Communities Type - extended, transitive" registry:

   Type value  Name                                      Reference
   ----------  ----------------------------------------  ---------
   0x800A      Flow spec MPLS EXP marking                [this document]
   0x800B      Flow spec MPLS TTL setting                [this document]
   0x800C      Flow spec Label action                    [this document]




   The "label-action" extended community defined in this document has
   44 unused bits, which can be used to convey additional meaning.  IANA
   is requested to create and maintain a new registry entitled: "Label 
   Action Fields".  Values in this registry are to be assigned via IETF 
   Review only.  The following Label-action fields are allocated by this 
   document:

      47 Pop

      46 Push

      45 Swap

      44 Unlabel

      0-43 Unassigned




6.  Acknowledgments

   The authors would like to thank everyone who provided valuable input.




7.  References

   7.1. Normative References

   [RFC2119]        Bradner, S., "Key words for use in RFCs to Indicate
                    Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5575]        Marques, P., Sheth, N., Raszuk, R., Greene, B.,
                    Mauch, J., and D. McPherson, "Dissemination of Flow
                    Specification Rules", RFC 5575, August 2009.

   7.2. Informative References

   [IPV6-FLOW]      Raszuk, R., Pithawala, B., and D. McPherson,
                    "Dissemination of Flow Specification Rules for
                    IPv6", draft-ietf-idr-flow-spec-v6-00 (work in
                    progress), June 2011.

   [VALIDATE]       Uttaro, J., Filsfils, C., Mohapatra, P., and D.
                    Smith, "Revised Validation Procedure for BGP Flow
                    Specifications", draft-ietf-idr-bgp-flowspec-oid-00
                    (work in progress), June 2012.



Authors' Addresses

   Dan Ma
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA  95134
   US

   Email: danma@cisco.com