| Internet-Draft | BGP FlowSpec v2 | July 2021 |
| Hares | Expires 13 January 2022 | [Page] |
BGP flow specification version 1 (RFC8955, RFC8956) describes the distribution of traffic filter policy (traffic filters and actions) which are distributed via BGP to BGP peers. Multiple applications utilize the BGP distributed traffic filter policy. These applications include: (1) mitigation of Denial of Service (DoS), (2) enabling of traffic filtering in BGP/MPLS VPNS, (3)centralized traffic control for networks utilizing either SDN control of router firewall functions. During the deployment of BGP flow specification v1, the following issues were detected: 1) problems due to the lack of clear TLV encoding for rules for flow specifications, 2) desire to order filters rules, and 3) ordering of actions to provide deterministic actions. Version 2 of the BGP flow specification protocol addresses these features.¶
BGP Flow Specification v2 is encapsulated in a different NLRI which encapsulates previous flow specification informatino.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 13 January 2022.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
BGP ([RFC4271]) flow specification (see [RFC8955] and [RFC8956]) describes the distribution of traffic filter policy (traffic filters and actions) which are distributed via BGP to BGP peers. The traffic filter policy is applied when packets are received on a router with the flow specification function turned on. Multiple applications utilize the BGP distributed traffic filter policy. These applications include: (1) mitigation of Denial of Service (DoS), (2) enabling of traffic filtering in BGP/MPLS VPNS, and (3)centralized traffic control for networks utilizing either SDN control of router firewall functions. During the deployment of BGP flow specification v1, the following issues were detected:¶
Version 2 of the BGP flow specification protocol addresses these features.¶
This document describes distribution of three new BGP Flow Specification NLRI (3 AFIs (1, 2, and 6) with SAFI (TBD) that allow user-ordered list of traffic match filters, and user-ordered traffic match actions encoded in BGP Wide Communities. This document contains a overview in this section and the following other sections:¶
This section reviews the existing flow specification and provides a logical description of ordered flow specification.¶
If one considers the reception of the packet as an event, then BGP flow specification describes a set of minimalistic Event-MatchCondition-Action (ECA) policies where the match-condition is defined in the BGP NLRI, and the action is defined either by the default condition (accept traffic) or actions defined in Extended BGP Community values [RFC4360].¶
The initial set of policy [RFC8955] and [RFC8956] for this policy includes 13 types of match filters encoded the following: specific AFI/SAFIs for the IPv4 and IPv6 AFIs:¶
The 13 types of filters are the following:¶
The actions proposed in [RFC8955] and [RFC8956] for exclusion on Extended Community (0xttss) are the following:¶
The flow specification filers and actions combine to make up flow specification rules associated with an NRLI. The Extended Communities for actions can be attached to a single rule or multiple rules. Figure 1 shows a diagram of the flow specification data structures.¶
+--------------------------------------+
| Flow Specification (FS) |
| Policy |
+--------------------------------------+
^ ^ ^
| | |
| | |
+--------^----+ +-------^-------+ +-------------+
| FS Rule1 | | FS Rule | ... | FS rule |
+-------------+ +---------------+ +-------------+
: :
: :
...: :........
: :
+---------V---------+ +----V-------------+
| Rule Condition | | Rule Action |
| in BGP NLRIs | | in BGP extended |
| AFIs: 1 and 2 | | Communities |
| SAFI 133, 134 | | |
+-------------------+ +------------------+
: : : : : :
.....: . :..... .....: . :.....
: : : : : :
+----V---+ +---V----+ +--V---+ +-V------+ +--V-----++--V---+
| Match | | match | |match | | Action | | action ||action|
|Operator| |Variable| |Value | |Operator| |variable|| Value|
|*1 | | | | | |(subtype| | || |
+--------+ +--------+ +------+ +--------+ +--------++------+
*1 match operator may be complex.
Figure 1: BGP Flow Specification Policy
¶
An minimal ordered specification of the rules would include an order indicator per rule. The inclusion of names for each rule, match condition and action allows for logical indirection. The existing extended community which tags multiple NLRIs could be saved as an indirect reference by name. For Flow specification v1 actions, the Extended actions could be assigned default names. The actions could be linked to many NLRIs. Figure 2 below provides a logical diagram of the ordering of rules and the association of names per rule, rule match action, and rule action.¶
Since many policies also group data flow specifications under rule groups, many implementations may order set of rules under a particular group policy. Network Management display of BGP filers may use the Rule Grouping mechanism to display the filters.¶
+--------------------------------+
| Rule Group |
+------------------------------ -+
^ ^ ^
| ---------- |
| | ------
| | |
+--------^-------+ +-------^-----+ +---^-----+
| Rule1 | | Rule2 | ... | Rule-n |
+----------------+ +-------------+ +---------+
: : : :
:.................: : : :
: |.........: : :
+--V--+ +--V--+ : :
| name| |order| .........: :.....
+-----+ +-----+ : :
: :
+----------------V----+ +-----V------- --+
|Rule Match condition | | Rule Action |
+---------------------+ +-----------------+
: : : : : : : :
+--V--+ : : : +--V--+ : : :
| name| : : : |name | : : :
+-----+ : : : +-----+ : : :
: : : : : :...........
: : : : : :
.....: . :..... ..: :..... :
: : : : : :
+----V---+ +---V----+ +--V---+ +-V------++--V-----++--V---+
| Match | | match | |match | | Action || action ||action|
|Operator| |variable| |Value | |Operator||Variable|| Value|
+--------+ +--------+ +------+ +--------++--------++------+
Figure 2: Order Flow Specification Data storage
¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
The BGP Flow Specification version 2 (BGP-FS v2) uses an NRLI with the format for AFIs for IPv4 (AFI = 1), IPv6 (AFI = 2), and L2VPN (L2VPN = 6) with a SAFI of (TBD=xx). This NLRI information is encoded using MP_READ_NRI and MP_UNREACH_NLRI attributes defined in [RFC4760]. Whenever the corresponding application does not require Next-HOP information, this shall be encoded as zero-octet length Next Hop in the MP_REAC_NLRI and ignored upon receipt.¶
Implementations wishing to exchange flow specification rules MUST use BGP's Capability Advertisement facility to exchange the Multiprotocol Extension Capability Code (Code 1) as defined in [RFC4760], and indicate a capability for flow specification v2 (TBD).¶
The AFI/SAFI NLRI for BGP Flow Specification has the format:¶
+------------------------+ |length (2 octets) | +------------------------+ | Sub-TLVs (variable) | | +====================+ | | | order (2 octets) | | | +--------------------+ | | | type (2 octets) | | | +--------------------+ | | | length (2 octets) | | | +--------------------+ | | | value (variable) | | | +====================+ | +------------------------+ Figure 3 -Flow Specification v2 format¶
where:¶
type - is one of the following types¶
Filters are processed in the order specified by the user.¶
The BGP flow specification V2 identifier sub-TLVs use the following format:¶
+------------------------+ |length (2 octets) | +------------------------+ | Sub-TLVs (variable) | | +====================+ | | | order (2 octets) | | | +--------------------+ | | | type = 00 | | | +--------------------+ | | | length (4 octets) | | | +--------------------+ | | | identifier for | | | | rule (variable) | | | +====================+ | +------------------------+ Figure 4 - NRLI revision¶
The octets for the identifier are string of octets of variable length.¶
The BGP flow specification V2 identifier sub-TLVs use the following format:¶
+--------------------------+ |length (2 octets) | +--------------------------+ | Sub-TLVs (variable) | | +======================+ | | | order (2 octets) | | | +----------------------+ | | | type = 01 | | | +----------------------+ | | | length (variable) | | | +----------------------+ | | | value field | | | | AFI/SAFI field (4) | | | | components (variable | | | +======================+ | +--------------------------+ Figure 5 - Flow specification v2 with default Block traffic flow¶
Flow Specification v2 with a default Action of block traffic has the following sub-TLVs in the value field:¶
The BGP flow specification V2 identifier sub-TLVs use the following format:¶
+--------------------------+ |length (2 octets) | +--------------------------+ | Sub-TLVs (variable) | | +======================+ | | | order (2 octets) | | | +----------------------+ | | | type = 01 | | | +----------------------+ | | | length (variable) | | | +----------------------+ | | | value field | | | | AFI/SAFI field (4) | | | | components (variable | | | +======================+ | +--------------------------+ Figure 6 - Flow specification v2 with default permit traffic flow¶
Flow Specification v2 with Filters and Default action of block traffic has the following sub-TLVs in the value field:¶
The BGP flow specification V2 identifier sub-TLVs use the following format:¶
+----------------------------+ |length (2 octets) | +----------------------------+ | Sub-TLVs (variable) | | +=======================+ | | | order (2 octets) | | | +-----------------------+ | | | type = 01 | | | +-----------------------+ | | | length (variable) | | | +-----------------------+ | | | value field | | | | | | | | Action length (4) | | | | Action sub-TLVs (var) | | | | number of filters | | | | [filter 1] | | | | AFI/SAFI field (4) | | | | components (variable) | | | | [filter 2] | | | | AFI/SAFI field (4) | | | | components (variable) | | | | .... | | | +=======================+ | +----------------------------+ Figure 7 - Flow Specification with Actions encoded in NLRI¶
The Flow Specification v2 with action fields applies actions to the AFI/SAFI field. The format of the field is¶
Action SubTLVs (variable) in format Type (2 bytes), length (2 bytes), and value (variable). The types are:¶
[Type (2 bytes)][Extended-Community-type (2 bytes)][6 bytes] Figure 8 - Extended Community action type encoding¶
The Extended community types are the following:¶
Component fields as defined in the following documents:¶
The BGP-FS version 2 actions are passed in a Wide Community [I-D.ietf-idr-wide-bgp-communities] atom with the following format.¶
The BGP-FS version 2 actions are passed in a Wide Community [I-D.ietf-idr-wide-bgp-communities] atom with the following format:¶
+----------------------------+ |length (2 octets) | +----------------------------+ | Sub-TLVs (variable) | | +=======================+ | | | order (2 octets) | | | +-----------------------+ | | | type = 01 | | | +-----------------------+ | | | length (variable) | | | +-----------------------+ | | | value field | | | | | | | | Action length(4) | | | | Atom-id-1 (4) | | | | Atom-id-2 (4) | | | | number of filters | | | | [filter 1] | | | | AFI/SAFI field (4) | | | | components (variable) | | | | [filter 2] | | | | AFI/SAFI field (4) | | | | components (variable) | | | | .... | | | +=======================+ | +----------------------------+ Figure 9 - Flow Specification with IDs for Wide Community Actions¶
The BGP Atom IDs in the Wide Community must contain:¶
+--------------------------+ | Atom ID (4 octets) | +--------------------------+ | order (2 octets) | +--------------------------+ | Action type (2 octets) | +--------------------------+ | Action length (2 octets) | +--------------------------+ | Action Values (variable) | | (multiples of 2 octets) | +--------------------------+ Figure 10 Wide Community Atom¶
where:¶
The BGP Flow Specification (BGP-FS) atom can be part of the Wide Community container (type 1) or the BGP Flow Specification Atom can be part of the BGP Flow Specification container (type 2) which will have:¶
+-----------------------------+ | Source AS Number (4 octets)| +-----------------------------+ | list of atoms (variable) | +-----------------------------+ figure 11¶
This section needs to be discussed with the authors of draft-ietf-idr-flowspec-nv03.¶
This section discusses the optional BGP Security additions for BGP-FS v2 relating to BGPSEC [RFC8205] and ROA.¶
Flow specification v1 ([RFC8955] and [RFC8956]) do not BGP Flow specifications to be passed BGPSEC [RFC8205] BGP Flow Specification v2 can be passed in BGPSEC, but it is not required.¶
BGP Flow Specification v2 can utilize ROAs in the validation. If BGP-FS v2 is used with BGPSEC and ROA, the first thing is to validate the route within BGPSEC and second to utilize BGP ROA to validate the route origin.¶
The BGP-FS peers using both ROA and BGP-FS validation determine that a BGP Flow specification is valid if and only if one of the following cases:¶
If the BGP Flow Specification NLRI has a IPv4 or IPv6 address in destination address match filter and the following is true:¶
If a BGP ROA has not been received that matches the IPv4 or IPv6 destination address in the destination filter, the match filter must abide by the [RFC8955] and [RFC8956] validation rules of:¶
The best match is defined to be the longest-match NLRI with the highest preference.¶
The distribution of Flow Specifications from a centralized server supports mitigation of DoS attacks. [I-D.ietf-idr-bgp-flowspec-oid] suggests the following redefined procedure for validation for this case:¶
A route is valid if the following conditions holds true:¶
This reduced validation mechanism can be used for BGP-FS v2 within a single domain.¶
This section complies with [RFC7153]¶
This document requests:¶
Registry be created for BGP-FS V2 filter component types with the following ranges:¶
Registry be created for BGP-FS v2 action types with the following ranges:¶
The use of ROA improves on [RFC8955] to check the route orgination is valid can improve the validation sequence for a multiple-AS environment. The use of BGPSEC [RFC8205] to secure the packet can increase security of BGP flow specification information sent in the packet.¶
The use of the reduced validation within an AS [I-D.ietf-idr-bgp-flowspec-oid] can provide adequate validation for distribution of flow specification within an single autonomous system for prevention of DDOS.¶
Distribution of flow filters may provide insight into traffic being sent within an AS, but this information should be composite information that does not reveal the traffic patterns of individuals.¶