Filter-Based RIB Information Model
draft-kini-i2rs-fb-rib-info-model-02

Abstract

This document defines an information model for the I2RS Filter-based Routing Information Base (RIB) Yang model. A routing system uses the Filter-based RIBto program FIB entries that process incoming packets by matching on multiple fields within the packet and then performing a specified action on it. The FB-RIB can also specify an action to forward the packet according to the FIB entries programmed using the RIBs of its routing instance.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 21, 2016.

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction

1.1. Definition of I2RS Filter Based RIB
1.2. ECA Policy Supported
1.3. I2RS Use Cases Suported by Filter-Based RIB

2. Definitions and Acronyms
3. Filter-Based-RIB module

3.1. FB-RIB entries
3.2. Relationship between RB-RIB Rule Model and RIB Information Model

4. IANA Considerations
5. Security Considerations
6. References

6.1. Normative References:
6.2. Informative References

Authors' Addresses

1. Introduction

The Interface to the Routing System (I2RS) [I-D.ietf-i2rs-architecture] architecture provides dynamic read and write access to the information and state within the routing elements. The I2RS client interacts with the I2RS agent in one or more network routing systems.

This document provides an information module for the I2RS filter Based Routing Information Base (FB-RIB) and describes the I2RS interaction with routing filters within a routing element.

1.1. Definition of I2RS Filter Based RIB

Filter-based routing is a technique used to make packet forwarding decisions based on a filter that is matched to the incoming packets and the specified action. It should be noted that that this is distinct from the static routes in the RIB [I-D.ietf-i2rs-rib-info-model] where the routing is destination ddress based.

A Filter-Based RIB (Routing Information Base) is contained in a routing instance (defined in [I-D.ietf-i2rs-rib-info-model]). It contains a list of filters (match-action conditions), a list of interface the filter-based forwarding operates on. Filter-based RIBs (FB-RIBs) operate only on the interface the FB-RIB are configured on.

A Filter Based RIB uses Event-Condition-Action policy. A Filter-based RIB entry specifies matches on fields in a packet (which may include layer 2 fields, IP header fields, transport or application fields) or size of the packet or interface received on. The matches are contained in an ordered list of filters which contain pairs of match condition-action (aka event-condition-action).

If all matches fail, default action is to forward the packet using FIB entries that were programmed by the Routing Informational Base (RIB) manager described in [I-D.ietf-i2rs-rib-info-model].

Actions in the condition-action pair may impact forwarding or set something in the packet that will impact forwarding. Policy actions are typically applied before applying QoS constraints since policy actions may override QoS constraint.

The Filter-Based RIB resides in ephemeral state as does the I2RS RIB and I2RS topology models.

1.2. ECA Policy Supported

The filter based-RIB uses event-condition-action policy (ECA) rules. The following policies are used in this version of the yang module:

Access lists (ACLs) [I-D.ietf-netmod-acl-model]
Basic network filters [I-D.hares-i2rs-bnp-info-model]

              Ingress filter Matches (for ECA policy)
                           |
                           |
       +-------+--------+--+------+-----+------+----+-----+
       |       |        |         |     |      |    |     |
       |       |        |         |     |      |    |     |
   L3-Header L2-header L4-header VLAN  VN ID  size event ...  

  Figure 1: Possible matching conditions for basic network filters

Proprietary filters may augment these IETF defined ECA rules. The IETF filters support basic filtering plus QOS and load balancing. Below is an example set of match conditions on ingreessI2RS that the basic I2RS FB-RIB can support.

1.3. I2RS Use Cases Suported by Filter-Based RIB

The I2RS use cases which benefit from Filter-Based Routing are:

Protocol independent Use cases and large flow use cases described in [I-D.hares-i2rs-usecase-reqs-summary].
the use cases of steering traffic to their designated service functions that are different than the packet's destinations, and
large flow use cases described in [I-D.hares-i2rs-usecase-reqs-summary]

2. Definitions and Acronyms

CLI: Command Line Interface
FB-RIB: Filter-Based Routing Information Base
FB-Route: The policy rules in the filter-based RIB are prescriptive of the Event-Condition-Action form which is often represented by if Condition then action".
Policy Group: Policy Groups are groups of policy rules. The groups of policy in the basic network policy [I-D.hares-i2rs-bnp-info-model] allow grouping of policy by name. This name allow easier management of customer-based or provider based filters.
RIB IM: RIB Informational Model (RIB IM) [I-D.ietf-i2rs-rib-info-model]
Routing instance: A routing instance, in the context of the FB-FIB is a collection of RIBs, interfaces, and routing parameters. A routing instance creates a logical slice of the router and allows different logical slices; across a set of routers; to communicate with each other.

3. Filter-Based-RIB module

A Filter-Based RIB (FB-RIB)contains an ordered set of filter routes where each filter-route is a match condition followed by an action. An FB-RIB is contained in a routing-instance that is defined in [I-D.ietf-i2rs-rib-info-model] and whose data modelling is done in [I-D.ietf-i2rs-rib-data-model]. An FB-RIB has a list of interfaces that is a subset of the list of interfaces in the routing-instance that it is contained in. An incoming packet on an interface belonging to a FB-RIB is first handled by the FIB programmed using that FB-RIB. If no match action succeeds, then the packet is forwarded using the FIB programmed using the RIB of that routing instance.

An ordered set of filters implies that the insertion of a filter route into a FB-RIB MUST provide the ability to insert a filter route at any specific position and delete of a filter-based route at a specific position. The ability to change a filter route at a specific position combines these two functions (delete an existing filter route rule and add a new policy rule).

Each FB-RIB is contained within a routing instance, but one routing instance (named by an INSTANCE_NAME) can contain multiple FB-RIBs. Each routing instance is associated with a set of interfaces, a router-id, and list of FB-RIBs. Each interface can be associated with at most one FB RIB.

The processing within the FB-RIB process within the routing system is expected to do the following:

When a packet successfully matches match term/entry in a filter-route, the corresponding rule-actions are applied.
If a packet does not match the match term/entry in the filter route, the filter route processing goes to the next term/entry in the order, and looks for a match, within the current filter or goes to the next filter in the list. This continues until either a filter route match term/entry is successfully matched, or no more filters in the list exists.
If no match has been found within list of filters in FB-RIB list, then the packet will be forwarded using the I2RS RIB specified by the FB-RIB if one exists. If no I2RS RIB is specified, the packet will be discarded.

 
         +-------------------------------+
         |     routing instance          |
         +-----------|-------------------+
                     |                
                     |                
            +--------|----+  
            |FB-RIB *list |  
            |             |  
            +--|----------+  
               |             
               ^
              /|\ 
         +-----^-----------------------+
         |        FB-RIB               |              
         +----|------|-------------|---+  
              |  +---|----+  +-----|-----+
              |  | I2 RIB |  |interface* |
              |  | Name   |  | (Names)   |
              |  +--------+  +-----------+
			  |
         +-----------------------+  
         | FB-RIB Ordered List   | 
         |   of filter rules     |
         +-----------|-----------+ 	   
                     | Filter policy list-entries
                     | entries depend on type
                     |  (ACL, Routing, QOS, SFC)  
         +-----------|-----------+
         |    Groups             |
         +-----------|-----------+
                     | Groups depend on type  
         +-----------|--------------+			 
         |      Rules (by type)     |
         |(ordered list of rules of |
         | the form match-action)   |  
         +--------------------------+			 
                     | Entries depend on type  
 
 
	   Figure 2: Routing instance with FB-RIB

Policy definitions
	
ACL types: 
Policy level access-lists 	
group level: access_lists: access-list-entries
rule level:  access_lists: access-list-entries:
               access-list-entry

 
BNP QOS 
Policy level: bnp-eca: bnp-policy-set 
group level:  bnp-eca: bnp-policy-set:rule-group-list:rule-group
rule level:   bnp-eca: bnp-policy-set:rule-group-list:rule-group
              policy-rule-list: policy-rule 		
 
Note: The ACL policy definitions do not provide sufficient
       depth for the I2RS Filter RIB, but 
	   are provided here for early implementations. 
 
Figure 3

3.1. FB-RIB entries

The FB-RIB entries associated with each FB-RIB in a routing instance are:

instance-name (FB-FIB-instance-name): Name of Routing instance
router-id (FB-RIB-router-id): router id associated with the FB-RIB function of the Routing instance
Interface_list(FB-RIB-interface): A list of interfaces that all of the FB-RIB RIBs operate over. This list must be a subset of the interface_list associated with the routing instance.
Default RIB: A RIB contained in the same routing instance that can be used to forward packets when the FIB entries in the FB-RIB list do not match the packets. This Default-RIB forwards based on destination based routing.
FB-RIB Order list of policy (FB-FIB-O-Filters: ordered list of filter rules of the form in [I-D.hares-i2rs-bnp-info-model]

 module: FB-RIB
 +--FB-RIB-module
    +--rw FB-RIB-instance-name 
    +--rw RB-RIB-router-id 
    |  uses rt:router-id
    +--rw FB-RIB*  [rib-name]
    |  +--rw rib-Name
    |  +--rw rib-afi
    |  +--rw fb-rib-intf* if:inteface-ref
    |  +--rw default-I2RS-RIB
    |  |  +--RIB-name
    |  |    uses i2rs-rib:name 
    |  +--rw fb-rib-status-info 
    |  +--rw fb-rib-update-ref uint64
    |  +--rw fb-rib-Group* 
          +-rw filter-type  // for group
          +-rw order-number // for group 	
            + choice (filter-type)	
              +-case: acl
               uses: acl: access_lists: access-list-entries
			  // operational status augment to group  
               augments: access_lists: access-list-entries
               uses fb-rib-group-order_status;
				
           // operational status augment to individual ACL 
               augments: access_lists:access-list-entries:
			             access-list-entry
			    uses fb-rib-rule-order-status;        			
				
            +--case: bnp-eca Rules 
               uses bnp-eca: bnp-policy-set
                 augments bnp-eca:bnp-policy-set:group-list:group
                     uses fb-rib-group-order_status
                 augment bnp-eca:bnp-policy-set:group-list:group:rule
                     uses fb-rib-rule-order_status				 
			
		  Figure 4: FB RIB Yang Structure

The Top-level Yang structure for the FB-RIB is:

3.2. Relationship between RB-RIB Rule Model and RIB Information Model

The I2RS RIB module is described in [I-D.ietf-i2rs-rib-info-model] and [I-D.ietf-i2rs-rib-data-model]. The I2RS RIB contains a collection of RIBs with the following information per instance:

The set of interfaces indicates which interfaces are associated with this routing instance.
The RIBs specify how incoming traffic is to be forwarded based on destination (E.g. RIB and FB-RIB).
The routing parameters control the information in the RIBs.

A routing instance may have both an I2RS RIB modules and I2RS FB-FIB modules associated with it.

FB-RIB and RIB can not be used at the same time, which means:

If a router doesn’t support filter-based routing, a router MUST use RIB and MUST not use FB-RIB.
If a router supports filter-based routing:
- FB-RIB is used
- Multiple FB-RIBs may exist within a routing instance
- An interface can be associated with at most one FB-RIB
- The Default RIB for a FB-RIB is used if several criteria beyond destination address is not matched.

4. IANA Considerations

TBD.

5. Security Considerations

A I2RS RIB is ephemeral data store that will dyanamically change traffic paths set by the routing configuration. An I2RS FB-RIB provides dynamic Event-Condition-Action policy that will further change the operation of forwarding by allow dyanmic policy and ephemeral RIBs to alter the traffic paths set by routing configuration. Care must be taken in deployments to use the appropriate security and operational control to make use of the tools the I2RS RIB and I2RS FB-RIB provide.

6. References

6.1. Normative References:

[I-D.hares-i2rs-bnp-info-model]	Hares, S., Wu, Q., Tantsura, J. and R. White, "An Information Model for Basic Network Policy and Filter Rules", Internet-Draft draft-hares-i2rs-bnp-info-model-02, March 2015.
[I-D.ietf-i2rs-architecture]	Atlas, A., Halpern, J., Hares, S., Ward, D. and T. Nadeau, "An Architecture for the Interface to the Routing System", Internet-Draft draft-ietf-i2rs-architecture-09, March 2015.
[I-D.ietf-i2rs-rib-data-model]	Wang, L., Ananthakrishnan, H., Chen, M., amit.dass@ericsson.com, a., Kini, S. and N. Bahadur, "A YANG Data Model for Routing Information Base (RIB)", Internet-Draft draft-ietf-i2rs-rib-data-model-01, September 2015.
[I-D.ietf-i2rs-rib-info-model]	Bahadur, N., Kini, S. and J. Medved, "Routing Information Base Info Model", Internet-Draft draft-ietf-i2rs-rib-info-model-07, September 2015.
[I-D.ietf-netmod-acl-model]	Bogdanovic, D., Sreenivasa, K., Huang, L. and D. Blair, "Network Access Control List (ACL) YANG Data Model", Internet-Draft draft-ietf-netmod-acl-model-03, June 2015.

6.2. Informative References

[I-D.hares-i2rs-usecase-reqs-summary]	Hares, S. and M. Chen, "Summary of I2RS Use Case Requirements", Internet-Draft draft-hares-i2rs-usecase-reqs-summary-02, May 2015.
[RFC2119]	Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

Authors' Addresses

Sriganesh Kini Ericsson EMail: sriganesh.kini@ericsson.com

Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 USA EMail: shares@ndzh.com

Linda Dunbar Huawei USA EMail: linda.dunbar@huawei.com

Anoop Ghanwani Dell EMail: anoop@alumni.duke.edu

Ram Krishnan Dell EMail: Ramkri123@gmail.com

Dean Bogdanovic Juniper Networks Westford, MA, EMail: deanb@juniper.net

Jeff Tantsura Ericsson EMail: jeff.tantsura@ericsson.com

Russ White Ericsson EMail: russ@riw.us