bess                                                              W. Lin
Internet-Draft                                          Juniper Networks
Intended status: Standards Track                                J. Drake
Expires: 22 April 2024                                        Individual
                                                                  D. Rao
                                                           Cisco Systems
                                                         20 October 2023
Group Policy ID BGP Extended Community
draft-wlin-bess-group-policy-id-extended-community-03
Abstract
Group Based Policy can be used to achieve micro or macro segmentation
of user traffic. For Group Based Policy, a Group Policy ID, also
known as Group Policy Tag, is used to represent a logical group that
shares the same policy and access privilege. This specification
defines a new BGP extended community that can be used to propagate
Group Policy ID through a BGP route advertisement in the control
plane. This is to facilitate policy enforcement at the ingress node
when the optimization of network bandwidth is desired.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 22 April 2024.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Lin, et al. Expires 22 April 2024 [Page 1]
Internet-Draft Group Policy ID BGP Extended Community October 2023
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
3. NVO Use Case . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Interconnecting multiple EVPN VXLAN domains . . . . . . . . . 4
5. EVPN Interworking with IPVPN . . . . . . . . . . . . . . . . 5
6. The Group Policy ID Extended Community . . . . . . . . . . . 5
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
8. Security Considerations . . . . . . . . . . . . . . . . . . . 6
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
10.1. Normative References . . . . . . . . . . . . . . . . . . 7
10.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
EVPN: Ethernet Virtual Private Networks, as per [RFC7432].
GBP: Group Based Policy
VXLAN: Virtual Extensible LAN
NVO: Network Virtualization Overlay
NVE: Network Virtualization Edge
DCI: Data Center Interconnect
2. Introduction
In a virtualized overlay network where EVPN with VXLAN encapsulation
is used as the overlay solution, and no external management software
or controller is present, a Group Policy ID is propagated through the
data plane. The source Group Policy ID is encoded in the VXLAN header
before the user traffic is sent into the VXLAN tunnel. The encoding
format of a Group Policy ID in the VXLAN header is specified in
[I-D.smith-vxlan-group-policy].
When the source Group Policy ID is propagated through the data plane
to the remote VXLAN tunnel endpoint, the policy enforcement is
carried out at the egress node based on both the source and
destination Group Policy tags. The policy rule for the source and
destination Group Policy tags may result in the traffic being dropped
at the remote VXLAN tunnel endpoint which is the egress node. To
send the traffic all the way from an ingress node and then drop it at
an egress node is an inefficient use of the network bandwidth.
To optimize the network bandwidth usage, it may be desirable to have
policy enforcement done at the head-end of a VXLAN tunnel that is the
ingress node for the user traffic. To accomplish this, there is a
need to communicate the destination Group Policy ID from the egress
node to the ingress node. This document defines a Group Policy ID
BGP Extended Community that can be used in the control plane to
achieve the propagation of Group Policy ID from an egress node to an
ingress node.
3. NVO Use Case
In an EVPN VXLAN overlay network, a policy group tag may be assigned
based on the MAC, IP, port, VLAN, etc., or a combination of these.
Similar to the MAC/IP addresses in the EVPN network, once the Policy
Group ID is known for a local host/server/VM attached to an EVPN
network, its Group Policy ID can be advertised to other Network
Virtualization Edge devices in the control plane through the Group
Policy ID extended community. The scheme used for classification and
allocation of Policy Group IDs used for GBP in an EVPN overlay
network with VXLAN encapsulation is outside the scope of this
document.
Policy group tag propagation in the EVPN/BGP control plane can be
applied to the EVPN type-2 MAC/IP route [RFC7432], the EVPN type-3
Ethernet Inclusive Multicast route [RFC7432] or the EVPN type-5 IP
host and prefix route [RFC9136]. If a Policy Group ID is allocated
for a MAC address, IP host or prefix address through the GBP
classification scheme, EVPN can encode its Group Policy ID in the
Group Policy ID extended community and advertise it alongside the
corresponding EVPN route.
For flows whose destination group policy tag the ingress VXLAN tunnel
endpoint has learned through EVPN/BGP control plane signaling, policy
enforcement can thus be carried out right at the ingress node.
Otherwise, policy enforcement is carried out at the egress node. If
policy enforcement is carried out at the head-end of the VXLAN
tunnel, the ingress node MUST set the GBP applied bit (the A-bit, as
specified in [I-D.smith-vxlan-group-policy]) to 1 in the VXLAN header
before forwarding the traffic into the VXLAN tunnel. Otherwise, the
ingress node sets the A-bit to 0 in the VXLAN header.
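The head-end decision described above, as an added illustration that is not part of this draft or of any vendor implementation: an ingress NVE looks up the destination tag learned from the control plane, drops traffic it has a deny rule for, and otherwise builds the VXLAN header with the A-bit set to 1 when it enforced policy itself and 0 when the egress node must still do so. The VXLAN-GBP bit positions (G, I, D, A) are taken from the referenced draft-smith-vxlan-group-policy layout as understood by the editor, and the learned-tag table, policy table, MAC addresses and VNI are constructed sample values.

```python
import struct

# VXLAN-GBP header layout as assumed here from draft-smith-vxlan-group-policy:
#   word 0: |G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R|      Group Policy ID (16 bits)      |
#   word 1: |               VNI (24 bits)                  |   Reserved (8 bits)   |
VXLAN_FLAG_G = 1 << 31   # G bit: the Group Policy ID field is present
VXLAN_FLAG_I = 1 << 27   # I bit: the VNI field is valid
VXLAN_GBP_D = 1 << 22    # D bit: "don't learn" (not used in this example)
VXLAN_GBP_A = 1 << 19    # A bit: group policy was already applied at ingress
GPI_MASK = 0xFFFF


def build_vxlan_gbp_header(vni: int, src_gpi: int, policy_applied: bool) -> bytes:
    """Return the 8-byte VXLAN-GBP header that precedes the inner Ethernet frame."""
    if not 0 <= vni < (1 << 24) or not 0 <= src_gpi <= GPI_MASK:
        raise ValueError("VNI is 24 bits, Group Policy ID is 16 bits")
    flags = VXLAN_FLAG_G | VXLAN_FLAG_I | src_gpi
    if policy_applied:
        flags |= VXLAN_GBP_A
    return struct.pack("!II", flags, vni << 8)


def parse_vxlan_gbp_header(hdr: bytes) -> dict:
    """Decode the fields an egress node needs: source tag, A-bit and VNI."""
    flags, vni_word = struct.unpack("!II", hdr[:8])
    return {
        "gbp": bool(flags & VXLAN_FLAG_G),
        "src_gpi": flags & GPI_MASK,
        "policy_applied": bool(flags & VXLAN_GBP_A),
        "vni": vni_word >> 8,
    }


# Constructed sample state of one ingress NVE (hypothetical values):
#  - destination GPIs learned from EVPN routes carrying the Group Policy ID
#    extended community, keyed by destination MAC
#  - the (source GPI, destination GPI) -> action rules known at this node
LEARNED_DST_GPI = {
    "00:11:22:33:44:55": 200,   # route carried GPI 200, a deny rule exists
    "00:11:22:33:44:66": 300,   # route carried GPI 300, a permit rule exists
    "00:11:22:33:44:77": 400,   # route carried GPI 400, no rule at ingress
}
POLICY = {
    (100, 200): "deny",
    (100, 300): "permit",
}


def ingress_forwarding_decision(src_gpi, dst_mac, vni,
                                learned=LEARNED_DST_GPI, policy=POLICY):
    """Decide at the head-end of the VXLAN tunnel.

    Returns ("drop", None) when the ingress node can enforce a deny rule
    itself (saving the bandwidth a drop at egress would waste), or
    ("forward", header) with the A-bit set to 1 when policy was enforced
    here and 0 when the egress node must still enforce it.
    """
    dst_gpi = learned.get(dst_mac)
    if dst_gpi is None:
        # Destination tag not learned via the control plane: egress enforces
        return "forward", build_vxlan_gbp_header(vni, src_gpi, policy_applied=False)
    action = policy.get((src_gpi, dst_gpi))
    if action is None:
        # Tag known but no rule configured here: leave enforcement to egress
        return "forward", build_vxlan_gbp_header(vni, src_gpi, policy_applied=False)
    if action == "deny":
        return "drop", None
    # Permit rule matched at ingress: signal A-bit = 1 so egress does not re-evaluate
    return "forward", build_vxlan_gbp_header(vni, src_gpi, policy_applied=True)
```

Leaving the A-bit at 0 whenever the ingress lacks either the destination tag or a matching rule keeps the behaviour identical to a deployment without control-plane tag propagation, so partial rollout of the extended community never silently bypasses egress enforcement.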
4. Interconnecting multiple EVPN VXLAN domains
EVPN VXLAN based deployments may comprise multiple EVPN networks,
domains or sites. In such cases, a VXLAN overlay may extend from an
ingress node to an egress node across different domains; or it may be
divided into multiple stitched overlay segments that are
interconnected via DCI through gateway devices.
In this document, we simply refer to each EVPN network or site as an
EVPN domain, or domain for short, unless explicitly specified
otherwise.
From a control plane point of view, border GWs in each domain may
learn routes of other domains either via direct peering sessions or
via a set of external route reflectors.
In such deployments, the allocation and management of Group Policy
IDs may be done independently in different domains, and consequently
the allocated values are scoped to each domain. Therefore, when a
group policy tag is signaled with routes to a different domain, the
tag needs to be translated to a value local to the receiving domain
before it can be used in a group based policy at an ingress node in
that domain.
A domain may receive routes from multiple sender domains. To
facilitate simpler and more flexible application of translation
policies regardless of the deployed overlay design or control plane
peering model, the advertised Policy ID may also carry with it a
Scope, which identifies the allocation domain. Any suitable BGP node
in the route distribution path can then consistently translate a
received Policy ID based on the scope.
Scope assignment is done by the administrator or orchestration system
managing the multi-domain deployment. The exact mechanism is out of
the purview of this document.
5. EVPN Interworking with IPVPN
In the EVPN interworking use case, as specified in
[I-D.ietf-bess-evpn-ipvpn-interworking], two or more EVPN networks/
domains are interconnected by a layer 3 IP-VPN network with VPN-IPv4/
VPN-IPv6 BGP address families. To support ingress policy
enforcement, the Policy Group ID extended community needs to be
propagated from one domain to another by the GW PEs sitting at the
border between an EVPN domain and the IP-VPN domain.
For the Uniform-Propagation-Mode defined in
[I-D.ietf-bess-evpn-ipvpn-interworking], when propagating an EVPN IP
prefix route across the domain boundary into the IP-VPN network, the
Gateway PE SHOULD propagate communities, extended communities and
large communities, except for all the EVPN extended communities. The
Policy Group ID extended community defined in this document is a new
transitive Opaque Extended Community. It is not subject to stripping
at the GW PE when the Uniform-Propagation-Mode is used, and SHOULD be
propagated.
6. The Group Policy ID Extended Community
The Group Policy ID BGP Extended Community is a new transitive Opaque
Extended Community with a Type value of 0x03. This extended
community may be advertised along with an EVPN type-2 MAC/IP route,
EVPN type-3 Ethernet Inclusive Multicast route, and EVPN type-5 IP
prefix route. This new Opaque Extended Community enables the EVPN
route to which it is attached to propagate, in the control plane, the
Group Policy ID used for Group Based Policy.
When the Uniform-Propagation-Mode is used in the EVPN and IPVPN
interworking use case, the Group Policy ID extended community is
carried over by the GW PE when a route for a given IPv4 or IPv6
prefix is propagated from one domain to another with a different
address family.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Type=0x03   |   Sub-Type    |        Policy ID Scope        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Reserved            |        Group Policy ID        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Policy ID Scope: The Policy ID Scope field is 16 bits long and is an
optional field.
Group Policy ID (GPI): The GPI field is 16 bits long and encodes the
value of a Group Policy ID.
The reserved fields MUST be set to zero by the sender and ignored by
the receiver.
If the Policy ID Scope is not set, any EVPN VXLAN NVE node that
receives a route with a Group Policy ID may use the received value as
is. If the Scope is set, a node whose locally configured Scope
matches the Scope in the received route may use the received Policy
ID value. A node whose local Scope differs from the Scope in the
received route may need to translate the received Policy ID to a
locally assigned value.
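The encoding in Section 6 and the Scope handling just described, together with the cross-domain translation of Section 4, as an added example that is not code from this draft: it packs and unpacks the 8-octet community (Type 0x03, Sub-Type 0x17 from Section 7), ignores the Reserved field on receipt as required, locates the community inside a BGP Extended Communities attribute, and resolves the GPI a receiving node should use. Treating a Scope of 0 as "not set", the translation table contents, the Route Target value and the sample attribute are constructed assumptions.

```python
import struct

EC_TYPE_TRANSITIVE_OPAQUE = 0x03    # Type value given in Section 6
EC_SUBTYPE_GROUP_POLICY_ID = 0x17   # Sub-Type allocated by IANA (Section 7)
SCOPE_NOT_SET = 0                    # assumption: a Scope of 0 means "not set"


def encode_group_policy_id_ec(gpi: int, scope: int = SCOPE_NOT_SET) -> bytes:
    """Build the 8-octet community: Type | Sub-Type | Scope | Reserved | GPI.

    Reserved MUST be sent as zero.
    """
    if not (0 <= gpi <= 0xFFFF and 0 <= scope <= 0xFFFF):
        raise ValueError("Policy ID Scope and Group Policy ID are 16-bit fields")
    return struct.pack("!BBHHH", EC_TYPE_TRANSITIVE_OPAQUE,
                       EC_SUBTYPE_GROUP_POLICY_ID, scope, 0, gpi)


def decode_group_policy_id_ec(ec: bytes):
    """Return (scope, gpi) for a Group Policy ID community, None for any other.

    The Reserved field is ignored by the receiver, as the draft requires.
    """
    if len(ec) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    typ, sub, scope, _reserved, gpi = struct.unpack("!BBHHH", ec)
    if typ != EC_TYPE_TRANSITIVE_OPAQUE or sub != EC_SUBTYPE_GROUP_POLICY_ID:
        return None
    return scope, gpi


def find_group_policy_id(ext_communities_attr: bytes):
    """Scan the value of a BGP Extended Communities attribute (a sequence of
    8-octet communities) and return the first Group Policy ID as (scope, gpi)."""
    if len(ext_communities_attr) % 8:
        raise ValueError("malformed Extended Communities attribute length")
    for off in range(0, len(ext_communities_attr), 8):
        found = decode_group_policy_id_ec(ext_communities_attr[off:off + 8])
        if found is not None:
            return found
    return None


def resolve_local_gpi(scope, gpi, local_scope, translation):
    """Apply the Scope rules at a receiving node.

    translation maps (remote_scope, remote_gpi) -> local GPI and stands in
    for the administratively configured per-domain translation policy.
    Returns the GPI to use locally, or None when the tag comes from a
    foreign Scope with no translation, in which case the receiver should
    not use the value for ingress enforcement of this route.
    """
    if scope == SCOPE_NOT_SET or scope == local_scope:
        return gpi
    return translation.get((scope, gpi))


# Constructed sample attribute: a Route Target (Type 0x00, Sub-Type 0x02,
# AS 65000:100) followed by a Group Policy ID community with Scope 7, GPI 200.
SAMPLE_ATTR = bytes.fromhex("0002fde800000064") + encode_group_policy_id_ec(200, scope=7)
```

Keeping `find_group_policy_id` strict about the attribute length, and returning None rather than a guessed value for an untranslatable Scope, means a malformed or foreign-domain tag degrades to egress enforcement instead of being applied at ingress with the wrong meaning.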
7. IANA Considerations
For the Group Policy ID extended community defined in this document,
IANA has allocated the following codepoint in the Sub-type registry
of Type 0x03 Transitive Opaque Extended Community.
      Sub-Type   Name                                  Reference
      0x17       Group Policy ID Extended Community    [this document]
8. Security Considerations
All the security considerations for BGP extended communities apply
here as well. An attacker able to alter the value carried in a BGP
extended community can alter the Group Policy ID carried in the
Group Policy ID field, which could lead to the wrong policy rule
being enforced on the user traffic.
9. Acknowledgements
The authors would like to thank Jeffrey Zhang and Jeff Haas for their
careful review and valuable feedback.
We also would like to thank Prasad Miriyala and Selvakumar Sivaraj
for their contributions.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A.,
Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based
Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February
2015, <https://www.rfc-editor.org/info/rfc7432>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC9136] Rabadan, J., Ed., Henderickx, W., Drake, J., Lin, W., and
A. Sajassi, "IP Prefix Advertisement in Ethernet VPN
(EVPN)", RFC 9136, DOI 10.17487/RFC9136, October 2021,
<https://www.rfc-editor.org/info/rfc9136>.
10.2. Informative References
[I-D.ietf-bess-evpn-ipvpn-interworking]
Rabadan, J., Sajassi, A., Rosen, E. C., Drake, J., Lin,
W., Uttaro, J., and A. Simpson, "EVPN Interworking with
IPVPN", Work in Progress, Internet-Draft, draft-ietf-bess-
evpn-ipvpn-interworking-09, 9 October 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-bess-
evpn-ipvpn-interworking-09>.
[I-D.smith-vxlan-group-policy]
Smith, M. and L. Kreeger, "VXLAN Group Policy Option",
Work in Progress, Internet-Draft, draft-smith-vxlan-group-
policy-05, 22 October 2018,
<https://datatracker.ietf.org/doc/html/draft-smith-vxlan-
group-policy-05>.
Authors' Addresses
Wen Lin
Juniper Networks
Email: wlin@juniper.net
John Drake
Individual
Email: je_drake@yahoo.com
Dhananjaya Rao
Cisco Systems
Email: dhrao@cisco.com