IDR T. Zhou, Ed.
Internet-Draft R. Chen, Ed.
Intended status: Standards Track H. Wu, Ed.
Expires: 6 January 2024 ZTE Corporation
5 July 2023
BGP Flow Specification for EVPN
draft-zhou-flowspec-extensions-evpn-00
Abstract
[RFC8955] defines BGP flow specification version 1 (FSv1) and
[I-D.ietf-idr-flowspec-v2] defines BGP flow specification (FSv2)
protocol. This document proposes extensions to BGP Flow
Specification Version 2 to support MPLS-based EVPN traffic filtering.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 6 January 2024.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Zhou, et al. Expires 6 January 2024 [Page 1]
Internet-Draft BGP-FS for EVPN July 2023
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. EVPN Flow Specification Encoding . . . . . . . . . . . . . . 3
4. EVPN Component Types . . . . . . . . . . . . . . . . . . . . 3
4.1. Type TBD3 - EVPN label (EVI) . . . . . . . . . . . . . . 4
4.2. Type TBD4 - Inner Destination IP . . . . . . . . . . . . 4
4.3. Type TBD5 - Inner source IP . . . . . . . . . . . . . . . 5
4.4. Type TBD6- Inner destination MAC . . . . . . . . . . . . 5
4.5. Type TBD7 - Inner Source MAC . . . . . . . . . . . . . . 5
4.6. Ordering of Traffic Filtering Rules . . . . . . . . . . . 5
5. Encoding of FSV2 Actions (type=2) . . . . . . . . . . . . . . 5
5.1. Redirect to EVPN instance . . . . . . . . . . . . . . . . 6
5.2. Redirect to tunnel with EVPN label . . . . . . . . . . . 7
5.3. EVI action . . . . . . . . . . . . . . . . . . . . . . . 8
6. Consideration on Traffic Filtering Action Interference . . . 9
7. Ordering of Flow Specification . . . . . . . . . . . . . . . 9
7.1. Ordering of Flow Specification NLRI filters . . . . . . . 9
7.2. Ordering of the Actions . . . . . . . . . . . . . . . . . 10
8. Flow Specification Validation . . . . . . . . . . . . . . . . 10
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
10.1. Flow Specification SAFI for MPLS-based EVPN traffic
filtering . . . . . . . . . . . . . . . . . . . . . . . 10
10.2. FSV2 NLRI TLV Types . . . . . . . . . . . . . . . . . . 10
10.3. Filter MPLS-based EVPN Component types . . . . . . . . . 10
10.4. New BGP FSv2 Action types . . . . . . . . . . . . . . . 11
11. Security Considerations . . . . . . . . . . . . . . . . . . . 11
12. Normative References . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction
Border Gateway Protocol Flow Specification is an extension to BGP
that helps BGP peers classify flows and apply the corresponding flow
actions during traffic forwarding. It can be regarded as an advanced
route policy with more specific traffic-matching abilities and more
kinds of traffic filtering actions. Besides, carrying Flow
Specification in the BGP control plane simplifies the dissemination of
the flow specification: without any configuration on the routers, all
BGP Flow Specification clients receive the BGP Flow Specification
NLRIs as traffic filtering rules. In its early applications, Flow
Specification typically aimed at the mitigation of distributed denial
of service (DDoS) attacks, as an efficient tool against Internet
attacks.
EVPN is used more and more frequently. Thanks to the advantages of its
control plane, with its several route types, EVPN helps greatly in
packet forwarding within L2 and L3. As a unique type of L2VPN
technology, its route types and traffic encapsulation are quite
different in L2 networks, especially when deployed together with MPLS
or SRv6.
This document proposes extensions to BGP Flow Specification Version 2
to support MPLS-based EVPN traffic filtering. AFI/SAFI 25/TBD1 is
used for these purposes. New component types and three FSV2 Actions
are also defined.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. EVPN Flow Specification Encoding
The EVPN NLRI is carried in BGP [RFC4271] using BGP Multiprotocol
Extensions [RFC4760] with an Address Family Identifier (AFI) of
25(L2VPN) and a Subsequent Address Family Identifier (SAFI) of 70
(EVPN). This document specifies a new SAFI (TBD) for FSv2 to be used
with AFI 25(L2VPN) to allow user-ordered lists of traffic match
filters for user-ordered traffic match actions encoded in Communities
(Wide or Extended).
The AFI/SAFI NLRI for BGP Flow Specification version 2 (FSv2) has
been defined in [I-D.ietf-idr-flowspec-v2] section 3. This document
defines a new type for the FSv2 TLV of the NLRI as follows.
* TBD2 - BGP/MPLS EVPN Traffic rules
4. EVPN Component Types
The Flow Specification NLRI-type consists of several optional
components, each of which begins with a type field (1 octet) followed
by a variable length parameter.
In BGP MPLS-based EVPN, apart from the outer encapsulation (Ethernet
header, MPLS label, EVPN label), the payload packet MAY keep its own
Ethernet header and IP header. As mentioned in
[I-D.ietf-idr-flowspec-v2], components were defined for the outer
L2/L3/MPLS encapsulation.
For SRv6-based EVPN, an EVPN service SID takes the place of the EVPN
label. There is no difference in the encapsulation of packets
forwarded by the EVPN routing plane, and the extensions in
[I-D.ietf-idr-flowspec-srv6] are reused.
This section provides the EVPN label and the inner payload
encapsulation as new components and types for MPLS-based EVPN.
4.1. Type TBD3 - EVPN label (EVI)
Encoding: <type (1 octet), length (1 octet), [numeric_op, value]+>
Defines a list of {operation, value} pairs used to match the
encapsulation field in the forwarded traffic for MPLS-based EVPN.
The value field is encoded as:
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EVPN label |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1
Values are encoded for the EVPN label field in the frame, which sits
between the outer MAC address and the inner MAC address. This field is
defined as the label used by forwarding routers to identify the
specific user VPN.
4.2. Type TBD4 - Inner Destination IP
Encoding: <type(1 octet), prefix length(1 octet), prefix(variable)>.
Defines the destination IPv4/IPv6 address prefix to match against the
IP header of the payload.
The length and prefix fields are encoded as in BGP UPDATE message
[RFC4271].
4.3. Type TBD5 - Inner source IP
Encoding: <type(1 octet), prefix length(1 octet), prefix(variable)>.
Defines the source IPv4/IPv6 address prefix to match against the IP
header of the payload.
The length and prefix fields are encoded as in BGP UPDATE message
[RFC4271].
4.4. Type TBD6 - Inner Destination MAC
Encoding: <type(1 octet), prefix length(1 octet), MAC prefix>.
Defines the inner destination MAC address prefix to match against the
inner layer of the packets (because forwarded packets are
encapsulated, there are outer and inner layer MAC addresses).
The prefix length is in bits, and the MAC prefix is filled out with
from 1 to 7 padding bits so that it occupies an integer number of
octets. These padding bits are ignored for matching purposes.
4.5. Type TBD7 - Inner Source MAC
Encoding: <type(1 octet), prefix length(1 octet), MAC prefix>.
Defines the inner source MAC address prefix to match against the inner
layer of the packets (because forwarded packets are encapsulated,
there are outer and inner layer MAC addresses).
The prefix length is in bits, and the MAC prefix is filled out with
from 1 to 7 padding bits so that it occupies an integer number of
octets. These padding bits are ignored for matching purposes.
4.6. Ordering of Traffic Filtering Rules
This section defines the order of the traffic filtering rules for the
EVPN components; they are listed below in order of priority: EVPN
label, inner destination IP address, inner source IP address, inner
destination MAC address, inner source MAC address.
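The five component encodings of Sections 4.1 to 4.5 and the priority order of Section 4.6, worked through as an added example that is not part of the draft and not taken from any implementation of it. The type codes TBD3 to TBD7 are still pending IANA assignment, so the numeric constants are placeholders; the numeric_op bits follow RFC 8955 while the label value is carried in the 3 octets of Figure 1, and how the two combine is an assumption of this example; the inner IP prefix TLV carries no address family, so the decoder takes it as a parameter.

```python
"""EVPN FSv2 components of Sections 4.1-4.6: encode, decode, match, order.
Example code written for this page, not the draft's own."""
import ipaddress

# Type codes TBD3..TBD7 await IANA assignment; these values are placeholders.
TBD3_EVPN_LABEL, TBD4_INNER_DST_IP, TBD5_INNER_SRC_IP = 0xE3, 0xE4, 0xE5
TBD6_INNER_DST_MAC, TBD7_INNER_SRC_MAC = 0xE6, 0xE7
# Section 4.6 priority: earlier in the list = evaluated first.
COMPONENT_PRIORITY = [TBD3_EVPN_LABEL, TBD4_INNER_DST_IP, TBD5_INNER_SRC_IP,
                      TBD6_INNER_DST_MAC, TBD7_INNER_SRC_MAC]
# numeric_op bits of RFC 8955 Section 4.2.1.1: e (end-of-list), a (AND with
# the previous term), lt/gt/eq.  The value is carried in 3 octets as in
# Figure 1; how that interacts with the RFC 8955 length bits is not stated
# in the draft, so the fixed 3-octet value is an assumption of this example.
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01

def encode_evpn_label(ops):
    """TBD3: <type, length, [numeric_op, value]+>, ops = [(op, label), ...]."""
    body = b""
    for i, (op, label) in enumerate(ops):
        if i == len(ops) - 1:
            op |= OP_END                      # last operator closes the list
        body += bytes([op]) + label.to_bytes(3, "big")
    return bytes([TBD3_EVPN_LABEL, len(body)]) + body

def decode_evpn_label(data):
    """Parse one TBD3 component -> ([(op, label), ...], remaining bytes)."""
    if data[0] != TBD3_EVPN_LABEL:
        raise ValueError("not an EVPN label component")
    length = data[1]
    body, rest, ops, i = data[2:2 + length], data[2 + length:], [], 0
    while i + 4 <= len(body):
        op = body[i]
        ops.append((op & 0x7F, int.from_bytes(body[i + 1:i + 4], "big")))
        i += 4
        if op & OP_END:
            break
    return ops, rest

def match_evpn_label(ops, label):
    """RFC 8955 evaluation: left to right, AND binds tighter than OR."""
    groups = []                               # OR-ed list of AND-ed terms
    for op, value in ops:
        term = bool((op & OP_LT and label < value) or (op & OP_GT and label > value)
                    or (op & OP_EQ and label == value))
        if op & OP_AND and groups:
            groups[-1] = groups[-1] and term
        else:
            groups.append(term)
    return any(groups)

def encode_inner_ip(comp_type, prefix):
    """TBD4/TBD5: <type, prefix length, prefix> with the prefix packed into
    the minimum number of octets, as in the BGP UPDATE message (RFC 4271)."""
    net = ipaddress.ip_network(prefix, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]

def decode_inner_ip(data, version=4):
    """-> (type, network, remaining bytes).  The TLV carries no address
    family, so the caller supplies it (IPv4 assumed unless told otherwise)."""
    comp_type, plen = data[0], data[1]
    nbytes, total = (plen + 7) // 8, 4 if version == 4 else 16
    addr = ipaddress.ip_address(data[2:2 + nbytes] + b"\x00" * (total - nbytes))
    net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return comp_type, net, data[2 + nbytes:]

def match_inner_ip(net, address):
    return ipaddress.ip_address(address) in net

def encode_inner_mac(comp_type, mac, prefix_len):
    """TBD6/TBD7: <type, prefix length in bits, MAC prefix padded to whole
    octets>.  The padding bits are zeroed here; receivers ignore them anyway."""
    raw = bytes.fromhex(mac.replace(":", ""))
    prefix = bytearray(raw[:(prefix_len + 7) // 8])
    if prefix_len % 8:
        prefix[-1] &= (0xFF << (8 - prefix_len % 8)) & 0xFF
    return bytes([comp_type, prefix_len]) + bytes(prefix)

def decode_inner_mac(data):
    """-> (type, prefix length, prefix bytes, remaining bytes)."""
    comp_type, plen = data[0], data[1]
    nbytes = (plen + 7) // 8
    return comp_type, plen, data[2:2 + nbytes], data[2 + nbytes:]

def match_mac_prefix(prefix_bytes, prefix_len, mac):
    """Compare only the first prefix_len bits: whatever a sender put in the
    padding bits is shifted out, so they are ignored as Section 4.4 requires."""
    shift = 48 - prefix_len
    want = int.from_bytes(prefix_bytes.ljust(6, b"\x00"), "big") >> shift
    have = int.from_bytes(bytes.fromhex(mac.replace(":", "")), "big") >> shift
    return want == have

def order_components(components):
    """Sort decoded components (type is element 0) by Section 4.6 priority."""
    return sorted(components, key=lambda c: COMPONENT_PRIORITY.index(c[0]))
```

The MAC matcher deliberately accepts a prefix whose padding bits are non-zero, since a receiver that rejected such a component would break interoperability with a sender that does not zero them; the label matcher keeps the RFC 8955 AND-over-OR precedence rather than folding terms left to right, which gives a different answer for lists such as "eq 1, gt 10, AND lt 20".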
5. Encoding of FSV2 Actions (type=2)
This document defines a set of extensions for redirecting actions,
including forwarding actions and label actions; other actions such as
rate-limit, remark, copy and sample are the same as in
[I-D.ietf-idr-flowspec-v2].
Most of the traffic filtering actions defined in this document are
designed for a single Flow Specification function, but these actions
may be applied together with other actions at the same time. It
therefore becomes important to define an order for these actions, and
if not all traffic filtering actions can be applied to one traffic
flow, they SHOULD be regarded as interfering traffic filtering
actions.
The order and conflicts of traffic filtering actions are covered in
Section 7.1 of this document, and the general consideration of
traffic action interference is described in Section 6 of this
document.
5.1. Redirect to EVPN instance
SubTLV: TBD8.
Length: 4 octets.
Value field: [1-octet-type][3-octet-VPN information].
The redirect to EVPN instance Community allows the device to forward
the traffic into an EVPN routing instance identified by the VPN
information field. If the device matches several local instances,
the instance with the lowest Route Distinguisher value can be
selected.
The value field is encoded as:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| T | VPN information |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2
where:
* T: redirect information type. It allows the VPN information to be
a route-target or a VPN name. 0 represents that the VPN information is
a route-target, and 1 represents that the VPN information is the
name of the instance.
* VPN information: It indicates the information corresponding to the
local EVPN instance.
Note: It is appropriate for L2/L3 traffic only.
5.2. Redirect to tunnel with EVPN label
[I-D.ietf-idr-bgp-flowspec-label] defines capabilities for steering IP
traffic into SR-TE and RSVP-TE tunnels by an indirection ID carrying
the information of such tunnels. This document defines new traffic
filtering actions to steer both IP traffic and L2 traffic into an MPLS
tunnel with EVPN encapsulation.
Extending Section 5.1 of this document, the redirect to tunnel with
EVPN label Community provides the VPN information and the tunnel-id
at the same time, to steer the traffic into an MPLS tunnel with an
EVPN label.
SubTLV: TBD9.
Length: 8 octets.
Value field: [1-octet-type][3-octet-VPN information][4-octet-Tunnel
ID]
The value field is encoded as:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| T | VPN information |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tunnel ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3
where:
* T: Redirect information type. 0 and 1 are used in Section 5.1, and
2 represents the redirect information including route-target and
tunnel-id, and 3 represents the redirect information including VPN
name and tunnel-id.
* VPN information: It indicates the information corresponding to the
local EVPN instance.
* Tunnel-id: As described in [I-D.ietf-idr-flowspec-path-redirect].
Note: It is appropriate for L2/L3 traffic only.
5.3. EVI action
Similar to the MPLS Action defined in [I-D.ietf-idr-bgp-flowspec-label],
which uses a set of actions on the MPLS label stack to change the
packet forwarding of the device, the EVI action Community applies the
label actions pop, swap and insert.
SubTLV: TBD10.
Length: 8 octets.
Value field: [1-octet-type][3-octet-EVI]
The value field is encoded as:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| T | EVI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4
where:
T: Action type, taking one of the following values:
+=============+=====================================+
| Action Type | Function |
+=============+=====================================+
| 0 | pop the evpn label |
+-------------+-------------------------------------+
| 1 | swap the evpn label with entry |
+-------------+-------------------------------------+
| 2 | insert the evpn label at the bottom |
| | of the label stack with the entry |
+-------------+-------------------------------------+
| 3-255 | reserved |
+-------------+-------------------------------------+
Table 1: Action table
Note: It is appropriate for MPLS labeled traffic only.
6. Consideration on Traffic Filtering Action Interference
[RFC8955] already recognized that traffic filtering actions MAY
interfere with each other. It is impossible for BGP to verify the
update message during production, propagation and reception. Specific
traffic filtering actions SHOULD therefore be designed so that traffic
forwarding remains meaningful after a mix of actions has been
executed.
In this document, all of the newly defined redirecting actions SHOULD
be treated as interfering with any other redirecting action. This
means that one Flow Specification update message can contain at most
one traffic filtering redirecting action; any Flow Specification with
more than one redirecting action SHOULD be regarded as invalid, but
its propagation is unaffected.
On the other hand, a Flow Specification MAY interfere with the local
route policy on the Flow Specification client; it is SUGGESTED that
the router implementation select the Flow Specification as the valid
one.
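The three action sub-TLVs of Sections 5.1 to 5.3 and the one-redirect-per-Flow-Specification rule of Section 6, as an added example that is not the draft's own code and not taken from any implementation of it. TBD8 to TBD10 are placeholders pending IANA assignment; the 1-octet type / 1-octet length framing of the sub-TLVs, and the choice of the bottom-of-stack entry as the EVPN label in apply_evi_action, are assumptions of this example; the EVI action value is built as the 4 octets drawn in Figure 4.

```python
"""EVPN FSv2 action sub-TLVs of Sections 5.1-5.3 plus the Section 6 check
on redirecting actions.  Example code written for this page, not the
draft's own."""
import struct

# Sub-TLV types TBD8..TBD10 await IANA assignment; these are placeholders.
TBD8_REDIRECT_EVI, TBD9_REDIRECT_TUNNEL, TBD10_EVI_ACTION = 0xE8, 0xE9, 0xEA
REDIRECT_ACTIONS = {TBD8_REDIRECT_EVI, TBD9_REDIRECT_TUNNEL}
# Redirect information type T of Figures 2 and 3.
T_ROUTE_TARGET, T_VPN_NAME, T_RT_AND_TUNNEL, T_NAME_AND_TUNNEL = 0, 1, 2, 3
# EVI action type T of Table 1 (3-255 reserved).
EVI_POP, EVI_SWAP, EVI_INSERT = 0, 1, 2

def _sub_tlv(sub_type, value):
    # Framing assumption: 1-octet sub-TLV type, 1-octet length, then value.
    return bytes([sub_type, len(value)]) + value

def redirect_to_evi(t, vpn_info):
    """Section 5.1: value = [1-octet T][3-octet VPN information], 4 octets."""
    if t not in (T_ROUTE_TARGET, T_VPN_NAME):
        raise ValueError("T must be 0 (route-target) or 1 (VPN name)")
    return _sub_tlv(TBD8_REDIRECT_EVI, bytes([t]) + vpn_info.to_bytes(3, "big"))

def redirect_to_tunnel(t, vpn_info, tunnel_id):
    """Section 5.2: value = [T][3-octet VPN information][4-octet Tunnel ID]."""
    if t not in (T_RT_AND_TUNNEL, T_NAME_AND_TUNNEL):
        raise ValueError("T must be 2 (route-target+tunnel) or 3 (name+tunnel)")
    value = bytes([t]) + vpn_info.to_bytes(3, "big") + struct.pack(">I", tunnel_id)
    return _sub_tlv(TBD9_REDIRECT_TUNNEL, value)

def evi_action(t, evi):
    """Section 5.3: value = [1-octet action type][3-octet EVI] (Figure 4)."""
    if t not in (EVI_POP, EVI_SWAP, EVI_INSERT):
        raise ValueError("action types 3-255 are reserved")
    return _sub_tlv(TBD10_EVI_ACTION, bytes([t]) + evi.to_bytes(3, "big"))

def decode_actions(data):
    """Walk a run of action sub-TLVs and return one dict per action.  Other
    FSv2 actions (unknown types here) are kept as raw bytes and passed on."""
    actions, i = [], 0
    while i < len(data):
        sub_type, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated action sub-TLV")
        if sub_type == TBD8_REDIRECT_EVI and length == 4:
            actions.append({"type": sub_type, "T": value[0],
                            "vpn_info": int.from_bytes(value[1:4], "big")})
        elif sub_type == TBD9_REDIRECT_TUNNEL and length == 8:
            actions.append({"type": sub_type, "T": value[0],
                            "vpn_info": int.from_bytes(value[1:4], "big"),
                            "tunnel_id": struct.unpack(">I", value[4:8])[0]})
        elif sub_type == TBD10_EVI_ACTION and length == 4:
            actions.append({"type": sub_type, "T": value[0],
                            "evi": int.from_bytes(value[1:4], "big")})
        else:
            actions.append({"type": sub_type, "raw": bytes(value)})
        i += 2 + length
    return actions

def redirects_are_valid(actions):
    """Section 6: at most one redirecting action per Flow Specification.
    A Flow Specification failing this is not installed; it is still propagated."""
    return sum(1 for a in actions if a["type"] in REDIRECT_ACTIONS) <= 1

def apply_evi_action(label_stack, t, evi):
    """Apply a Table 1 action to a label stack listed top-first.  Assumption
    of this example: the EVPN label is the bottom-of-stack entry."""
    stack = list(label_stack)
    if t == EVI_INSERT:
        stack.append(evi)                      # insert at the bottom
    elif t in (EVI_POP, EVI_SWAP):
        if not stack:
            raise ValueError("empty label stack")
        stack.pop()                            # pop the EVPN label
        if t == EVI_SWAP:
            stack.append(evi)                  # swap = pop, then push entry
    else:
        raise ValueError("action types 3-255 are reserved")
    return stack
```

A receiver would run redirects_are_valid on the decoded action list before installing the rule and, per Section 6, keep propagating the update even when the check fails; decode_actions keeps unknown sub-TLVs as opaque bytes so that the other FSv2 actions the draft leaves unchanged survive the pass-through.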
7. Ordering of Flow Specification
In the design of Flow Specification, one Flow Specification is allowed
to carry multiple traffic filtering rules and traffic filtering
actions.
Section 4.6 defines the order of the traffic filtering rules; there is
also a need to define the order between different types of
components. This document allows the Flow Specification server to set
the order of traffic filtering types by the order field in the NLRI.
This section describes the method for comparing the order of one
Flowspec to another one that has the same order field in the NLRI.
Such Flowspecs SHOULD be ordered by the default priority of the
traffic filtering rules. Besides, the community used for traffic
filtering actions MAY affect the order of BGP routes; this document
does not discuss route selection based on BGP communities.
7.1. Ordering of Flow Specification NLRI filters
This document does not define any ordering of Flow Specification NLRI
filters beyond [I-D.ietf-idr-flowspec-v2].
7.2. Ordering of the Actions
This document does not define any ordering of the actions beyond
[I-D.ietf-idr-flowspec-v2].
8. Flow Specification Validation
This document does not introduce any Flow Specification validation
beyond [RFC8955] and [I-D.ietf-idr-flowspec-v2].
9. Acknowledgements
TBD.
10. IANA Considerations
10.1. Flow Specification SAFI for MPLS-based EVPN traffic filtering
IANA is requested to assign a new SAFI as follows:
Value Description Reference
----- ------------------------------------------ ---------------
TBD1 MPLS-based EVPN traffic filtering [This document]
Figure 5
10.2. FSV2 NLRI TLV Types
IANA is requested to create the following new registry on a new "Flow
Specification v2 TLV Types" web page.
Type Use Reference
----- ----------------------------------- ---------------
TBD2 TBD2 - BGP/MPLS EVPN Traffic rules [this document]
Figure 6
10.3. Filter MPLS-based EVPN Component types
IANA is requested to indicate [this draft] as a reference on the
following assignments in the Flow Specification Component Types
Registry:
Value Description Reference
----- ------------------------ ------------------------
TBD3 EVPN label [this document]
TBD4 Inner Destination IP [this document]
TBD5 Inner Source IP [this document]
TBD6 Inner Destination MAC [this document]
TBD7 Inner Source MAC [this document]
Figure 7
10.4. New BGP FSv2 Action types
IANA is requested to indicate [this draft] as a reference on the
following assignments in the Flow Specification Component Types
Registry:
Value Use Reference
----- ---------------------------------- --------------------
TBD8 Redirect to EVPN instance [this document]
TBD9 Redirect to tunnel with EVPN label [this document]
TBD10 EVI action [this document]
Figure 8
11. Security Considerations
This document does not introduce any security considerations beyond
[RFC8955] and [I-D.ietf-idr-flowspec-v2].
12. Normative References
[I-D.ietf-idr-bgp-flowspec-label]
liangqiandeng, Hares, S., You, J., Raszuk, R., and D. Ma,
"Carrying Label Information for BGP FlowSpec", Work in
Progress, Internet-Draft, draft-ietf-idr-bgp-flowspec-
label-02, 20 October 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-idr-bgp-
flowspec-label-02>.
[I-D.ietf-idr-flowspec-l2vpn]
Weiguo, H., Eastlake, D. E., Litkowski, S., and S. Zhuang,
"BGP Dissemination of L2 Flow Specification Rules", Work
in Progress, Internet-Draft, draft-ietf-idr-flowspec-
l2vpn-21, 24 April 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-idr-
flowspec-l2vpn-21>.
[I-D.ietf-idr-flowspec-path-redirect]
Van de Velde, G., Patel, K., and Z. Li, "Flowspec
Indirection-id Redirect", Work in Progress, Internet-
Draft, draft-ietf-idr-flowspec-path-redirect-12, 24
November 2022, <https://datatracker.ietf.org/doc/html/
draft-ietf-idr-flowspec-path-redirect-12>.
[I-D.ietf-idr-flowspec-srv6]
Li, Z., Li, L., Chen, H., Loibl, C., Mishra, G. S., Fan,
Y., Zhu, Y., Liu, L., and X. Liu, "BGP Flow Specification
for SRv6", Work in Progress, Internet-Draft, draft-ietf-
idr-flowspec-srv6-03, 6 April 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-idr-
flowspec-srv6-03>.
[I-D.ietf-idr-flowspec-v2]
Hares, S., Eastlake, D. E., Yadlapalli, C., and S.
Maduschke, "BGP Flow Specification Version 2", Work in
Progress, Internet-Draft, draft-ietf-idr-flowspec-v2-02,
21 May 2023, <https://datatracker.ietf.org/doc/html/draft-
ietf-idr-flowspec-v2-02>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006,
<https://www.rfc-editor.org/info/rfc4271>.
[RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
"Multiprotocol Extensions for BGP-4", RFC 4760,
DOI 10.17487/RFC4760, January 2007,
<https://www.rfc-editor.org/info/rfc4760>.
[RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<https://www.rfc-editor.org/info/rfc5575>.
[RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A.,
Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based
Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February
2015, <https://www.rfc-editor.org/info/rfc7432>.
[RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M.
Bacher, "Dissemination of Flow Specification Rules",
RFC 8955, DOI 10.17487/RFC8955, December 2020,
<https://www.rfc-editor.org/info/rfc8955>.
[RFC8956] Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed.,
"Dissemination of Flow Specification Rules for IPv6",
RFC 8956, DOI 10.17487/RFC8956, December 2020,
<https://www.rfc-editor.org/info/rfc8956>.
Authors' Addresses
Taoran Zhou (editor)
ZTE Corporation
Nanjing
China
Email: zhou.taoran@zte.com.cn
Ran Chen (editor)
ZTE Corporation
Nanjing
China
Email: chen.ran@zte.com.cn
HaiSheng Wu (editor)
ZTE Corporation
Nanjing
China
Email: wu.haisheng@zte.com.cn