Packet Content Filter for BGP FlowSpec
draft-cui-idr-content-filter-flowspec-00

Document Type Active Internet-Draft (individual)
Authors Yong Cui , Yujia Gao
Last updated 2024-03-19
IETF                                                              Y. Cui
Internet-Draft                                       Tsinghua University
Intended status: Informational                                    Y. Gao
Expires: 21 September 2024                       Zhongguancun Laboratory
                                                           20 March 2024

                 Packet Content Filter for BGP FlowSpec
                draft-cui-idr-content-filter-flowspec-00

Abstract

   The BGP Flow Specification enables the distribution of traffic filter
   policies (traffic filters and actions) via BGP, facilitating DDoS
   traffic filtering.  However, the traffic filters in FSv1 and FSv2
   predominantly focus on IP header fields, which may not adequately
   address new types of DDoS attack traffic characterized by constant
   patterns within the packet content.  This document introduces a new
   flow specification filter type designed for packet content filtering.
   The match field includes offset-type, offset-value, content-length,
   and content-value, encoded in the Flowspec NLRI.  This new filter
   aims to augment DDoS defense capabilities.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 21 September 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.

Cui & Gao               Expires 21 September 2024               [Page 1]
Internet-Draft   Packet Content Filter for BGP FlowSpec       March 2024

   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Definitions and Acronyms
   3.  The Flow Specification for Packet Offset Filter
     3.1.  Offset-type and Offset-value
     3.2.  Content-length and Content-value
   4.  IANA Considerations
   5.  Security Considerations
   6.  Normative References
   Acknowledgements
   Authors' Addresses

1.  Introduction

   BGP flow specification describes the distribution of traffic filter
   policies through BGP, allowing for efficient traffic management and
   DDoS attack mitigation.  The existing versions, FSv1 and FSv2,
   primarily offer n-tuple matching conditions for policy enforcement,
   enabling actions such as packet dropping, redirecting, or rate
   limiting.  These filter rules can be propagated to all BGP peers
   simultaneously without necessitating router configuration changes.
   Despite their utility, the reliance of FSv1 and FSv2 on IP header
   fields for traffic filtering is increasingly inadequate for countering
   DDoS attacks.  DDoS attacks such as application-level Challenge
   Collapsar (CC) attacks and ACK flood attacks exhibit distinct patterns
   within the packet content while generating large traffic volumes.

   This document delineates a new flow specification filter type that
   facilitates packet content filtering, leveraging offset-type, offset
   value, content-length, and content-value within the Flowspec NLRI to
   enhance DDoS defense mechanisms.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Definitions and Acronyms

   *  DDoS: Distributed Denial of Service

   *  NLRI: Network Layer Reachability Information

   *  FSv1: Flow Specification Version 1, defined in [RFC8955] and
      [RFC8956]

   *  FSv2: Flow Specification Version 2, defined in [draft-hares-idr-
      flowspec-v2-ddos-00]

3.  The Flow Specification for Packet Offset Filter

   This document specifies a new flow specification filter type that is
   encoded in the BGP FS NLRI; this revision follows the FSv1 definition
   format.  The new filter is defined as follows:

   Type TBD – Packet-Content

   Encoding: <type (1 octet), [value]+>

   The value field is encoded using offset-type, offset-value, content-
   length and content-value.

   Encoding: <offset-type (4 bits), offset-value (2 octets), content-
   length (1 octet), content-value>

3.1.  Offset-type and Offset-value

   The offset-type and offset-value define the starting position of the
   packet content used for matching.  To avoid the effect of variable
   header length on the offset, we use the hierarchical approach of
   [draft-khare-idr-bgp-flowspec-payload-match-08].  The offset-type is
   defined as follows:

   +-------+-----------------------------+
   | Value | Description of Offset Type  |
   +-------+-----------------------------+
   | 0     | IP Header                   |
   | 1     | IP Header Data              |
   | 2     | Data within TCP/UDP         |
   +-------+-----------------------------+

   Figure 1: offset-type

   Each offset-type is detailed as follows:

   *  Offset-type 0 is defined as the start of the IP header.

   *  Offset-type 1 is defined as the start of the data portion of the
      IP header after the IP options.

   *  Offset-type 2 is defined as the start of the TCP or UDP data.  Type
      2 is only used if the packet is the first fragment and the Layer 4
      transport protocol is TCP (6) or UDP (17).  For other IP
      protocols, type 1 or type 2 can be used.

   The offset-value is defined as a 2-octet unsigned integer that
   specifies the count of bytes to be bypassed from the offset-type's
   starting position to match the packet content.

   Example:

   *  By setting offset-type 0 and an offset-value of 0, the match is
      configured to start precisely at the beginning of the IP header.

   *  By setting offset-type 1 and an offset-value of 2, the match will
      start two bytes past the start of the data portion of the IP
      header, skipping over any IP options.  In UDP packets, for
      example, this configuration targets the start of the destination
      port field.

   *  By setting offset-type 2 and an offset-value of 10, the match will
      start ten bytes into the content of the TCP/UDP packet.

3.2.  Content-length and Content-value

   The content-length is a one-octet unsigned integer field that
   contains the length of the value field in octets.  The content-value
   is encoded as {content, mask}.  Content and mask have the same
   length, which is defined by the content-length.

   The content provides a string to be matched.  Its length is defined
   by content-length.  Based on the information provided by equipment
   vendors and operators, 8 octets is usually sufficient for the
   identification of DDoS attacks.

   Mask is a string of 0 and 1 bits, where 1 marks a bit that will be
   matched and 0 marks a bit that can be ignored.

   The content and mask are combined with a bitwise AND to obtain the
   final content that the packet needs to match.
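   As an added example (not code from the draft or its authors), the
   following Python encodes and decodes the proposed Packet-Content
   component and evaluates it against a constructed IPv4/UDP packet,
   covering both the offset-type rules of Section 3.1 and the content/mask
   matching of Section 3.2.  It assumes the 4-bit offset-type occupies the
   high nibble of one octet, uses a placeholder type value (0xFF) in place
   of the TBD IANA code, serialises only the component rather than the
   surrounding NLRI, and handles IPv4 only.

```python
import struct

TYPE_PACKET_CONTENT = 0xFF  # placeholder: the real component type is TBD (IANA)
OFFSET_IP_HEADER, OFFSET_IP_DATA, OFFSET_L4_DATA = 0, 1, 2  # Figure 1

def encode_component(offset_type, offset_value, content, mask):
    # Assumption: the 4-bit offset-type sits in the high nibble of one octet.
    if not 0 <= offset_type < 16 or len(content) != len(mask) or len(content) > 255:
        raise ValueError("invalid packet-content component")
    return struct.pack("!BBHB", TYPE_PACKET_CONTENT, offset_type << 4,
                       offset_value, len(content)) + content + mask

def decode_component(buf):
    comp_type, ot, offset_value, length = struct.unpack_from("!BBHB", buf)
    body = buf[5:5 + 2 * length]                    # content followed by mask
    if comp_type != TYPE_PACKET_CONTENT or len(body) != 2 * length:
        raise ValueError("truncated or unknown component")
    return ot >> 4, offset_value, body[:length], body[length:]

def region_start(pkt, offset_type):
    """Byte index where the offset-type's region begins, or None (IPv4 only)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                       # header length incl. options
    proto, frag_off = pkt[9], struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    if offset_type == OFFSET_IP_HEADER:
        return 0
    if offset_type == OFFSET_IP_DATA:
        return ihl
    # Type 2 applies only to the first fragment of a TCP (6) or UDP (17) packet
    if offset_type == OFFSET_L4_DATA and frag_off == 0 and proto in (6, 17):
        if proto == 6 and len(pkt) < ihl + 20:
            return None                             # truncated TCP header
        return ihl + (8 if proto == 17 else (pkt[ihl + 12] >> 4) * 4)
    return None

def matches(pkt, offset_type, offset_value, content, mask):
    # Match succeeds when (packet bytes AND mask) == (content AND mask).
    start = region_start(pkt, offset_type)
    if start is None:
        return False
    window = pkt[start + offset_value:start + offset_value + len(content)]
    if len(window) != len(content):
        return False                                # packet too short to match
    return all((w & m) == (c & m) for w, c, m in zip(window, content, mask))

# Constructed IPv4/UDP packet (not a capture): IHL=6, dst port 53, payload "ATTACKxx"
IPV4_UDP_PKT = (struct.pack("!BBHHHBBH4s4s", 0x46, 0, 40, 1, 0, 64, 17, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
                + b"\x01\x01\x01\x00" + struct.pack("!HHHH", 12345, 53, 16, 0)
                + b"ATTACKxx")
```

   The second assertion-style case in the test below reproduces the
   draft's own example: offset-type 1 with offset-value 2 lands on the
   UDP destination port regardless of IP option length.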

4.  IANA Considerations

   In accordance with the procedures outlined for managing the "Flow
   Spec Component Types" registry, IANA is hereby requested to assign a
   new Type Value.  This assignment is sought from the First Come First
   Served range, as detailed below:

   +------------+---------------------------+---------------+
   | Type Value | Name                      | Reference     |
   +------------+---------------------------+---------------+
   | TBD        | Packet Content filter     | this document |
   +------------+---------------------------+---------------+

   The introduction of the "Packet Content filter" Type Value is
   intended to expand the capability of BGP FSv1 by enabling more
   granular control over traffic filtering.

   This is especially pertinent for addressing complex patterns within
   packet content that are characteristic of Distributed Denial of
   Service (DDoS) attacks and other security challenges.  The proposed
   Packet Content filter facilitates the specification of detailed
   criteria for traffic matching, including but not limited to content
   inspection at specific packet offsets.  A subsequent revision will
   add the FSv2 definition.

5.  Security Considerations

   No new security issues are introduced to the BGP protocol by this
   specification.

6.  Normative References

   [RFC8955]  Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M.
              Bacher, "Dissemination of Flow Specification Rules",
              RFC 8955, DOI 10.17487/RFC8955, December 2020,
              <https://www.rfc-editor.org/rfc/rfc8955>.

   [RFC8956]  Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed.,
              "Dissemination of Flow Specification Rules for IPv6",
              RFC 8956, DOI 10.17487/RFC8956, December 2020,
              <https://www.rfc-editor.org/rfc/rfc8956>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

Acknowledgements

   We wish to thank Susan Hares, Jeffrey Haas and Li Yang for their
   valuable comments and suggestions on this document.

Authors' Addresses

   Yong Cui
   Tsinghua University
   Beijing, 100084
   China
   Email: cuiyong@tsinghua.edu.cn
   URI:   http://www.cuiyong.net/

   Yujia Gao
   Zhongguancun Laboratory
   Beijing, 100094
   China
   Email: gaoyj@zgclab.edu.cn
