BGP Dissemination of Flow Specification Rules for Tunneled Traffic
draft-ietf-idr-flowspec-nvo3-09
Document Type Active Internet-Draft (idr WG)
Last updated 2020-04-12
Replaces draft-hao-idr-flowspec-nvo3
Stream IETF
Intended RFC status Proposed Standard
Formats plain text pdf htmlized (tools) htmlized bibtex
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state I-D Exists
Consensus Boilerplate Yes
Telechat date
Responsible AD (None)
Send notices to (None)
Email authors Email WG IPR 1 References Referenced by Nits 
INTERNET-DRAFT                                               D. Eastlake
Intended Status: Proposed Standard                Futurewei Technologies
                                                                  W. Hao
                                                               S. Zhuang
                                                                   Z. Li
                                                     Huawei Technologies
                                                                   R. Gu
                                                             China Mobil
Expires: October 11, 2020                                 April 12, 2020

                          BGP Dissemination of
             Flow Specification Rules for Tunneled Traffic
                    draft-ietf-idr-flowspec-nvo3-09

Abstract
   This draft specifies a Border Gateway Protocol (BGP) Network Layer
   Reachability Information (NLRI) encoding format for flow
   specifications (RFC 5575bis) that can match on a variety of tunneled
   traffic. In addition, flow specification components are specified for
   certain tunneling header fields.

Status of This Document

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Distribution of this document is unlimited. Comments should be sent
   to the authors or the IDR Working Group mailing list <idr@ietf.org>.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft
   Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

D. Eastlake, et al                                              [Page 1]
INTERNET-DRAFT                                       BGP Tunnel Flowspec

Table of Contents

      1. Introduction............................................3
      1.1 Terminology............................................3

      2. Tunneled Traffic Flow Specification NLRI................5
      2.1 The SAFI Code Point....................................7
      2.2 Tunnel Header Component Code Points....................8
      2.3 Specific Tunnel Types..................................9
      2.3.1 VXLAN................................................9
      2.3.2 VXLAN-GPE...........................................10
      2.3.3 NVGRE...............................................11
      2.3.4 L2TPv3..............................................11
      2.3.5 GRE.................................................12
      2.3.6 IP-in-IP............................................12
      2.4 Tunneled Traffic Actions..............................13

      3. Order of Traffic Filtering Rules.......................14
      4. Flow Spec Validation...................................15

      5. Security Considerations................................15
      6. IANA Considerations....................................15

      Normative References......................................16
      Informative References....................................17

      Acknowledgments...........................................18
      Authors' Addresses........................................18

D. Eastlake, et al                                              [Page 2]
INTERNET-DRAFT                                       BGP Tunnel Flowspec

1. Introduction

   BGP Flow Specification (flowspec [RFC5575bis]) is an extension to BGP
   that supports the dissemination of traffic flow specification rules.
   It uses the BGP control plane to simplify the distribution of Access
   Control Lists (ACLs) and allows new filter rules to be injected to
   all BGP peers simultaneously without changing router configuration. A
   typical application of BGP flowspec is to automate the distribution
   of traffic filter lists to routers for Distributed Denial of Service
   (DDOS) mitigation.

   BGP flowspec defines BGP Network Layer Reachability Information
   (NLRI) formats used to distribute traffic flow specification rules.
   AFI=1/SAFI=133 is for IPv4 unicast filtering. AFI=1/SAFI=134 is for
   IPv4 BGP/MPLS VPN filtering. [FlowSpecV6] and [FlowSpecL2] extend the
   flowspec rules for IPv6 and Layer 2 Ethernet packets respectively.
   None of these previously defined flow specifications are suitable for
   matching in cases of tunneling or encapsulation where there might be
   duplicates of a layer of header such as two IPv6 headers in IP-in-IP
   or a nested header sequence such as the Layer 2 and 3 headers
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools