BGP Dissemination of Flow Specification Rules for Tunneled Traffic
draft-ietf-idr-flowspec-nvo3-08

Document Type Active Internet-Draft (idr WG)
Last updated 2020-01-16
Replaces draft-hao-idr-flowspec-nvo3
Stream IETF
Intended RFC status Proposed Standard
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state I-D Exists
Consensus Boilerplate Yes
INTERNET-DRAFT                                               D. Eastlake
Intended Status: Proposed Standard                Futurewei Technologies
                                                                  W. Hao
                                                               S. Zhuang
                                                                   Z. Li
                                                     Huawei Technologies
                                                                   R. Gu
                                                             China Mobile
Expires: July 15, 2020                                  January 16, 2020

                          BGP Dissemination of
             Flow Specification Rules for Tunneled Traffic
                    draft-ietf-idr-flowspec-nvo3-08

Abstract
   This draft specifies a Border Gateway Protocol Network Layer
   Reachability Information (BGP NLRI) encoding format for flow
   specifications (RFC 5575bis) that can match on a variety of tunneled
   traffic. In addition, flow specification components are specified for
   certain tunneling header fields.

Status of This Document

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Distribution of this document is unlimited. Comments should be sent
   to the authors or the IDR Working Group mailing list <idr@ietf.org>.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft
   Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

D. Eastlake, et al                                              [Page 1]
INTERNET-DRAFT                                      BGP Tunnel Flow-Spec

Table of Contents

      1. Introduction............................................3
      1.1 Terminology............................................3

      2. Tunneled Traffic Flow Specification NLRI................5
      2.1 The SAFI Code Point....................................7
      2.2 Tunnel Header Component Code Points....................8
      2.3 Specific Tunnel Types..................................9
      2.3.1 VXLAN................................................9
      2.3.2 VXLAN-GPE...........................................10
      2.3.3 NVGRE...............................................11
      2.3.4 L2TPv3..............................................11
      2.3.5 GRE.................................................12
      2.3.6 IP-in-IP............................................12
      2.4 Tunneled Traffic Actions..............................12

      3. Order of Traffic Filtering Rules.......................13
      4. Flow Spec Validation...................................14

      5. Security Considerations................................14
      6. IANA Considerations....................................14

      Normative References......................................15
      Informative References....................................16

      Acknowledgments...........................................17
      Authors' Addresses........................................17


1. Introduction

   BGP Flow-spec [RFC5575bis] is an extension to BGP that supports the
   dissemination of traffic flow specification rules.  It uses the BGP
   control plane to simplify the distribution of Access Control Lists
   (ACLs) and allows new filter rules to be injected into all BGP peers
   simultaneously without changing router configuration. A typical
   application of BGP Flow-spec is to automate the distribution of
   traffic filter lists to routers for Distributed Denial of Service
   (DDoS) mitigation.

   BGP Flow-spec defines a BGP Network Layer Reachability Information
   (NLRI) format used to distribute traffic flow specification rules.
   AFI=1/SAFI=133 is for IPv4 unicast filtering. AFI=1/SAFI=134 is for
   IPv4 BGP/MPLS VPN filtering. [FlowSpecV6] and [FlowSpecL2] extend the
   flow-spec rules for IPv6 and layer 2 Ethernet packets respectively.
   None of these previous flow specifications are suitable for matching
   in cases of tunneling or encapsulation where there might be
   duplicates of a layer of header such as two IPv6 headers in IP-in-IP
   or a nested header sequence such as the layer 2 and 3 headers