IDR Working Group J. Uttaro
Internet-Draft AT&T
Intended status: Standards Track
Expires: Aug 2, 2015 J. Haas
Juniper Networks
M. Texier
Arbor Networks
A. Karch
A. Sreekantiah
S. Ray
Cisco Systems
A. Simpson
W. Henderickx
Alcatel-Lucent
Feb 2, 2015
BGP Flow-Spec Redirect to IP Action
draft-ietf-idr-flowspec-redirect-ip-02.txt
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on Aug 2, 2015.
Simpson, et al Expires Aug 2, 2015 [Page 1]
Internet-Draft draft-ietf-idr-flowspec-redirect-ip-02 Feb 2015
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Abstract
Flow-spec is an extension to BGP that allows for the dissemination
of traffic flow specification rules. This has many possible
applications but the primary one for many network operators is the
distribution of traffic filtering actions for DDoS mitigation. The
flow-spec standard [RFC 5575] defines a redirect-to-VRF action for
policy-based forwarding but this mechanism can be difficult to use,
particularly in networks without L3 VPN infrastructure.
This draft defines a new redirect-to-IP flow-spec action that
provides a simpler method of policy-based forwarding. The details of
the action, including the IPv4 or IPv6 target address, are encoded
in newly defined BGP extended communities.
Table of Contents
1. Introduction...................................................3
2. Terminology....................................................3
3. Redirect to IP Extended Communities............................3
3.1. Validation Procedures.....................................5
4. Security Considerations........................................6
5. IANA Considerations............................................6
6. References.....................................................6
6.1. Normative References......................................6
6.2. Informative References....................................6
7. Contributors...................................................7
8. Acknowledgments................................................7
Simpson, et al. Expires Aug 2, 2015 [Page 2]
Internet-Draft draft-ietf-idr-flowspec-redirect-ip-02 Feb 2015
1. Introduction
Flow-spec is an extension to BGP that allows for the dissemination
of traffic flow specification rules. This has many possible
applications but the primary one for many network operators is the
distribution of traffic filtering actions for DDoS mitigation.
Every flow-spec route is effectively a rule, consisting of a
matching part (encoded in the NLRI field) and an action part
(encoded in one or more BGP extended communities). The flow-spec
standard [RFC 5575] defines widely-used filter actions such as
discard and rate limit; it also defines a redirect-to-VRF action for
policy-based forwarding. Using the redirect-to-VRF action for
redirecting traffic towards an alternate destination is useful for
DDoS mitigation but it can be complex and cumbersome, particularly
in networks without L3 VPN infrastructure.
This draft proposes a new redirect-to-IP flow-spec action that
provides a simpler method of policy-based forwarding. The details of
the action, including the IPv4 or IPv6 target address, are encoded
in newly defined BGP extended communities.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC-2119].
3. Redirect to IP Extended Communities
This document defines two new BGP extended communities. The extended
communities have a type indicating they are transitive and IPv4-
address-specific or IPv6-address-specific, depending on whether the
redirection target address is IPv4 or IPv6. The sub-type value [to
be assigned by IANA] indicates that the global administrator and
local administrator fields encode a flow-spec 'redirect to IP'
action. In the new extended communities the 4-byte or 16-byte global
administrator field encodes the IPv4 or IPv6 address that is the
redirection target address and the 2-byte local administrator field
is formatted as shown in Figure 1.
Simpson, et al. Expires Aug 2, 2015 [Page 3]
Internet-Draft draft-ietf-idr-flowspec-redirect-ip-02 Feb 2015
Figure 1 : Local Administrator
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved |C|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
In the local administrator field the least-significant bit is
defined as the 'C' (or copy) bit. When the 'C' bit is set the
redirection applies to copies of the matching packets and not to the
original traffic stream.
All bits other than the 'C' bit in the local administrator field
MUST be set to 0 by the originating BGP speaker and ignored by
receiving BGP speakers.
When a BGP speaker receives a flow-spec route with a 'redirect to
IP' extended community and this route represents the one and only
best path, it installs a traffic filtering rule that matches the
packets described by the NLRI field and redirects them (C=0) or
copies them (C=1) towards the IPv4 or IPv6 address in the extended
community's global administrator field (the 'target address'). The
BGP speaker is expected to do a longest-prefix-match lookup of the
'target address' in its forwarding information base (FIB) and
forward the redirected/copied packets based on the resulting route
(the 'target route'). If the 'target route' has multiple ECMP next-
hops the redirected/copied packets SHOULD be load-shared across
these next-hops according to the router's ECMP configuration. If the
'target route' has one or more tunnel next-hops then the appropriate
encapsulations SHOULD be added to the redirected/copied packets. If
the 'target address' is invalid or unreachable then the extended
community SHOULD be ignored.
If a BGP speaker receives a flow-spec route with multiple 'redirect
to IP' extended communities and this route represents the one and
only best path, it SHOULD load-share the redirected/copied packets
across all the 'target addresses' according to its ECMP
configuration. If the BGP speaker is not capable of redirecting and
copying the same packet it SHOULD ignore the extended communities
with C=0. If the BGP speaker is not capable of redirecting/copying a
packet towards multiple 'target addresses' it SHOULD
deterministically select one 'target address' and ignore the others.
Simpson, et al. Expires Aug 2, 2015 [Page 4]
Internet-Draft draft-ietf-idr-flowspec-redirect-ip-02 Feb 2015
If a BGP speaker receives multiple flow-spec routes for the same
flow-spec NLRI and all of them are considered best and usable paths
according to the BGP speaker's multipath configuration and each one
carries one or more 'redirect to IP' extended communities, the BGP
speaker SHOULD load-share the redirected/copied packets across all
the 'target addresses', with the same fallback rules as discussed in
the previous paragraph. Note that this situation does not require
the BGP speaker to have multiple peers - i.e. Add-Paths could be
used for the flow-spec address family.
If a BGP speaker receives a flow-spec route with one or more
'redirect to IP' extended communities and one or more 'redirect to
VRF' extended communities, and this route represents the one and
only best path, the 'redirect to IP' actions described above should
be applied in the context of the 'target VRF' matching the 'redirect
to VRF' extended community - i.e. the 'target addresses' should be
looked up in the FIB of the 'target VRF'. If there are multiple
'redirect to VRF' extended communities in the route the 'target VRF'
SHOULD be the one that matches the 'redirect to VRF' extended
community with the highest numerical value. If the BGP speaker is
not capable of 'redirect to VRF' followed by 'redirect to IP' then
it SHOULD give preference to performing the 'redirect to VRF' action
and doing only longest-prefix-match forwarding in the 'target VRF'.
If a BGP speaker receives multiple flow-spec routes for the same
flow-spec NLRI and all of them are considered best and usable paths
according to the BGP speaker's multipath configuration and they
carry a combination of 'redirect to IP' and 'redirect to VRF'
extended communities, the BGP speaker SHOULD apply the 'redirect to
IP' actions in the context of the 'target VRF' as described above.
Note that this situation does not require the BGP speaker to have
multiple peers - i.e. Add-Paths could be used for the flow-spec
address family.
3.1. Validation Procedures
The validation check described in [RFC 5575] and revised in
[VALIDATE] SHOULD be applied by default to received flow-spec routes
with a 'redirect to IP' extended community, as it is to all types of
flow-spec routes. This means that a flow-spec route with a
destination prefix subcomponent SHOULD NOT be accepted from an EBGP
peer unless that peer also advertised the best path for the matching
unicast route.
BGP speakers that support the extended communities defined in this
draft MUST also, by default, enforce the following check when
receiving a flow-spec route from an EBGP peer: if the received flow-
Simpson, et al. Expires Aug 2, 2015 [Page 5]
Internet-Draft draft-ietf-idr-flowspec-redirect-ip-02 Feb 2015
spec route has a 'redirect to IP' extended community with a 'target
address' X (in the global administrator field) and the best matching
route to X is not a BGP route with origin AS matching the peer AS
then the extended community should be discarded and not propagated
along with the flow-spec route to other peers. It MUST be possible
to disable this additional validation check on a per-EBGP session
basis.
4. Security Considerations
A system that originates a flow-spec route with a 'redirect to IP'
extended community can cause many receivers of the flow-spec route
to send traffic to a single next-hop, overwhelming that next-hop and
resulting in inadvertent or deliberate denial-of-service. This is
particularly a concern when the 'redirect to IP' extended community
is allowed to cross AS boundaries. The validation check described in
section 3.1 significantly reduces this risk.
5. IANA Considerations
This document requests a new sub-type from the "Transitive IPv4-
Address-Specific" extended community registry. The sub-type name
shall be 'Flow-spec Redirect to IPv4'.
This document requests a new sub-type from the "Transitive IPv6-
Address-Specific" extended community registry. The sub-type name
shall be 'Flow-spec Redirect to IPv6'.
IANA is requested to deprecate the type 0x0800 type/sub-type.
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
6.2. Informative References
[RFC5575] P. Marques, N. Sheth, R. Raszuk, B. Greene, J.
Mauch, D. McPherson, "Dissemination of Flow
Specification Rules", RFC 5575, August 2009.
Simpson, et al. Expires Aug 2, 2015 [Page 6]
Internet-Draft draft-ietf-idr-flowspec-redirect-ip-02 Feb 2015
[IPV6-FLOW] R. Raszuk, B. Pithawala, D. McPherson,
"Dissemination of Flow Specification Rules for
IPv6", draft-ietf-idr-flow-spec-v6-00, June 2011.
[VALIDATE] Uttaro, J., Filsfils, C., Mohapatra, P., Smith, D.,
"Revised Validation Procedure for BGP Flow
Specifications", draft-ietf-idr-bgp-flowspec-oid-
00, June 2012.
7. Contributors
David Smith
Cisco
111 Wood Avenue South
Iselin, NJ 08830
USA
E-mail: djsmith@cisco.com
8. Acknowledgments
The authors would like to thank Han Nguyen and Robert Raszuk for
their feedback and suggestions.
This document was prepared using 2-Word-v2.0.template.dot.
Simpson, et al. Expires Aug 2, 2015 [Page 7]
Internet-Draft draft-ietf-idr-flowspec-redirect-ip-02 Feb 2015
Authors' Addresses
James Uttaro
AT&T
200 S. Laurel Avenue
Middletown, NJ 07748
USA
Email: ju1738@att.com
Jeffrey Haas
Juniper Networks
1194 N. Mathida Ave.
Sunnyvale, CA 94089
USA
Email: jhaas@juniper.net
Andy Karch
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134
USA
Email: akarch@cisco.com
Saikat Ray
Cisco Systems, Inc.
170, West Tasman Drive
San Jose, CA 95134
USA
Email: sairay@cisco.com
Pradosh Mohapatra
Cumulus Networks
Email: pmohapat@cumulusnetworks.com
Wim Henderickx
Alcatel-Lucent
Copernicuslaan 50
2018 Antwerp, Belgium
Email: wim.henderickx@alcatel-lucent.be
Adam Simpson
Alcatel-Lucent
600 March Road
Ottawa, Ontario K2K 2E6
Canada
Email: adam.simpson@alcatel-lucent.com
Simpson, et al. Expires Aug 2, 2015 [Page 8]
Internet-Draft draft-ietf-idr-flowspec-redirect-ip-02 Feb 2015
Matthieu Texier
Arbor Networks
38 Rue de Berri
75008 Paris
Email: mtexier@arbor.net
Simpson, et al. Expires Aug 2, 2015 [Page 9]