I2RS working group                                               S. Kini
Internet-Draft                                                  Ericsson
Intended status: Standards Track                                S. Hares
Expires: April 21, 2016                                        L. Dunbar
                                                             A. Ghanwani
                                                             R. Krishnan
                                                           D. Bogdanovic
                                                        Juniper Networks
                                                             J. Tantsura
                                                                R. White
                                                        October 19, 2015

                   Filter-Based RIB Information Model


   This document defines an information model for the I2RS Filter-based
   Routing Information Base (RIB) Yang model.  A routing system uses the
   Filter-based RIBto program FIB entries that process incoming packets
   by matching on multiple fields within the packet and then performing
   a specified action on it.  The FB-RIB can also specify an action to
   forward the packet according to the FIB entries programmed using the
   RIBs of its routing instance.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 21, 2016.

Kini, et al.             Expires April 21, 2016                 [Page 1]

Internet-Draft             Filter-Base RIB IM               October 2015

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Definition of I2RS Filter Based RIB . . . . . . . . . . .   3
     1.2.  ECA Policy Supported  . . . . . . . . . . . . . . . . . .   3
     1.3.  I2RS Use Cases Suported by Filter-Based RIB . . . . . . .   4
   2.  Definitions and Acronyms  . . . . . . . . . . . . . . . . . .   4
   3.  Filter-Based-RIB module . . . . . . . . . . . . . . . . . . .   5
     3.1.  FB-RIB entries  . . . . . . . . . . . . . . . . . . . . .   7
     3.2.  Relationship between RB-RIB Rule Model and RIB
           Information Model . . . . . . . . . . . . . . . . . . . .   9
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     6.1.  Normative References: . . . . . . . . . . . . . . . . . .  10
     6.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   The Interface to the Routing System (I2RS)
   [I-D.ietf-i2rs-architecture] architecture provides dynamic read and
   write access to the information and state within the routing
   elements.  The I2RS client interacts with the I2RS agent in one or
   more network routing systems.

   This document provides an information module for the I2RS filter
   Based Routing Information Base (FB-RIB) and describes the I2RS
   interaction with routing filters within a routing element.

Kini, et al.             Expires April 21, 2016                 [Page 2]

Internet-Draft             Filter-Base RIB IM               October 2015

1.1.  Definition of I2RS Filter Based RIB

   Filter-based routing is a technique used to make packet forwarding
   decisions based on a filter that is matched to the incoming packets
   and the specified action.  It should be noted that that this is
   distinct from the static routes in the RIB
   [I-D.ietf-i2rs-rib-info-model] where the routing is destination
   ddress based.

   A Filter-Based RIB (Routing Information Base) is contained in a
   routing instance (defined in [I-D.ietf-i2rs-rib-info-model]).  It
   contains a list of filters (match-action conditions), a list of
   interface the filter-based forwarding operates on.  Filter-based RIBs
   (FB-RIBs) operate only on the interface the FB-RIB are configured on.

   A Filter Based RIB uses Event-Condition-Action policy.  A Filter-
   based RIB entry specifies matches on fields in a packet (which may
   include layer 2 fields, IP header fields, transport or application
   fields) or size of the packet or interface received on.  The matches
   are contained in an ordered list of filters which contain pairs of
   match condition-action (aka event-condition-action).

   If all matches fail, default action is to forward the packet using
   FIB entries that were programmed by the Routing Informational Base
   (RIB) manager described in [I-D.ietf-i2rs-rib-info-model].

   Actions in the condition-action pair may impact forwarding or set
   something in the packet that will impact forwarding.  Policy actions
   are typically applied before applying QoS constraints since policy
   actions may override QoS constraint.

   The Filter-Based RIB resides in ephemeral state as does the I2RS RIB
   and I2RS topology models.

1.2.  ECA Policy Supported

   The filter based-RIB uses event-condition-action policy (ECA) rules.
   The following policies are used in this version of the yang module:

   o  Access lists (ACLs) [I-D.ietf-netmod-acl-model]

   o  Basic network filters [I-D.hares-i2rs-bnp-info-model]

   Proprietary filters may augment these IETF defined ECA rules.  The
   IETF filters support basic filtering plus QOS and load balancing.
   Below is an example set of match conditions on ingreessI2RS that the
   basic I2RS FB-RIB can support.

Kini, et al.             Expires April 21, 2016                 [Page 3]

Internet-Draft             Filter-Base RIB IM               October 2015

                 Ingress filter Matches (for ECA policy)
          |       |        |         |     |      |    |     |
          |       |        |         |     |      |    |     |
      L3-Header L2-header L4-header VLAN  VN ID  size event ...

     Figure 1: Possible matching conditions for basic network filters

1.3.  I2RS Use Cases Suported by Filter-Based RIB

   The I2RS use cases which benefit from Filter-Based Routing are:

   o  Protocol independent Use cases and large flow use cases described
      in [I-D.hares-i2rs-usecase-reqs-summary].

   o  the use cases of steering traffic to their designated service
      functions that are different than the packet's destinations, and

   o  large flow use cases described in

2.  Definitions and Acronyms


      Command Line Interface


      Filter-Based Routing Information Base


      The policy rules in the filter-based RIB are prescriptive of the
      Event-Condition-Action form which is often represented by if
      Condition then action".

   Policy Group

      Policy Groups are groups of policy rules.  The groups of policy in
      the basic network policy [I-D.hares-i2rs-bnp-info-model] allow
      grouping of policy by name.  This name allow easier management of
      customer-based or provider based filters.


Kini, et al.             Expires April 21, 2016                 [Page 4]

Internet-Draft             Filter-Base RIB IM               October 2015

      RIB Informational Model (RIB IM) [I-D.ietf-i2rs-rib-info-model]

   Routing instance

      A routing instance, in the context of the FB-FIB is a collection
      of RIBs, interfaces, and routing parameters.  A routing instance
      creates a logical slice of the router and allows different logical
      slices; across a set of routers; to communicate with each other.

3.  Filter-Based-RIB module

   A Filter-Based RIB (FB-RIB)contains an ordered set of filter routes
   where each filter-route is a match condition followed by an action.
   An FB-RIB is contained in a routing-instance that is defined in
   [I-D.ietf-i2rs-rib-info-model] and whose data modelling is done in
   [I-D.ietf-i2rs-rib-data-model].  An FB-RIB has a list of interfaces
   that is a subset of the list of interfaces in the routing-instance
   that it is contained in.  An incoming packet on an interface
   belonging to a FB-RIB is first handled by the FIB programmed using
   that FB-RIB.  If no match action succeeds, then the packet is
   forwarded using the FIB programmed using the RIB of that routing

   An ordered set of filters implies that the insertion of a filter
   route into a FB-RIB MUST provide the ability to insert a filter route
   at any specific position and delete of a filter-based route at a
   specific position.  The ability to change a filter route at a
   specific position combines these two functions (delete an existing
   filter route rule and add a new policy rule).

   Each FB-RIB is contained within a routing instance, but one routing
   instance (named by an INSTANCE_NAME) can contain multiple FB-RIBs.
   Each routing instance is associated with a set of interfaces, a
   router-id, and list of FB-RIBs.  Each interface can be associated
   with at most one FB RIB.

   The processing within the FB-RIB process within the routing system is
   expected to do the following:

   o  When a packet successfully matches match term/entry in a filter-
      route, the corresponding rule-actions are applied.

   o  If a packet does not match the match term/entry in the filter
      route, the filter route processing goes to the next term/entry in
      the order, and looks for a match, within the current filter or
      goes to the next filter in the list.  This continues until either
      a filter route match term/entry is successfully matched, or no
      more filters in the list exists.

Kini, et al.             Expires April 21, 2016                 [Page 5]

Internet-Draft             Filter-Base RIB IM               October 2015

   o  If no match has been found within list of filters in FB-RIB list,
      then the packet will be forwarded using the I2RS RIB specified by
      the FB-RIB if one exists.  If no I2RS RIB is specified, the packet
      will be discarded.

            |     routing instance          |
               |FB-RIB *list |
               |             |
            |        FB-RIB               |
                 |  +---|----+  +-----|-----+
                 |  | I2 RIB |  |interface* |
                 |  | Name   |  | (Names)   |
                 |  +--------+  +-----------+
            | FB-RIB Ordered List   |
            |   of filter rules     |
                        | Filter policy list-entries
                        | entries depend on type
                        |  (ACL, Routing, QOS, SFC)
            |    Groups             |
                        | Groups depend on type
            |      Rules (by type)     |
            |(ordered list of rules of |
            | the form match-action)   |
                        | Entries depend on type

              Figure 2: Routing instance with FB-RIB

Kini, et al.             Expires April 21, 2016                 [Page 6]

Internet-Draft             Filter-Base RIB IM               October 2015

   Policy definitions

   ACL types:
   Policy level access-lists
   group level: access_lists: access-list-entries
   rule level:  access_lists: access-list-entries:

   Policy level: bnp-eca: bnp-policy-set
   group level:  bnp-eca: bnp-policy-set:rule-group-list:rule-group
   rule level:   bnp-eca: bnp-policy-set:rule-group-list:rule-group
                 policy-rule-list: policy-rule

   Note: The ACL policy definitions do not provide sufficient
          depth for the I2RS Filter RIB, but
              are provided here for early implementations.

   Figure 3

3.1.  FB-RIB entries

   The FB-RIB entries associated with each FB-RIB in a routing instance

   instance-name (FB-FIB-instance-name)

      Name of Routing instance

   router-id (FB-RIB-router-id)

      router id associated with the FB-RIB function of the Routing


      A list of interfaces that all of the FB-RIB RIBs operate over.
      This list must be a subset of the interface_list associated with
      the routing instance.

   Default RIB

      A RIB contained in the same routing instance that can be used to
      forward packets when the FIB entries in the FB-RIB list do not
      match the packets.  This Default-RIB forwards based on destination
      based routing.

Kini, et al.             Expires April 21, 2016                 [Page 7]

Internet-Draft             Filter-Base RIB IM               October 2015

   FB-RIB Order list of policy (FB-FIB-O-Filters

      ordered list of filter rules of the form in

   The Top-level Yang structure for the FB-RIB is:

    module: FB-RIB
       +--rw FB-RIB-instance-name
       +--rw RB-RIB-router-id
       |  uses rt:router-id
       +--rw FB-RIB*  [rib-name]
       |  +--rw rib-Name
       |  +--rw rib-afi
       |  +--rw fb-rib-intf* if:inteface-ref
       |  +--rw default-I2RS-RIB
       |  |  +--RIB-name
       |  |    uses i2rs-rib:name
       |  +--rw fb-rib-status-info
       |  +--rw fb-rib-update-ref uint64
       |  +--rw fb-rib-Group*
             +-rw filter-type  // for group
             +-rw order-number // for group
               + choice (filter-type)
                 +-case: acl
                  uses: acl: access_lists: access-list-entries
                             // operational status augment to group
                  augments: access_lists: access-list-entries
                  uses fb-rib-group-order_status;

              // operational status augment to individual ACL
                  augments: access_lists:access-list-entries:
                               uses fb-rib-rule-order-status;

               +--case: bnp-eca Rules
                  uses bnp-eca: bnp-policy-set
                    augments bnp-eca:bnp-policy-set:group-list:group
                        uses fb-rib-group-order_status
                    augment bnp-eca:bnp-policy-set:group-list:group:rule
                        uses fb-rib-rule-order_status

                     Figure 4: FB RIB Yang Structure

Kini, et al.             Expires April 21, 2016                 [Page 8]

Internet-Draft             Filter-Base RIB IM               October 2015

3.2.  Relationship between RB-RIB Rule Model and RIB Information Model

   The I2RS RIB module is described in [I-D.ietf-i2rs-rib-info-model]
   and [I-D.ietf-i2rs-rib-data-model].  The I2RS RIB contains a
   collection of RIBs with the following information per instance:

   o  The set of interfaces indicates which interfaces are associated
      with this routing instance.

   o  The RIBs specify how incoming traffic is to be forwarded based on
      destination (E.g.  RIB and FB-RIB).

   o  The routing parameters control the information in the RIBs.

   A routing instance may have both an I2RS RIB modules and I2RS FB-FIB
   modules associated with it.

   FB-RIB and RIB can not be used at the same time, which means:

   o  If a router doesn't support filter-based routing, a router MUST
      use RIB and MUST not use FB-RIB.

   o  If a router supports filter-based routing:

      *  FB-RIB is used

      *  Multiple FB-RIBs may exist within a routing instance

      *  An interface can be associated with at most one FB-RIB

      *  The Default RIB for a FB-RIB is used if several criteria beyond
         destination address is not matched.

4.  IANA Considerations


5.  Security Considerations

   A I2RS RIB is ephemeral data store that will dyanamically change
   traffic paths set by the routing configuration.  An I2RS FB-RIB
   provides dynamic Event-Condition-Action policy that will further
   change the operation of forwarding by allow dyanmic policy and
   ephemeral RIBs to alter the traffic paths set by routing
   configuration.  Care must be taken in deployments to use the
   appropriate security and operational control to make use of the tools
   the I2RS RIB and I2RS FB-RIB provide.

Kini, et al.             Expires April 21, 2016                 [Page 9]

Internet-Draft             Filter-Base RIB IM               October 2015

6.  References

6.1.  Normative References:

              Hares, S., Wu, Q., Tantsura, J., and R. White, "An
              Information Model for Basic Network Policy and Filter
              Rules", draft-hares-i2rs-bnp-info-model-02 (work in
              progress), March 2015.

              Atlas, A., Halpern, J., Hares, S., Ward, D., and T.
              Nadeau, "An Architecture for the Interface to the Routing
              System", draft-ietf-i2rs-architecture-09 (work in
              progress), March 2015.

              Wang, L., Ananthakrishnan, H., Chen, M.,
              amit.dass@ericsson.com, a., Kini, S., and N. Bahadur, "A
              YANG Data Model for Routing Information Base (RIB)",
              draft-ietf-i2rs-rib-data-model-01 (work in progress),
              September 2015.

              Bahadur, N., Kini, S., and J. Medved, "Routing Information
              Base Info Model", draft-ietf-i2rs-rib-info-model-07 (work
              in progress), September 2015.

              Bogdanovic, D., Sreenivasa, K., Huang, L., and D. Blair,
              "Network Access Control List (ACL) YANG Data Model",
              draft-ietf-netmod-acl-model-03 (work in progress), June

6.2.  Informative References

              Hares, S. and M. Chen, "Summary of I2RS Use Case
              Requirements", draft-hares-i2rs-usecase-reqs-summary-02
              (work in progress), May 2015.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

Kini, et al.             Expires April 21, 2016                [Page 10]

Internet-Draft             Filter-Base RIB IM               October 2015

Authors' Addresses

   Sriganesh Kini

   Email: sriganesh.kini@ericsson.com

   Susan Hares
   7453 Hickory Hill
   Saline, MI  48176

   Email: shares@ndzh.com

   Linda Dunbar

   Email: linda.dunbar@huawei.com

   Anoop Ghanwani

   Email: anoop@alumni.duke.edu

   Ram Krishnan

   Email: Ramkri123@gmail.com

   Dean Bogdanovic
   Juniper Networks
   Westford, MA

   Email: deanb@juniper.net

   Jeff Tantsura

   Email: jeff.tantsura@ericsson.com

Kini, et al.             Expires April 21, 2016                [Page 11]

Internet-Draft             Filter-Base RIB IM               October 2015

   Russ White

   Email: russ@riw.us

Kini, et al.             Expires April 21, 2016                [Page 12]