Isis Working Group                                                J. You
Internet-Draft                                                  Q. Liang
Intended status: Standards Track                                  Huawei
Expires: March 29, 2015                               September 25, 2014


                IS-IS Extensions for Flow Specification
                 draft-you-isis-flowspec-extensions-00

Abstract

   This document discusses the use cases that make distribution of flow
   specification (FlowSpec) routes by IS-IS necessary.  One advantage is
   to mitigate the impact of Denial-of-Service (DoS) attacks.  This
   document also defines a new IS-IS FlowSpec reachability TLV encoding
   format that can be used to distribute the FlowSpec routes.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 29, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of



You & Liang              Expires March 29, 2015                 [Page 1]


Internet-Draft                ISIS FlowSpec               September 2014


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Use Cases for IS-IS based FlowSpec Distribution . . . . . . .   3
     3.1.  BGP/MPLS VPN  . . . . . . . . . . . . . . . . . . . . . .   3
       3.1.1.  Traffic Analyzer Deployed in Provider Network . . . .   3
       3.1.2.  Traffic Analyzer Deployed in Customer Network . . . .   4
     3.2.  IS-IS Campus Network  . . . . . . . . . . . . . . . . . .   5
   4.  IS-IS Extensions for FlowSpec Routes  . . . . . . . . . . . .   6
     4.1.  FlowSpec Filters sub-TLV  . . . . . . . . . . . . . . . .   7
     4.2.  FlowSpec Action sub-TLV . . . . . . . . . . . . . . . . .   7
   5.  Import-policy Extended Community  . . . . . . . . . . . . . .   8
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
     6.1.  FlowSpec reachability TLV . . . . . . . . . . . . . . . .   8
     6.2.  FlowSpec Filters sub-TLV  . . . . . . . . . . . . . . . .   8
     6.3.  FlowSpec Action sub-TLV . . . . . . . . . . . . . . . . .   9
   7.  Security considerations . . . . . . . . . . . . . . . . . . .   9
   8.  Acknowledgement . . . . . . . . . . . . . . . . . . . . . . .   9
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   [RFC5575] defines a new Border Gateway Protocol Network Layer
   Reachability Information (BGP NLRI) encoding format that can be used
   to distribute traffic flow specifications.  One application of that
   encoding format is to automate inter-domain coordination of traffic
   filtering, such as what is required in order to mitigate
   (distributed) DoS attacks.  [RFC5575] allows flow specifications
   received from an external autonomous system to be forwarded to a
   given BGP peer.  However, in order to block the attack traffic more
   effectively, it is better to distribute the BGP FlowSpec routes to
   the customer network, which is much closer to the attacker.

   For networks that do not deploy BGP, and for the internal nodes of an
   AS (Autonomous System), the IGP (Interior Gateway Protocol) is
   expected to be extended to distribute FlowSpec routes.  This document
   discusses the use cases that make distribution of FlowSpec routes by
   IS-IS necessary.  One advantage is to mitigate the impact of
   Denial-of-Service (DoS) attacks.  This document also defines a new
   IS-IS FlowSpec reachability TLV encoding format that can be used to
   distribute the FlowSpec routes.

2.  Terminology

   This section contains definitions for terms used frequently
   throughout this document.  However, many additional definitions can
   be found in [RFC1142] and [RFC5575].

      Flow Specification (FlowSpec): A flow specification is an n-tuple
      of matching criteria (filters) that can be applied to IP traffic,
      together with the actions to apply to the traffic that matches.
      In this document each FlowSpec consists of a set of filters and a
      set of actions.

3.  Use Cases for IS-IS based FlowSpec Distribution

   For networks that do not deploy BGP, and for the internal nodes of an
   AS, the IGP is expected to be extended to distribute FlowSpec routes:
   FlowSpec routes installed in the customer network are closer to the
   attacker than routes installed only in the provider network.
   Consequently, the attack traffic can be blocked, or suspicious
   traffic limited to a low rate, as early as possible.

   The following sub-sections discuss the use cases for IS-IS based
   FlowSpec routes distribution.

3.1.  BGP/MPLS VPN

   [RFC5575] defines a BGP NLRI encoding format to distribute traffic
   flow specifications in networks that deploy BGP.  However, in the
   BGP/MPLS VPN scenario an IGP (e.g.  IS-IS, OSPF) is used between PE
   (Provider Edge) and CE (Customer Edge) in many deployments.  In order
   to distribute the FlowSpec routes to the customer network, the IGP
   needs to support FlowSpec route distribution.  The FlowSpec routes
   are usually generated by the traffic policy center or the traffic
   analyzer in the network.  Depending on where the traffic analyzer is
   deployed, two different distribution scenarios are discussed below.

3.1.1.  Traffic Analyzer Deployed in Provider Network

   The traffic analyzer (also acting as the traffic policy center) could
   be deployed in the provider network as shown in Figure 1.  If the
   traffic analyzer detects attack traffic from the customer network
   VPN1, it generates FlowSpec routes to mitigate the DoS attack.  The
   FlowSpec routes, carrying route distinguisher information
   corresponding to VPN1, are distributed from the traffic analyzer to
   PE1, to which the traffic analyzer is attached.  If the traffic
   analyzer is also a BGP speaker, it can distribute the FlowSpec routes
   using BGP [RFC5575].  PE1 then distributes the FlowSpec routes
   further to PE2.  Finally, the FlowSpec routes are distributed from
   PE2 to CE2 using IS-IS, i.e. into the customer network VPN1.  As the
   attacker is more likely to be located in the customer network,
   installing the FlowSpec routes on CE2 mitigates the impact of the DoS
   attack more effectively.

              +--------+
              |Traffic |
          +---+Analyzer|                      -----------
          |   +--------+                   //-           -\\
          |                             ///                 \\\
          |FlowSpec                    /                       \
          |                          //                         \\
          |                         |                             |
       +--+--+       +-----+        | +-----+       +--------+    |
       | PE1 +-------+ PE2 +-------+--+ CE2 +-------+Attacker|     |
       +-----+       +-----+       |  +-----+       +--------+     |
                                   |                               |
         |              |           |    |                |       |
         | BGP FlowSpec | ISIS FlowSpec  |  Attack Traffic|       |
         |              |            \\  |                |     //
                                       \                       /
                                        \\\      VPN1       ///
                                           \\--         --//
                                               ---------

       Figure 1: Traffic Analyzer deployed in Provider Network

3.1.2.  Traffic Analyzer Deployed in Customer Network

   The traffic analyzer (also acting as the traffic policy center) could
   be deployed in the customer network as shown in Figure 2.  If the
   traffic analyzer detects attack traffic, it generates FlowSpec routes
   to mitigate the DoS attack.  The FlowSpec routes are then distributed
   from the traffic analyzer to CE1 using IS-IS or another policy
   protocol (e.g.  a RESTful API over HTTP).  Further, the FlowSpec
   routes need to be distributed through the provider network via PE1
   and PE2 to CE2, i.e. to the remote customer network VPN1 Site1.  If
   the FlowSpec routes are installed on CE2, the attack traffic can be
   blocked as close to its source as possible.

        +--------+
        |Traffic |
    +---+Analyzer|
    |   +--------+                                     --------
    |                                              //--        --\\
    |FlowSpec                                    //                \\
    |                                           /                    \
    |                                         //                      \\
 +--+--+        +-----+       +-----+        | +-----+       +--------+ |
 | CE1 +--------+ PE1 +-------+ PE2 +--------+-+ CE2 +-------+Attacker| |
 +-----+        +-----+       +-----+        | +-----+       +--------+ |
                                            |                            |
   |               |             |          |     |                |     |
   | ISIS FlowSpec | BGP FlowSpec| ISIS FlowSpec  | Attack Traffic |    |
   |               |             |           |    |                |    |
                                             |                          |
                                              \\                      //
                                                \    VPN1 Site1      /
                                                 \\                //
                                                   \\--        --//
                                                       --------

    Figure 2: Traffic Analyzer deployed in Customer Network

3.2.  IS-IS Campus Network

   For networks that do not deploy BGP, for example a campus network
   running IS-IS, IS-IS is expected to be extended to distribute
   FlowSpec routes as shown in Figure 3.  In this kind of network, the
   traffic analyzer can be co-located with a router; the FlowSpec routes
   from the traffic analyzer then need to be distributed to the other
   routers in the domain using IS-IS.

                   +--------+
                   |Traffic |
               +---+Analyzer|
               |   +--------+
               |
               |FlowSpec
               |
               |
            +--+-------+           +----------+        +--------+
            | Router A +-----------+ Router B +--------+Attacker|
            +----------+           +----------+        +--------+

                  |                     |                  |
                  |    ISIS FlowSpec    |  Attack Traffic  |
                  |                     |                  |

                     Figure 3: IS-IS Campus Network

4.  IS-IS Extensions for FlowSpec Routes

   This document defines a new IS-IS TLV, the FlowSpec reachability TLV
   (TLV type: TBD1), which is carried in a Link State Protocol Data Unit
   (LSP) [RFC1142] to describe the FlowSpec routes.

   The FlowSpec reachability TLV carries one or more FlowSpec entries.
   Each FlowSpec entry consists of FlowSpec filters (FlowSpec Filters
   sub-TLVs) and the corresponding FlowSpec actions (FlowSpec Action
   sub-TLVs).

   The FlowSpec reachability TLV is defined below in Figure 4:

                      0                   1
                      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                     |  Type (TBD1)  |    Length     |
                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                     |   Length 1    |   FlowSpec    |
                     +-+-+-+-+-+-+-+-+               +
                     |    Entry 1 (variable)         |
                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                     |   Length 2    |   FlowSpec    |
                     +-+-+-+-+-+-+-+-+               +
                     |    Entry 2 (variable)         |
                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                     |             ...               |

                    Figure 4: FlowSpec Reachability TLV

      Type: 1 octet.  Type code is TBD1.

      Length: 1 octet.  The length field defines the length of the value
      portion in octets (thus a TLV with no value portion would have a
      length of 0).

      Value: variable.  The value field contains one or more 2-tuples,
      each consisting of a Length and a FlowSpec entry.  Each 2-tuple
      starts with 1 octet of Length, followed by a variable-length
      FlowSpec entry consisting of FlowSpec Filters sub-TLVs and the
      corresponding FlowSpec Action sub-TLVs.  The Length specifies the
      number of octets of the FlowSpec entry.  Because both Length
      fields are 1 octet, neither the value portion of the TLV nor a
      single FlowSpec entry can exceed 255 octets, and a receiver has to
      check each entry Length against the remaining TLV value before
      parsing the sub-TLVs it delimits.

4.1.  FlowSpec Filters sub-TLV

   The IS-IS FlowSpec Filters sub-TLV is one component of a FlowSpec
   entry, carried in the FlowSpec reachability TLV.  It is defined in
   Figure 5.

                   0                   1
                   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
                  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                  |   Type (TBD2) |    Length     |
                  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                  |    Filters (variable)         |
                  +                               +
                  |             ...               |

                 Figure 5: IS-IS FlowSpec Filters sub-TLV

      Type: 1 octet.  Type code is TBD2.

      Length: 1 octet.  The size of the Filters field in octets.

      Filters: the same as the "flow-spec NLRI value" defined in
      [RFC5575].

4.2.  FlowSpec Action sub-TLV

   The IS-IS FlowSpec Action sub-TLV is the other component of a
   FlowSpec entry.  One or more FlowSpec Action sub-TLVs are associated
   with a FlowSpec Filters sub-TLV, and different FlowSpec Filters
   sub-TLVs may share the same FlowSpec Action sub-TLV(s).

   The following IS-IS FlowSpec Action sub-TLVs carry the same actions,
   with the same encodings, as defined in [RFC5575].

       Table 1: Traffic Filtering Actions in [RFC5575]

    +---------+---------------------+--------------------------+
    | type    | FlowSpec Action     | encoding                 |
    +---------+---------------------+--------------------------+
    | TBD3    | traffic-rate        | 2-byte as#, 4-byte float |
    | TBD4    | traffic-action      | bitmask                  |
    | TBD5    | redirect            | 6-byte Route Target      |
    | TBD6    | traffic-marking     | DSCP value               |
    +---------+---------------------+--------------------------+
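
   As an added worked example (not part of this draft), the following
   Python encodes and then parses a FlowSpec reachability TLV (Figure 4)
   carrying one FlowSpec entry: a Filters sub-TLV (Section 4.1) that
   matches UDP traffic to a destination prefix and port, and a
   traffic-rate Action sub-TLV (Table 1) with a rate of 0, which
   [RFC5575] defines as discard.  The type codes are TBD in this
   document, so the numeric values used are placeholders; the Filters
   field is assumed to carry the RFC 5575 component list without the
   leading NLRI length, since the sub-TLV Length already delimits it;
   and the decoder rejects any 2-tuple or sub-TLV whose Length overruns
   its container instead of reading past it.  The sample TLV is
   constructed in the code.

```python
import ipaddress
import struct

# Type codes are TBD in the draft; these values are placeholders (assumption).
TLV_FLOWSPEC_REACH = 250   # TBD1
SUBTLV_FILTERS = 1         # TBD2
SUBTLV_TRAFFIC_RATE = 2    # TBD3

def _tlv(tlv_type, value):
    """One-octet Type and Length; bytes() raises ValueError if len > 255."""
    return bytes([tlv_type, len(value)]) + value

def encode_filters(dst_prefix, ip_proto, dst_port):
    """RFC 5575 components: destination prefix, IP protocol, destination port."""
    # Assumption: Filters carries the component list without a leading NLRI length.
    net = ipaddress.IPv4Network(dst_prefix)
    nbytes = (net.prefixlen + 7) // 8         # prefix octets are truncated
    comps = bytes([1, net.prefixlen]) + net.network_address.packed[:nbytes]
    comps += bytes([3, 0x81, ip_proto])       # 0x81: end-of-list, 1 octet, eq
    comps += bytes([5, 0x91]) + struct.pack("!H", dst_port)  # 0x91: 2 octets, eq
    return _tlv(SUBTLV_FILTERS, comps)

def encode_traffic_rate(asn, rate_bytes_per_sec):
    """traffic-rate action: 2-octet AS number, 4-octet IEEE float (0 = drop)."""
    return _tlv(SUBTLV_TRAFFIC_RATE, struct.pack("!Hf", asn, rate_bytes_per_sec))

def encode_entry(filters_subtlv, action_subtlvs):
    """One Figure 4 2-tuple: 1-octet Length, then the sub-TLVs."""
    body = filters_subtlv + b"".join(action_subtlvs)
    return bytes([len(body)]) + body

def _iter_subtlvs(data):
    """Yield (type, value) pairs, rejecting headers or values that overrun."""
    off = 0
    while off < len(data):
        if off + 2 > len(data) or off + 2 + data[off + 1] > len(data):
            raise ValueError("sub-TLV overruns FlowSpec entry")
        sub_len = data[off + 1]
        yield data[off], data[off + 2:off + 2 + sub_len]
        off += 2 + sub_len

def decode_filters(value):
    """Decode RFC 5575 component types 1-6; anything else is rejected."""
    names = {3: "ip_proto", 4: "port", 5: "dst_port", 6: "src_port"}
    comps, off = {}, 0
    while off < len(value):
        ctype, off = value[off], off + 1
        if ctype in (1, 2):                            # dst / src prefix
            plen, off = value[off], off + 1
            nbytes = (plen + 7) // 8
            raw = value[off:off + nbytes]
            if len(raw) != nbytes:
                raise ValueError("truncated prefix component")
            off += nbytes
            addr = ipaddress.IPv4Address(raw.ljust(4, b"\x00"))
            comps["dst_prefix" if ctype == 1 else "src_prefix"] = f"{addr}/{plen}"
        elif ctype in names:                           # (operator, value) list
            ops, op = [], 0
            while not op & 0x80:                       # bit 7: end-of-list
                op, off = value[off], off + 1
                vlen = 1 << ((op >> 4) & 0x3)          # bits 5-4: log2(value len)
                if off + vlen > len(value):
                    raise ValueError("truncated numeric operator value")
                ops.append((op & 0x07, int.from_bytes(value[off:off + vlen], "big")))
                off += vlen
            comps[names[ctype]] = ops
        else:
            raise ValueError(f"unsupported component type {ctype}")
    return comps

def decode_reach_tlv(tlv):
    """Parse a FlowSpec reachability TLV; unknown action sub-TLVs are skipped."""
    if len(tlv) < 2 or tlv[0] != TLV_FLOWSPEC_REACH or tlv[1] != len(tlv) - 2:
        raise ValueError("bad TLV header or Length")
    value, entries, off = tlv[2:], [], 0
    while off < len(value):
        elen, off = value[off], off + 1
        if off + elen > len(value):
            raise ValueError("entry Length overruns TLV value")
        entry, off = value[off:off + elen], off + elen
        filters, actions = [], []
        for sub_type, sub_val in _iter_subtlvs(entry):
            if sub_type == SUBTLV_FILTERS:
                filters.append(decode_filters(sub_val))
            elif sub_type == SUBTLV_TRAFFIC_RATE and len(sub_val) == 6:
                actions.append(("traffic-rate",) + struct.unpack("!Hf", sub_val))
        entries.append({"filters": filters, "actions": actions})
    return entries

def is_malformed(tlv):  # True when the decoder rejects TLV (exercises the checks)
    try:
        decode_reach_tlv(tlv)
    except (ValueError, IndexError):
        return True
    return False

# Constructed example: discard UDP (protocol 17) to 192.0.2.0/24 port 53.
EXAMPLE_TLV = _tlv(TLV_FLOWSPEC_REACH, encode_entry(
    encode_filters("192.0.2.0/24", 17, 53), [encode_traffic_rate(64496, 0.0)]))
```

   decode_reach_tlv(EXAMPLE_TLV) returns one entry whose filters carry
   the destination prefix 192.0.2.0/24, IP protocol 17 and destination
   port 53, and whose single action is the traffic-rate of 0.
   is_malformed() returns True when the entry Length or a sub-TLV Length
   is corrupted so that it no longer fits in its container; that is the
   check a receiving IS has to perform before acting on a FlowSpec TLV
   flooded to it in an LSP.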

5.  Import-policy Extended Community

   When FlowSpec routes are learned from BGP, they need to be imported
   into the IGP.  This document defines a new filtering action,
   standardized as a BGP extended community value [RFC4360], that
   specifies this particular action: importing the FlowSpec routes into
   the IGP.

   This import-policy extended community is the same as the one defined
   in [I-D.liang-ospf-flowspec-extensions].

6.  IANA Considerations

   This document defines the following new IS-IS TLV and sub-TLV types,
   which need to be reflected in the IS-IS TLV codepoint registry.

6.1.  FlowSpec reachability TLV

       +------+---------------------------------+-----+-----+-----+
       | Type | Description                     | IIH | LSP | SNP |
       +------+---------------------------------+-----+-----+-----+
       | TBD1 | The FlowSpec reachability TLV   | n   | y   | n   |
       +------+---------------------------------+-----+-----+-----+

6.2.  FlowSpec Filters sub-TLV

       +--------+-----------------------+--------------------------+
       | Type   | Description           | encoding                 |
       +--------+-----------------------+--------------------------+
       | TBD2   |The FlowSpec filters   | flow-spec NLRI value     |
       |        |     sub-TLV           |       [RFC5575]          |
        +--------+-----------------------+--------------------------+

6.3.  FlowSpec Action sub-TLV

    +---------+----------------------------+--------------------------+
    | Type    | Description                | encoding                 |
    |         |----------------------------+                          |
    |         |The FlowSpec action sub-TLVs|                          |
    +---------+----------------------------+--------------------------+
    | TBD3    | traffic-rate               | 2-byte as#, 4-byte float |
    | TBD4    | traffic-action             | bitmask                  |
    | TBD5    | redirect                   | 6-byte Route Target      |
    | TBD6    | traffic-marking            | DSCP value               |
    +---------+----------------------------+--------------------------+

7.  Security considerations

   This extension to IS-IS does not change the underlying security
   issues inherent in the existing IS-IS.  The FlowSpec reachability TLV
   is carried in LSPs and therefore receives exactly the protection
   that a deployment already applies to its LSPs: a party able to
   inject or modify LSPs in the domain could distribute FlowSpec routes
   whose actions discard or rate-limit legitimate traffic on every
   router that installs them.  Receiving routers also have to validate
   the Length fields of the TLV, of its 2-tuples and of its sub-TLVs
   before parsing or acting on their contents.

8.  Acknowledgement

   TBD.

9.  References

9.1.  Normative References

   [RFC1142]  Oran, D., "OSI IS-IS Intra-domain Routing Protocol", RFC
              1142, February 1990.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4360]  Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
              Communities Attribute", RFC 4360, February 2006.

   [RFC5575]  Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
              and D. McPherson, "Dissemination of Flow Specification
              Rules", RFC 5575, August 2009.

9.2.  Informative References

   [I-D.liang-ospf-flowspec-extensions]
              Liang, Q. and J. You, "OSPF Extensions for Flow
              Specification", draft-liang-ospf-flowspec-extensions-00
              (work in progress), September 2014.

Authors' Addresses

   Jianjie You
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing,  210012
   China

   Email: youjianjie@huawei.com


   Qiandeng Liang
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing,  210012
   China

   Email: liuweihang@huawei.com