Internet-Draft | BGP FSv2 More IP Actions | October 2024 |
Hares | Expires 19 April 2025 | [Page] |
The BGP flow specification version 2 (FSv2) for Basic IP defines user ordering of filters along with FSv1 IP Filters and FSv2 actions in Extended Communites. This draft suggests additional IP actions for FSv2 in a BGP Community path attribute.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 19 April 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Version 2 of BGP flow specification (FSv2) is contained in a series of specifications ([I-D.ietf-idr-fsv2-ip-basic]), [I-D.hares-idr-fsv2-more-ip-filters]), this document, and individuals specifications for IP Filters, IP actions, and non-IP actions (MPLS, L2, SFC and tunneled IP). This draft defines user-ordered FSv2 actions encoded in a BGP Community Path Attribute and how these actions interwork with the FSv2 actions encoded in Extended Community attributes.¶
The remainder of this Introduction section provides an overview of the FSv2 specifications.¶
Section 2 contains a description of the format of the user ordered actions encoded in the BGP Community Path Attribute in the FSv2 TLV. Section 3 provides information on Validation and Error handling for the FSv2 Actions when the BGP Community Path Attribute is attached to the BGP update message. Sections 4-6 contain considerations for manageability security and IANA considerations for the FSv2 user ordered ations.¶
BGP Flow Specification version 1 (FSv1) defined in [RFC8955], [RFC8956], and [RFC9117] specifies 2 SAFIs (133, 134) to be used with IPv4 AFI (AFI = 1) and IPv6 AFI (AFI=2).¶
FSv2 specifies 2 new SAFIs (TBD1, TBD2) for FSv2 to be used with 5 AFIs (1, 2, 6, 25, and 31) to allow user-ordered lists of traffic match filters for user-ordered traffic match actions encoded in Communities (Wide or Extended). The first SAFI (TBD1) will be used for IP forwarding, and the second SAFI (TBD2) will be used with VPNs. The supported AFI/SAFI combinations in FSv2 are:¶
IPv4 (AFI=1, SAFI=TBD1),¶
IPv6 (AFI=2, SAFI=TBD1),¶
L2 (AFI=6, SAFI=TBD1),¶
SFC (AFI=31, SAFI=TBD1),¶
BGP/MPLS IPv4 VPN (AFI=1, SAFI=TBD2),¶
BGP/MPLS IPv6 VPN (AFI=2, SAFI=TBD2),¶
BGP/MPLS L2VPN (AFI=25, SAFI=TBD2), and¶
SFC VPN (AFI=31, SAFI=TBD2)¶
FSv1 and FSv2 use different AFI/SAFIs to send flow specification filters. Since BGP route selection is performed per AFI/SAFI, this approach can be termed “ships in the night” based on AFI/SAFI.¶
Version 2 of BGP flow specification was originally defined in [I-D.ietf-idr-flowspec-v2] (denoted FSv2). However, the full FSv2 specification contains more than initial implementers desired. Therefore, this original FSv2 draft was split into a group of functionations that implementers can decide to upgrade. The basic functionality that all FSv2 implementations are required to implement is a FSv2 NLRI format that allows user ordered FSv1 components. Just as in FSv1, the FSv2 allows the passage of actions in Extended community (see [I-D.ietf-idr-fsv2-ip-basic]).¶
Implementers may optionally add to FSv2 basic functions the following abilities regarding filters for match criteria for IP packets (see [I-D.hares-idr-fsv2-more-ip-filters]):¶
the ability to pass additional IP-related Components in the Extended IP Filter TLV in the FSv2 NLRI,¶
the ability to signal dependencies between IP Filters, and¶
the ability to signal via a filter group number the filters types of Filters being passed in the FSv2 Extended IP Filters.¶
While there have been arguments for dependencies between filters, [I-D.hares-idr-fsv2-more-ip-filters] only provides a place holder for signaling dependencies between filters. Implementations of specific filters groups and actions will need to define the specifics of this function.¶
Implementers may optionally augment the signaling of basic FSv2 Actions with the following functions:¶
the ability to order the multiple actions associated with a filter, and¶
the ability to have dependency between multiple actions.¶
FSv1 actions in FSv1-EC had problems with multiple actions associated with one filter match taking conflicting actions or having problems when one action failed. The basic [I-D.ietf-idr-fsv2-ip-basic] specification provides a fix for FSv2-EC. User ordering of multiple actions and dependency within filters are other methods to fix these problems. This document defines how to carry user-ordered FSv2 Actions in a BGP Community Path Attribute. Space is left within that attribute to have future specifications define action dependency, but those procedures are out of scope for this document.¶
AFI - Address Family Identifier¶
AS - Autonomous System¶
BGP Session ephemeral state - state which does not survive the loss of BGP peer session.¶
Configuration state - state which persists across a reboot of software module within a routing system or a reboot of a hardware routing device.¶
CPA - BGP Community Path Attribute¶
DDOs - Distributed Denial of Service¶
Ephemeral state - state which does not survive the reboot of a software module, or a hardware reboot. Ephemeral state can be ephemeral configuration state or operational state.¶
FSv1 - Flow Specification version 1 [RFC8955] [RFC8956]¶
FSv2 - Flow Specification version 2 (this document)¶
FS-EC - Flow Specification Actions in Extended Community¶
FSv1-EC - FSv1 Actions in Extended Community¶
FSv2-EC - FSv2 Actions in Extended Community¶
FSv2-CPA - FSv2 Actions in BGP Community Path Attribute¶
RIB - Routing Information Base¶
RR - Route Reflector.¶
SAFI – Subsequent Address Family Identifier¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals as shown here.¶
The FSv2 actions may be sent in an Extended Community or a Community Path Attribute. User ordering of FSv2 actions requires using the Community Path Attribute. This section reviews the describes the format of FSv2 actions in Extended Communities or Community Path Attributes.¶
The Extended Community encodes the Flow Specification actions in the Extended IPv4 Community format [RFC4360] or in the Extended IPv6 Community format [RFC5701]. The Extended Community actions cannot be ordered by the user, but will be ordered by default. The implementer and the operator must be aware of interactions between any FSv2 actions must be specified in an Extended Community.¶
Three problems exist with FSv1 actions encoded in an Extended Community:¶
FSv2 proposes the following fixes to these problems:¶
The BGP Community Path Attribute is defined in: [I-D.hares-idr-bgp-community-attribute] The format for the BGP Community Path Attribute is shown in figure 2-1.¶
BGP Community Path attribute common header 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = FSv2 (1) | Flags |C|T| Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-1¶
where:¶
This one octet field is anoctet of bits with only two bit that can be set as follows:¶
FSv2 Action TLV 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | FSv2 Action Group (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | User Action order | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Dependency chain ID (8 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | <Action SubTLVs>+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-2¶
Where:¶
this is an 8 octet field with a dependency chain with the format:¶
The FSv2 Action TLVs have the following format:¶
Action SubTLV format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-3¶
Where:¶
The long-term goal of the FSv2 actions is to allow user ordering of the flow specification actions. Only the Community Path Attribute provides enough structured space for user ordering of actions. Table 2-1 shows the FSv2 BGP Community Path Attribute action types for the BGP Community Path Attribute Container for FSv2 actions. These allocations allow transition from FSv2-EC to BGP Path Community by authors of the FSv2-EC.¶
Support for this document requires the following is supported:¶
Optionally, implementations may support other actions groups defined in this document. Any unsupported FSv2 Action Groups (FSv2 AGs) may be silently ignored.¶
Table 2-1 FSv2 Actions supported in by BGP Community Path Attribute ID FSv2 H-L FSv2 Description Name FS document == ======== ============================= ======= ========== 0 0x80-00 Reserved RSV [This document] 1 0x80-xx Action Chain ordering ACO [this document] 2 0x07-02 FS for an Interface set TAIS ifset 3 -------- Reserved RSV [this document] 4 -------- Reserved RSV [this document] 5 -------- Reserved RSV [this document] 6 0x80-06 Traffic rate limit by bytes TRB RFC8955 7 0x80-07 Traffic Action TA RFC8955 (sample, terminal) 8 0x80-08 Redirect in various forms RD [this document] to VRF (2 AS form) RDIP RFC8955 8 0x81-08 to VPN (IPv4 form) RDIP RFC8955 8 0x81-08 to VPN (4 AS form) RDIP RFC8955 8 0x01-0C to IPv4 / copy RDIPv4 RDIP 8 0x000C to IPv6 / copy RDIPv6C RDIP 8 0x000D to IPv6 RDIPv6 RFC8956 8 0x09-xx to Indirection ID RGID RGID 9 0x80-09 Traffic mark DSCP TM RFC8955 10 0x80-0A Traffic rate limit by packets TRP RFC8955 11 0x0b-00 SFC Reserved SFC-R RFC9015 0x01 -SFVC SFIR POOL ID SFIR-PI RFC9015 12 0x80-0c Traffic rate limit by packets TRP RFC8955¶
Table 2-2 Short Names to IETF documents Short-name Filename ================= =============================== ifset draft-ietf-idr-flowspec-interfaceset-05 RDPIP draft-ietf-idr-flowspec-redirect-ip-03 RGID draft-ietf-idr-flowspec-redirect-path¶
Table 2-3 Action Group IDs for groupings of Action Types (AT) AG-id Name Action Type IDs Reference ----- ------- ---------------- -------------- 0x00 RSV Reserved Group [this document] 0x01 Base-IP ACO, TA, TRB, RDIP, [this document] TRP, SFC 0x02 If-sets ACO, TA, TRB, RDIP, [this document] TRB, TRP, TAIS [ifset]¶
The FSv2 Community Path Attribute could inherits the FSv2 Extended Community actions (FSv2-EC) for FSv1 actions standardized in [RFC8955], [RFC8956], IP Redirect [I-D.ietf-idr-flowspec-redirect-ip], and SFC [RFC9015]¶
New FSv2-EC must define both an Extended Community form and a Community Path Attribute form.¶
The following FSv2 BGP Community Path Attribute (FSv2-CPA) Action types created from FSv1 actions will be defined in this section:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action type (0x01) | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |ACO-dependency | AC-Failure | AC Failure value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-4¶
where:¶
The order dependency within the Action chain.¶
1 octet byte that determines the action on failure. Actions may succeed or fail and an Action chain must deal with it. The default value stored for an action chain that does not have this action chain is “stop on failure”. AC-Failure types values are:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action type (0x02) | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Interface group |O I - Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sequence of interfaces | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Each intrface has the format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |AFI | SAFI | interface adddress | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | interface address (continued) (4 or 16 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-5¶
where:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action type (0x06) | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Maximum rate of bytes per second | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-6¶
where:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action type (0x06) | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 6 octet bit mask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |S|T| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-7¶
where:¶
6 octets of bit mask (0-47) with all values being reserved except S (bit 46) and T (bit 47).¶
Interferes with:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action type (0x08) | Length (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 4-ocet AS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AFI | SAFI | Redirect Type | flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | redirect location (4 octets or 16 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-8¶
where:¶
The 1-octet redirect type May be one of the following values:¶
Where:¶
0 1 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | RES | S-ID |C| +-+-+-+-+-+-+-+-+ Figure 2-9¶
FSv2 redirection functions from the following FSv2 Extended Communities (FSv2-EC):¶
Common functions with Redirect types IP Address (0x00) or IP Address copy (0x01). A change of overlapping functions with other redirect types (0x02-0x10).¶
See [I-D.ietf-idr-flowspec-redirect-ip]).¶
Common function with redirect of type IP Adress with copy (0x01). A change of overlapping functions with other redirect types (0x01, 0x02-0x10).¶
See [I-D.ietf-idr-flowspec-path-redirect]¶
Potential overlap with redirect types (0x02-0x10).¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action type (0x08) | Length (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |RR | DSCP | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-10¶
where:¶
Value field for SFC Classifier CPA 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action type (0x08) | Length (2 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sub-type(0x01)| SPI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SI | SFT | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-11: The Format of the Flow Specification for SFC Classifiers Extended Community¶
where:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action type (0x06) | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Maximum rate of packets per second | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2-12¶
where:¶
FSv2 actions may associate actions using Extended Communities or the BGP Community Path attribute (FSv2-CPA) with FSv2 NLRIs. All the NLRIs in an UPDATE packet are associate with a FSv2 action found in either the FSv2-EC or the FSv2-CPA.¶
Actions may conflict, duplicate, or complement other actions. An example of conflict is the packet rate limiting by byte and by packet. An example of a duplicate is the request to copy or sample a packet under one of the redirect functions (RDIPv4, RDIPv6, or RDIID) Each FSv2 actions in this document defines the potential conflicts or duplications. Specifications for new FSv2 actions outside of this specification MUST specify interactions or conflicts with any FSv2 actions (that appear in this specification or subsequent specifications).¶
Well-formed syntactically correct actions are logically linked to the filter rule(s) in the NLRI in the path in ordered as described in section 3.2. If one action in the ordered list fails, the default procedure is for the action process for this rule to stop and flag the error via system management. By explicit configuration, the action processing may continue after errors.¶
Implementations MAY wish to log the actions taken by FS actions (FSv1 or FSv2).¶
The normal processing of FSv2 actions are by user order. The default ordering involves processing of the Actions specified by the BGP Path Community followed by the Extended Community ordering.¶
The ordering of precedence for these FSv2 actions set in BGP Path Community and Extended Community are:¶
During initial deployment of BGP Path Community, implementations may wish to set all Extended Community orders to 1, and assign user order values of 2-N. A configuration knob should be added to indicate this alternative assignment of order.¶
All Extended Community actions and Path Community attributes should be ordered in the action number specified in Table 3-1.¶
Operators should use user-defined ordering to clearly specify the actions desired upon a match. The FSv2-CPA default ordering is specified to provide deterministic order for actions which have the same user-defined order and same type.¶
FS Action Value Order (lowest value to highest) (lowest to highest) ================================ ============================== 0x01: ACO: Action chain operation dependency value, failure value 0x02 TAIS:Traffic actions per AS, then Group-ID, then Action ID Interface group 0x06: TRB: Traffic rate limit AS, then float value by bytes 0x07: TA: Traffic Action Traffic action value 0x08: RDIP: Redirect to IP AS, then IP Address, then ID RDIPC: Redirect to IP/Copy AS, then IP address, then ID RDIPv6: Redirect to IPv6 AS, then IPv6 value, then local Admin RGID: Redirect via type to AS, then type, then Generalized-ID Generalized Identifier 0x09: TM: Traffic Marking DSCP value (lowest to highest) 0x0b: SFCC: sub-type, SFI, SI, SFT 0x0C: TRP: Traffic Rate limit AS, then float value by bytes Figure 3-1¶
The following error handling rules must be followed by all BGP speakers which support FSv2 Community Attribute:¶
A Malformed Community Path Attribute container shall be considered malformed if any action TLVs or the Community container which is malformed.¶
FSv2 Community Path attributes having TLVs which do not follow the FSv2 ordering rules described in this document MUST be considered as malformed by a BGP FSv2 propagator.¶
An Update with a malformed Community Path Attribute shall execute the "treat-as-withdaw" behavior [RFC7606]¶
Note that a BGP speaker MUST NOT TLV type in the FSv2-CPA as an error.¶
Please note that these rules augment the FSv2 rules for NLRI which state:¶
FSv2 NLRI having TLVs which do not have the correct lengths or syntax must be considered MALFORMED.¶
FSv2 NLRIs having TLVs which do not follow the FSv2 ordering rules described in section 4.1 MUST be considered as malformed by a BGP FSv2 propagator.¶
The above two rules prevent any ambiguity that arises from the multiple copies of the same NLRI from multiple BGP FSv2 propagators.¶
A BGP implementation SHOULD treat such malformed NLRIs as ‘Treat-as-withdraw’ [RFC7606]¶
An implementation for a BGP speaker supporting both FSv1 and FSv2 MUST support the error handling for both FSv1 and FSv2.¶
This section complies with [RFC7153].¶
IANA is requested to create the following entries on a new "Flow Specification v2 Action” registry.¶
Name: BGP FSv2 Action types Reference: [this document] Registration Procedure: 0x01-0x3FFF Standards Action. Type Use Reference ----- --------------- --------------- 0x00 Reserved [this document] 0x01 ACO: Action Chain Operation [this document] 0x02 TAIS: Filters by interface set [this document] interface group [this document] 0x03 Unassigned [this document] 0x04 Unassigned [this document] 0x05 Unassigned [this document] 0x06 TRB: traffic rate limit (bytes) [this document] 0x07 TA: Traffic action [this document] 0x08 Redirect (all types) [this document] 0x09 TM: traffic marking (DSCP) [this document] 0x0C TRP: traffic rate limit (pkts) [this document] 0x00D- 0x3ff Unassigned [this document] 0x4000- 0x7fff Vendor assigned [this document] 0x8000- 0xFFFF Reserved [this document]¶
The use of ROA improves on [RFC8955] by checking to see of the route origination. This check can improve the validation sequence for a multiple-AS environment.¶
>The use of BGPSEC [RFC8205] to secure the packet can increase security of BGP flow specification information sent in the packet.¶
The use of the reduced validation within an AS [RFC9117] can provide adequate validation for distribution of flow specification within a single autonomous system for prevention of DDoS.¶
Distribution of flow filters may provide insight into traffic being sent within an AS, but this information should be composite information that does not reveal the traffic patterns of individuals.¶