Internet-Draft | FlowSpec with SRv6 Policy | October 2022 |
Jiang, et al. | Expires 12 April 2023 | [Page] |
BGP Flow Specification (FlowSpec) [RFC8955] [RFC8956] has been proposed to distribute BGP FlowSpec NLRI to FlowSpec clients to mitigate (distributed) denial-of-service attacks, and to provide traffic filtering in the context of a BGP/MPLS VPN service. Recently, traffic steering applications in the context of SRv6 using FlowSpec also attract attention. This document introduces the usage of BGP FlowSpec to steer packets into an SRv6 Policy.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 12 April 2023.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Segment Routing IPv6 (SRv6) is a protocol designed to forward IPv6 data packets on a network using the source routing model. SRv6 enables the ingress network device to add a segment routing header (SRH) [RFC8754] to an IPv6 packet and push an explicit IPv6 address stack into the SRH. After receiving the packet, each transit node updates the IPv6 destination IP address in the packet and segment list to implement hop-by-hop forwarding.¶
SRv6 Policy [RFC9256] is a tunneling technology developed based on SRv6. An SRv6 Policy is a set of candidate paths consisting of one or more segment lists, that is, segment ID (SID) lists. Each SID list identifies an end-to-end path from the source node to the destination node, instructing a network device to forward traffic through the path rather than the shortest path computed using an IGP. The header of a packet steered into an SRv6 Policy is augmented with an ordered list of segments associated with that SRv6 Policy, so that other devices on the network can execute the instructions encapsulated into the list.¶
The headend of an SRv6 Policy may learn multiple candidate paths for an SRv6 Policy. Candidate paths may be learned via a number of different mechanisms, e.g., CLI, NetConf, PCEP[I-D.ietf-pce-segment-routing-policy-cp], or BGP[I-D.ietf-idr-segment-routing-te-policy].¶
[RFC8955] [RFC8956] defines the flow specification (FlowSpec) that allows to convey flow specifications and traffic Action/Rules associated (rate- limiting, redirect, remark ...). BGP Flow specifications are encoded within the MP_REACH_NLRI and MP_UNREACH_NLRI attributes[RFC4760]. Rules (Actions associated) are encoded in Extended Community attribute[RFC4360]. The BGP Flow Specification function allows BGP Flow Specification routes that carry traffic policies to be transmitted to BGP Flow Specification peers to steer traffic.¶
This document proposes BGP flow specification usage that are used to steer data flow into an SRv6 Policy as well as to indicate Tailend function. This work is helpful for promoting the deployment of SRv6 networks.¶
An SRv6 policy [RFC9256] is identified through the tuple <headend, color, endpoint>. In the context of a specific headend, one may identify an SRv6 policy by the <color, endpoint> tuple. The headend is the node where the SRv6 policy is instantiated/implemented. The headend is specified as an IPv4 or IPv6 address and is expected to be unique in the domain. The endpoint indicates the destination of the SRv6 policy. The endpoint is specified as an IPv6 address and is expected to be unique in the domain. The color is a 32-bit unsigned numerical value that associates with the SRv6 policy, and it defines an application-level network Service Level Agreement (SLA) policy or intent.¶
Assume one or multiple SRv6 policies are already setup/instantiated in the SRv6 HeadEnd device. In order to steer traffic into a specific SRv6 Policy at the Headend, one can use the SRv6 Color Extended community [RFC9012] and endpoint to map to a satisfying SRv6 policy, and steer the traffic into this specific policy.¶
[I-D.ietf-idr-flowspec-redirect-ip] defines the redirect to IPv4 and IPv6 Next-hop action. The IPv6 next-hop address in the Flow-spec Redirect to IPv6 Extended Community[RFC5701] can be used to specify the endpoint of the SRv6 Policy. When the packets reach to the TailEnd device, some specific function information identifiers can be used decide how to further process the flows. Several endpoint functions are already defined, e.g., End.DT6: Endpoint with decapsulation and IPv6 table lookup, and End.DX6: Endpoint with decapsulation and IPv6 cross-connect. The BGP Prefix-SID defined in [RFC8669] is utilized to enable SRv6 VPN services [RFC9252]. SRv6 Services TLVs within the BGP Prefix-SID Attribute can be used to indicate the endpoint functions.¶
This document proposes to carry the Color Extended Community and BGP Prefix-SID Attribute in the context of a Flowspec NLRI [RFC8955] [RFC8956] to an SRv6 Headend to steer traffic into one SRv6 policy, as well as to indicate specific Tailend functions.¶
For the case that a flowspec route carries multiple Color Extend Communities, the Color Extended community with the highest numerical value will be given higher preference per the description in Section 8.4.1 of [RFC9256].¶
The method proposed in this document supports load balancing to the tailend device. To achieve that, the headend device CAN set up multiple paths in one SRv6 policy, and use a Flowspec route to indicate the specific SRv6 policy.¶
In following scenario, BGP FlowSpec Controller signals the filter rules, the redirect to IPv6 Nexthop action, the policy color and the function information (SRv6 SID: Service_id_x) to the HeadEnd device.¶
+------------+ | BGP FS | | Controller | +------------+ | FlowSpec route to HeadEnd: | NLRI: Filter Rules | Redirect to IPv6 Nexthop: TailEnd's Address | Policy Color: C1 | PrefixSID: Service_id_x | .-----. | ( ) V .--( )--. +-------+ ( ) +-------+ | |_( SRv6 Core Network )_| | |HeadEnd| ( ================> ) |TailEnd| +-------+ (SR List<S1,S2,S3>) +-------+ '--( )--' Service SID: Service_id_x ( ) (e.g.: End.DT4 or End.DT6 or others) '-----' Figure 1: Steering the Traffic Flow into SRv6 Policy (Option 1)¶
When the HeadEnd device (as a FlowSpec client) receives such instructions from BGP FS Controller, it will steer the traffic flows matching the criteria in the FlowSpec route into the SRv6 Policy matching the tuple (Endpoint: TailEnd's Address, Color: C1). And the packets of such traffic flows will be encapsulated with SRH(Segment Routing Header) using the SR List <S1, S2, S3, Service_id_x>. When the packets reach to the TailEnd device, they will be further processed per the function denoted by the Service_id_x.¶
When the HeadEnd device determines (with the help of SRv6 SID Structure) that the Service SID belongs to the same SRv6 Locator as the last SRv6 SID of the TailEnd device in the SRv6 Policy segment list, it MAY exclude that last SRv6 SID when steering the service flow. For example, the effective segment list of the SRv6 Policy associated with SID list <S1, S2, S3> would be replaced as <S1, S2, Service_id_x>.¶
If the last SRv6 SID (For example, S3 we use here) of the TailEnd device in the SRv6 Policy segment list is USD-flavored, an SRv6 Service SID (e.g., End.DT4 or End.DT6) is not required when BGP FlowSpec Controller sends the FlowSpec route to the HeadEnd device (as a FlowSpec client).¶
+------------+ | BGP FS | | Controller | +------------+ | FlowSpec route to HeadEnd: | NLRI: Filter Rules | Redirect to IPv6 Nexthop: TailEnd's Address | Policy Color: C2 | .-----. | ( ) V .--( )--. +-------+ ( ) +-------+ | |_( SRv6 Core Network )_| | |HeadEnd| ( ================> ) |TailEnd| +-------+ (SR List<S1,S2,S3>) +-------+ '--( )--' ( ) '-----' Note: S3 MUST be a USD-flavored SRv6 SID of the TailEnd Figure 2: Steering the Traffic Flow into SRv6 Policy (Option 2)¶
When the HeadEnd device (as a FlowSpec client) receives such instructions from BGP FS Controller, it will steer the traffic flows matching the criteria in the Flowspec route into the SRv6 Policy matching the tuple (Endpoint: TailEnd's Address, Color: C2). And the packets of such traffic flows will be encapsulated with SRH(Segment Routing Header) using the SR List <S1, S2, S3>. When the packets reach to the TailEnd device, they will be further processed per the function denoted by the USD-flavored SRv6 SID S3.¶
At this point, the work discusses the matching of global routing table prefixes.¶
For the cases of intra-AS and inter-AS traffic steering using this method, the usages of Flowspec Color Extended Community with BGP prefix SID are the same for both scenarios. The difference lies between the local SRv6 policy configurations. For the inter-domain case, the operator can configure an inter-domain SRv6 policy/path at the Headend device. For the intra-domain case, the operator can configure an intra-domain SRv6 policy/path at the Headend device.¶
The Traffic Steering using BGP FlowSpec with SRv6 Policy mechanism has been implemented on the following hardware devices, Network Operating System software and SDN controllers. They had also successfully participated in the series of joint interoperability testing events hosted by China Mobile from July 2021 to October 2021. The following hardware devices and Network Operating System software had successfully passed the interoperability testing (in alphabetical order).¶
Routers: +---------+---------------+--------------------------------+ | Vendors | Device Model | Version | +---------+---------------+--------------------------------+ | Huawei | NE40-X8A | NE40E V800R021C00SPC091T | +---------+---------------+--------------------------------+ | New H3C | CR16010H-FA | Version 7.1.075, ESS 8305 | +---------+---------------+--------------------------------+ | Ruijie | RG-N8010-R | N8000-R_RGOS 12.8(1)B08T1 | +---------+---------------+--------------------------------+ | ZTE | M6000-8S Plus | V5.00.10(5.60.5) | +---------+---------------+--------------------------------+ Controllers: +----------------+---------------+-------------------------+ | Vendors | Device Model | Version | +----------------+---------------+-------------------------+ | China Unitechs | I-T-E SC | V1.3.6P3 | +----------------+---------------+-------------------------+ | Huawei | NCE-IP | V100R021C00 | +----------------+---------------+-------------------------+ | Ruijie | RG-ONC-AIO-H | RG-ION-WAN-CLOUD_2.00T1 | +----------------+---------------+-------------------------+ | ZTE | ZENIC ONE | R22V16.21.20 | +----------------+---------------+-------------------------+¶
Currently, this feature has beed deployed on the IP backbone network of China Mobile.¶
No IANA actions are required for this document.¶
This document does not change the security properties of SRv6 and BGP.¶
The following people made significant contributions to this document:¶
Yunan Gu Huawei Technologies Email: guyunan@huawei.com Haibo Wang Huawei Technologies Email: rainsword.wang@huawei.com Jie Dong Huawei Technologies Email: jie.dong@huawei.com Xue Yang China Mobile Email: yangxuewl@chinamobile.com¶
The authors would like to acknowledge the review and inputs from Jeffrey Haas, Susan Hares, Weiqiang Cheng, Kaliraj Vairavakkalai, Robin Li, Acee Lindem, Gunter Van De Velde, John Scudder, Rainbow Wu, Linda Dunbar, Gang Yan, Feng Yang, Wim Henderickx, Robert Raszuk, Ketan Talaulikar, Changwang Lin, Aijun Wang, Hao Li, Huaimo Chen, Sheng Fang, Yuanxiang Qiu, Ran Chen, Cheng Li, Zheng Zhang, Xuewei Wang, Yanrong Liang, Xuhui Cai, Haojie Wang, Lili Wang and Nan Geng.¶