Internet-Draft | FlowSpec with SR Policy | June 2023 |
Jiang, et al. | Expires 19 December 2023 | [Page] |
BGP Flow Specification (FlowSpec) [RFC8955] and [RFC8956] has been proposed to distribute BGP [RFC4271] FlowSpec NLRI to FlowSpec clients to mitigate (distributed) denial-of-service attacks, and to provide traffic filtering in the context of a BGP/MPLS VPN service. Recently, traffic steering applications in the context of SR-MPLS and SRv6 using FlowSpec also attract attention. This document introduces the usage of BGP FlowSpec to steer packets into an SR Policy.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 RFC 2119 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 19 December 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
SR-MPLS [RFC8660] forwards data packets using the source routing model. The core idea of SR-MPLS is to divide a packet forwarding path into different segments, allocate segment identifiers (SIDs) to the segments, and encapsulate segment information into packets at the ingress of the path to guide packet forwarding.¶
Segment Routing IPv6 (SRv6) is a protocol designed to forward IPv6 data packets on a network using the source routing model. SRv6 enables the ingress network device to add a segment routing header (SRH) [RFC8754] to an IPv6 packet and push an explicit IPv6 address stack into the SRH. After receiving the packet, each transit node updates the IPv6 destination IP address in the packet and segment list to implement hop-by-hop forwarding.¶
SR Policy (includes SR-MPLS and SRv6 Policy) [RFC9256] is a tunneling technology based on SR-MPLS and SRv6. An SR Policy is a set of candidate paths consisting of one or more segment lists, that is, segment ID (SID) lists. Each SID list identifies an end-to-end path from the source node to the destination node, instructing a network device to forward traffic through the path rather than the shortest path computed using an IGP. The header of a packet steered into an SR Policy is augmented with an ordered list of segments associated with that SR Policy, so that other devices on the network can execute the instructions encapsulated into the list.¶
The headend of an SR Policy may learn multiple candidate paths for an SR Policy. Candidate paths may be learned via a number of different mechanisms, e.g., CLI, NetConf, PCEP[I-D.ietf-pce-segment-routing-policy-cp], or BGP[I-D.ietf-idr-segment-routing-te-policy].¶
[RFC8955] and [RFC8956] define the BGP [RFC4271] Flow Specification (FlowSpec) that allows conveying flow specifications and traffic Action/Rules associated (rate- limiting, redirect, remark ...). BGP Flow specifications are encoded within the MP_REACH_NLRI and MP_UNREACH_NLRI attributes[RFC4760]. Rules (Actions associated) are encoded in Extended Community attribute[RFC4360]. The BGP Flow Specification function allows BGP Flow Specification routes that carry traffic policies to be transmitted to BGP Flow Specification peers to steer traffic.¶
This document proposes BGP flow specification usage that are used to steer data flow into an SR Policy as well as to indicate Tailend function for SRv6 scenarios. This work is helpful for promoting the deployment of SR-MPLS and SRv6 networks.¶
An SR Policy [RFC9256] is identified through the tuple <headend, color, endpoint>. In the context of a specific headend, one may identify an SR Policy by the <color, endpoint> tuple. The headend is the node where the SR Policy is instantiated/implemented. The headend is specified as an IPv4 or IPv6 address and is expected to be unique in the domain. The endpoint indicates the destination of the SR Policy. The endpoint is specified as an IPv4 or IPv6 address and is expected to be unique in the domain. The color is a 32-bit unsigned numerical value that associates with the SR policy, and it defines an application-level network Service Level Agreement (SLA) policy or intent.¶
Assume one or multiple SR Policies are already setup/instantiated in the SR HeadEnd device. In order to steer traffic into a specific SR Policy at the Headend, one can use the SR Color Extended community [RFC9012] and endpoint to map to a satisfying SR Policy, and steer the traffic into this specific SR Policy.¶
[I-D.ietf-idr-flowspec-redirect-ip] defines the redirect to IPv4 and IPv6 Next-hop action. The IPv4 next-hop address in the Flow-spec Redirect to IPv4 Extended Community can be used to specify the endpoint of the SR Policy, and the IPv6 next-hop address in the Flow-spec Redirect to IPv6 Extended Community[RFC5701] can be used to specify the endpoint of the SRv6 Policy. When the packets reach the TailEnd device, some specific function information identifiers can be used to decide how to further process the flows in SRv6 scenarios. Several endpoint functions are already defined, e.g., End.DT6: Endpoint with decapsulation and IPv6 table lookup, and End.DX6: Endpoint with decapsulation and IPv6 cross-connect. The BGP Prefix-SID defined in [RFC8669] is utilized to enable SRv6 VPN services [RFC9252]. SRv6 Services TLVs within the BGP Prefix-SID Attribute can be used to indicate the endpoint functions.¶
For SR-MPLS scenarios, this document proposes carrying the Color Extended Community and the Flow-spec Redirect to IPv4 Extended Community in the context of a Flowspec NLRI [RFC8955] [RFC8956] to an SR-MPLS Headend to steer traffic into one SR-MPLS Policy.¶
For SRv6 scenarios, this document proposes carrying the Color Extended Community, the Flow-spec Redirect to IPv6 Extended Community and BGP Prefix-SID Attribute in the context of a Flowspec NLRI [RFC8955] [RFC8956] to an SRv6 Headend to steer traffic into one SRv6 Policy, as well as to indicate specific Tailend functions.¶
For the case where a FlowSpec route carries multiple Color Extend Communities, the Color Extended community with the highest numerical value will be given higher preference per the description in Section 8.4.1 of [RFC9256].¶
The method proposed in this document supports load balancing to the tailend device. To achieve that, the headend device CAN set up multiple paths in one SR Policy, and use a FlowSpec route to indicate the specific SR Policy.¶
In following scenario, BGP FlowSpec Controller signals the filter rules, the Flow-spec Redirect to IPv4 action, and the policy color to the SR-MPLS HeadEnd device.¶
+------------+ | BGP FS | | Controller | +------------+ | FlowSpec route to HeadEnd: | NLRI: Filter Rules | Redirect to IPv4 Nexthop: TailEnd's Address | Policy Color: C0 | | .-----. | ( ) V .--( )--. +-------+ ( ) +-------+ | |_( SR-MPLS Network )_| | |HeadEnd| ( ================> ) |TailEnd| +-------+ (SR List<S1,S2,S3>) +-------+ '--( )--' ( ) '-----' Figure 1: Steering the Traffic Flow into SR-MPLS Policy¶
When the SR-MPLS HeadEnd device (as a FlowSpec client) receives such instructions from BGP FS Controller, it will steer the traffic flows matching the criteria in the FlowSpec route into the SR-MPLS Policy matching the tuple (Endpoint: TailEnd's Address, Color: C0). And the packets of such traffic flows will be encapsulated with an MPLS stack using the SR List <S1, S2, S3> in the HeadEnd device, then send the packets to the TailEnd device along the path indicated by the SR list.¶
In following scenario, BGP FlowSpec Controller signals the filter rules, the redirect to IPv6 Nexthop action, the policy color and the function information (SRv6 SID: Service_id_x) to the HeadEnd device.¶
+------------+ | BGP FS | | Controller | +------------+ | FlowSpec route to HeadEnd: | NLRI: Filter Rules | Redirect to IPv6 Nexthop: TailEnd's Address | Policy Color: C1 | PrefixSID: Service_id_x | .-----. | ( ) V .--( )--. +-------+ ( ) +-------+ | |_( SRv6 Core Network )_| | |HeadEnd| ( ================> ) |TailEnd| +-------+ (SR List<S1,S2,S3>) +-------+ '--( )--' Service SID: Service_id_x ( ) (e.g.: End.DT4 or End.DT6 or others) '-----' Figure 2: Steering the Traffic Flow into SRv6 Policy (Option 1)¶
When the HeadEnd device (as a FlowSpec client) receives such instructions from BGP FS Controller, it will steer the traffic flows matching the criteria in the FlowSpec route into the SRv6 Policy matching the tuple (Endpoint: TailEnd's Address, Color: C1). And the packets of such traffic flows will be encapsulated with an SRH (Segment Routing Header) using the SR List <S1, S2, S3, Service_id_x>. When the packets reach to the TailEnd device, they will be further processed per the function denoted by the Service_id_x.¶
When the HeadEnd device determines (with the help of SRv6 SID Structure) that the Service SID belongs to the same SRv6 Locator as the last SRv6 SID of the TailEnd device in the SRv6 Policy segment list, it MAY exclude that last SRv6 SID when steering the service flow. For example, the effective segment list of the SRv6 Policy associated with SID list <S1, S2, S3> would be replaced with <S1, S2, Service_id_x>.¶
If the last SRv6 SID (for example, we use S3 here) of the TailEnd device in the SRv6 Policy segment list is USD-flavored, an SRv6 Service SID (e.g., End.DT4 or End.DT6) is not required when a BGP FlowSpec Controller sends the FlowSpec route to the HeadEnd device (as a FlowSpec client).¶
+------------+ | BGP FS | | Controller | +------------+ | FlowSpec route to HeadEnd: | NLRI: Filter Rules | Redirect to IPv6 Nexthop: TailEnd's Address | Policy Color: C2 | .-----. | ( ) V .--( )--. +-------+ ( ) +-------+ | |_( SRv6 Core Network )_| | |HeadEnd| ( ================> ) |TailEnd| +-------+ (SR List<S1,S2,S3>) +-------+ '--( )--' ( ) '-----' Note: S3 MUST be a USD-flavored SRv6 SID of the TailEnd Figure 3: Steering the Traffic Flow into SRv6 Policy (Option 2)¶
When the HeadEnd device (as a FlowSpec client) receives such instructions from a BGP FS Controller, it will steer the traffic flows matching the criteria in the Flowspec route into the SRv6 Policy matching the tuple (Endpoint: TailEnd's Address, Color: C2). And the packets of such traffic flows will be encapsulated with an SRH (Segment Routing Header) using the SR List <S1, S2, S3>. When the packets reach to the TailEnd device, they will be further processed per the function denoted by the USD-flavored SRv6 SID S3.¶
For the cases of intra-AS and inter-AS traffic steering using this method, the usages of Flowspec Color Extended Community with BGP prefix SID are the same for both scenarios. The difference lies between the local SRv6 policy configurations. For the inter-domain case, the operator can configure an inter-domain SRv6 policy/path at the Headend device. For the intra-domain case, the operator can configure an intra-domain SRv6 policy/path at the Headend device.¶
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this document. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.¶
The Traffic Steering using BGP FlowSpec with SR-MPLS / SRv6 Policy mechanism has been implemented on the following hardware devices, Network Operating System software, and SDN controllers. They have also successfully participated in the series of joint interoperability testing events hosted by China Mobile from July 2021 to October 2021. The following hardware devices and Network Operating System software had successfully passed the interoperability testing (in alphabetical order).¶
Routers: +---------+---------------+--------------------------------+ | Vendors | Device Model | Version | +---------+---------------+--------------------------------+ | Huawei | NE40-X8A | NE40E V800R021C00SPC091T | +---------+---------------+--------------------------------+ | New H3C | CR16010H-FA | Version 7.1.075, ESS 8305 | +---------+---------------+--------------------------------+ | Ruijie | RG-N8010-R | N8000-R_RGOS 12.8(1)B08T1 | +---------+---------------+--------------------------------+ | ZTE | M6000-8S Plus | V5.00.10(5.60.5) | +---------+---------------+--------------------------------+ Controllers: +----------------+---------------+-------------------------+ | Vendors | Device Model | Version | +----------------+---------------+-------------------------+ | China Unitechs | I-T-E SC | V1.3.6P3 | +----------------+---------------+-------------------------+ | Huawei | NCE-IP | V100R021C00 | +----------------+---------------+-------------------------+ | Ruijie | RG-ONC-AIO-H | RG-ION-WAN-CLOUD_2.00T1 | +----------------+---------------+-------------------------+ | ZTE | ZENIC ONE | R22V16.21.20 | +----------------+---------------+-------------------------+¶
As of August 2022, this feature has been deployed on the IP backbone network of China Mobile.¶
No IANA actions are required for this document.¶
This document does not change the security properties of SRv6 and BGP.¶
The following people made significant contributions to this document:¶
Yunan Gu Huawei Technologies Email: guyunan@huawei.com Haibo Wang Huawei Technologies Email: rainsword.wang@huawei.com Jie Dong Huawei Technologies Email: jie.dong@huawei.com Xue Yang China Mobile Email: yangxuewl@chinamobile.com¶
The authors would like to acknowledge the review and inputs from Jeffrey Haas, Susan Hares, Weiqiang Cheng, Kaliraj Vairavakkalai, Robin Li, Acee Lindem, Gunter Van De Velde, John Scudder, Rainbow Wu, Linda Dunbar, Gang Yan, Feng Yang, Wim Henderickx, Robert Raszuk, Ketan Talaulikar, Changwang Lin, Aijun Wang, Hao Li, Huaimo Chen, Sheng Fang, Yuanxiang Qiu, Ran Chen, Cheng Li, Zheng Zhang, Xuewei Wang, Yanrong Liang, Xuhui Cai, Haojie Wang, Lili Wang and Nan Geng.¶
Special thanks to Nat Kao, who suggested adding SR-MPLS use cases to this document.¶
Special thanks to Donald E. Eastlake, 3rd, who thoroughly reviewed the entire document and made many useful suggestions for improvement.¶