Internet-Draft Group Policy ID BGP Extended Community October 2022
Lin & Drake Expires 23 April 2023 [Page]
Workgroup:
bess
Internet-Draft:
draft-wlin-bess-group-policy-id-extended-community-00
Published:
Intended Status:
Standards Track
Expires:
Authors:
W. Lin
Juniper Networks
J. Drake
Juniper Networks

Group Policy ID BGP Extended Community

Abstract

Group Based Policy can be used to achieve micro or macro segmentation of the user traffic. For Group Based Policy, a Group Policy ID, as known as Group Policy Tag, is used to represent a logical group that shares the same policy and access privilege. This specification defines a new BGP extended community that can be used to propagate Group Policy ID through a route advertisement in the control plane. This is to facilitate policy enforcement at the ingress node when the optimization of network bandwidth is desired.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 23 April 2023.

Table of Contents

1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

EVPN: Ethernet Virtual Private Networks, as per [RFC7432].

GBP: Group Based Policy

VXLAN: Virtual Extensible LAN

NVO: Network Virtualization Overlay

2. Introduction

In the virtualized overlay network where EVPN with VXLAN encapsulation is used as the overlay solution, without external management software or controller, the propagation of a Group Policy ID is done through the data plane. The source Group Policy ID is encoded in the VXLAN header before the user traffic is sent to the VXLAN tunnel. The encoding format of a Group Policy ID in the VXLAN header is specified in [I-D.smith-vxlan-group-policy].

When the source Group Policy ID is propagated through the data plane to the remote VXLAN tunnel endpoint, the policy enforcement is carried out at the egress node based on both the source and destination Group Policy tags. The policy rule for the source and destination Group Policy Tags may result in the traffic being dropped at the remote VXLAN tunnel endpoint which is the egress node. To send the traffic all the way from an ingress node and then drop it at an egress node is an inefficient use of the network bandwidth.

To optimizes the network bandwidth usage, it may be desirable to have policy enforcement done at the head-end of a VXLAN tunnel that is the ingress node for the user traffic. To accomplish this, there is a need to communicate the destination Group Policy ID from the egress node to the ingress node. This document defines a Group Policy ID BGP Extended Community that can be used in the control plane to achieve the propagation of Group Policy ID from an ingress node to an egress node.

3. NVO Use Case

In an EVPN VXLAN overlay network, a policy group tag may be assigned based on the MAC, IP, port, VLAN, etc, or a combination of the above. Similar to the MAC/IP addresses in the EVPN network, once the Policy Group ID is known for a local host/server/VM attached to an EVPN network, its Group Policy ID can be advertised to other Network Virtualization Edge devices in the control plane through the Group Policy ID extended community. The scheme used for classification and allocation of Policy Group IDs used for GBP in an EVPN overlay network with VXLAN encapsulation is outside the scope of this document.

Policy group tag prorogation in the EVPN/BGP control plane can be applied to the EVPN type-2 MAC/IP route[RFC7432], EVPN type-3 Ethernet Inclusive Multicast route [RFC7432] or EVPN type-5 IP host and prefix route [RFC9136]. If Policy Group ID is allocated for a MAC address, IP host or prefix address through the GBP classification scheme, EVPN can encode its Group Policy ID through the Group Policy ID extended community and advertise it alongside its corresponding EVPN route.

For the flows that the ingress VXLAN tunnel endpoint has learned its destination group policy tag through EVPN/BGP control plane signaling, the policy enforcement can be thus carried out right at the ingress node. Otherwise, policy enforcement can be carried out at the egress node. If policy enforcement is carried out at the head-end VXLAN tunnel, the ingress node MUST set the GBP applied bit, the A-bit as it is specified in [I-D.smith-vxlan-group-policy], to 1 in the VXLAN header before forwarding the traffic to the VXLAN tunnel. Otherwise, the ingress node set the A-bit to 0 in the VXLAN header.

4. EVPN Interworking with IPVPN

In the EVPN interworking use case as it is specified in the [I-D.ietf-bess-evpn-ipvpn-interworking], two or more EVPN networks/domains are interconnected by a layer 3 IP-VPN network with VPN-IPv4/VPN-IPv6 BGP address families. To support ingress policy enforcement, the Policy Group ID extended community needs to be propagated by the GW PEs sitting at the border of an EVPN domain and IP-VPN domain from one domain to another.

For the Uniform-Propagation-Mode defined in the [I-D.ietf-bess-evpn-ipvpn-interworking], when propagating an EVPN IP prefix route across the domain boundary to IP-VPN network, the Gateway PE SHOULD propagate communities, extended communities and large communities except for all the EVPN extended communities. The Policy Group ID extended community defined in this document is a new transitive Opaque Extend Community. It is not subject to stripping at the GW PE when the Uniform-Propagation-Mode is used.

5. The Group Policy ID Extended Community

The Group Policy ID BGP Extended Community is a new transitive Opaque Extended Community with a Type value of 0x03. This extended community may be advertised along with an EVPN type-2 MAC/IP route, EVPN type-3 Ethernet Inclusive Multicast route, and EVPN type-5 IP prefix route. This new Opaque Extended Community enables the EVPN route it attached to propagate the Group Policy ID used for Group Based Policy in the control plane.

When the "Uniformed-Propagation-Mode" is used under the EVPN and IPVPN interworking use case, the Group Policy ID extended community is carried over by the GW PE when a route for a given IP or IPv6 prefix is propagated from one domain to another with a different address family.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type=0x03   |   Sub-Type    |           Reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Reserved           |    Group Policy ID            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Group Policy ID (GPI): The GPI field is 16-bit long and it encodes the value of a Group Policy ID.

The reserved fields MUST be set to zero by the sender and ignored by the receiver.

6. IANA Considerations

This document requests a codepoint value in the Sub-type registry of Type 0x03 Transitive Opaque Extended Community.

 Sub-Type     Name                                  Reference

 TBD          Group Policy ID Extended Community    [this document]

7. Security Considerations

All the security considerations for BGP extended communities can be applied there. Attackers may alter the value carried in a BGP extended community. In this case, the Group Policy ID carried in the Group Policy ID field can be altered by attackers, which could lead to the wrong policy rule being enforced on the user traffic.

8. Acknowledgements

The authors would like to thank Jeffrey Zhang, Jeff Haas for their careful review and valuable feedbacks.

We also would like to thank Prasad Miriyala and Selvakumar Sivaraj for their contributions.

9. References

9.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC7432]
Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, , <https://www.rfc-editor.org/info/rfc7432>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC9136]
Rabadan, J., Ed., Henderickx, W., Drake, J., Lin, W., and A. Sajassi, "IP Prefix Advertisement in Ethernet VPN (EVPN)", RFC 9136, DOI 10.17487/RFC9136, , <https://www.rfc-editor.org/info/rfc9136>.

9.2. Informative References

[I-D.ietf-bess-evpn-ipvpn-interworking]
Rabadan, J., Sajassi, A., Rosen, E., Drake, J., Lin, W., Uttaro, J., and A. Simpson, "EVPN Interworking with IPVPN", Work in Progress, Internet-Draft, draft-ietf-bess-evpn-ipvpn-interworking-07, , <https://www.ietf.org/archive/id/draft-ietf-bess-evpn-ipvpn-interworking-07.txt>.
[I-D.smith-vxlan-group-policy]
Smith, M. and L. Kreeger, "VXLAN Group Policy Option", Work in Progress, Internet-Draft, draft-smith-vxlan-group-policy-05, , <https://www.ietf.org/archive/id/draft-smith-vxlan-group-policy-05.txt>.

Authors' Addresses

Wen Lin
Juniper Networks
John Drake
Juniper Networks