IDR T. Zhou, Ed. Internet-Draft R. Chen, Ed. Intended status: Standards Track H. Wu, Ed. Expires: 6 January 2024 ZTE Corporation 5 July 2023 BGP Flow Specification for EVPN draft-zhou-flowspec-extensions-evpn-00 Abstract [RFC8955] defines BGP flow specification version 1 (FSv1) and [I-D.ietf-idr-flowspec-v2] defines BGP flow specification (FSv2) protocol. This document proposes extensions to BGP Flow Specification Version 2 to support MPLS-based EVPN traffic filtering. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 6 January 2024. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Zhou, et al. Expires 6 January 2024 [Page 1] Internet-Draft BGP-FS for EVPN July 2023 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. EVPN Flow Specification Encoding . . . . . . . . . . . . . . 3 4. EVPN Component Types . . . . . . . . . . . . . . . . . . . . 3 4.1. Type TBD3 - EVPN label (EVI) . . . . . . . . . . . . . . 4 4.2. Type TBD4 - Inner Destination IP . . . . . . . . . . . . 4 4.3. Type TBD5 - Inner source IP . . . . . . . . . . . . . . . 5 4.4. Type TBD6- Inner destination MAC . . . . . . . . . . . . 5 4.5. Type TBD7 - Inner Source MAC . . . . . . . . . . . . . . 5 4.6. Ordering of Traffic Filtering Rules . . . . . . . . . . . 5 5. Encoding of FSV2 Actions (type=2) . . . . . . . . . . . . . . 5 5.1. Redirect to EVPN instance . . . . . . . . . . . . . . . . 6 5.2. Redirect to tunnel with EVPN label . . . . . . . . . . . 7 5.3. EVI action . . . . . . . . . . . . . . . . . . . . . . . 8 6. Consideration on Traffic Filtering Action Interference . . . 9 7. Ordering of Flow Specification . . . . . . . . . . . . . . . 9 7.1. Ordering of Flow Specification NLRI filters . . . . . . . 9 7.2. Ordering of the Actions . . . . . . . . . . . . . . . . . 10 8. Flow Specification Validation . . . . . . . . . . . . . . . . 10 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 10.1. Flow Specification SAFI for MPLS-based EVPN traffic filtering . . . . . . . . . . . . . . . . . . . . . . . 10 10.2. FSV2 NLRI TLV Types . . . . . . . . . . . . . . . . . . 10 10.3. Filter MPLS-based EVPN Component types . . . . . . . . . 10 10.4. New BGP FSv2 Action types . . . . . . . . . . . . . . . 11 11. Security Considerations . . . . . . . . . . . . . . . . . . . 11 12. Normative References . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction Border Gateway Protocol Flow Specification is an extension to BGP which helps BGP peers in the flow classifications and corresponding flow actions during traffic forwarding. It could be regarded as an advanced route policy with more specific traffic match abilities and more kinds of traffic filtering actions. Besides, the usage of Flow Specification in BGP control plane simplify the dissemination of the flow specification. Without any configuration to the routers, all of the BGP Flow Specification clients would receive the BGP Flow Specification NLRIs as traffic filtering rules. At the beginning of the application of Flow Specification, it typically aimed at the mitigation of distributed denial of service attack (DDoS), as an efficient tools against Internet attack. Zhou, et al. Expires 6 January 2024 [Page 2] Internet-Draft BGP-FS for EVPN July 2023 The usage of EVPN is more and more frequently. For the advantages in the control plane with kinds of routing types, EVPN helps a lot in the packets forwarding within L2 and L3. AS an unique type of L2VPN technology, the route type and the traffic encapsulation is quite different in L2 networks, especially simultaneously deployed with MPLS or SRv6. This document proposes extensions to BGP Flow Specification Version 2 to support MPLS-based EVPN traffic filtering. AFI/SAFI 25/TBD1 is used for these purposes. New component types and three FSV2 Actions are also defined. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 3. EVPN Flow Specification Encoding The EVPN NLRI is carried in BGP [RFC4271] using BGP Multiprotocol Extensions [RFC4760] with an Address Family Identifier (AFI) of 25(L2VPN) and a Subsequent Address Family Identifier (SAFI) of 70 (EVPN). This document specifies a new SAFI (TBD) for FSv2 to be used with AFI 25(L2VPN) to allow user-ordered lists of traffic match filters for user-ordered traffic match actions encoded in Communities (Wide or Extended). The AFI/SAFI NLRI for BGP Flow Specification version 2 (FSv2) has been defined in [I-D.ietf-idr-flowspec-v2] section 3. This document defines a new type for FSv2 TLV of the NRLI as follows. * TBD2 - BGP/MPLS EVPN Traffic rules 4. EVPN Component Types The Flow Specification NLRI-type consists of several optional components, each of which begins with a type field (1 octet) followed by a variable length parameter. Zhou, et al. Expires 6 January 2024 [Page 3] Internet-Draft BGP-FS for EVPN July 2023 In BGP MPLS-based EVPN, except the outer encapsulation including Ethernet header, MPLS label, EVPN label, the payload packets MAY keep its own Ethernet header and IP header. As mentioned in [I-D.ietf-idr-flowspec-v2], outer encapsulation were defined for L2/L3/MPLS components. Here, this document provide EVPN lable and inner payload encapsulation as new components and types. For SRv6-based EVPN, the usage of service SID of EVPN type replace the EVPN label. There is no difference in encapsulation of packet- forwarding by EVPN routing plane, and reuse the extensions in [I-D.ietf-idr-flowspec-srv6], This section provides EVPN label and inner payload encapsulation as new components and types for MPLS-based EVPN. 4.1. Type TBD3 - EVPN label (EVI) Encoding: Defines a list of {operation, value} used to match the encapsulation filed in the forwarding traffic for MPLS-based EVPN. The value field is encode as: 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | EVPN label | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1 Values are encoded for the EVPN label filed in the frame, in the middle of outer MAC address and inner MAC address. This field is defined as the label used in the forwarding of routers to identify the specific user VPN. 4.2. Type TBD4 - Inner Destination IP Encoding:. Defines the destination IPv4/IPv6 address prefix to match the IP header of payload. The length and prefix fields are encoded as in BGP UPDATE message [RFC4271]. Zhou, et al. Expires 6 January 2024 [Page 4] Internet-Draft BGP-FS for EVPN July 2023 4.3. Type TBD5 - Inner source IP Encoding:< type(1 octet), prefix length(1 octet), prefix(variable)>. Defines the source IPv4/IPv6 address prefix to match the IP header of payload. The length and prefix fields are encoded as in BGP UPDATE message [RFC4271]. 4.4. Type TBD6- Inner destination MAC Encoding:. Defines the inner destination MAC address prefix to match the inner layer of the packets(Because of the encapsulation feature of forwarded packets, there are outer and inner layer MAC addresses). Prefix length is in bits and the MAC Prefix is fill out with from 1 to 7 padding bits so that it is an integer number of octets. These padding bits are ignored for matching purposes. 4.5. Type TBD7 - Inner Source MAC Encoding: . Defines the inner source MAC address prefix to match the inner layer of the packets(Because of the encapsulation feature of forwarded packets, there are outer and inner layer MAC addresses). Prefix length is in bits and the MAC Prefix is fill out with from 1 to 7 padding bits so that it is an integer number of octets. These padding bits are ignored for matching purposes. 4.6. Ordering of Traffic Filtering Rules This section defines the orders of the traffic filtering rules for EVPN components, and they are listed below in order of priority: EVPN label, inner destination IP, inner source IP address, inner destination MAC address, inner source MAC address. 5. Encoding of FSV2 Actions (type=2) This document defines a set of extensions for the redirecting action, including forwarding actions and label actions, and other actions such as rate-limit, remark, copy, sample and etc are the same as [I-D.ietf-idr-flowspec-v2]. Zhou, et al. Expires 6 January 2024 [Page 5] Internet-Draft BGP-FS for EVPN July 2023 Most of the traffic filtering actions defined in this document are designed for a single Flow Specification function, but there are possibilities that these actions are applied along with other actions at the same time. So, it becomes important to set orders for these actions, and if not all traffic filtering actions can be applied to one traffic flow, they SHOULD be regarded as interfering traffic filtering actions. The orders and conflicts of traffic filtering actions is provided in Section 7.1 of this document, and the general consideration of traffic action interference is described in Section 6 of this document. 5.1. Redirect to EVPN instance SubTLV: TBD8. Length: 4 octets. Value field: [1-octet-type][3-octet-VPN information]. The redirect to EVPN instance Community allows the device to forward the traffic into an EVPN routing instance specifically by the VPN information fields. If the device match several local instances, then the instance with lowest Route Distinguisher value can be selected. The value field is encoded as: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | T | VPN information | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2 where: * T: redirect information type. It allows the VPN information to be route-target or VPN name. 0 represents that the VPN information is route-target, and 1 represents that the VPN information is the name of instance. * VPN information: It indicates the information responding to the local EVPN instance. Zhou, et al. Expires 6 January 2024 [Page 6] Internet-Draft BGP-FS for EVPN July 2023 Note: It is appropriate for L2/L3 traffic only. 5.2. Redirect to tunnel with EVPN label [I-D.ietf-idr-bgp-flowspec-label]defines capabilities steering IP traffic into SR-TE and RSVP-TE by the indirection ID with the information of such tunnels. This document defines new traffic filtering actions to steer both IP traffic and L2 traffic into MPLS tunnel with EVPN encapsulation. Extended from Section 5.1 of this document, the redirect to tunnel with EVPN label Community provide the VPN information and tunnel-id at the same time to steer the traffic into MPLS tunnel with EVPN label. SubTLV: TBD9. Length: 8 octets. Value field: [1-octet-type][3-octet-VPN information][4-octet-Tunnel ID] The value field is encoded as: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | T | VPN information | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Tunnel ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3 where: * T: Redirect information type. 0 and 1 are used in Section 5.1, and 2 represents the redirect information including route-target and tunnel-id, and 3 represents the redirect information including VPN name and tunnel-id. * VPN information: It indicates the information responding to the local EVPN instance. * Tunnel-id: As described in [I-D.ietf-idr-flowspec-path-redirect]. Note: It is appropriate for L2/L3 traffic only. Zhou, et al. Expires 6 January 2024 [Page 7] Internet-Draft BGP-FS for EVPN July 2023 5.3. EVI action Similar to MPLS Action defined in [I-D.ietf-idr-bgp-flowspec-label], using a set of actions on MPLS label stack to change the packets forwarding of the device. The EVI action Community apply the label action of pop, swap and insert. SubTLV: TBD10. Length: 8 octets. Value field: [1-octet-type][3-octet-EVI] The value field is encoded as: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | T | EVI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 4 where: T: Action type. Where actions: +=============+=====================================+ | Action Type | Function | +=============+=====================================+ | 0 | pop the evpn label | +-------------+-------------------------------------+ | 1 | swap the evpn label with entry | +-------------+-------------------------------------+ | 2 | insert the evpn label at the bottom | | | of the label stack with the entry | +-------------+-------------------------------------+ | 3-255 | reserved | +-------------+-------------------------------------+ Table 1: Action table Note: It is appropriate for MPLS labeled traffic only. Zhou, et al. Expires 6 January 2024 [Page 8] Internet-Draft BGP-FS for EVPN July 2023 6. Consideration on Traffic Filtering Action Interference It was already recognized that the traffic filtering actions MAY interfere with each other in [RFC8955]. It is impossible for BGP to verify the update message during production, propagation and reception. For specific traffic filtering actions, it SHOULD be designed properly for that the traffic forwarding goes meaningfully after mix actions executed. In this document, all of the new defined redirecting actions SHOULD be interfered with any other redirecting action. Which means that at most one Flow Specification update message could contain only one traffic filtering redirecting action, and any Flow Specification with more than one redirecting action SHOULD be regarded as invalid, but its propagation is unaffected. On the other hand, Flow Specification MAY interfere with the local route policy on Flow Specification client, it is SUGGESTED to make the implementation decision of routers to select Flow Specification as the valid one. 7. Ordering of Flow Specification In the design of Flow Specification, it is allowed for one Flow Specification has multi traffic filtering rules and traffic filtering actions. In Section 4.6, it defines the orders of traffic filtering rules, and also there is need to define the orders between different types of components. This document allows the Flow Specification server to set the order of traffic filtering types by the filed of order in NLRI. This section describes the methods to compare the order of one Flowpsec to another one, with the same order filed in NLRI. These Flowpsecs SHOULD be ordered by the default priority of the traffic filtering rules. Besides, the community used for traffic filtering actions MAY effect the orders of BGP routes, this document dose not discuss this issue about route-selecting for BGP communities. 7.1. Ordering of Flow Specification NLRI filters This document dose not define more Ordering of Flow Specification NLRI filters than [I-D.ietf-idr-flowspec-v2]. Zhou, et al. Expires 6 January 2024 [Page 9] Internet-Draft BGP-FS for EVPN July 2023 7.2. Ordering of the Actions This document dose not define more Ordering of the Actions than [I-D.ietf-idr-flowspec-v2]. 8. Flow Specification Validation This document dose not introduce more Flow Specification Validation than [RFC8955] and [I-D.ietf-idr-flowspec-v2]. 9. Acknowledgements TBD. 10. IANA Considerations 10.1. Flow Specification SAFI for MPLS-based EVPN traffic filtering IANA is requested to assign a new SAFI as follows: Value Description Reference ----- ------------------------------------------ --------------- TBD1 MPLS-based EVPN traffic filtering [This document] Figure 5 10.2. FSV2 NLRI TLV Types IANA is requested to create the following new registry on a new "Flow Specification v2 TLV Typesā€¯ web page. Type Use Reference ----- ----------------------------------- --------------- TBD2 TBD2 - BGP/MPLS EVPN Traffic rules [this document] Figure 6 10.3. Filter MPLS-based EVPN Component types IANA is requested to indicate [this draft] as a reference on the following assignments in the Flow Specification Component Types Registry: Zhou, et al. Expires 6 January 2024 [Page 10] Internet-Draft BGP-FS for EVPN July 2023 Value Description Reference ----- ------------------------ ------------------------ TBD3 EVPN label [this document] TBD4 Inner Destination IP [this document] TBD5 Inner Source IP [this document] TBD6 Inner Destination MAC [this document] TBD7 Inner Source MAC [this document] Figure 7 10.4. New BGP FSv2 Action types IANA is requested to indicate [this draft] as a reference on the following assignments in the Flow Specification Component Types Registry: Value Use Reference ----- ---------------------------------- -------------------- TBD8 Redirect to EVPN instance [this document] TBD9 Redirect to tunnel with EVPN label [this document] TBD10 EVI action [this document] Figure 8 11. Security Considerations This document dose not introduce more Security Consideration than [RFC8955] and [I-D.ietf-idr-flowspec-v2]. 12. Normative References [I-D.ietf-idr-bgp-flowspec-label] liangqiandeng, Hares, S., You, J., Raszuk, R., and D. Ma, "Carrying Label Information for BGP FlowSpec", Work in Progress, Internet-Draft, draft-ietf-idr-bgp-flowspec- label-02, 20 October 2022, . [I-D.ietf-idr-flowspec-l2vpn] Weiguo, H., Eastlake, D. E., Litkowski, S., and S. Zhuang, "BGP Dissemination of L2 Flow Specification Rules", Work in Progress, Internet-Draft, draft-ietf-idr-flowspec- l2vpn-21, 24 April 2023, . Zhou, et al. Expires 6 January 2024 [Page 11] Internet-Draft BGP-FS for EVPN July 2023 [I-D.ietf-idr-flowspec-path-redirect] Van de Velde, G., Patel, K., and Z. Li, "Flowspec Indirection-id Redirect", Work in Progress, Internet- Draft, draft-ietf-idr-flowspec-path-redirect-12, 24 November 2022, . [I-D.ietf-idr-flowspec-srv6] Li, Z., Li, L., Chen, H., Loibl, C., Mishra, G. S., Fan, Y., Zhu, Y., Liu, L., and X. Liu, "BGP Flow Specification for SRv6", Work in Progress, Internet-Draft, draft-ietf- idr-flowspec-srv6-03, 6 April 2023, . [I-D.ietf-idr-flowspec-v2] Hares, S., Eastlake, D. E., Yadlapalli, C., and S. Maduschke, "BGP Flow Specification Version 2", Work in Progress, Internet-Draft, draft-ietf-idr-flowspec-v2-02, 21 May 2023, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI 10.17487/RFC4271, January 2006, . [RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter, "Multiprotocol Extensions for BGP-4", RFC 4760, DOI 10.17487/RFC4760, January 2007, . [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., and D. McPherson, "Dissemination of Flow Specification Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, . [RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February 2015, . Zhou, et al. Expires 6 January 2024 [Page 12] Internet-Draft BGP-FS for EVPN July 2023 [RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. Bacher, "Dissemination of Flow Specification Rules", RFC 8955, DOI 10.17487/RFC8955, December 2020, . [RFC8956] Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed., "Dissemination of Flow Specification Rules for IPv6", RFC 8956, DOI 10.17487/RFC8956, December 2020, . Authors' Addresses Taoran Zhou (editor) ZTE Corporation Nanjing China Email: zhou.taoran@zte.com.cn Ran Chen (editor) ZTE Corporation Nanjing China Email: chen.ran@zte.com.cn HaiSheng Wu (editor) ZTE Corporation Nanjing China Email: wu.haisheng@zte.com.cn Zhou, et al. Expires 6 January 2024 [Page 13]