IDR Working Group                                          D. McPherson
Internet-Draft                                           Verisign, Inc.
Intended status: Standards Track                         R. Raszuk, Ed.
Expires: September 20, 2016                                Bloomberg LP
                                                           B. Pithawala
                                                             Individual
                                                               A. Karch
                                                          Cisco Systems
                                                          S. Hares, Ed.
                                                                 Huawei
                                                         March 19, 2016


          Dissemination of Flow Specification Rules for IPv6
                   draft-ietf-idr-flow-spec-v6-07.txt

Abstract

   Dissemination of Flow Specification Rules (RFC 5575) provides a
   protocol extension for propagating traffic flow information for the
   purpose of rate limiting or filtering.  RFC 5575 specifies those
   extensions for IPv4 protocol data packets only.
   This specification extends RFC 5575 and defines the changes to the
   original document needed to make it also usable for and applicable
   to IPv6 data packets.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 20, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  IPv6 Flow Specification encoding in BGP
   3.  IPv6 Flow Specification types changes
     3.1.  Order of Traffic Filtering Rules
   4.  IPv6 Flow Specification Traffic Filtering Action changes
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   The growing amount of IPv6 traffic in private and public networks
   requires that the tools used in IPv4-only networks be extended to
   support IPv6 data packets as well.

   In this document the authors analyze how the description of IPv6
   [RFC2460] flows differs from that of traditional IPv4 packets and
   propose a set of new encoding formats to enable Dissemination of
   Flow Specification Rules [RFC5575] for IPv6.

   This specification should be treated as an extension of the base
   [RFC5575] specification and not as its replacement.  It defines only
   the changes required to support IPv6; all other definitions and
   operational mechanisms of Dissemination of Flow Specification Rules
   remain in the base specification and are not repeated here.

2.  IPv6 Flow Specification encoding in BGP

   [RFC5575] defines two new SAFIs, 133 for IPv4 and 134 for VPNv4, to
   carry the flow specifications for each of those applications.

   This document redefines the [RFC5575] SAFIs so that the address
   family is given by the AFI, making them applicable to both IPv4 and
   IPv6.
   The following changes are defined:

      "SAFI 133 for IPv4 dissemination of flow specification rules" is
      now defined as "SAFI 133 for dissemination of unicast flow
      specification rules"

      "SAFI 134 for VPNv4 dissemination of flow specification rules" is
      now defined as "SAFI 134 for dissemination of L3VPN flow
      specification rules"

   For both SAFIs, the address family being referred to is identified by
   the AFI value (AFI=1 for IPv4 and VPNv4, AFI=2 for IPv6 and VPNv6
   respectively).  This modification is fully backwards compatible with
   existing implementations and production deployments.

   Note that this choice of encoding remains compatible with the
   validation of flow specifications against routing reachability
   information described in Section 6 of [RFC5575].  Validation is
   performed against the following tables:

      Flow specification received over AFI/SAFI=1/133 is validated
      against routing reachability received over AFI/SAFI=1/1

      Flow specification received over AFI/SAFI=1/134 is validated
      against routing reachability received over AFI/SAFI=1/128

      Flow specification received over AFI/SAFI=2/133 is validated
      against routing reachability received over AFI/SAFI=2/1

      Flow specification received over AFI/SAFI=2/134 is validated
      against routing reachability received over AFI/SAFI=2/128

3.  IPv6 Flow Specification types changes

   The following component types are redefined or added to accommodate
   the IPv6 header.  Unless otherwise stated, all other types defined in
   [RFC5575] apply to IPv6 packets as is.

   Type 1 - Destination IPv6 Prefix

      Encoding:

      Function: Defines the destination prefix to match.  The prefix
      offset allows flexible matching on part of the IPv6 address by
      skipping (treating as don't-care) the first N bits of the
      address.  This is especially useful where part of the IPv6
      address is an embedded IPv4 address and matching needs to happen
      only on the embedded IPv4 address.  The encoded prefix contains
      just enough octets for the bits used in matching (length minus
      offset bits).

   Type 2 - Source IPv6 Prefix

      Encoding:

      Function: Defines the source prefix to match.  The prefix offset
      has the same meaning as for Type 1: the first N bits of the
      address are skipped (don't-care), which is especially useful when
      matching only an IPv4 address embedded in the IPv6 address.  The
      encoded prefix contains just enough octets for the bits used in
      matching (length minus offset bits).

   Type 3 - Next Header

      Encoding:

      Function: Contains a set of {operator, value} pairs that are used
      to match the value of the last Next Header octet in the IPv6
      packet.  The operator byte is encoded as specified for component
      type 3 of [RFC5575].

      Note: While IPv6 allows for more than one Next Header field in a
      packet, the main goal of the Type 3 component is to match on the
      protocol that follows the IPv6 header chain.  Therefore the
      definition is limited to matching only the last Next Header field
      in the packet.

   Type 12 - Fragment

      Encoding: Uses the bitmask operand format of [RFC5575].  Bit 7 is
      not used and MUST be 0, for backwards compatibility with the
      definition in [RFC5575].

      Bitmask operand format:

          0   1   2   3   4   5   6   7
        +---+---+---+---+---+---+---+---+
        |   Reserved    |LF |FF |IsF| 0 |
        +---+---+---+---+---+---+---+---+

      Bitmask values:

      +  Bit 6 - Is a fragment (IsF)

      +  Bit 5 - First fragment (FF)

      +  Bit 4 - Last fragment (LF)

   Type 13 - Flow Label (New type)

      Encoding:

      Function: Contains a set of {operator, value} pairs that are used
      to match the 20-bit Flow Label field [RFC2460].  The operator byte
      is encoded as specified for component type 3 of [RFC5575].  Values
      are encoded as 1-, 2-, or 4-byte quantities.

   The following example demonstrates the new prefix encoding for: "all
   packets to ::1234:5678:9A00:0/64-104 from c000::/8 and port {range
   [137, 139] or 8080}".  In the destination prefix, "64-" represents
   the prefix offset of 64 bits; with a prefix length of 104, only the
   40 bits from bit 64 up to bit 103 are encoded, which takes five
   octets.  In this example, the 0 offset is omitted from the printed
   source prefix.

   +---------------------------+-------------+-------------------------+
   | destination               | source      | port                    |
   +---------------------------+-------------+-------------------------+
   | 0x01 68 40 12 34 56 78 9A | 02 08 00 c0 | 04 03 89 45 8b 91 1f 90 |
   +---------------------------+-------------+-------------------------+

3.1.  Order of Traffic Filtering Rules

   The original definition of the order of traffic filtering rules can
   be reused, with a new consideration for the IPv6 prefix offset.  As
   long as the offsets are equal, the comparison is the same as in
   [RFC5575], retaining longest-prefix-match semantics.  If the offsets
   are not equal, the lowest offset has precedence, as that flow
   matches on the more significant bits.
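   The prefix encoding of Section 3 and the offset ordering rule just
   stated, as an added worked example in Python.  This code is not part
   of the draft and does not come from its authors.  It assumes the
   component layout <type, length, offset, prefix octets> that the
   destination bytes of the example show, spells the source prefix as
   c000::/8 because the example carries the octet 0xc0, and uses function
   names (encode_prefix, decode_prefix, numeric_op,
   compare_prefix_components) that are this example's own.  The decoder
   rejects an offset larger than the prefix length and a component
   shorter than its length field implies, two checks an implementation
   should make before installing a received rule.

```python
"""Added example for draft-ietf-idr-flow-spec-v6: encode and decode the
Type 1/2 IPv6 prefix components (with offset), build the draft's example
NLRI, match packets against a component, and order two components by the
Section 3.1 rule.  Not the draft's code; layout <type, length, offset,
prefix octets> is inferred from the example bytes."""
import ipaddress

DEST_PREFIX, SRC_PREFIX, PORT = 1, 2, 4   # component types used below
ADDR_BITS = 128
ALL_ONES = (1 << ADDR_BITS) - 1


def match_mask(length, offset):
    """128-bit mask with bits [offset, length) set, bit 0 being the MSB."""
    return ((1 << (length - offset)) - 1) << (ADDR_BITS - length)


def encode_prefix(ctype, prefix, offset=0):
    """Type 1/2 component: type, prefix length, prefix offset, then just
    enough octets to carry address bits [offset, length)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    length = net.prefixlen
    if not 0 <= offset <= length <= ADDR_BITS:
        raise ValueError("need 0 <= offset <= length <= 128")
    nbytes = (length - offset + 7) // 8
    # Shift the first 'offset' bits out; bits past 'length' are already
    # zero because network_address is masked to the prefix length.
    shifted = (int(net.network_address) << offset) & ALL_ONES
    window = shifted >> (ADDR_BITS - 8 * nbytes) if nbytes else 0
    return bytes([ctype, length, offset]) + window.to_bytes(nbytes, "big")


def decode_prefix(buf):
    """Inverse of encode_prefix: returns (type, length, offset, addr, used),
    addr being a 128-bit int with the matched bits in place and used the
    number of octets consumed.  Malformed components are rejected."""
    if len(buf) < 3:
        raise ValueError("truncated prefix component")
    ctype, length, offset = buf[0], buf[1], buf[2]
    if not offset <= length <= ADDR_BITS:
        raise ValueError("offset %d / length %d out of range" % (offset, length))
    nbytes = (length - offset + 7) // 8
    if len(buf) < 3 + nbytes:
        raise ValueError("truncated prefix component")
    window = int.from_bytes(buf[3:3 + nbytes], "big")
    addr = (window << (ADDR_BITS - 8 * nbytes)) >> offset if nbytes else 0
    return ctype, length, offset, addr & match_mask(length, offset), 3 + nbytes


def prefix_matches(component, packet_addr):
    """True if only bits [offset, length) of the packet address equal the
    component's; the first 'offset' bits are don't-care."""
    _, length, offset, addr, _ = decode_prefix(component)
    pkt = int(ipaddress.IPv6Address(packet_addr))
    return (pkt & match_mask(length, offset)) == addr


def numeric_op(value, lt=False, gt=False, eq=False, and_=False, end=False):
    """RFC 5575 numeric operator byte (e a len 0 lt gt eq) plus its value."""
    nbytes = 1 if value < 0x100 else 2 if value < 0x10000 else 4
    op = ((end << 7) | (and_ << 6) | ({1: 0, 2: 1, 4: 2}[nbytes] << 4)
          | (lt << 2) | (gt << 1) | int(eq))
    return bytes([op]) + value.to_bytes(nbytes, "big")


def build_example_nlri():
    """The draft's example: to ::1234:5678:9A00:0/64-104 from c000::/8 and
    port {range [137, 139] or 8080}."""
    return (encode_prefix(DEST_PREFIX, "::1234:5678:9A00:0/104", offset=64)
            + encode_prefix(SRC_PREFIX, "c000::/8")
            + bytes([PORT])
            + numeric_op(137, gt=True, eq=True)             # >= 137 ...
            + numeric_op(139, lt=True, eq=True, and_=True)  # AND <= 139
            + numeric_op(8080, eq=True, end=True))          # OR == 8080


def compare_prefix_components(a, b):
    """Section 3.1 order for two prefix components: lower type first, then
    lower offset, then lower value over the common bits, then the longer
    prefix.  -1: a precedes b, 1: b precedes a, 0: identical."""
    ta, la, oa, aa, _ = decode_prefix(a)
    tb, lb, ob, ab, _ = decode_prefix(b)
    if ta != tb:
        return -1 if ta < tb else 1
    if oa != ob:
        return -1 if oa < ob else 1          # lowest offset has precedence
    common = match_mask(min(la, lb), oa)
    if (aa & common) != (ab & common):
        return -1 if (aa & common) < (ab & common) else 1
    if la != lb:
        return -1 if la > lb else 1          # longest match has precedence
    return 0


if __name__ == "__main__":
    nlri = build_example_nlri()
    print(nlri.hex(" "))
    print(prefix_matches(nlri[:8], "2001:db8::1234:5678:9a00:1"))
    print(compare_prefix_components(
        encode_prefix(DEST_PREFIX, "::1234:5678:9A00:0/104", 64),
        encode_prefix(DEST_PREFIX, "::1234:5678:9A00:0/104", 80)))
```

   Encoding the same /104 destination with offset 80 yields 01 68 50 56
   78 9A: only three octets follow the header, which is the "length
   minus offset bits" rule stated above.  Because the first offset bits
   are don't-care, ffff::1234:5678:9a00:ffff matches the example's
   destination component just as 2001:db8::1234:5678:9a00:1 does, and
   the offset-64 component orders before the offset-80 one.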
   Pseudocode:

   flow_rule_v6_cmp (a, b)
   {
       comp1 = next_component(a);
       comp2 = next_component(b);
       while (comp1 || comp2) {
           // component_type returns infinity on end-of-list
           if (component_type(comp1) < component_type(comp2)) {
               return A_HAS_PRECEDENCE;
           }
           if (component_type(comp1) > component_type(comp2)) {
               return B_HAS_PRECEDENCE;
           }

           if (component_type(comp1) == IPV6_DESTINATION ||
               component_type(comp1) == IPV6_SOURCE) {
               // offset not equal: lowest offset has precedence
               if (prefix_offset(comp1) < prefix_offset(comp2))
                   return A_HAS_PRECEDENCE;
               if (prefix_offset(comp1) > prefix_offset(comp2))
                   return B_HAS_PRECEDENCE;
               // offset equal: compare the bits both prefixes specify
               offset = prefix_offset(comp1);
               common_len = MIN(prefix_length(comp1), prefix_length(comp2));
               cmp = prefix_compare(comp1, comp2, offset, common_len);
               // not equal: lowest value has precedence
               if (cmp < 0) return A_HAS_PRECEDENCE;
               if (cmp > 0) return B_HAS_PRECEDENCE;
               // equal: longest match has precedence
               if (prefix_length(comp1) > prefix_length(comp2))
                   return A_HAS_PRECEDENCE;
               if (prefix_length(comp1) < prefix_length(comp2))
                   return B_HAS_PRECEDENCE;
           } else {
               common =
                   MIN(component_length(comp1), component_length(comp2));
               cmp = memcmp(data(comp1), data(comp2), common);
               // not equal: lowest value has precedence
               if (cmp < 0) return A_HAS_PRECEDENCE;
               if (cmp > 0) return B_HAS_PRECEDENCE;
               // equal: longest string has precedence
               if (component_length(comp1) > component_length(comp2))
                   return A_HAS_PRECEDENCE;
               if (component_length(comp1) < component_length(comp2))
                   return B_HAS_PRECEDENCE;
           }
           // components are identical: advance both lists
           comp1 = next_component(a);
           comp2 = next_component(b);
       }

       return EQUAL;
   }

4.  IPv6 Flow Specification Traffic Filtering Action changes

   [RFC5575] defines traffic-marking as one of the traffic filtering
   actions expressed by a BGP extended community, and redirect as
   another.  To allow an IPv6 address specific route target, a new IPv6
   address specific extended community is provided for the redirect
   action.

   Therefore, to make the action expressed by the presence of the
   extended community applicable to the IPv6 header, the following text
   in [RFC5575] is modified to read:

      Traffic Marking (0x8009): The traffic marking extended community
      instructs a system to modify the first 6 bits of the Traffic Class
      field (the DSCP, as recommended by [RFC2474]) of a transiting IPv6
      packet to the corresponding value.  This extended community is
      encoded as a sequence of 42 zero bits followed by the 6 bits that
      overwrite the DSCP portion of the Traffic Class value.

      Redirect-IPv6 (0x800B): The redirect IPv6 address specific
      extended community allows the traffic to be redirected to a VRF
      routing instance that lists the specified IPv6 address specific
      route target in its import policy.  If several local instances
      match this criterion, the choice between them is a local matter
      (for example, the instance with the lowest Route Distinguisher
      value can be elected).  This extended community uses the same
      encoding as the IPv6 address specific Route Target extended
      community [RFC5701].

5.  Security Considerations

   No new security issues are introduced to the BGP protocol by this
   specification beyond the security concerns in [RFC5575].  In
   particular, the validation of flow specifications against routing
   reachability information (Section 6 of [RFC5575]) continues to
   apply, per AFI/SAFI as described in Section 2.

6.  IANA Considerations

   This section complies with [RFC7153].

   IANA is requested to rename the currently defined SAFI 133 and SAFI
   134 [RFC5575] to read:

      133  Dissemination of flow specification rules
      134  L3VPN dissemination of flow specification rules

   IANA is requested to create and maintain a new registry entitled
   "Flow Spec IPv6 Component Types".  The initial values are:

      Type      Description               Reference
      --------  ------------------------  ------------
      Type 1    Destination IPv6 Prefix   [this draft]
      Type 2    Source IPv6 Prefix        [this draft]
      Type 3    Next Header               [this draft]
      Type 4    Port                      [this draft]
      Type 5    Destination port          [this draft]
      Type 6    Source port               [this draft]
      Type 7    ICMP type                 [this draft]
      Type 8    ICMP code                 [this draft]
      Type 9    TCP flags                 [this draft]
      Type 10   Packet length             [this draft]
      Type 11   DSCP                      [this draft]
      Type 12   Fragment                  [this draft]
      Type 13   Flow Label                [this draft]

7.  Acknowledgements

   The authors would like to thank Pedro Marques, Hannes Gredler, Bruno
   Rijsman, Brian Carpenter, and Thomas Mangin for their valuable input.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
              December 1998.

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474,
              DOI 10.17487/RFC2474, December 1998.

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006.

   [RFC5492]  Scudder, J. and R. Chandra, "Capabilities Advertisement
              with BGP-4", RFC 5492, DOI 10.17487/RFC5492, February
              2009.

   [RFC5575]  Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
              and D. McPherson, "Dissemination of Flow Specification
              Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009.

   [RFC5701]  Rekhter, Y., "IPv6 Address Specific BGP Extended Community
              Attribute", RFC 5701, DOI 10.17487/RFC5701, November 2009.

   [RFC6437]  Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme,
              "IPv6 Flow Label Specification", RFC 6437,
              DOI 10.17487/RFC6437, November 2011.

   [RFC7153]  Rosen, E. and Y. Rekhter, "IANA Registries for BGP
              Extended Communities", RFC 7153, DOI 10.17487/RFC7153,
              March 2014.

8.2.  Informative References

   [RFC5095]  Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
              of Type 0 Routing Headers in IPv6", RFC 5095,
              DOI 10.17487/RFC5095, December 2007.

Authors' Addresses

   Danny McPherson
   Verisign, Inc.

   Email: dmcpherson@verisign.com


   Robert Raszuk (editor)
   Bloomberg LP
   731 Lexington Ave
   New York City, NY 10022
   USA

   Email: robert@raszuk.net


   Burjiz Pithawala
   Individual

   Email: burjizp@gmail.com


   Andy Karch
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134
   USA

   Email: akarch@cisco.com


   Susan Hares (editor)
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Email: shares@ndzh.com