idnits 2.17.00 (12 Aug 2021)

/tmp/idnits8364/draft-you-isis-flowspec-extensions-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([RFC5575]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 14, 2016) is 2281 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC4360' is defined on line 548, but no explicit
     reference was found in the text

  == Unused Reference: 'I-D.ietf-idr-flowspec-redirect-rt-bis' is defined on
     line 577, but no explicit reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO-10589'

  ** Obsolete normative reference: RFC 5575 (Obsoleted by RFC 8955)

  == Outdated reference: draft-ietf-idr-bgp-flowspec-oid has been published
     as RFC 9117

  == Outdated reference: draft-ietf-idr-flow-spec-v6 has been published as
     RFC 8956

  == Outdated reference: draft-ietf-idr-flowspec-redirect-rt-bis has been
     published as RFC 7674

     Summary: 2 errors (**), 0 flaws (~~), 6 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    ISIS Working Group                                                J. You
3    Internet-Draft                                                  Q. Liang
4    Intended status: Standards Track                     Huawei Technologies
5    Expires: August 17, 2016                                        K. Patel
6                                                               Cisco Systems
7                                                                      P. Fan

9                                                                       Z. Li
10                                                               China Mobile
11                                                          February 14, 2016

13                   IS-IS Extensions for Flow Specification
14                    draft-you-isis-flowspec-extensions-04

16   Abstract

18      Dissemination of the Traffic flow information was first introduced in
19      the BGP protocol [RFC5575]. FlowSpec rules are used to distribute
20      traffic filtering rules that are used to filter Denial-of-Service
21      (DoS) attacks. For the networks that only deploy IS-IS or IS-IS
22      variant, it is required that IS-IS is extended to distribute Flow
23      Specification or FlowSpec rules.

25      This document discusses the use cases for distributing flow
26      specification (FlowSpec) routes using IS-IS. Furthermore, this
27      document defines a new IS-IS FlowSpec Reachability TLV encoding
28      format that can be used to distribute FlowSpec rules, its validation
29      procedures for imposing the filtering information on the routers, and
30      a capability to indicate the support of FlowSpec functionality.

32   Requirements Language

34      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
35      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
36      document are to be interpreted as described in [RFC2119].

38   Status of This Memo

40      This Internet-Draft is submitted in full conformance with the
41      provisions of BCP 78 and BCP 79.

43      Internet-Drafts are working documents of the Internet Engineering
44      Task Force (IETF). Note that other groups may also distribute
45      working documents as Internet-Drafts. The list of current Internet-
46      Drafts is at http://datatracker.ietf.org/drafts/current/.

48      Internet-Drafts are draft documents valid for a maximum of six months
49      and may be updated, replaced, or obsoleted by other documents at any
50      time. It is inappropriate to use Internet-Drafts as reference
51      material or to cite them other than as "work in progress."

53      This Internet-Draft will expire on August 17, 2016.

55   Copyright Notice

57      Copyright (c) 2016 IETF Trust and the persons identified as the
58      document authors. All rights reserved.

60      This document is subject to BCP 78 and the IETF Trust's Legal
61      Provisions Relating to IETF Documents
62      (http://trustee.ietf.org/license-info) in effect on the date of
63      publication of this document. Please review these documents
64      carefully, as they describe your rights and restrictions with respect
65      to this document. Code Components extracted from this document must
66      include Simplified BSD License text as described in Section 4.e of
67      the Trust Legal Provisions and are provided without warranty as
68      described in the Simplified BSD License.

70   Table of Contents

72      1.  Introduction
73      2.  Terminology
74      3.  Use Cases for IS-IS based FlowSpec Distribution
75        3.1.  Anti-DDOS
76      4.  IS-IS Extensions for FlowSpec Rules
77        4.1.  FlowSpec Filters sub-TLV
78          4.1.1.  Order of Traffic Filtering Rules
79          4.1.2.  Validation Procedure
80        4.2.  FlowSpec Action sub-TLV
81          4.2.1.  Traffic-rate
82          4.2.2.  Traffic-action
83          4.2.3.  Traffic-marking
84          4.2.4.  Redirect-to-IP
85      5.  Redistribution of FlowSpec Rules
86      6.  IANA Considerations
87        6.1.  FlowSpec Reachability TLV
88        6.2.  FlowSpec Filters sub-TLVs
89        6.3.  FlowSpec Filter Component Types
90        6.4.  FlowSpec Action sub-TLVs
91      7.  Security Considerations
92      8.  Acknowledgement
93      9.  References
94        9.1.  Normative References
95        9.2.  Informative References

97      Authors' Addresses

99   1.  Introduction

101     [RFC5575] defines Border Gateway Protocol extensions that
102     can be used to distribute traffic flow specifications. One
103     application of this encoding format is to automate inter-domain
104     coordination of traffic filtering, such as what is required in order
105     to mitigate (distributed) denial-of-service attacks.

107     For the networks deploying only IS-IS or IS-IS variant, it is
108     expected to extend IS-IS to distribute FlowSpec rules. This document
109     discusses the use cases for distributing FlowSpec rules using IS-IS.
110     Furthermore, this document also defines a new IS-IS FlowSpec
111     Reachability TLV encoding format that can be used to distribute
112     FlowSpec entries to the specific routers in the campus network, its
113     validation procedures for imposing the filtering information on the
114     routers, and a capability to indicate the support of FlowSpec
115     functionality.

117     The semantic content of the FlowSpec extensions defined in this
118     document is identical to the corresponding extensions to BGP
119     ([RFC5575] and [I-D.ietf-idr-flow-spec-v6]). In order to avoid
120     repetition, this document only concentrates on those parts of
121     specification where IS-IS is different from BGP. The IS-IS FlowSpec
122     extensions defined in this document can be used to mitigate the
123     impacts of DoS attacks.

125  2.  Terminology

127     This section contains definitions for terms used frequently
128     throughout this document. However, many additional definitions can
129     be found in [ISO-10589] and [RFC5575].

131     Flow Specification (FlowSpec): A flow specification is an n-tuple
132        consisting of several matching criteria that can be applied to IP
133        traffic. Each FlowSpec consists of a set of filters and a set of
134        actions.

136  3.  Use Cases for IS-IS based FlowSpec Distribution

138  3.1.  Anti-DDOS

140     For the networks using IS-IS or IS-IS variant, for example, the
141     campus network or DC network, it is expected to extend IS-IS to
142     distribute FlowSpec rules as shown in Figure 1. In this network, the
143     traffic analyzer could be deployed to inject the FlowSpec rules into
144     Router A. Router A creates FlowSpec entries according to the
145     FlowSpec rules, then the FlowSpec entries would be distributed to the
146     other routers in this domain using IS-IS. Consequently, the attack
147     traffic could be blocked or the suspicious traffic could be limited
148     to a low rate as early as possible.

150                   +--------+
151                   |Traffic |
152               +---+Analyzer|
153               |   +--------+
154               |
155               |FlowSpec
156               |
157               |
158            +--+-------+           +----------+        +--------+
159            | Router A +-----------+ Router B +--------+Attacker|
160            +----------+           +----------+        +--------+

162                 |                      |                  |
163                 |    IS-IS FlowSpec    |  Attack Traffic  |
164                 |                      |                  |

166                 Figure 1: Anti-DDOS in IS-IS Network

168  4.  IS-IS Extensions for FlowSpec Rules

170     This document defines a new IS-IS TLV, i.e. the FlowSpec reachability
171     TLV (TLV type: TBD1), to describe the FlowSpec rules. A Link State
172     Protocol Data Unit (LSP) [ISO-10589] can carry one or more FlowSpec
173     reachability TLVs.

175     Each FlowSpec Reachability TLV carries a FlowSpec entry. The
176     FlowSpec entry consists of a FlowSpec Filters sub-TLV and one or more
177     corresponding FlowSpec Action sub-TLVs.

179     The FlowSpec Reachability TLV is defined below in Figure 2:

181       0                   1                   2                   3
182       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
183      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
184      | Type (TBD1)   |    Length     |     Flags     |
185      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
186      |                   FlowSpec Entry (variable)                   |
187      +                                                               +
188      ~                                                               ~
189      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

191                   Figure 2: FlowSpec Reachability TLV

193     Type: 1 octet. Type code is TBD1.

195     Length: 1 octet. The length field defines the length of the value
196        portion in octets (thus a TLV with no value portion would have a
197        length of 0).

199     Value: variable. The value field contains a "Flags" field and a
200        FlowSpec entry, which consists of a FlowSpec filters sub-TLV and
201        one or more corresponding FlowSpec action sub-TLVs. The size of
202        the FlowSpec entry cannot be greater than 253. In most scenarios,
203        using one FlowSpec entry is sufficient. If the injected FlowSpec
204        rule is so complex that the IS-IS router has to use more than 253
205        octets to encode it into a FlowSpec entry, the IS-IS router should
206        reject it. It is strongly recommended that the FlowSpec rule
207        provider should split or revise the complex FlowSpec rule to a
208        suitable one for the IS-IS routers.

210     Flags: One octet Field identifying Flags

212      0 1 2 3 4 5 6 7
213     +-+-+-+-+-+-+-+-+
214     |  Reserved   |L|
215     +-+-+-+-+-+-+-+-+

217     The least significant bit L is defined as a Leaking enable bit.
218     If set, the FlowSpec Reachability TLV SHOULD be flooded across the
219     entire routing domain. If the L flag is not set, the FlowSpec
220     Reachability TLV MUST NOT be leaked between levels. This bit MUST
221     NOT be altered during the TLV leaking. This Flags may be modified
222     by the IS-IS Speaker according to a local policy.

224  4.1.  FlowSpec Filters sub-TLV

226     The IS-IS FlowSpec filters sub-TLV is one component of a FlowSpec
227     entry, carried in the FlowSpec reachability TLV. It is defined below
228     in Figure 3.

230      0                   1
231      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
232     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
233     |     Type      |    Length     |
234     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
235     |     Flags     |               |
236     +-+-+-+-+-+-+-+-+               +
237     ~       Filters (variable)      ~
238     +                               +
239     |              ...              |

241              Figure 3: IS-IS FlowSpec Filters sub-TLV

243     Type: the TLV type (Type Code: TBD2 for IPv4 FlowSpec filters, TBD3
244        for IPv6 FlowSpec filters)

246     Length: the size of the value field in octets; it cannot be greater
247        than 253.

249     Flags: One octet Field identifying Flags

251      0 1 2 3 4 5 6 7
252     +-+-+-+-+-+-+-+-+
253     |  Reserved   |S|
254     +-+-+-+-+-+-+-+-+

256     The least significant bit S is defined as a strict filter check bit.
257     If set, the strict validation rules outlined in Section 4.1.2 need
258     to be enforced.

260     Filters: the same as "flow-spec filter components" defined in
261        [RFC5575] and [I-D.ietf-idr-flow-spec-v6].

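Added example, not part of the draft: a bounds-checked Python parser for the FlowSpec Reachability TLV and Filters sub-TLV layouts above, which records a malformed FlowSpec TLV as an error and keeps walking the remaining TLVs. The type codes stand in for TBD1 to TBD3 and the sample bytes are constructed; any sub-TLV that is not a Filters sub-TLV is treated here as an opaque action sub-TLV.

```python
from dataclasses import dataclass

# The draft leaves its code points as TBD1..TBD3; the numbers below are
# placeholders constructed for this example, not assigned values.
TLV_FLOWSPEC_REACH = 250                  # stands in for TBD1
FILTER_SUBTLVS = {1: "ipv4", 2: "ipv6"}   # stand in for TBD2 / TBD3
MAX_ENTRY_LEN = 253                       # entry size limit from Section 4
L_BIT = 0x01                              # leaking enable bit, TLV Flags
S_BIT = 0x01                              # strict check bit, Filters Flags


class MalformedTLV(ValueError):
    """One bad FlowSpec TLV; the caller drops it and keeps parsing."""


@dataclass
class FlowSpecEntry:
    leak: bool       # L bit
    family: str      # "ipv4" or "ipv6"
    strict: bool     # S bit
    filters: bytes   # RFC 5575 filter components, left undecoded here
    actions: list    # [(sub-TLV type, value bytes), ...]


def split_subtlvs(entry):
    """Split a FlowSpec entry into (type, value) pairs, checking bounds."""
    out, off = [], 0
    while off < len(entry):
        if len(entry) - off < 2:
            raise MalformedTLV("truncated sub-TLV header")
        stype, slen = entry[off], entry[off + 1]
        off += 2
        if slen > len(entry) - off:
            raise MalformedTLV(f"sub-TLV {stype} length {slen} overruns entry")
        out.append((stype, bytes(entry[off:off + slen])))
        off += slen
    return out


def parse_flowspec_value(value):
    """Parse the value portion (Flags octet + FlowSpec entry) of one TLV."""
    if not value:
        raise MalformedTLV("missing Flags octet")
    flags, entry = value[0], value[1:]
    if len(entry) > MAX_ENTRY_LEN:
        raise MalformedTLV("FlowSpec entry longer than 253 octets")
    subtlvs = split_subtlvs(entry)
    filters = [(t, v) for t, v in subtlvs if t in FILTER_SUBTLVS]
    actions = [(t, v) for t, v in subtlvs if t not in FILTER_SUBTLVS]
    if len(filters) != 1 or not actions:
        raise MalformedTLV("need one Filters sub-TLV and at least one action")
    ftype, fval = filters[0]
    if not fval:
        raise MalformedTLV("Filters sub-TLV has no Flags octet")
    return FlowSpecEntry(bool(flags & L_BIT), FILTER_SUBTLVS[ftype],
                         bool(fval[0] & S_BIT), fval[1:], actions)


def walk_lsp_tlvs(buf):
    """Return (entries, errors); a bad FlowSpec TLV never aborts the walk."""
    entries, errors, off = [], [], 0
    while off < len(buf):
        if len(buf) - off < 2 or buf[off + 1] > len(buf) - off - 2:
            errors.append((off, "TLV overruns buffer, cannot resynchronise"))
            break
        ttype, tlen = buf[off], buf[off + 1]
        if ttype == TLV_FLOWSPEC_REACH:
            try:
                value = buf[off + 2:off + 2 + tlen]
                entries.append(parse_flowspec_value(value))
            except MalformedTLV as exc:
                errors.append((off, str(exc)))
        off += 2 + tlen
    return entries, errors


# Constructed sample TLV run: a malformed FlowSpec TLV, an unrelated TLV,
# then a well-formed FlowSpec TLV (L=1, S=1, destination 192.0.2.0/24).
SAMPLE_TLVS = bytes.fromhex(
    "fa04" "00" "010901"
    "8902" "7231"
    "fa0f" "01" "0106" "01" "0118c00002" "0304" "00000000")

if __name__ == "__main__":
    for item in walk_lsp_tlvs(SAMPLE_TLVS):
        print(item)
```
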
263       Table 1: IS-IS Supported FlowSpec Filter Component Types
264      +------+------------------------+------------------------------+
265      | Type | Description            | RFC/ WG draft                |
266      +------+------------------------+------------------------------+
267      | 1    | Destination IPv4 Prefix| RFC5575                      |
268      |      | Destination IPv6 Prefix| I-D.ietf-idr-flow-spec-v6    |
269      +------+------------------------+------------------------------+
270      | 2    | Source IPv4 Prefix     | RFC5575                      |
271      |      | Source IPv6 Prefix     | I-D.ietf-idr-flow-spec-v6    |
272      +------+------------------------+------------------------------+
273      | 3    | IP Protocol            | RFC5575                      |
274      |      | Next Header            | I-D.ietf-idr-flow-spec-v6    |
275      +------+------------------------+------------------------------+
276      | 4    | Port                   | RFC5575                      |
277      +------+------------------------+------------------------------+
278      | 5    | Destination port       | RFC5575                      |
279      +------+------------------------+------------------------------+
280      | 6    | Source port            | RFC5575                      |
281      +------+------------------------+------------------------------+
282      | 7    | ICMP type              | RFC5575                      |
283      +------+------------------------+------------------------------+
284      | 8    | ICMP code              | RFC5575                      |
285      +------+------------------------+------------------------------+
286      | 9    | TCP flags              | RFC5575                      |
287      +------+------------------------+------------------------------+
288      | 10   | Packet length          | RFC5575                      |
289      +------+------------------------+------------------------------+
290      | 11   | DSCP                   | RFC5575                      |
291      +------+------------------------+------------------------------+
292      | 12   | Fragment               | RFC5575                      |
293      +------+------------------------+------------------------------+
294      | 13   | Flow Label             | I-D.ietf-idr-flow-spec-v6    |
295      +------+------------------------+------------------------------+

297  4.1.1.  Order of Traffic Filtering Rules

299     With traffic filtering rules, more than one rule may match a
300     particular traffic flow. The order of applying the traffic filter
301     rules is the same as described in Section 5.1 of [RFC5575] and in
302     Section 3.1 of [I-D.ietf-idr-flow-spec-v6].

304  4.1.2.  Validation Procedure

306     [RFC5575] defines a validation procedure for BGP FlowSpec rules, and
307     [I-D.ietf-idr-bgp-flowspec-oid] describes a modification to the
308     validation procedure defined in [RFC5575] for the dissemination of
309     BGP flow specifications. The IS-IS FlowSpec should support similar
310     features to mitigate the unnecessary or invalid application of
311     traffic filter rules. The IS-IS FlowSpec validation procedure is
312     described as follows.

314     When a router receives a FlowSpec rule including a destination prefix
315     filter from its neighbor router, it should consider the prefix filter
316     as a valid filter unless the S bit in the flags field of Filter TLV
317     is set. If the S bit is set, then the FlowSpec rule is considered
318     valid if and only if:

320        The originator of the FlowSpec rule matches the originator of the
321        best-match unicast route for the destination prefix embedded in
322        the FlowSpec.

324     The former rule allows any centralized controller to originate the
325     prefix filter and advertise it within a given IS-IS network. The
326     latter rule, also known as a Strict Validation rule, allows strict
327     checking and enforces that the originator of the FlowSpec filter is
328     also the originator of the destination prefix.

330     When multiple equal-cost paths exist in the routing table entry, each
331     path could end up having a separate set of FlowSpec rules.

333     When a router receives a FlowSpec rule not including a destination
334     prefix filter from its neighbor router, the validation procedure
335     described above is not applicable.

337     The FlowSpec filter validation state is used by an IS-IS speaker when
338     the filter is considered for installation in its FIB. An IS-IS
339     speaker MUST flood an IS-IS LSP containing a FlowSpec Reachability
340     TLV as per the entries defined in [ISO-10589] regardless of the
341     validation state of the prefix filters.

343  4.2.  FlowSpec Action sub-TLV

345     There are one or more FlowSpec Action TLVs associated with a FlowSpec
346     Filters TLV. Different FlowSpec Filters TLVs could have the same
347     FlowSpec Action TLVs. The following IS-IS FlowSpec action TLVs,
348     except Redirect, are the same as defined in [RFC5575].

350     Redirect: IPv4 or IPv6 address. This target IP address MUST
351     correspond to a tunnel in the current IS-IS router; if not, the
352     "redirect to IP" action is invalid, and if the flowspec entry has no
353     other action, the flowspec entry is invalid and wouldn't be
354     installed. If the IS-IS router doesn't have a valid route for the
355     target IP, the "redirect to IP" action is also invalid.

357                     Table 2: BGP FlowSpec Actions
358     +-------+-----------------+---------------------------------------+
359     | type  | FlowSpec Action | RFC/WG draft                          |
360     +-------+-----------------+---------------------------------------+
361     | 0x8006| traffic-rate    | RFC5575                               |
362     |       |                 |                                       |
363     | 0x8007| traffic-action  | RFC5575                               |
364     |       |                 |                                       |
365     | 0x8108| redirect-to-IPv4| I-D.ietf-idr-flowspec-redirect-rt-bis |
366     |       |                 |                                       |
367     | 0x800b| redirect-to-IPv6| I-D.ietf-idr-flow-spec-v6             |
368     |       |                 |                                       |
369     | 0x8009| traffic-marking | RFC5575                               |
370     +-------+-----------------+---------------------------------------+

372  4.2.1.  Traffic-rate

374     Traffic-rate TLV is encoded as:

376       0                   1                   2                   3
377       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
378      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
379      |     TBD4      |       4       |
380      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
381      |                         Traffic-rate                          |
382      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

384     Traffic-rate: the same as defined in [RFC5575].

386  4.2.2.  Traffic-action

388     Traffic-action TLV is encoded as:

390       0                   1                   2                   3
391       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
392      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
393      |     TBD5      |       2       |         Reserved          |S|T|
394      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

396     S flag and T flag: the same as defined in [RFC5575].

398  4.2.3.  Traffic-marking

400     Traffic-marking TLV is encoded as:

402       0                   1                   2                   3
403       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
404      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
405      |     TBD6      |       2       |     Reserved      | DSCP Value|
406      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

408     DSCP value: the same as defined in [RFC5575].

410  4.2.4.  Redirect-to-IP

412     Redirect-to-IPv4 is encoded as:

414       0                   1                   2                   3
415       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
416      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
417      |     TBD7      |       6       |          Reserved           |C|
418      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
419      |                         IPv4 Address                          |
420      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

422     Redirect to IPv6 TLV is encoded as:

424       0                   1                   2                   3
425       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
426      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
427      |     TBD8      |      18       |          Reserved           |C|
428      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
429      |                                                               |
430      |                         IPv6 Address                          |
431      |                                                               |
432      |                                                               |
433      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

435     IPv4/6 Address: the redirection target IP address.

437     'C' (or copy) bit: when the 'C' bit is set, the redirection applies
438     to copies of the matching packets and not to the original traffic
439     stream [I-D.ietf-idr-flowspec-redirect-ip].

441  5.  Redistribution of FlowSpec Rules

443     An implementation MAY provide an option for an IS-IS speaker to
444     announce a redistributed FlowSpec route within an IS-IS domain
445     regardless of being installed in its local FIB. An implementation
446     MAY impose an upper bound on the number of FlowSpec entries that an
447     IS-IS router MAY advertise.

449  6.  IANA Considerations

451     This document defines the following new IS-IS TLV types, which need
452     to be reflected in the IS-IS TLV codepoint registry.

454  6.1.  FlowSpec Reachability TLV

456      +------+---------------------------------+-----+-----+-----+
457      | Type | Description                     | IIH | LSP | SNP |
458      +------+---------------------------------+-----+-----+-----+
459      | TBD1 | The FlowSpec Reachability TLV   | n   | y   | n   |
460      +------+---------------------------------+-----+-----+-----+

462  6.2.  FlowSpec Filters sub-TLVs

464      +--------+--------------------------------------------+
465      | Type   | Description                                |
466      +--------+--------------------------------------------+
467      | TBD2   | IPv4 FlowSpec filters sub-TLV              |
468      +--------+--------------------------------------------+
469      | TBD3   | IPv6 FlowSpec filters sub-TLV              |
470      +--------+--------------------------------------------+

472  6.3.  FlowSpec Filter Component Types

473      +------+------------------------+------------------------------+
474      | Type | Description            | RFC/ WG draft                |
475      +------+------------------------+------------------------------+
476      | 1    | Destination IPv4 Prefix| RFC5575                      |
477      |      | Destination IPv6 Prefix| I-D.ietf-idr-flow-spec-v6    |
478      +------+------------------------+------------------------------+
479      | 2    | Source IPv4 Prefix     | RFC5575                      |
480      |      | Source IPv6 Prefix     | I-D.ietf-idr-flow-spec-v6    |
481      +------+------------------------+------------------------------+
482      | 3    | IP Protocol            | RFC5575                      |
483      |      | Next Header            | I-D.ietf-idr-flow-spec-v6    |
484      +------+------------------------+------------------------------+
485      | 4    | Port                   | RFC5575                      |
486      +------+------------------------+------------------------------+
487      | 5    | Destination port       | RFC5575                      |
488      +------+------------------------+------------------------------+
489      | 6    | Source port            | RFC5575                      |
490      +------+------------------------+------------------------------+
491      | 7    | ICMP type              | RFC5575                      |
492      +------+------------------------+------------------------------+
493      | 8    | ICMP code              | RFC5575                      |
494      +------+------------------------+------------------------------+
495      | 9    | TCP flags              | RFC5575                      |
496      +------+------------------------+------------------------------+
497      | 10   | Packet length          | RFC5575                      |
498      +------+------------------------+------------------------------+
499      | 11   | DSCP                   | RFC5575                      |
500      +------+------------------------+------------------------------+
501      | 12   | Fragment               | RFC5575                      |
502      +------+------------------------+------------------------------+
503      | 13   | Flow Label             | I-D.ietf-idr-flow-spec-v6    |
504      +------+------------------------+------------------------------+

506  6.4.  FlowSpec Action sub-TLVs

508     This document defines a group of FlowSpec actions. The following TLV
509     types need to be assigned:

511     Type TBD4 - traffic-rate

513     Type TBD5 - traffic-action

515     Type TBD6 - traffic-marking

517     Type TBD7 - redirect to IPv4

519     Type TBD8 - redirect to IPv6

521  7.  Security Considerations

523     This extension to IS-IS does not change the underlying security
524     issues inherent in the existing IS-IS. Implementations must assure
525     that malformed TLV and Sub-TLV permutations do not result in errors
526     which cause hard IS-IS failures.

528  8.  Acknowledgement

530     The authors would like to thank Jeff Haas for his useful comments.

532  9.  References

534  9.1.  Normative References

536     [ISO-10589]
537                ISO, "Intermediate System to Intermediate System intra-
538                domain routeing information exchange protocol for use in
539                conjunction with the protocol for providing the
540                connectionless-mode network service (ISO 8473)",
541                International Standard 10589: 2002, Second Edition, 2002.

543     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
544                Requirement Levels", BCP 14, RFC 2119,
545                DOI 10.17487/RFC2119, March 1997.

548     [RFC4360]  Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
549                Communities Attribute", RFC 4360, DOI 10.17487/RFC4360,
550                February 2006.

552     [RFC5575]  Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
553                and D. McPherson, "Dissemination of Flow Specification
554                Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009.

557  9.2.  Informative References

559     [I-D.ietf-idr-bgp-flowspec-oid]
560                Uttaro, J., Filsfils, C., Smith, D., Alcaide, J., and P.
561                Mohapatra, "Revised Validation Procedure for BGP Flow
562                Specifications", draft-ietf-idr-bgp-flowspec-oid-02 (work
563                in progress), January 2014.

565     [I-D.ietf-idr-flow-spec-v6]
566                Raszuk, R., Pithawala, B., McPherson, D., and A. Andy,
567                "Dissemination of Flow Specification Rules for IPv6",
568                draft-ietf-idr-flow-spec-v6-06 (work in progress),
569                November 2014.

571     [I-D.ietf-idr-flowspec-redirect-ip]
572                Uttaro, J., Haas, J., Texier, M., Andy, A., Ray, S.,
573                Simpson, A., and W. Henderickx, "BGP Flow-Spec Redirect to
574                IP Action", draft-ietf-idr-flowspec-redirect-ip-02 (work
575                in progress), February 2015.

577     [I-D.ietf-idr-flowspec-redirect-rt-bis]
578                Haas, J., "Clarification of the Flowspec Redirect Extended
579                Community", draft-ietf-idr-flowspec-redirect-rt-bis-05
580                (work in progress), July 2015.

582  Authors' Addresses

584     Jianjie You
585     Huawei Technologies
586     101 Software Avenue, Yuhuatai District
587     Nanjing 210012
588     China

590     Email: youjianjie@huawei.com

592     Qiandeng Liang
593     Huawei Technologies
594     101 Software Avenue, Yuhuatai District
595     Nanjing 210012
596     China

598     Email: liangqiandeng@huawei.com

600     Keyur Patel
601     Cisco Systems
602     170 W. Tasman Drive
603     San Jose CA 95124 95134
604     US

606     Email: keyupate@cisco.com

607     Peng Fan
608     Beijing
609     China

611     Email: peng.fan@139.com

613     Zhenqiang Li
614     China Mobile
615     Beijing
616     China

618     Email: li_zhenqiang@hotmail.com
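
Added example, not part of the draft: the Section 4.1.2 validation decision in Python, with the best-match unicast route found by longest-prefix match over a small RIB. The Route and FlowSpecRule types, the system IDs and the sample routes are constructed, and accepting any originator of an equal-cost route is an assumption the draft does not spell out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    originators: frozenset   # IS-IS system IDs; several model equal-cost paths


@dataclass(frozen=True)
class FlowSpecRule:
    originator: str              # system ID that originated the FlowSpec rule
    strict: bool                 # S bit of the Filters sub-TLV
    dest_prefix: Optional[str]   # None when there is no destination filter


def best_match(rib, dest_prefix):
    """Longest-prefix route that covers the FlowSpec destination prefix."""
    dest = ipaddress.ip_network(dest_prefix)
    best = None
    for route in rib:
        net = ipaddress.ip_network(route.prefix)
        if net.version != dest.version or not dest.subnet_of(net):
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, route)
    return best[1] if best else None


def validation_state(rule, rib):
    """Return 'valid', 'invalid' or 'not-applicable' per Section 4.1.2."""
    if rule.dest_prefix is None:
        return "not-applicable"      # no destination prefix filter to check
    if not rule.strict:
        return "valid"               # S bit clear: any originator accepted
    route = best_match(rib, rule.dest_prefix)
    if route is None or rule.originator not in route.originators:
        return "invalid"             # originator does not own the best match
    return "valid"


# Constructed RIB: R1 originates a covering /15, R2 a more specific /24,
# and R1 plus R3 both originate one /24 over equal-cost paths.
R1, R2, R3 = "0000.0000.0001", "0000.0000.0002", "0000.0000.0003"
SAMPLE_RIB = [
    Route("198.18.0.0/15", frozenset({R1})),
    Route("198.18.5.0/24", frozenset({R2})),
    Route("198.19.7.0/24", frozenset({R1, R3})),
]

if __name__ == "__main__":
    for rule in (FlowSpecRule(R1, True, "198.18.5.0/24"),
                 FlowSpecRule(R2, True, "198.18.5.0/24"),
                 FlowSpecRule(R1, False, "198.18.5.0/24")):
        print(rule, "->", validation_state(rule, SAMPLE_RIB))
```

The returned state only gates FIB installation; per Section 4.1.2 the LSP carrying the TLV is still flooded whatever the state.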