IDR Working Group S. Hares
Internet-Draft Hickory Hill Consulting
Intended status: Standards Track 22 July 2024
Expires: 23 January 2025
BGP Flow Specification Version 2 - More IP Filters
draft-hares-idr-fsv2-more-ip-filters-02
Abstract
The BGP flow specification version 2 (FSv2) for Basic IP defines user
ordering of filters along with FSv1 IP Filters and FSv1 actions.
This draft suggests additional IP Filters for Flow Specification
FSv2.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 23 January 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Hares Expires 23 January 2025 [Page 1]
Internet-Draft FSv2 More IP Filters July 2024
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 3
1.2. RFC 2119 language . . . . . . . . . . . . . . . . . . . . 4
1.3. FSv2 Refesher . . . . . . . . . . . . . . . . . . . . . . 4
1.4. FSv2 Series of Specifications . . . . . . . . . . . . . . 8
2. Extended IP Filters SubTLV . . . . . . . . . . . . . . . . . 9
3. Template for New FSv2 IP Filters . . . . . . . . . . . . . . 13
4. Review of existing proposals (For review only) . . . . . . . 14
4.1. New Filter Components (IDR approved) . . . . . . . . . . 14
4.1.1. TTL (type=TTL-Type (TBD1) . . . . . . . . . . . . . . 14
4.1.2. Parts of SID (type=16 (0x40)) . . . . . . . . . . . . 14
4.1.3. NRP ID Filter(type=17) (0x11) . . . . . . . . . . . . 18
4.2. Proposed Filter components . . . . . . . . . . . . . . . 19
4.2.1. IP Payloads Match type=18 (0x12)) . . . . . . . . . . 19
4.2.2. Group ID (type=19 (0x13)) . . . . . . . . . . . . . . 20
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
5.1. Filter IP Component types . . . . . . . . . . . . . . . . 22
5.2. FSV2 Filter versions . . . . . . . . . . . . . . . . . . 23
6. Security Considerations . . . . . . . . . . . . . . . . . . . 24
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 25
7.1. Normative References . . . . . . . . . . . . . . . . . . 25
7.2. Informative References . . . . . . . . . . . . . . . . . 28
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction
Version 2 of BGP flow specification was original defined in
[I-D.ietf-idr-flowspec-v2] (denoted FSv2). However, the full FSv2
specification contains more than initial implementers desired.
Therefore, this original FSv2 draft remains an WG draft, but the
content will be split out into functions that implementers can
manage. Section 1.4 contains the list of documents intended to be
the split of the original FSv2 documents.
FSv2 specifies new user-ordered filters that will be used with the
IPv4 (AFI=1) and IPv6 (AFI=2) 2 new SAFIs (TBD1, TBD2) for FSv2 to be
used with 5 AFIs (1, 2, 6, 25, and 31) to allow user-ordered lists of
traffic match filters for user-ordered traffic match actions encoded
in Communities (Wide or Extended).
This draft specifies defines extensions to the FSv2 Basic IP package
[I-D.hares-idr-fsv2-ip-basic]to support additional IP filters for IP
packet and payload. The filters are passed in the Extended IP
Filters (type 2) of the subTLVs. This filter form contains a filter
version number so filters can be added easily.
Hares Expires 23 January 2025 [Page 2]
Internet-Draft FSv2 More IP Filters July 2024
BGP Flow Specifiction version 1 (FSv1) as defined in [RFC8955],
[RFC8956], and [RFC9117] specified 2 SAFIs (133, 134) to be used with
IPv4 AFI (AFI = 1) and IPv6 AFI (AFI=2). FSV2 specifies 2 new SAFIs
(TBD1, TBD2) for FSv2 to be used with 5 AFIs (1, 2, 6, 25, and 31) to
allow user-ordered lists of traffic match filters for user-ordered
traffic match actions encoded in Communities (Wide or Extended). The
first SAFI (TBD1) will be used for IP forwarding, and the second SAFI
(TBD2) will be used with VPNs. The supported AFI/SAFI combinations
in FSV2 are:
* IPV4 (AFI=1, SAFI=TBD1),
* IPv6 (AFI=2, SAFI=TBD1),
* L2 (AFI=6, SAFI=TBD1),
* SFC (AFI=31, SAFI=TBD1),
* BGP/MPLS IPv4 VPN (AFI=1, SAFI=TBD2),
* BGP/MPLS IPV6 VPN (AFI=2, SAFI=TBD2),
* BGP/MPLS L2VPN (AFI=25, SAFI=TBD2), and
* SFC VPN (AFI=31, SAFI=TBD2)
FSv2 specifies new IP filter that will be used with the IPv4 (AFI=1)
and IPv6 (AFI=2) 2 new SAFIs (TBD1, TBD2) for FSv2 to be used with 5
AFIs (1, 2, 6, 25, and 31) to allow user-ordered lists of traffic
match filters for user-ordered traffic match actions encoded in
Communities (Wide or Extended). This document specifies IP filters
used with IPvr (AFI=1) and IPv6 (AFI=2).
FSv1 and FSv2 use different AFI/SAFIs to send flow specification
filters. Since BGP route selection is performed per AFI/SAFI, this
approach can be termed “ships in the night” based on AFI/SAFI.
Section 2 contains a description of the format of the FSv2 NLRI for
the the Extended IP Filters type (type 2). Section 3 provides three
new Filters approved in IDR WG drafts. Section 4 provides potential
filters from individual drafts.
1.1. Definitions and Acronyms
AFI - Address Family Identifier
AS - Autonomous System
Hares Expires 23 January 2025 [Page 3]
Internet-Draft FSv2 More IP Filters July 2024
BGPSEC - secure BGP [RFC8205] updated by [RFC8206]
BGP Session ephemeral state - state which does not survive the
loss of BGP peer session.
Configuration state - state which persist across a reboot of
software module within a routing system or a reboot of a hardware
routing device.
DDOs - Distributed Denial of Service.
Ephemeral state - state which does not survive the reboot of a
software module, or a hardware reboot. Ephemeral state can be
ephemeral configuration state or operational state.
FSv1 - Flow Specification version 1 [RFC8955] [RFC8956]
FSv2 - Flow Specification version 2 (this document)
NETCONF - The Network Configuration Protocol [RFC6241].
RESTCONF - The RESTCONF configuration Protocol [RFC8040]
RIB - Routing Information Base.
ROA - Route Origin Authentication [RFC6482]
RR - Route Reflector.
SAFI – Subsequent Address Family Identifier
1.2. RFC 2119 language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119]
[RFC8174] when, and only when, they appear in all capitals as shown
here.
1.3. FSv2 Refesher
Note from Editor: This review section is here for the initial drafts
to help with interim. It will be deleted as it is in
[I-D.hares-idr-fsv2-ip-basic].
A BGP Flow Specification (version 1 or version 2) is an n-tuple
containing one or more match criteria that can be applied to IP
traffic, traffic encapsulated in IP traffic or traffic associated
Hares Expires 23 January 2025 [Page 4]
Internet-Draft FSv2 More IP Filters July 2024
with IP traffic. The following are examples of such traffic: IP
packet or an IP packet inside a L2 packet (Ethernet), an MPLS packet,
and SFC flow.
Flow Specification NLRI may be associated with a set of path
attributes depending on the particular application to determine what
happens upon matching the data flow filter. FSv1 and FSv2 support
specifying the Extended Community specify a set of actions with a
default order and known interactions. FSv2 also supports the ability
to have user ordered actions by using the FSv2 type of Community BGP
Path Attribute.
A particular application is identified by a specific AFI/SAFI
(Address Family Identifier/Subsequent Address Family Identifier) and
corresponds to a distinct set of RIBs. Those RIBs should be treated
independently of each other in order to assure noninterference
between distinct applications. FSv1 data is sent in a different NLRI
than FSv2 NLRI.
BGP processing treats the NLRI as a key to entries in AFI/SAFI BGP
databases. Entries that are placed in the Loc-RIB are then
associated with a given set of semantics which are application
dependent. Standard BGP mechanisms such as update filtering by NLRI
or by attributes such as AS_PATH or large communities apply to the
BGP Flow Specification defined NLRI-types.
Network operators can control the propagation of BGP routes by
enabling or disabling the exchange of routes for a particular AFI/
SAFI pair on a particular peering session. As such, the Flow
Specification may be distributed to only a portion of the BGP
infrastructure.
Flow Specification v2 allows the user to order the flow specification
rules and the actions associated with a rule. Each FSv2 rule may
have one or more match conditions and one or more associated actions.
The IDR WG draft [I-D.ietf-idr-flowspec-v2] contains the complete
solution for FSv2. However, this complete solution makes
implementation of these features a large task so, please see the next
section on how the complete solution is broken into a series of
solutions. This section describres the complete solution.
This FSv2 specification supports the components and actions for the
following:
* IPv4 (AFI=1, SAFI=TBD1) [defined in FSv2-DDOS],
* IPv6 (AFI=2, SAFI=TBD2) [defined in FSv2-DDOS],
Hares Expires 23 January 2025 [Page 5]
Internet-Draft FSv2 More IP Filters July 2024
* L2 (AFI=6, SAFI=TDB1) [defined in FSv2-L2],
* BGP/MPLS IPv4 VPN: (AFI=1, SAFI=TBD2),
* BGP/MPLS IPv6 VPN: (AFI=2, SAFI=TBD2),
* BGP/MPLS L2VPN (AFI=25, SAFI=TDB2) [defined in FSv2-L2],
* SFC: (AFI=31, SAFI=TBD1) [defined in FSv2-SFC], and
* SFC VPN (AFI=31, SAFI=TBD2) [defined in FSv2-SFC].
The FSv2 specification for tunnel traffic is outside the scope of
this specification. The FSv1 specification for tunneled traffic is
in [I-D.ietf-idr-flowspec-nvo3]. The FSv2 tunnel traffic for FSv2
will be added to this list.
FSv2 operates in the ships-in-the night model with FSv1 so network
operators can manipulate which the distribution of FSv2 and FSv1
using configuration parameters. Since the lack of deterministic
ordering was an FSv1 problem, this specification provides rules and
protocol features to keep filters in a deterministic order between
FSv1 and FSv2.
The basic principles regarding ordering of flow specification filter
rules are:
1) Rule-0 (zero) is defined to be 0/0 with the “permit-all”
action.
2) FSv2 rules are ordered based on user-specified order.
- The user-specified order is carried in the FSv2 NLRI and a
numerical lower value takes precedence over a numerically
higher value. For rules received with the same order value,
the FSv1 rules apply (order by component type and then by value
of the components).
3) FSv2 rules are added starting with Rule 1 and FSv1 rules are
added after FSv2 rules
- For example, BGP Peer A has FSv2 data base with 10 FSv2 rules
(1-10). FSv1 user number is configured to start at 301 so 10
FSv1 rules are added at 301-310.
Hares Expires 23 January 2025 [Page 6]
Internet-Draft FSv2 More IP Filters July 2024
4) An FSv2 peer may receive BGP NLRI routes from a FSv1 peer or a
BGP peer that does not support FSv1 or FSv2. The capabilities
sent by a BGP peer indicate whether the AFI/SAFI can be received
(FSv1 NLRI or FSv2 NLRI).
5) Associate a chain of actions to rules based on user-defined
action number (1-n). (optional)
- If no actions are associated with a filter rule, the default is
to drop traffic the filter rules match
- An action chain of 1-n actions can be associated with a set of
filter rules can via Extended Communities or Wide Communities.
Only Wide Communities can associate a user-defined order for
the actions. Extended Community actions occur after actions
with a user specified order (see section 5.2 for details).
Figure 2-2 provides a logical diagram of the FSv2 structure
Hares Expires 23 January 2025 [Page 7]
Internet-Draft FSv2 More IP Filters July 2024
+--------------------------------+
| Rule Group |
+--------------------------------+
^ ^ ^
| |--------- |
| | ------
| | |
+--------^-------+ +-------^-----+ +---^-----+
| Rule1 | | Rule2 | ... | Rule-n |
+----------------+ +-------------+ +---------+
: : : :
:.................: : : :
: |...........: : :
+--V--+ +--V-------+ : :
|order| |identifie | .......: :
+-----+ +----------+ : :
: :
+------------------V--+ +-----V----------------+
|Rule Match condition | | Rule Action |
+---------------------+ +----------------------+
: : : : : : : : |
+--V--+ : : : +--V---+ : : : V
| Rule| : : : |action| : : : +-----------+
| name| : : : |order | : : : |action name|
+-----+ : : : +------+ : : : +-----------+
: : : : : :.............
: : : : : :
.....: . :..... ..: :...... :
: : : : : :
+----V---+ +---V----+ +--V---+ +-V------+ +--V-----+ +--V---+
| Match | | match | |match | | Action | | action | |action|
|Operator| |variable| |Value | |Operator| |Variable| | Value|
+--------+ +--------+ +------+ +--------+ +--------+ +------+
Figure 2-2: BGP FSv2 Data storage
1.4. FSv2 Series of Specifications
The full FSV2 information is contained in [I-D.ietf-idr-flowspec-v2].
Feedback from the implementers indicate that the Flow Specification
v2 needs to broken into drafts based on the use cases the technology
supports. These include IPv4/IPv6 IP Basic Filters for DDOS, IPv4/
IPv6 filters beyond DDOS, BGP/MPLS IPv4 VPN, BGP/MPLS IPv6 VPN, BGP/
MPLS L2VPN, Segment routing (SRMPLS, SRv6), SFC, SFC VPN, L2, L2
VPNs, and tunneled traffic (e.g., nv03 WG tunnels).
The following is the list of planned drafts:
Hares Expires 23 January 2025 [Page 8]
Internet-Draft FSv2 More IP Filters July 2024
FSv2 IP Basic: ([I-D.hares-idr-fsv2-ip-basic]) describes the minimal
set of functions each FSv2 implementation must support.
FSv2 More IP Filters: (this document) defines a road map for
additional IP filters. This base specification provides the
format of the NLRI for IP Extended Filters" and gives templates
for components used in the IP Extended Filters for FSv2.
Temporarily, it list the IP Extended Filters - both filters
approved by the IDR WG and the proposed filters.
FSv2 More IP Actions: ([I-D.hares-idr-fsv2-more-ip-actions]) This
draft provides:
Template for additional FSv2 IP Actions in Extended
Communities,
Template for additional FSv2 IP Actions in Community Path
Attribute,
List of IDR WG approved IP Actions (in standardization
process),
List of IP Actions proposed for IDR WG standarization)
FSv2 Non-IP Filters drafts: This group of drafts will include new
proposals and revisions of the following existing IDR work:
FSv2 MPLS Filters and Actions:
((draft-hares-idr-fsv2-mpls-Filters) This base specification
provides the format of the MPLS filters and actions.
FSv2 L2 Filters and Actions: Revision of [I-D.ietf-idr-flowspec-
l2vpn] for FSv2.
FSv2 L2 Filters and Actions: Revision of [I-D.ietf-idr-flowspec-
nvo3] for FSv2.
2. Extended IP Filters SubTLV
The format of the FSv2 NLRI field for IP Filters is defined in the
original FSv2 draft [I-D.ietf-idr-flowspec-v2] and in the first of
the FSv2 series drafts [I-D.hares-idr-fsv2-ip-basic]. As a review,
the FSv2 NLRI with
Hares Expires 23 January 2025 [Page 9]
Internet-Draft FSv2 More IP Filters July 2024
The format of the NLRI for Basic IP Filters (type 1) is also defined
in [I-D.hares-idr-fsv2-ip-basic]. This document defines the format
of NLRI for the FSv2 Extended IP Filter type (type 2). Figure 3-1
provides the general header and Figure 3-2 provides the definition of
the "value" portion. Figure 3-3 provides a diagram of the component
types.
The key differences is that the extended IP filter types starts with
a IP Filters identifier before SubTLVs with the filter components.
+-------------------------------+
| NLRI length (2 octets) |
+-------------------------------+
| TLVs+ |
| +===========================+ |
| | order (4 octets) | |
| +---------------------------+ |
| | Dependent filters chain | |
| |(type, chain ID, count, | |
| | item) (8 octets) | |
| +---------------------------+ |
| + FSv2 Filter type 2 + |
| +---------------------------+ |
| + length TLVs (2 octet) + |
| + --------------------------+ |
| + value (variable) + |
| +---------------------------+ |
+-------------------------------+
Figure 3-1 - FSv2 NLRI with Extended IP Filter type.
Where:
Dependent Filters Chain: 8 octets for identifying a chain of FSv2
filters that must be deployed at the same time.
Why needed in FSv2 filters: Flow spedcification filters
distributed in BGP UPDATE packets may be broken into multiple
packets. In FSv2, the dependent filter ID allows the filter
chains to be identified across all user-defined or default
filters. The rules can be installed from BGP into the firewall
after all filters have been installed.
Components of the field The field has the following components:
version: (1 octet) identifies format of field (zero is
reserved)
Hares Expires 23 January 2025 [Page 10]
Internet-Draft FSv2 More IP Filters July 2024
Chain ID: (3 octet): Identifier for filter chain (zero is
reserved)
Count of items (2 octet): count of item on chains
item on chain: (2 octets): filter sequence number on chain
Where: the IP Filter type has a value field has a series of SubTLV as
shown in figure 3-2.
+-------------------------------+
| +--------------------------+ |
| | FSv2 Extended Filters | |
| | version (1 octet) | |
| +--------------------------+ |
| | Components+ (SUB-TLVs) | |
| +--------------------------+ |
+-------------------------------+
Figure 3-2 - FSv2 for Extended IP filters
Where: FSv2 Extended Filters version - gives a version number for the
group of Extended IP Components supported. For example, the first
version could support just the components listed in Table 3-1.
And Component SubTLV has the format of
+-------------------------------+
| Component Type (1 octet) |
+-------------------------------+
| length (2 octets) |
+ ------------------------------+
| value (variable) |
+-------------------------------+
Figure 3-3 – IP header SubTLV format
Where:
Component type: component values are defined in the “Flow
Specification Component types” registry for IPv4 and IPv6 by
[RFC8955], [RFC8956], and [I-D.ietf-idr-flowspec-srv6]
length: length of SubTLV (varies depending on the component type)>
value: dependent on component type. The component types supported
are based on the FSv2 filter version.
Hares Expires 23 January 2025 [Page 11]
Internet-Draft FSv2 More IP Filters July 2024
- The component types supported for FSv2 IP Extended Filters
depends on the Extended Capability version.
- For descriptions of value portions for components 1-13 see
[RFC8955] and [RFC8956]. Potential new filter components are
listed in Table 3-3.
Table 3-1 Extended IP Filters Components
SubTLV
-type Definition
====== ==========================
0 - Reserved
1 - IP Destination prefix
2 - IP Source prefix
3 – IPv4 Protocol /
IPv6 Upper Layer Protocol
4 – Port
5 – Destination Port
6 – Source Port
7 – ICMPv4 type / ICMPv6 type
8 – ICMPv4 code / ICPv6 code
9 – TCP Flags
10 – Packet length
11 – DSCP
12 – Fragment
13 – Flow Label
14 - TTL
15 - Reserved
16 - SID in Routing IPv6 Header
17 - NRP-ID in Hop-by-Hop IPv6 Header
18 - Payload component
Table 3-2 Extended IP Component Ranges
(proposed)
Sub-TLV range Definition
------------- -------------
1-13 V1 filters
14-63 IP Extended Filters
64-150 Non-IP filters
151-180 Associated Data filters
181-191 Reserved
192-249 FCFS
250-255 Reserved
Ordering within the TLV in FSv2: The transmission of SubTLVs within a
flow specification rule MUST be sent ascending order by SubTLV type.
If the SubTLV types are the same, then the value fields are compared
Hares Expires 23 January 2025 [Page 12]
Internet-Draft FSv2 More IP Filters July 2024
using mechanisms defined in [RFC8955] and [RFC8956] and MUST be in
ascending order. NLRIs having TLVs which do not follow the above
ordering rules MUST be considered as malformed by a BGP FSv2
propagator. This rule prevents any ambiguities that arise from the
multiple copies of the same NLRI from multiple BGP FSv2 propagators.
A BGP implementation SHOULD treat such malformed NLRIs as "Treat-as-
withdraw" [RFC7606].
See [RFC8955], [RFC8956], and [I-D.ietf-idr-flowspec-srv6]. for
specific details.
3. Template for New FSv2 IP Filters
Summary: 1 line summary of function
Component ID: TBD-X1 (14)
Packet filtering:
This should be a choice of IPv4, IPv6, L2 Frame, MPLS frame,
tunnel
What fitering in packet: specific field
Encoding: encoding of values in component. (below is example of v1
component)
<[numeric_op, value]+>
where:
- numeric_op - definition
- value - (give definition)
Ordering within component: by full value of number_op concatenated
with value
dependency between components: no issues
conflict with other filters: none
reference document: [this document]
Examples in: in section (fill in section number)
Hares Expires 23 January 2025 [Page 13]
Internet-Draft FSv2 More IP Filters July 2024
4. Review of existing proposals (For review only)
This section provides examples of the use of templates for existing
drafts. This section is for example only.
4.1. New Filter Components (IDR approved)
This approved Filters will be moved into individual drafts
4.1.1. TTL (type=TTL-Type (TBD1)
Summary: TTL filter defines matches for 8-bit TTL field in IP header
Component ID: TBD-X1
What packet filtering: IPv4
What fitering in packet: 8 bit TTL field
Encoding: <[numeric_op, value]+>
where:
- numeric_op - is defined by Flow Specification v1
- value is a 1 octet value for TTL.
ordering within component: by full value of number_op concatenated
with value
dependency between components:
User ordering of filters can place this at any point in the filter
chain.
Default component order: V1 ordering does not have TTL default
need to be set by IDR WG. User ordering cn set this in order.
conflict: none
reference: draft-bergeon-flowspec-ttl-match-00.txt
examples in: section 6
4.1.2. Parts of SID (type=16 (0x40))
Summary: IPv6 Service Identifier (SRv6 SID) Matches
([I-D.ietf-idr-flowspec-srv6] )
Hares Expires 23 January 2025 [Page 14]
Internet-Draft FSv2 More IP Filters July 2024
component ID: TBD-X2 (16)
What Packet filtering: IPv6
What filtering in IPv6 Packet: Segment Routing Header (SRH)
([RFC8402])
SID in SRH: [RFC8402] defines SRv6 Segment Identifier (SID) as an
IPv6 address explicitly associated with the segment. [RFC8986]
defines the SID format as: "LOC:FUNCT:ARG" where:
- locator (LOC) is encoded in the L most significant bits of the
SID,
- followed by F bits of function (FUNCT), and
- A bits of arguments (ARG).
Encoding FSv2 Component: Parts of SID Filter: defines a list of match
bit match criteria for some combinations of the LOC (location), FUNCT
(function) and ARG (arguments) fields in the SID or or whole SID.
Length: variable
Component Value format: [type, LOC-Len, FUNCT-Len, ARG-Len, [op,
value]+]
where:
- type (1 octet): This indicates the new component type (TBD1,
which is to be assigned by IANA).
- LOC-Len (1 octet): This indicates the length in bits of LOC in
SID.
- FUNCT-Len (1 octet): This indicates the length in bits of FUNCT
in SID.
- ARG-Len (1 octet): This indicates the length in bits of ARG in
SID.
- [op, value]+: This contains a list of {operator, value} pairs
that are used to match some parts of SID.
The total of three lengths (i.e., LOC length + FUNCT length + ARG
length) MUST NOT be greater than 128. If it is greater than 128,
an error occurs and it is treated as a withdrawal [RFC7606] and
[RFC4760].
Hares Expires 23 January 2025 [Page 15]
Internet-Draft FSv2 More IP Filters July 2024
The operator (op) byte is encoded as:
0 1 2 3 4 5 6 7
+---+---+---+---+---+---+---+---+
| e | a | field type|lt |gt |eq |
+---+---+---+---+---+---+---+---+
Figure 3-5
where:
- where the behavior of each operator bit has clear similarity
with that of [RFC8955]'s Numeric Operator field.
- e (end-of-list bit): Set in the last {op, value} pair in the
sequence.
- a - AND bit: If unset, the previous term is logically ORed with
the current one. If set, the operation is a logical AND. It
should be unset in the first operator byte of a sequence. The
AND operator has higher priority than OR for the purposes of
evaluating logical expressions.
- field type:
o 000: SID's LOC
o 001: SID's FUNCT
o 010: SID's ARG
o 011: SID's LOC:FUNCT (the concatenation of the LOC and
FUNCTION fields)
o 100: SID's FUNCT:ARG (the concatenation of the FUNCTION and
ARG fields)
o 101: SID's LOC:FUNCT:ARG (the concatenation of the FUNCTION
and ARG fields)
- Note: For an unknown field type, Error Handling is to "treat as
withdrawal" [RFC7606] and [RFC4760].
- lt: less than comparison between data' and value'.
- gt: greater than comparison between data' and value'.
- eq: equality between data' and value'.
Hares Expires 23 January 2025 [Page 16]
Internet-Draft FSv2 More IP Filters July 2024
The data' and value' used in lt, gt and eq are indicated by the
field type in an operator and the value field following the
operator.
The length of the value field depends on the field type and is the
length of the SID parts being matched (see Table 3, Figure 3-6) in
bytes, rounded up if that length is not a multiple of 8.
Table 3 - SID Parts fields
+-----------------------+------------------------------+
| Field Type | Value |
+=======================+==============================+
| SID's LOC | value of LOC bits |
+-----------------------+------------------------------+
| SID's FUNCT | value of FUNCT bits |
+-----------------------+------------------------------+
| SID's ARG | value of ARG bits |
+-----------------------+------------------------------+
| SID's LOC:FUNCT | value of LOC:FUNCT bits |
+-----------------------+------------------------------+
| SID's FUNCT:ARG | value of FUNCT:ARG bits |
+-----------------------+------------------------------+
| SID's LOC:FUNCT:ARG | value of LOC:FUNCT:ARG bits |
+-----------------------+------------------------------+
------------------ SID, 128 bits ----------------
/ \
+-----------+-----------+-----------+----------------+
| LOC | FUNCT | ARG | ... |
+-----------+-----------+-----------+----------------+
\ / \ / \ / \ /
j bits k bits m bits 128-j-k-m bits
\ /
LOC:FUNCT, j+k bits
\ /
FUNCT:ARG, k+m bits
\ /
-- LOC:FUNCT:ARG, j+k+m bits –
Figure 3-6
Dependency between components: TBD
conflicts between components: TBD
reference: [I-D.ietf-idr-flowspec-srv6]
Hares Expires 23 January 2025 [Page 17]
Internet-Draft FSv2 More IP Filters July 2024
Examples in: TBD
4.1.3. NRP ID Filter(type=17) (0x11)
Summary: Network Resource Partition ID Component
IP Packet filtering: IPv6
What filtering: IPv6 Hop-by-Hop Options Header ([RFC8402])
Description: Option in Next-Hop-Options header in IPv6 packet
([RFC8402], section 4). A Network Resource Partition (NRP) option
carries around the network resource partition information (NRP) in
the Hop-by-Hop options header ([I-D.ietf-6man-enhanced-vpn-vtn-id]).
This IPv6 Extension head has:
Flags (flags): This is a 8 bit flag field in a single octet. One
bit, "S" defined in most significant bit. The S stands for strict
match of NRP ID field. The NRP Flags field is filtered for by the
FSv2 component Flags field.
Context type (CT): - 1 octet field indicating the semantics and
length of NRP-ID field. The value of CT=0 indicates a 4-octet NRP
ID.
followed by F bits of function (FUNCT), and
A bits of arguments (ARG).
FSv2 NRP ID Component: Defines match for NRP ID in the NRP option of
Hop-by-Hop Header. This FSv2 component has following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Type | Opt Data Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Flags | Context Type | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ NRP ID ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure: NRP FSv2 Component
Flags - This field is 2 octets with only the most signficant bit
defined as Global Bit (g).
Hares Expires 23 January 2025 [Page 18]
Internet-Draft FSv2 More IP Filters July 2024
- Global bit (g): When set, it indicates the NRP ID to be matched
with a globally unique NRP ID. Otherwise, the NRP-ID is to be
a domain significant NRP ID. The global NRP ID has been
coordinated among these domains.
Reserved: This a 2-octet field reserved for future use. It SHOULD
be set to zero on transmission and MUST be ignored on receipt.
NRP ID: This is a 4-octet identifier which is used to identify an
NRP
Interactions with: (TBD)
reference: [I-D.ietf-idr-flowspec-network-slice-ts]
4.2. Proposed Filter components
The documents in this section are proposed filters. Each of these
proposals would be included in an individual draft.
4.2.1. IP Payloads Match type=18 (0x12))
Summary: IP Payload filter
IP Packet filtering: IPv4 or IPv6
What filtering in packet: Data in header or within the payload.
Encoding: The filter has an offset to filter data from the point
specified in the "offset-type field" for using a filter of specific
length (content-length) with a specific pattern (content). The type
of packet IPv4 or IPv6 is specified in Type of IP packet.
The structure of the component is:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Type | component Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PType | Otype | offset (offset-value) | content length|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| content |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3-x: FSv2 IP Payload Match Component
Hares Expires 23 January 2025 [Page 19]
Internet-Draft FSv2 More IP Filters July 2024
Where the
- Ptype - 4 bit field indicating the packet type via AFI (IPv4 or
IPv6)
o IPv4 = 1
o IPv6 = 2
- Otype - 4 bit field indicating the offset type where
o 0 = IP header
o 1 = IP header data
o 2 = Data within TCP/UDP
- offset - is number of bytes to the payload from the point
defined by Ptype and Otype.
- content length - length of the content.
- content - content filter field to match (significant field bit
zero).
Ordering within component: (TBD)
interacts with components: (TBD)
reference: [I-D.cui-idr-content-filter-flowspec]
4.2.2. Group ID (type=19 (0x13))
Summary: Filter on Group ID
IP Packet filtering: IPv4 or IPv6
What filtering: Group ID specified sub-type
What Filtering in Packet: The filter looks for a specific type of
group ID within either the IPv4 or IPv6 packet header.
Encoding of component: The structure of the component is the
following
Hares Expires 23 January 2025 [Page 20]
Internet-Draft FSv2 More IP Filters July 2024
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Type | Opt Data Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Packet Type | Offset type | Group type | SubGroup type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Offset value | GMask length | SG Mask length|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Group Mask |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Group ID value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sub-Group Mask |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sub-Group Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3-x: FSv2 IP Payload Match Component
Where the
- Packet type - 8 bit field indicating the packet type
o IPv4 = 1
o IPv6 = 2
- Offset type - 4 bit field indicating the offset type where
o 0 = IP header
o 1 = IP header data
o 2 = Data within TCP/UDP
- offset - is number of bytes to the payload from the point
defined by Ptype and Otype.
- Group type - 1 octet field indicating the type of group ID
o 0 = Reserved
o 1 = Indirection ID
o 2 = Interface group
o 3 = CATS ID
Hares Expires 23 January 2025 [Page 21]
Internet-Draft FSv2 More IP Filters July 2024
o 4 = SAV ID
o 5 = APN ID
- Sub-Group type - Sub group within filters.
o 0 = Reserved
o 1 = data traffic (Inbound/outbound)
o 1 = data traffic Inbound only
o 2 = data traffic outbound only
- Group Mask - (variable) Group field mask
- Group ID value - (variable) Group ID value to match
- Sub Group Mask - (variable) Sub-Group Mask
- Sub-Group Value - (variable) Sub-Group value to match on
ordering within component: TBD
dependency between components: TBD
conflicts with other components: (TBD)
reference: TBD (this is just a sample).
5. IANA Considerations
This section complies with [RFC7153].
5.1. Filter IP Component types
IANA is requested to indicate [this draft] as a reference on the
following assignments in the Flow Specification Component Types
Registry:
Hares Expires 23 January 2025 [Page 22]
Internet-Draft FSv2 More IP Filters July 2024
ID Name Reference
---- ----------- -----------------------------------------
14 TTL [this document]
15 Partial SID [draft-ietf-idr-flowspec-srv6]
[this document]
16 NRP ID [this document]
[draft-ietf-idr-flowspec-network-slice-ts]
17 payload [this document]
[draft-cui-content-filter-flowspec-00]
18 Group ID [this document]
[draft-ietf-idr-flowspec-path-redirect]
[draft-peng-idr-apn-bgp-flowspec]
[draft-lin-idr-cats-flowspec-ts]
[draft-geng-idr-flowspec-sav]
5.2. FSV2 Filter versions
IANA is requested to create the following three new egistries on a
new "Flow Specification v2 Parameters” web page.
Name: BGP FSv2 Filter Version types
Reference: [this document]
Registration Procedures: 0x01-0x3F Standards Action.
0x40-0x6F FCFS
0x70-0xFF reserved
Type Use Reference
----- --------------- ---------------
0x00 IP basic only [this document]
[FSv2 IP basic]
0x01 Extended IP Filters 1 [This document]
Figure 4-1
Hares Expires 23 January 2025 [Page 23]
Internet-Draft FSv2 More IP Filters July 2024
Name: BGP Group Types
Reference: [this document]
Registration Procedures: 0x01-0x3F Standards Action.
0x40-0x6F FCFS
0x70-0xFF reserved
Type Use Reference
----- --------------- ---------------
0x00 reserved [this document]
0x01 Indirection ID [this document]
0x01 Interface Group [this document]
0x02 CATs group [this document]
0x03 SAVNet group [this document]
0x04 APN group [this document]
Figure 4-2 Groups
Name: BGP Sub Group Types
Reference: [this document]
Registration Procedures: 0x01-0x3F Standards Action.
0x40-0x5F FCFS
0x5F-0xFF reserved
Type Use Reference
----- --------------- ---------------
0x00 Inbound/outbound [this document]
0x01 Inbound on [this document]
0x02 Outbound only [this document]
0x03 SubGroup ID based [this document]
figure 4-3 Sub-Group types
6. Security Considerations
The use of ROA improves on [RFC8955] by checking to see of the route
origination. This check can improve the validation sequence for a
multiple-AS environment.
>The use of BGPSEC [RFC8205] to secure the packet can increase
security of BGP flow specification information sent in the packet.
The use of the reduced validation within an AS [RFC9117] can provide
adequate validation for distribution of flow specification within a
single autonomous system for prevention of DDoS.
Distribution of flow filters may provide insight into traffic being
sent within an AS, but this information should be composite
information that does not reveal the traffic patterns of individuals.
Hares Expires 23 January 2025 [Page 24]
Internet-Draft FSv2 More IP Filters July 2024
7. References
7.1. Normative References
[I-D.hares-idr-fsv2-ip-basic]
Hares, S., Eastlake, D., Yadlapalli, C., and S. Maduschke,
"BGP Flow Specification Version 2 - for Basic IP", Work in
Progress, Internet-Draft, draft-hares-idr-fsv2-ip-basic-
03, 22 July 2024,
.
[I-D.hares-idr-fsv2-more-ip-actions]
Hares, S., "BGP Flow Specification Version 2 - More IP
Actions", Work in Progress, Internet-Draft, draft-hares-
idr-fsv2-more-ip-actions-01, 3 June 2024,
.
[I-D.hares-idr-fsv2-more-ip-filters]
Hares, S., "BGP Flow Specification Version 2 - More IP
Filters", Work in Progress, Internet-Draft, draft-hares-
idr-fsv2-more-ip-filters-01, 12 May 2024,
.
[I-D.ietf-6man-enhanced-vpn-vtn-id]
Dong, J., Li, Z., Xie, C., Ma, C., and G. S. Mishra,
"Carrying Network Resource Partition (NRP) Information in
IPv6 Extension Header", Work in Progress, Internet-Draft,
draft-ietf-6man-enhanced-vpn-vtn-id-07, 8 July 2024,
.
[I-D.ietf-idr-bgp-flowspec-label]
liangqiandeng, Hares, S., You, J., Raszuk, R., and D. Ma,
"Carrying Label Information for BGP FlowSpec", Work in
Progress, Internet-Draft, draft-ietf-idr-bgp-flowspec-
label-02, 20 October 2022,
.
Hares Expires 23 January 2025 [Page 25]
Internet-Draft FSv2 More IP Filters July 2024
[I-D.ietf-idr-flowspec-interfaceset]
Litkowski, S., Simpson, A., Patel, K., Haas, J., and L.
Yong, "Applying BGP flowspec rules on a specific interface
set", Work in Progress, Internet-Draft, draft-ietf-idr-
flowspec-interfaceset-05, 18 November 2019,
.
[I-D.ietf-idr-flowspec-l2vpn]
Weiguo, H., Eastlake, D. E., Litkowski, S., and S. Zhuang,
"BGP Dissemination of L2 Flow Specification Rules", Work
in Progress, Internet-Draft, draft-ietf-idr-flowspec-
l2vpn-23, 15 April 2024,
.
[I-D.ietf-idr-flowspec-mpls-match]
Yong, L., Hares, S., liangqiandeng, and J. You, "BGP Flow
Specification Filter for MPLS Label", Work in Progress,
Internet-Draft, draft-ietf-idr-flowspec-mpls-match-02, 20
October 2022, .
[I-D.ietf-idr-flowspec-network-slice-ts]
Dong, J., Chen, R., Wang, S., and J. Wenying, "BGP
Flowspec for IETF Network Slice Traffic Steering", Work in
Progress, Internet-Draft, draft-ietf-idr-flowspec-network-
slice-ts-02, 4 March 2024,
.
[I-D.ietf-idr-flowspec-nvo3]
Eastlake, D. E., Weiguo, H., Zhuang, S., Li, Z., and R.
Gu, "BGP Dissemination of Flow Specification Rules for
Tunneled Traffic", Work in Progress, Internet-Draft,
draft-ietf-idr-flowspec-nvo3-20, 16 June 2024,
.
[I-D.ietf-idr-flowspec-path-redirect]
Van de Velde, G., Patel, K., and Z. Li, "Flowspec
Indirection-id Redirect", Work in Progress, Internet-
Draft, draft-ietf-idr-flowspec-path-redirect-12, 24
November 2022, .
Hares Expires 23 January 2025 [Page 26]
Internet-Draft FSv2 More IP Filters July 2024
[I-D.ietf-idr-flowspec-srv6]
Li, Z., Li, L., Chen, H., Loibl, C., Mishra, G. S., Fan,
Y., Zhu, Y., Liu, L., and X. Liu, "BGP Flow Specification
for SRv6", Work in Progress, Internet-Draft, draft-ietf-
idr-flowspec-srv6-05, 29 March 2024,
.
[I-D.ietf-idr-wide-bgp-communities]
Raszuk, R., Haas, J., Lange, A., Decraene, B., Amante, S.,
and P. Jakma, "BGP Community Container Attribute", Work in
Progress, Internet-Draft, draft-ietf-idr-wide-bgp-
communities-11, 9 March 2023,
.
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
DOI 10.17487/RFC0791, September 1981,
.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y.,
Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack
Encoding", RFC 3032, DOI 10.17487/RFC3032, January 2001,
.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006,
.
[RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
Communities Attribute", RFC 4360, DOI 10.17487/RFC4360,
February 2006, .
[RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
"Multiprotocol Extensions for BGP-4", RFC 4760,
DOI 10.17487/RFC4760, January 2007,
.
[RFC5065] Traina, P., McPherson, D., and J. Scudder, "Autonomous
System Confederations for BGP", RFC 5065,
DOI 10.17487/RFC5065, August 2007,
.
Hares Expires 23 January 2025 [Page 27]
Internet-Draft FSv2 More IP Filters July 2024
[RFC5701] Rekhter, Y., "IPv6 Address Specific BGP Extended Community
Attribute", RFC 5701, DOI 10.17487/RFC5701, November 2009,
.
[RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
Origin Authorizations (ROAs)", RFC 6482,
DOI 10.17487/RFC6482, February 2012,
.
[RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP
Extended Communities", RFC 7153, DOI 10.17487/RFC7153,
March 2014, .
[RFC7606] Chen, E., Ed., Scudder, J., Ed., Mohapatra, P., and K.
Patel, "Revised Error Handling for BGP UPDATE Messages",
RFC 7606, DOI 10.17487/RFC7606, August 2015,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
[RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M.
Bacher, "Dissemination of Flow Specification Rules",
RFC 8955, DOI 10.17487/RFC8955, December 2020,
.
[RFC8956] Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed.,
"Dissemination of Flow Specification Rules for IPv6",
RFC 8956, DOI 10.17487/RFC8956, December 2020,
.
[RFC9015] Farrel, A., Drake, J., Rosen, E., Uttaro, J., and L.
Jalil, "BGP Control Plane for the Network Service Header
in Service Function Chaining", RFC 9015,
DOI 10.17487/RFC9015, June 2021,
.
[RFC9117] Uttaro, J., Alcaide, J., Filsfils, C., Smith, D., and P.
Mohapatra, "Revised Validation Procedure for BGP Flow
Specifications", RFC 9117, DOI 10.17487/RFC9117, August
2021, .
[RFC9184] Loibl, C., "BGP Extended Community Registries Update",
RFC 9184, DOI 10.17487/RFC9184, January 2022,
.
7.2. Informative References
Hares Expires 23 January 2025 [Page 28]
Internet-Draft FSv2 More IP Filters July 2024
[I-D.cui-idr-content-filter-flowspec]
Cui, Y., Gao, Y., and S. Hares, "Packet Content Filter for
BGP FlowSpec", Work in Progress, Internet-Draft, draft-
cui-idr-content-filter-flowspec-02, 19 July 2024,
.
[I-D.ietf-idr-flowspec-v2]
Hares, S., Eastlake, D. E., Yadlapalli, C., and S.
Maduschke, "BGP Flow Specification Version 2", Work in
Progress, Internet-Draft, draft-ietf-idr-flowspec-v2-04,
28 April 2024, .
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
.
[RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol
Specification", RFC 8205, DOI 10.17487/RFC8205, September
2017, .
[RFC8206] George, W. and S. Murphy, "BGPsec Considerations for
Autonomous System (AS) Migration", RFC 8206,
DOI 10.17487/RFC8206, September 2017,
.
[RFC8300] Quinn, P., Ed., Elzur, U., Ed., and C. Pignataro, Ed.,
"Network Service Header (NSH)", RFC 8300,
DOI 10.17487/RFC8300, January 2018,
.
[RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
Decraene, B., Litkowski, S., and R. Shakir, "Segment
Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
July 2018, .
[RFC8986] Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer,
D., Matsushima, S., and Z. Li, "Segment Routing over IPv6
(SRv6) Network Programming", RFC 8986,
DOI 10.17487/RFC8986, February 2021,
.
Hares Expires 23 January 2025 [Page 29]
Internet-Draft FSv2 More IP Filters July 2024
Author's Address
Susan Hares
Hickory Hill Consulting
7453 Hickory Hill
Saline, MI 48176
United States of America
Phone: +1-734-604-0332
Email: shares@ndzh.com
Hares Expires 23 January 2025 [Page 30]