Filter-Based RIB Data Model
draft-hares-rtgwg-fb-rib-01

Abstract

This document defines a yang data model for a Filter-based Routing Information Base (RIB) Yang data model. A routing system uses the Filter-based RIB to program FIB entries that process incoming packets by matching on multiple fields (n-tuple) within the packet and then performing a specified action on it. The FB-RIB can also specify an action to forward the packet according to the FIB entries programmed using the RIBs of its routing instance.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on October 6, 2016.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

• 1. Introduction
• 1.1. Definition of I2RS Filter Based RIB
• 1.2. Requirements Language
• 1.3. Definitions and Acronyms
• 1.4. Yang High Level (YHL) graphical form
• 2. Where Filter-Based RIB Fits in Global RIBs
• 3. Proposed Structure for Filter-Based RIBs
• 4. Yang High Level Structure for FB-RIBs
• 4.1. Top Level Yang Structure for ietf-fb-rib
• 4.2. Filter-Based RIB structures
• 5. yang models
• 5.1. Filter-Based RIB types
• 6. IANA Considerations
• 7. Security Considerations
• 8. References
• 8.1. Normative References:
• 8.2. Informative References
• Authors' Addresses

1. Introduction

This document provides a yang module for flow filter n-tuple policy that is locally configured. This flow filter policy has also been called Policy routing in some implementations.

This document defines a yang data model for a Filter-based Routing Information Base (RIB) Yang data model. A routing system uses the Filter-based RIB to program FIB entries that process incoming packets by matching on multiple fields within the packet and then performing a specified action on it. The FB-RIB can also specify an action to forward the packet according to the FIB entries programmed using the RIBs of its routing instance.

1.1. Definition of I2RS Filter Based RIB

Filter-based routing is a technique used to make packet forwarding decisions based on a n-tuple filter that is matched to the incoming packets and the specified action. It should be noted that that this is distinct from the static routes in the following RIBS:

• configured RIB created using static routes in [I-D.ietf-netmod-routing-cfg]
• Extended static RIB defined in [I-D.acee-rtgwg-yang-rib-extend],
• Ephmeral Protocol Independent RIB defined in [I-D.ietf-i2rs-rib-info-model], or

A Filter-Based RIB (Routing Information Base) is contained in a routing instance. It contains a list of filters (match-action conditions), a list of interface the filter-based forwarding operates on. Filter-based RIBs (FB-RIBs) operate only on the interface the FB-RIB are configured on.

A Filter Based RIB uses packet forwarding policy. If packet reception is considered an event, then the I2RS Filter-based RIB uses a minimalistic Event-Condition-Action policy. A Filter-based RIB entry specifies matche filters for the fields in a packet (which may include layer 1 to layer 3 header fields, transport or application fields) or size of the packet or interface received on. The matches are contained in an ordered list of filters which contain pairs of match condition-action (aka event-condition-action).

If all matches fail, the default action is to forward the packet using FIB entries that were programmed by the default Routing Informational Base (RIB) manager configured in the Filter-Based RIB (FB-RB)

Actions in the condition-action pair may impact forwarding or set something in the packet that will impact forwarding. Policy actions are typically applied before applying QoS constraints since policy actions may override QoS constraint.

The Filter-Based RIB resides in ephemeral state as does the I2RS RIB and I2RS topology models.

1.2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]

In this document, these words will appear with that interpretation only when in ALL CAPS. Lower case uses of these words are not to be interpreted as carrying RFC-2119 significance.

1.3. Definitions and Acronyms

CLI

Command Line Interface

FB-RIB

Filter-Based Routing Information Base

FB-Route

The policy rules in the filter-based RIB are prescriptive of the Event-Condition-Action form which is often represented by if Condition then action. All policy in the filter-based RIB are in a ordered list, ordered by "order-number". Order number is similar to some CLI concepts of line number.

Policy Group

Policy Groups are groups of policy rules that are set-up for the convenience of operators who wish to link the rules connected to a particular client.

• Groups do not affect the order of policy rulies.
• The policy groups in the basic network policy [I-D.hares-i2rs-pkt-eca-data-model] allow grouping of policy by name. This name allow easier management of customer-based or provider based filters. This policy group is a second way to access certain policy rules on the policy rule list.

RIB IM

RIB Informational Model (RIB IM) [I-D.ietf-i2rs-rib-info-model]

Routing instance

A routing instance, in the context of the FB-FIB is a collection of RIBs, interfaces, and routing parameters. A routing instance creates a logical slice of the router and allows different logical slices; across a set of routers; to communicate with each other.

1.4. Yang High Level (YHL) graphical form

The High-level Yang graphical representation uses the following symbols:

• Brackets "[" and "]" enclose list keys.
• Curly braces "{" and "}" contain names of optional features that make the corresponding node conditional.
• Abbreviations before data node names: "rw" means configuration (read-write), "ro" state data (read-only), "-x" RPC operations, and "-n" notifications.
• Symbols after data node names: "?" means an optional node, "!" a container with presence, and "*" denotes a "list" or "leaf-list".
• Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":").
• Ellipsis ("...") stands for contents of subtrees that are not shown.

2. Where Filter-Based RIB Fits in Global RIBs

The Top-level Yang structure for a global FB-RIB types (similar to acl) is not defined. The Filter-Based RIB should be defined under this structure under a routing instance. The two things under this RIB would be: configured Filter-Based RIB (aka Policy routing), I2RS reboot Ephemeral Filter-Based RIB. ACLs [I-D.ietf-netmod-acl-model] have the potential to be augmented to be included, but this version of this document does address that issue.

The purpose of this section is illustrate why the flow specification policy installed in yang modules loaded into intended configuration needs to be able to be compared. After demonstrating why this is needed, this section suggests a structure for filter-based RIBS.

BGP's Flow Specification (BGP-FS) configures filter-based policy in the local BGP configuration, and passes this information in BGP packets (in NLRI and Extended Communities). The BGP-FS YANG model [I-D.wu-idr-flowspec-yang-cfg] specifies the locally configuration, and the derived state that includes the BGP Flow Specifications received. BGP-FS processing may install the locally configured BGP Flow specification in the local FB-RIB. If it does, this policy is like any other locally configured policy.

ietf-fb-rib module 
+--rw routing-instance 
   +--rw ietf-fb-rib  
      +--rw default-instance-name string 
      +--rw default-router-id rt:router-id 
	  +--rw config-fb-rib // config state 
	     uses fb-ribs 
	  +--rw I2rs-fb-rib  // ephemeral state  
	     uses fb-ribs 
	  +--rw BGP-FB-RIB   // Install derived  
	     uses fb-ribs    // BGP-FS policy state 
		 
    Figure 6: Global FB RIB Yang Structure  

The BGP-FS may installed the flow policy received from a remote BGP peer and stored in derived state. This policy has a different characteristics as it will disappear if the peer connection between the two peers drops, or if the peer changes the BGP-FS policy. Due to the ephemeral nature of the BGP-FS, it should be installed unique. Otherwise, If the local configuration state changes, it cannot differentiate between the true configured state and the ephemeral states (I2RS ephemeral and BGP-session ephemeral). Both I2RS ephemeral and BGP-session ephemeral policy will disappear upon a reboot.

I2RS architecture [I-D.ietf-i2rs-architecture] specifies that by default the Local configuration will win if the local configuration changes. In the NETCONF/NETMOD language, the "last write wins".

An example will help illustrate this:

• local configuration installs filter for IP-Dest=128.2/16, IP-SRC=192.5.7/24 DPORT=ALL drop in the running configuration, and then synchronously loads it to the intended configuration and applied configuration.
• I2RS installs an ephemeral filter for IP-Dest=128.2/16, IP-SRC=192.5.7/24 DPORT=125 forward intended configuration synchronously.
• BGP-FS processing installs BGP-FS policy for IP-Dest=128.2/16, IP-SRC=192.5.7/24 DPORT=125 forward, traffic-rate by bytes.
• local configuration install a filter for IP-Dest=128.2/16, IP-SRC=192.5.7/24, DPort=125, drop. This local configuration policy would win over the I2RS policy and the BGP-FS. The I2RS process is required to receive an event indicating the overwrite. The BGP-FS process should also receive an event indicating an overwrite.

The I2RS [I-D.ietf-i2rs-architecture] also allows that the preference between local-configuration and I2RS ephemeral state can be determined by operator-applied policy. However, illustrations of this are out of scope for this version of this document.

3. Proposed Structure for Filter-Based RIBs

There are three levels in the Filter-Based RIBs (FB-RIB) structure:

• a global FB-RIB structures,
• the common structure of the FB-RIB, and
• the groupings that make up the FB-RIB

All structures have two types: configuration/ephemeral state and operational state.

This yang model describes three types of FB-RIBS: configuration, I2RS, and BGP Flow Specification. The configuration FB-RIB yang module is config state ("config true" and "ephemeral false") and survives a reboot. The I2RS FB-RB yang model is reboot ephemeral ("config true" and "ephemeral true"). The BGP Flow Specification Filter-Based RIB stores policy which is received by the BGP peers, and can be considered policy configured as part of BGP infrastructure ("config true" and "peer-ephemeral true;")

 

Configuration RIBS 

bgp-fs-fb-rib - is the BGP processes installation of 
    the BGP Flow Specification (BGP-FS) policy rules
	from remote peers. Locally configured 
	BGP-FS rules are configured in the BGP peer 
	structure. 
				
   +-----------------------------------------+
   |     routing instance                    |
   +-------|-------------|----------------|--+
           |             |                |
           |             |                |
 +---------|----+  +-----|-----+ +--------|-----+ 
 |config-fb-rib |  |i2rs-fb-rib| |bgp-fs-fb-rib |	 
 +------|-------+  +-----|------+ +------|------+
        |............:....|...............|
                     :  (uses common structures
                     :   in separate lists of FB-RIBs) 		
            +--------|----+  
            |fb-ribs*     |  
            |             |  
            +--|----------+  
               |             
       
  Figure 3: Routing instance with three types of 
            Filter-FIB lists

4. Yang High Level Structure for FB-RIBs

The following section provides the high level yang structure diagrams for the following levels of structures for both config/ephemeral state and operationa.

• ietf-fb-rib - contains filter-based RIBS for config, I2RS FB-RIB, and BGP Flow Specification.
• fb-rib - that contains the structures for the filter-based grouping
• fb-rib-types - that contains the structures for groupings within the filter-based RIBS

These structures are contained within the yang section in this draft.

The packet-reception ECA policy yang module is contained in the draft [I-D.hares-i2rs-pkt-eca-data-model].

For those who desire more information regarding the logic behind the I2RS Filter-Based RIB, please see the Informational Model at: [I-D.kini-i2rs-fb-rib-info-model].

4.1. Top Level Yang Structure for ietf-fb-rib

The Top-level Yang structure for a global FB-RIB types (similar to acl) is not defined for filter-based RIBS. The I2RS Filter-Based RIB should be defined under this structure under a routing instance. The three things under this RIB would be: configured Filter-Based RIB (aka Policy routing), I2RS reboot Ephemeral Filter-Based RIB, and BGP Flow Specification's Filter-Based RIB. All of these RIBs have similar actions.

There are two types top-level structures for ietf-fb-ribs: config and operational state.

Augments rt:logical-network-elements:\
        :logical-network-element:network-instances: \
	    network-instance 
		
ietf-fb-rib module 
  +--rw ietf-fb-rib
     +--rw default-instance-name string 
     +--rw default-router-id rt:router-id
     +--rw config-fb-ribs
	    if-feature "config-filter-based-RIB";
        uses fb-ribs;
     +--rw i2rs-fb-ribs 
		  if-feature "I2RS-filter-based-RIB";
		  uses fb-rib-t:fb-ribs;	
     +--rw bgp-fs-fb-ribs 
		 if-feature "BGP-FS-filter-based-RIB";
		  uses fb-rib-t:fb-ribs;
		
    Figure 5: configuration state   		

The Top-level Yang structure for a global configuration of Filter-Based RIBs are:

Augments rt:logical-network-elements:\
        :logical-network-element:network-instances: \
	    network-instance 
		
ietf-fb-rib module 
  +--rw ietf-fb-rib-opstate
    +--rw default-instance-name string 
    +--rw default-router-id rt:router-id
	+--rw config-fb-rib-opstate 
		  if-feature "config-filter-based-RIB";
		  uses fb-rib-t:fb-ribs-oper-status;
	+--rw i2rs-fb-rib-opstate {
		  if-feature "I2RS-filter-based-RIB";
		  uses fb-rib-t:fb-ribs-oper-status;
	+--rw bgp-fs-fb-rib-opstate 
		  if-feature "BGP-FS-filter-based-RIB";
		  uses fb-rib-t:fb-ribs-oper-status;
		
    Figure 5: operational state   		

The Top-level Yang structure for a global operational state of Filter-Based RIBs are:

4.2. Filter-Based RIB structures

The Top-level yang structures at the Filter-Based RIB level have two types: configuration and operational state.

 module: fb-rib-types:
 +--rw fb-ribs 
    +--rw fb-rib* [rib-name]
    |  +--rw rib-name string
    |  |  rw fb-type identityref / ephemeral or not 
    |  +--rw rib-afi rt:address-family 
    |  +--rw fb-rib-intf* [name] 
    |  |  +--rw name string
    |  |  +--rw intf if:interface 
    |  +--rw default-rib 
    |  |  +--rw rt-rib rt:routing:routing-instance:name  
    |  |  +--rw config-rib string;  // config rib name                     
    |  |  +--rw i2rs-rib:routing-instance:name   
    |  |  +--rw i2rs-rib string;   //ephemeral rib name
    |  |  +--rw bgp-instance-name string 
    |  |  +--rw bgp-rib  string    //session ephemeral 
    |  +--rw fb-rib-refs
    |  |  +--rw fb-rib-update-ref uint32 /count of writes 
    |  +--rw instance-using* 
    |  |   device:networking-instance:networking-instance-name 
    |  +--use pkt-eca:pkt-eca-policy-set
			 
	  Figure 6: FB RIB Type Structure   

The Top-level Yang structure for the FB-RIB types is:

HIgh Level Yang 

+--rw fb-ribs-oper-status
   +--rw fb-rib-oper-status* [fb-rib-name]
         uses pkt-eca:pkt-eca-opstate 

5. yang models

5.1. Filter-Based RIB types

Yang model is contained in draft-hares-i2rs-fb-rib-data-model-01.txt

Please see this draft for the data model.

6. IANA Considerations

TBD

7. Security Considerations

A I2RS RIB is ephemeral data store that will dyanamically change traffic paths set by the routing configuration. An I2RS FB-RIB provides dynamic Event-Condition-Action policy that will further change the operation of forwarding by allow dyanmic policy and ephemeral RIBs to alter the traffic paths set by routing configuration. Care must be taken in deployments to use the appropriate security and operational control to make use of the tools the I2RS RIB and I2RS FB-RIB provide.

8. References

8.1. Normative References:

8.2. Informative References

Authors' Addresses