Traffic Steering using BGP Flowspec with SRv6 Policy

China Mobile, Beijing, China, jiangwenying@chinamobile.com
China Mobile, Beijing, China, liuyisong@chinamobile.com
Huawei, Beijing, China, chenshuanglong@huawei.com

BGP Flow Specification (FlowSpec) has been proposed to distribute BGP
FlowSpec NLRI to FlowSpec clients to mitigate (distributed)
denial-of-service attacks, and to provide traffic filtering in the
context of a BGP/MPLS VPN service. Recently, traffic steering
applications in the context of SRv6 using FlowSpec have also attracted
attention. This document introduces the usage of BGP FlowSpec to steer
packets into an SRv6 Policy.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.

Segment Routing IPv6 (SRv6) is a protocol designed to forward IPv6
data packets on a network using the source routing model. SRv6 enables
the ingress to add a segment routing header (SRH) to an IPv6 packet and push an explicit IPv6 address
stack into the SRH. After receiving the packet, each transit node
updates the IPv6 destination IP address in the packet and segment list
to implement hop-by-hop forwarding.

SRv6 Policy
is a tunneling technology developed based on SRv6. An SRv6 Policy is a
set of candidate paths consisting of one or more segment lists, that is,
segment ID (SID) lists. Each SID list identifies an end-to-end path from
the source to the destination, instructing a device to forward traffic
through the path rather than the shortest path computed using an IGP.
The header of a packet steered into an SRv6 Policy is augmented with an
ordered list of segments associated with that SRv6 Policy, so that other
devices on the network can execute the instructions encapsulated into
the list.

The headend of an SRv6 Policy may learn multiple candidate paths for
an SRv6 Policy. Candidate paths may be learned via a number of different
mechanisms, e.g., CLI, NetConf, PCEP, or BGP. defines the flow
specification (FlowSpec), which conveys flow specifications and the
associated traffic actions/rules (rate-limiting, redirect, remark ...).
BGP Flow specifications are encoded within the MP_REACH_NLRI and
MP_UNREACH_NLRI attributes. Rules (associated actions) are encoded in
the Extended Community attribute. The BGP Flow Specification function
allows BGP Flow Specification routes that carry traffic policies to be
transmitted to BGP Flow Specification peers to steer traffic.

This document proposes a usage of BGP Flow Specification to
steer data flows into an SRv6 Policy as well as to indicate the Tailend
function.

FlowSpec: Flow Specification
SR: Segment Routing
SRv6: IPv6 Segment Routing
SID: Segment Identifier
SRH: Segment Routing Header
TE: Traffic Engineering

An SRv6 Policy is identified through
the tuple <headend, color, endpoint>. In the context of a specific
headend, one may identify an SRv6 policy by the <color, endpoint>
tuple. The headend is the node where the SRv6 policy is
instantiated/implemented. The headend is specified as an IPv4 or IPv6
address and is expected to be unique in the domain. The endpoint
indicates the destination of the SRv6 policy. The endpoint is specified
as an IPv6 address and is expected to be unique in the domain. The color
is a 32-bit numerical value that is associated with the SRv6 Policy, and
it defines an application-level network Service Level Agreement (SLA)
policy.

Assume one or multiple SRv6 Policies are already set up in the SRv6
HeadEnd device. In order to steer traffic into a specific SRv6 policy at
the Headend, one can use the SRv6 color extended community and endpoint
to map to a satisfying SRv6 policy, and steer traffic into this specific
policy. defines the
redirect to IPv4 and IPv6 Next-hop action. The IPv6 next-hop address in
the FlowSpec NLRI can be used to specify the endpoint of the SRv6
Policy. When the packets reach the TailEnd device, some specific
function information identifiers can be used to decide how to further
process the flows. Several endpoint functions are already defined, e.g.,
End.DT6: Endpoint with decapsulation and IPv6 table lookup, and End.DX6:
Endpoint with decapsulation and IPv6 cross-connect. The BGP Prefix-SID
defined in is utilized to enable SRv6 VPN
services . SRv6 Services
TLVs within the BGP Prefix-SID Attribute can be used to indicate the
endpoint functions.

This document proposes to carry the Color Extended Community and BGP
Prefix-SID Attribute in the context of a Flowspec NLRI to an SRv6
Headend to steer traffic into one SRv6 policy, as well as to indicate
specific Tailend functions.

In this document, the usage of at most one Color Extended Community
in combination with at most one BGP Prefix SID Attribute is discussed.
For the case that a flowspec route carries multiple Color Extended
Communities and/or a BGP Prefix SID Attribute, a protocol extension to
Flowspec is required, and is thus out of the scope of this document.

However, the method proposed in this document still supports load
balancing to the tailend device. To achieve that, the headend device can
set up multiple paths in one SRv6 policy, and use a Flowspec route to
indicate the specific SRv6 policy.

In the following scenario, the BGP FlowSpec Controller signals the
function information (SRv6 SID: Service_id_x) to the HeadEnd device.

When the headend device (as a Flowspec client) receives such
instructions, it will steer the flows matching the criteria in the
Flowspec route into the SRv6 Policy matching the tuple (Endpoint:
TailEnd's Address, Color: C1). The packets of such flows will be
encapsulated with an SRH using the SR List <S1, S2, S3, Service_id_x>.
When the packets reach the TailEnd device, they will be further
processed per the function denoted by the Service_id_x.

For the cases of intra-AS and inter-AS traffic steering using this
method, the usage of the Flowspec Color Extended Community with the BGP
Prefix-SID is the same for both scenarios. The difference lies in the
local SRv6 policy configurations. For the inter-domain case, the
operator can configure an inter-domain SRv6 policy/path at the Headend
device. For the intra-domain case, the operator can configure an
intra-domain SRv6 policy/path at the Headend device.

No IANA actions are required for this document.

This document does not change the security properties of SRv6 and
BGP.

The following people made significant contributions to this
document:

TBD.
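
The headend resolution described in the scenario above (FlowSpec route to <color, endpoint> to SR List plus Service_id_x), as an added Python example that is not part of the draft. The dictionary route model, the function names, the color value 100, the 2001:db8:: addresses and the "no match, no steering" behaviour are assumptions made for illustration; the Color Extended Community layout follows RFC 9012.

```python
import ipaddress
import struct

# Color Extended Community (RFC 9012): transitive opaque type 0x03,
# sub-type 0x0b, 2 octets of flags, then the 32-bit color value.
COLOR_TYPE, COLOR_SUBTYPE = 0x03, 0x0B

def color_ec(color):
    """Encode a Color Extended Community (8 octets, flags zero)."""
    return struct.pack("!BBHI", COLOR_TYPE, COLOR_SUBTYPE, 0, color)

def colors(ext_communities):
    """Return the color of every Color Extended Community on a route."""
    found = []
    for ec in ext_communities:
        if len(ec) != 8:
            raise ValueError("extended community must be 8 octets")
        typ, sub, _flags, color = struct.unpack("!BBHI", ec)
        if (typ, sub) == (COLOR_TYPE, COLOR_SUBTYPE):
            found.append(color)
    return found

def resolve(route, policies):
    """Return the SID list to push in the SRH for a FlowSpec route, or None."""
    found = colors(route["ext_communities"])
    if len(found) != 1:
        # The draft covers at most one color per route; zero cannot be mapped.
        return None
    # Redirect-to-IPv6 next hop names the SRv6 Policy endpoint; normalise it.
    endpoint = ipaddress.IPv6Address(route["redirect_nexthop"])
    sid_list = policies.get((found[0], endpoint))
    if sid_list is None:
        return None  # assumption: no matching <color, endpoint>, no steering
    service = [route["service_sid"]] if route.get("service_sid") else []
    return list(sid_list) + service

# Constructed sample data (documentation prefix 2001:db8::/32).
TAILEND = ipaddress.IPv6Address("2001:db8::3")
POLICIES = {(100, TAILEND): ["2001:db8:1::1", "2001:db8:2::1", "2001:db8:3::1"]}
ROUTE = {
    "match": "dst 2001:db8:ffff::/48",      # flow criteria, opaque here
    "ext_communities": [color_ec(100)],     # Color C1 = 100
    "redirect_nexthop": "2001:DB8::3",      # endpoint of the SRv6 Policy
    "service_sid": "2001:db8:3::d6",        # Service_id_x from the Prefix-SID
}

if __name__ == "__main__":
    print(resolve(ROUTE, POLICIES))
```

A route carrying two Color Extended Communities, or a color with no locally configured policy, resolves to None, so the flow stays on its normal forwarding path instead of being steered into an arbitrary policy.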