IDR Working Group S. Hares
Internet-Draft Q. Liang
Intended status: Standards Track J. You
Expires: January 9, 2017 Huawei
July 8, 2016
BGP Flow Specification V2 Component for Time Constraints
draft-liang-idr-flowspec-v2-time-00.txt
Abstract
BGP flow specification version 1 (RFC5575) describes the distribution
of traffic filter policy (traffic filters and actions) which are
distributed via BGP to BGP peers to support the following 3
applications: (1) mitigation of Denial of Service (DoS), (2) traffic
filtering in BGP/MPLS VPNs, and (3) centralized traffic control for
networks with SDN or NFV controllers. A BGP Flow Filter that
combines packet filter with time may provide an ability to for these
three applications to have a flow filter operate for only a specific
time. The traffic filtering and centralized traffic control
applications may require user-defined ordering of filters rather than
RFC5575's defined order. BGP Flow Specification version 2016 allows
for user ordering of flow specifications.
This document proposes a new BGP Flow specification filter for BGP
Flow Specification 2.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 9, 2017.
Hares, et al. Expires January 9, 2017 [Page 1]
�
Internet-Draft BGP FlowSpec v2 Time Filter July 2016
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. RFC 2119 language . . . . . . . . . . . . . . . . . . . . . . 3
3. Encoding of BGP-FS time . . . . . . . . . . . . . . . . . . . 3
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 5
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . 6
6.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
BGP flow specification [RFC5575] describes the distribution of
filters and actions that apply when packets are received on a router
with the flow specification function turned on. If one considers the
reception of the packet as an event, then BGP [RFC4271] flow
specification describes a set of minimalistic Event-MatchCondition-
Action (ECA) policies were the match-condition is defined in the BGP
NLRI, and the action is defined either by the default condition
(accept traffic) or actions defined in Extended BGP Communiites
values [RFC4360].
The initial set of policy [RFC5575] for this policy includes 12 types
of match filters encoded in two application specific AFI/SAFIs for
the IPv4 AFI and the following SAFIs:
IP traffic: AFI:1, SAFI, 133;
BGP/MPLS VPN AFI:1 VPN SAFI, 134) for IPv4.
Hares, et al. Expires January 9, 2017 [Page 2]
�
Internet-Draft BGP FlowSpec v2 Time Filter July 2016
The 12 filters specified in [RFC5575] are "ANDED" and measured in a
specific order. The packet does not match unless all filters match.
The popularity of these flow specification filters in deployment for
the following applications has led to the requirement for more BGP
flow specification match filters in the NLRI and more BGP flow
specification actions to support these applications
o mitigation of Denial of Service (DoS),
o support of traffic filtering in BGP/MPLS VPNs,
o centralized traffic control for networks with SDN or NFV
controllers.
Since DDoS attacks are dynamic, redirection or filtering of a flow
may be necessary only for some specified, and may be undesirable at
other times. Thus network administrators may want to add a time
filter to group of filters to be matched. For example, a network
administrator may need to insert DoS filters for only a specific
period while a DoS attack or a Distributed DoS (DDoS) attack is
occuring. Another example, is the filter of traffic in the BGP/MPLS
VPN to support prioritization of high priority services such as video
traffic and limiting of bandwidth of low priority services (such as
web browsing). A third example is centralized traffic control that
varies traffic based on time of day.
Some of the requested BGP Flow Specification filters expand the
number of filters and actions using the encoding rules described in
[RFC5575] and [I-D.hares-idr-rfc5575bis]. Other requests for
additional BGP Flow Specification filters request user-defined orders
to BGP Flow Specification filters as described in
[I-D.hares-idr-flowspec-v2]
This draft provides a timing filter for the user-ordered BGP Flow
Specification filters (version 2).
2. RFC 2119 language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Encoding of BGP-FS time
The encoding for BGP Flow Specification time
Type: Time Filter (TBD) Flow Specification Component type
Hares, et al. Expires January 9, 2017 [Page 3]
�
Internet-Draft BGP FlowSpec v2 Time Filter July 2016
Function: Match filter based on time.
Encoding: <type(1 octet), length(1 octet), <value>
value field: has the form shown in figure 3.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NLRI Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Body per filter
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| order (2 octets) | type (2 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Component length (2 octets) | time type | duration type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Starting Time (seconds) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Starting Time (microseconds) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Duration (seconds) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Duration (microseconds) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Delay Time (seconds) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Delay Time (microseconds) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Periodic Time (seconds) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Periodic Time (microseconds) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1:Time filersub-TLV Format
Order: user define order of filter
Type: Time Flow Filter Component type (TBD)
Component length: Time Flow Filter Component length.
Time Type: Type of time filter with the values of:
* a) immediate start at start time (value 0),
Hares, et al. Expires January 9, 2017 [Page 4]
�
Internet-Draft BGP FlowSpec v2 Time Filter July 2016
* b) delayed start (start time + Delay) (value 1), or
* c) period of time (from start time to duration time).
* Any other values cause this filter to be invalid.
Duration type: May be:
* a) normal (from start time until BGP flow specification is
removed (value 0),
* b) time period (from start time until Duration time is
completed),
* c) time period of Duration time of no traffic match after start
time.
* Any other values cause this filter to be invalid.
Starting Time: Expressed in seconds and microseconds since midnight
(zero hour), January 1, 1970 (UTC). Precision of the "Starting
Time" is implementation-dependent. If the "Starting Time Type" is
set to 0, this field is invalid.
Duration: Expressed in seconds and microseconds. If this field is
zero this filter is invalid.
Delay: Expressed in seconds and microseconds. If this field is zero
this filter is invalid.
An Invalid FlowSpecification filter is logged, and the NLRI ignored.
4. IANA Considerations
This document requests IANA BGP allocations in line with [RFC7153].
This document requests IANA allocates an entry in the Flow
Specification Component Types Registry with the following values:
Name Value Document
------------- ------- -------
Time Filter v2 TBD This document.
5. Security Considerations
The time filter augments the other BGP Flow Filters with an
indication of the time these filters are active. It is anticipated
that these filters are deployed within secure BGP infrastructures and
Hares, et al. Expires January 9, 2017 [Page 5]
�
Internet-Draft BGP FlowSpec v2 Time Filter July 2016
not in home environments. In home environments, the time of filters
may provide insight to the activities of individuals. Anyone
installing BGP Flow Filters in home environments should secure any
flow filters by encrypting the data that flows over IP links.
6. References
6.1. Normative References
[I-D.hares-idr-flowspec-v2]
Hares, S., "BGP Flow Specification Version 2", draft-
hares-idr-flowspec-v2-00 (work in progress), June 2016.
[I-D.hares-idr-rfc5575bis]
Hares, S., McPherson, D., and J. Mauch, "Dissemination of
Flow Specification Rules", draft-hares-idr-rfc5575bis-00
(work in progress), July 2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006,
<http://www.rfc-editor.org/info/rfc4271>.
[RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
Communities Attribute", RFC 4360, DOI 10.17487/RFC4360,
February 2006, <http://www.rfc-editor.org/info/rfc4360>.
[RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
"Multiprotocol Extensions for BGP-4", RFC 4760,
DOI 10.17487/RFC4760, January 2007,
<http://www.rfc-editor.org/info/rfc4760>.
[RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
<http://www.rfc-editor.org/info/rfc5575>.
[RFC7674] Haas, J., Ed., "Clarification of the Flowspec Redirect
Extended Community", RFC 7674, DOI 10.17487/RFC7674,
October 2015, <http://www.rfc-editor.org/info/rfc7674>.
Hares, et al. Expires January 9, 2017 [Page 6]
�
Internet-Draft BGP FlowSpec v2 Time Filter July 2016
6.2. Informative References
[RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP
Extended Communities", RFC 7153, DOI 10.17487/RFC7153,
March 2014, <http://www.rfc-editor.org/info/rfc7153>.
Authors' Addresses
Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA
Email: shares@ndzh.com
Qiandeng Liang
Huawei
101 Software Avenue, Yuhuatai District
Nanjing 210012
China
Email: liangqiandeng@huawei.com
Jianjie You
Huawei
101 Software Avenue, Yuhuatai District
Nanjing 210012
China
Email: youjianjie@huawei.com
Hares, et al. Expires January 9, 2017 [Page 7]