Internet-Draft FlowSpec with SRv6 Policy March 2022
Jiang, et al. Expires 24 September 2022 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-jiang-idr-ts-flowspec-srv6-policy-07
Published:
Intended Status:
Informational
Expires:
Authors:
W. Jiang
China Mobile
Y. Liu
China Mobile
S. Chen
Huawei
S. Zhuang
Huawei

Traffic Steering using BGP Flowspec with SRv6 Policy

Abstract

BGP Flow Specification (FlowSpec) [RFC8955] [RFC8956] has been proposed to distribute BGP FlowSpec NLRI to FlowSpec clients to mitigate (distributed) denial-of-service attacks, and to provide traffic filtering in the context of a BGP/MPLS VPN service. Recently, traffic steering applications in the context of SRv6 using FlowSpec aslo attract attention. This document introduces the usage of BGP FlowSpec to steer packets into an SRv6 Policy.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 24 September 2022.

Table of Contents

1. Introduction

Segment Routing IPv6 (SRv6) is a protocol designed to forward IPv6 data packets on a network using the source routing model. SRv6 enables the ingress to add a segment routing header (SRH) [RFC8754] to an IPv6 packet and push an explicit IPv6 address stack into the SRH. After receiving the packet, each transit node updates the IPv6 destination IP address in the packet and segment list to implement hop-by-hop forwarding.

SRv6 Policy [I-D.ietf-spring-segment-routing-policy] is a tunneling technology developed based on SRv6. An SRv6 Policy is a set of candidate paths consisting of one or more segment lists, that is, segment ID (SID) lists. Each SID list identifies an end-to-end path from the source to the destination, instructing a device to forward traffic through the path rather than the shortest path computed using an IGP. The header of a packet steered into an SRv6 Policy is augmented with an ordered list of segments associated with that SRv6 Policy, so that other devices on the network can execute the instructions encapsulated into the list.

The headend of an SRv6 Policy may learn multiple candidate paths for an SRv6 Policy. Candidate paths may be learned via a number of different mechanisms, e.g., CLI, NetConf, PCEP, or BGP.

[RFC8955] [RFC8956] defines the flow specification (FlowSpec) that allows to convey flow specifications and traffic Action/Rules associated (rate- limiting, redirect, remark ...). BGP Flow specifications are encoded within the MP_REACH_NLRI and MP_UNREACH_NLRI attributes. Rules (Actions associated) are encoded in Extended Community attribute. The BGP Flow Specification function allows BGP Flow Specification routes that carry traffic policies to be transmitted to BGP Flow Specification peers to steer traffic.

This document proposes BGP flow specification usage that are used to steer data flow into an SRv6 Policy as well as to indicate Tailend function.

2. Definitions and Acronyms

3. Operations

An SRv6 Policy [I-D.ietf-spring-segment-routing-policy] is identified through the tuple <headend, color, endpoint>. In the context of a specific headend, one may identify an SRv6 policy by the <color, endpoint> tuple. The headend is the node where the SRv6 policy is instantiated/implemented. The headend is specified as an IPv4 or IPv6 address and is expected to be unique in the domain. The endpoint indicates the destination of the SRv6 policy. The endpoint is specified as an IPv6 address and is expected to be unique in the domain. The color is a 32-bit numerical value that associates the SRv6 Policy, and it defines an application-level network Service Level Agreement (SLA) policy.

Assume one or multiple SRv6 Policies are already setup in the SRv6 HeadEnd device. In order to steer traffic into a specific SRv6 policy at the Headend, one can use the SRv6 color extended community and endpoint to map to a satisfying SRv6 policy, and steer traffic into this specific policy.

[I-D.ietf-idr-flowspec-redirect-ip] defines the redirect to IPv4 and IPv6 Next-hop action. The IPv6 next-hop address in the Flow-spec Redirect to IPv6 Extended Community can be used to specify the endpoint of the SRv6 Policy. When the packets reach to the TailEnd device, some specific function imformation identifiers can be used decide how to further process the flows. Several endpoint functions are already defined, e.g., End.DT6: Endpoint with decapsulation and IPv6 table lookup, and End.DX6: Endpoint with decapsulation and IPv6 cross-connect. The BGP Prefix-SID defined in [RFC8669] is utilized to enable SRv6 VPN services [I-D.ietf-bess-srv6-services]. SRv6 Services TLVs within the BGP Prefix-SID Attribute can be used to indicate the endpoint functions.

This document proposes to carry the Color Extended Community and BGP Prefix-SID Attribute in the context of a Flowspec NLRI [RFC8955] [RFC8956] to an SRv6 Headend to steer traffic into one SRv6 policy, as well as to indicate specific Tailend functions.

In this document, the usage of at most one Color Extended Community in combination at most one BGP Prefix SID Attribute is discussed. For the case that a flowspec route carries multiple Color Extend Communities and/or a BGP Prefix SID Attribute, a protocol extension to Flowspec is required, and is thus out of the scope of this document.

However, the method proposed in this document still supports load balancing to the tailend device. To achieve that, the headend device CAN set up multiple paths in one SRv6 policy, and use a Flowspec route to indicate the specific SRv6 policy.

4. Application Example

In following scenario, BGP FlowSpec Controller signals the filter rules, the redirect action, the policy color and the function imformation (SRv6 SID: Service_id_x) to the HeadEnd device.

   +------------+
   |  BGP FS    |
   | Controller |
   +------------+
      | Flowspec route to HeadEnd:
      |   NLRI: Filter Rules
      |   Redirect to IPv6 Nexthop: TailEnd's Address
      |   Policy Color: C1
      |   PrefixSID: Service_id_x
      |          .-----.
      |         (       )
      V     .--(         )--.
+-------+  (                 )  +-------+
|       |_( SRv6 Core Network )_|       |
|HeadEnd| ( ================> ) |TailEnd|
+-------+  (SR List<S1,S2,S3>)  +-------+
            '--(         )--'   Service SID: Service_id_x
                (       )       (e.g.: End.DT4 or End.DT6 or others)
                 '-----'

      Figure 1: Steering the Flow into SRv6 Policy (Option 1)

When the HeadEnd device (as a Flowspec client) receives such instructions, it will steer the flows matching the criteria in the Flowspec route into the SRv6 Policy matching the tuple (Endpoint: TailEnd's Address, Color: C1). And the packets of such flows will be encapsulated with SRH using the SR List<S1, S2, S3, Service_id_x>. When the packets reach to the TailEnd device, they will be further procetssed per the function denoted by the Service_id_x.

When the HeadEnd device determines (with the help of SRv6 SID Structure) that the Service SID belongs to the same SRv6 Locator as the last SRv6 SID of the TailEnd device in the SRv6 Policy segment list, it MAY exclude that last SRv6 SID when steering the service flow. For example, the effective segment list of the SRv6 Policy associated with SID list <S1, S2, S3> would be <S1, S2, Service_id_x>.

If the last SRv6 SID (For example, S3 we use here) of the TailEnd device in the SRv6 Policy segment list is USD-flavored, an SRv6 Service SID (e.g., End.DT4 or End.DT6) is not required when BGP FlowSpec Controller send the FlowSpec route to the HeadEnd device (as a Flowspec client).

   +------------+
   |  BGP FS    |
   | Controller |
   +------------+
      | Flowspec route to HeadEnd:
      |   NLRI: Filter Rules
      |   Redirect to IPv6 Nexthop: TailEnd's Address
      |   Policy Color: C2
      |          .-----.
      |         (       )
      V     .--(         )--.
+-------+  (                 )  +-------+
|       |_( SRv6 Core Network )_|       |
|HeadEnd| ( ================> ) |TailEnd|
+-------+  (SR List<S1,S2,S3>)  +-------+
            '--(         )--'
                (       )
                 '-----'
Note: S3 MUST be a USD-flavored SRv6 SID of the TailEnd

      Figure 2: Steering the Flow into SRv6 Policy (Option 2)

When the HeadEnd device (as a Flowspec client) receives such instructions, it will steer the flows matching the criteria in the Flowspec route into the SRv6 Policy matching the tuple (Endpoint: TailEnd's Address, Color: C2). And the packets of such flows will be encapsulated with SRH using the SR List<S1, S2, S3>. When the packets reach to the TailEnd device, they will be further procetssed per the function denoted by the USD-flavored SRv6 SID S3.

At this point, the work discusses the matching of global routing table prefixes.

For the cases of intra-AS and inter-AS traffic steering using this method, the usages of Flowspec Color Extended Community with BGP prefix SID are the same for both scenarios. The difference lie between the local SRv6 policy configurations. For the inter-domain case, the operator can configure an inter-domain SRv6 policy/path at the Headend device. For the intra-domain case, the operator can configure an intra-domain SRv6 policy/path at the Headend device.

.

5. Running Code

5.1. Interop-test Status

The Traffic Steering using BGP Flowspec with SRv6 Policy mechanism has been implemented on the following hardware devices, software implementations and SDN controllers. They had also successfully participated in the series of joint interoperability testing events hosted by China Mobile from July 2021 to October 2021. The following hardware devices and software implementations had successfully passed the interoperability testing (in alphabetical order).

Routers:
-----------------------------------------------------------
| Vendors | Device Model  | Version                       |
-----------------------------------------------------------
| Huawei  | NE40-X8A      | NE40E V800R021C00SPC091T      |
-----------------------------------------------------------
| New H3C | CR16010H-FA   | Version 7.1.075, ESS 8305     |
-----------------------------------------------------------
| Ruijie  | RG-N8010-R    | N8000-R_RGOS 12.8(1)B08T1     |
-----------------------------------------------------------
| ZTE     | M6000-8S Plus | V5.00.10(5.60.5)              |
-----------------------------------------------------------

Controllers:
-----------------------------------------------------------
| Vendors       | Device Model  | Version                 |
-----------------------------------------------------------
| China Unitecs | I-T-E SC      | V1.3.6P3                |
-----------------------------------------------------------
| Huawei        | NCE-IP        | V100R021C00             |
-----------------------------------------------------------
| Ruijie        | RG-ONC-AIO-H  | RG-ION-WAN-CLOUD_2.00T1 |
-----------------------------------------------------------
| ZTE           | ZENIC ONE     | R22V16.21.20            |
-----------------------------------------------------------

5.2. Deployment Status

TBD

6. IANA Considerations

No IANA actions are required for this document.

7. Security Considerations

This document does not change the security properties of SRv6 and BGP.

8. Contributors

The following people made significant contributions to this document:

Yunan Gu
Huawei
Email: guyunan@huawei.com

Haibo Wang
Huawei
Email: rainsword.wang@huawei.com

Jie Dong
Huawei
Email: jie.dong@huawei.com

Xue Yang
China Mobile
Email: yangxuewl@chinamobile.com

9. Acknowledgements

The authors would like to acknowledge the review and inputs from Jeffrey Haas, Kaliraj Vairavakkalai, Robin Li, Acee Lindem, Gunter Van De Velde, John Scudder, Rainbow Wu and Gang Yang.

10. References

10.1. Normative References

[I-D.ietf-bess-srv6-services]
Dawra, G., Filsfils, C., Talaulikar, K., Raszuk, R., Decraene, B., Zhuang, S., and J. Rabadan, "SRv6 BGP based Overlay Services", Work in Progress, Internet-Draft, draft-ietf-bess-srv6-services-13, , <https://www.ietf.org/archive/id/draft-ietf-bess-srv6-services-13.txt>.
[I-D.ietf-idr-flowspec-redirect-ip]
Uttaro, J., Haas, J., Texier, M., Karch, A., Ray, S., Simpson, A., and W. Henderickx, "BGP Flow-Spec Redirect to IP Action", Work in Progress, Internet-Draft, draft-ietf-idr-flowspec-redirect-ip-02, , <https://www.ietf.org/archive/id/draft-ietf-idr-flowspec-redirect-ip-02.txt>.
[I-D.ietf-idr-segment-routing-te-policy]
Previdi, S., Filsfils, C., Talaulikar, K., Mattes, P., Jain, D., and S. Lin, "Advertising Segment Routing Policies in BGP", Work in Progress, Internet-Draft, draft-ietf-idr-segment-routing-te-policy-16, , <https://www.ietf.org/archive/id/draft-ietf-idr-segment-routing-te-policy-16.txt>.
[I-D.ietf-idr-tunnel-encaps]
Patel, K., Velde, G. V. D., Sangli, S. R., and J. Scudder, "The BGP Tunnel Encapsulation Attribute", Work in Progress, Internet-Draft, draft-ietf-idr-tunnel-encaps-22, , <https://www.ietf.org/archive/id/draft-ietf-idr-tunnel-encaps-22.txt>.
[I-D.ietf-spring-segment-routing-policy]
Filsfils, C., Talaulikar, K., Voyer, D., Bogdanov, A., and P. Mattes, "Segment Routing Policy Architecture", Work in Progress, Internet-Draft, draft-ietf-spring-segment-routing-policy-21, , <https://www.ietf.org/archive/id/draft-ietf-spring-segment-routing-policy-21.txt>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8669]
Previdi, S., Filsfils, C., Lindem, A., Ed., Sreekantiah, A., and H. Gredler, "Segment Routing Prefix Segment Identifier Extensions for BGP", RFC 8669, DOI 10.17487/RFC8669, , <https://www.rfc-editor.org/info/rfc8669>.
[RFC8955]
Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. Bacher, "Dissemination of Flow Specification Rules", RFC 8955, DOI 10.17487/RFC8955, , <https://www.rfc-editor.org/info/rfc8955>.
[RFC8956]
Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed., "Dissemination of Flow Specification Rules for IPv6", RFC 8956, DOI 10.17487/RFC8956, , <https://www.rfc-editor.org/info/rfc8956>.

10.2. Informative References

[RFC4456]
Bates, T., Chen, E., and R. Chandra, "BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP)", RFC 4456, DOI 10.17487/RFC4456, , <https://www.rfc-editor.org/info/rfc4456>.
[RFC8754]
Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J., Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header (SRH)", RFC 8754, DOI 10.17487/RFC8754, , <https://www.rfc-editor.org/info/rfc8754>.

Authors' Addresses

Wenying Jiang
China Mobile
Beijing
China
Yisong Liu
China Mobile
Beijing
China
Shuanglong Chen
Huawei
Beijing
China
Shunwan Zhuang
Huawei
Beijing
China