IDR Working Group S. Hares
Internet-Draft Hickory Hill Consulting
Intended status: Standards Track 14 October 2024
Expires: 17 April 2025
BGP Flow Specification Version 2 - More IP Filters
draft-hares-idr-fsv2-more-ip-filters-03
Abstract
The BGP flow specification version 2 (FSv2) for Basic IP defines user
ordering of filters along with FSv1 IP Filters and FSv1 actions.
This draft defines the format for the Extended IP Filters for Flow
Specification FSv2.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 17 April 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Hares Expires 17 April 2025 [Page 1]
�
Internet-Draft FSv2 More IP Filters October 2024
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. FSv2 background . . . . . . . . . . . . . . . . . . . . . 3
1.2. Definitions and Acronyms . . . . . . . . . . . . . . . . 5
1.3. RFC 2119 language . . . . . . . . . . . . . . . . . . . . 6
2. Extending the IP Filters . . . . . . . . . . . . . . . . . . 6
2.1. Dependency Filter Chain in FSv2 NLRI Header . . . . . . . 6
2.2. Extended IP Filters TLV . . . . . . . . . . . . . . . . . 8
2.3. Extended IP Filters Component Groups . . . . . . . . . . 10
2.4. Ordering within FSv2 NLRI in Update Packet . . . . . . . 12
2.5. Template for Extended IP Components . . . . . . . . . . . 13
3. New Extended IP Components . . . . . . . . . . . . . . . . . 14
3.1. TTL (type = 0(0x00) or 14(0x0E)) . . . . . . . . . . . . 14
3.2. Parts of SID (type=16 (0x10)) . . . . . . . . . . . . . . 15
4. Proposed Extended IP Components and Filter Groups . . . . . . 18
4.1. NRP ID Filter(type=17) (0x11) . . . . . . . . . . . . . . 19
4.2. IP Payloads Match type=18 (0x12)) . . . . . . . . . . . . 20
4.3. Group ID (type=19 (0x13)) . . . . . . . . . . . . . . . . 21
4.4. Proposed Filter Groups . . . . . . . . . . . . . . . . . 23
5. Validation and Error Handling . . . . . . . . . . . . . . . . 25
6. Manageability . . . . . . . . . . . . . . . . . . . . . . . . 27
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28
7.1. FSv2 Component types . . . . . . . . . . . . . . . . . . 28
7.2. FSV2 IP Extended Filter Groups . . . . . . . . . . . . . 28
7.2.1. Template for Requesting FSv2 Extended Filters
Group . . . . . . . . . . . . . . . . . . . . . . . . 29
8. Security Considerations . . . . . . . . . . . . . . . . . . . 29
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 29
9.1. Normative References . . . . . . . . . . . . . . . . . . 29
9.2. Informative References . . . . . . . . . . . . . . . . . 33
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 34
1. Introduction
Version 2 of BGP flow specification (FSv2) has a series of
foundational documents ([I-D.ietf-idr-fsv2-ip-basic], this document,
[I-D.hares-idr-fsv2-more-ip-actions], and [draft-hares-idr-fsv2-non-
ip]) plus drafts on specific filter components, actions, or groups of
filter components and actions.
The remainder of this introductory section provides a introduction to
FSv2.
Section 2 contains a description of the format of the FSv2 NLRI with
the Extended IP Filters TLV. The Extended IP Filters TLV allows the
user to specify new IP Filters components and a group of IP Filter
components. The concept of a group of filter components allows an
Hares Expires 17 April 2025 [Page 2]
�
Internet-Draft FSv2 More IP Filters October 2024
BGP peer originating a FSv2 NLRI with the Extended IP Filter TLV to
pass what components the originating BGP Peer expects will be
supported by the BGP Peers receiving the FSv2 Extended Filter TLV.
The group field is designed to aid upgrades to additional component
by providing a simple check the FSv2 component range passed in the
Extended Filters TLV. Groups can be register with IANA in either a
FCFS range or IETF Consensus range. Section 2 also provides
templates for defining: a) new components to be passed in the
Extended IP Filter group and b) new Extended IP Filter groups.
Section 3 provides two new Filters approved in IDR WG drafts.
Section 3.1 provides definitions for new components: TTL, SID in IPv6
Segment Routing header (SRH). These two components were defined in
the original specification for Flow Specification v2
([I-D.ietf-idr-flowspec-v2]). Section 3.2 also provides prototypes
for a few existing components to aid authors of IDR drafts (current
or proposed) examples to aid their quick use of the Extended IP
Filters.
Section 4 provides information on Validation and Error handling for
the Extended Filters TLV. Section 5 contains manageability
considerations for FSv2 with Extended IP Filters TLV. Section 6
contains IANA considerations and section 7 contains security
considerations.
1.1. FSv2 background
FSv2 specifies new user-ordered filters that will be used with the
IPv4 (AFI=1) and IPv6 (AFI=2) 2 new SAFIs (TBD1, TBD2) for FSv2 to be
used with 5 AFIs (1, 2, 6, 25, and 31) to allow user-ordered lists of
traffic match filters for user-ordered traffic match actions encoded
in Communities (Extended or Wide Communities). The first SAFI (TBD1)
is used for IP forwarding, and the second SAFI (TBD2) will be used
with VPNs. The supported AFI/SAFI combinations in FSV2 are:
* IPV4 (AFI=1, SAFI=TBD1),
* IPv6 (AFI=2, SAFI=TBD1),
* L2 (AFI=6, SAFI=TBD1),
* SFC (AFI=31, SAFI=TBD1),
* BGP/MPLS IPv4 VPN (AFI=1, SAFI=TBD2),
* BGP/MPLS IPV6 VPN (AFI=2, SAFI=TBD2),
* BGP/MPLS L2VPN (AFI=25, SAFI=TBD2), and
Hares Expires 17 April 2025 [Page 3]
�
Internet-Draft FSv2 More IP Filters October 2024
* SFC VPN (AFI=31, SAFI=TBD2)
FSv1 and FSv2 use different AFI/SAFIs to send flow specification
filters. Since BGP route selection is performed per AFI/SAFI, this
approach can be termed “ships in the night” based on AFI/SAFI.
The full FSv2 specification ( Version 2 of BGP flow specification
(FSv2) was original defined in [I-D.ietf-idr-flowspec-v2]. contains
more than initial implementers desired to put in a single upgrade.
Therefore, the original FSv2 draft remains an WG draft, but the
content will be split out into groups of functions that can be easily
deployed as upgrades to FSv1. The upgrades will come in the
following groups:
FSv2 IP Basic ([I-D.ietf-idr-fsv2-ip-basic]): This specification
defines the FSv2 NLRI that allows user ordering of filters plus in
a IP Basic TLV which only allows FSv1 components. FSv2 actions
are implemented in Extended Communities (FSv2-EC). FSv2 defines
how the actions defined in FSv2-EC are ordered. Multiple FSv2-EC
actions can be attached to a single filter component, so FSv2
defines an Action Chain Ordering community to define what happens
if one of these multiple actions fails. All FSv2 implementations
must support the minimal subset in this document.
FSv2 IP Extended Filters (this document): This document defines the
Extended IP Filters TLV to allow easy addition of FSv2 filters.
The original FSv2 had definitions [I-D.ietf-idr-flowspec-v2] for
FSv2 TTL and SRv6 Header (SRH) filter so these components are
included in this specification.
FSv2 Individual drafts for IP Extended Filters: These drafts should
utilize the template given in section 2.2 Current proposals for
Extended IP Filters can request component identifier(s) be
included in this draft's BGP FSv2 Component registry list.
Grouping of Extended IP Filter can be registered in the Extended
IP Filter Groups (see section 2.3).
FSv2 IP Extended Actions ([I-D.hares-idr-fsv2-more-ip-actions]):
This document defines a FSV2 TLV for the for the BGP Community
Path Attribute, and a protocols for combining FSv2 Extended
Community (FSv2-EC) Actions with FSv2 Community Path Attributes.
FSv2 Individual drafts for FSv2 Actions: These drafts may define
FSv2 actions in Extended Communities and/or FSv2 actions in the
FSv2 TLV of the BGP Community Attribute.
Non-IP Filters (draft-hares-idr-fsv2-non-ip]: defines the template
Hares Expires 17 April 2025 [Page 4]
�
Internet-Draft FSv2 More IP Filters October 2024
for FSv2 non-IP filters for MPLS, L2 traffic, SFC, and tunnel
traffic, and FSV2 non-IP actions.
Individual drafts on Non-IP Filters: IDR drafts for non-ip functions
passed in BGP FSv2 includes: MPLS ([draft-hares-idr-fsv2-mpls]),
L2VPN ([I-D.ietf-idr-flowspec-l2vpn]), and NV03
([I-D.ietf-idr-flowspec-nvo3]).
1.2. Definitions and Acronyms
AFI: Address Family Identifier
AS: Autonomous System
BGPSEC: secure BGP [RFC8205] updated by [RFC8206]
BGP Session ephemeral state: state which does not survive the loss
of BGP peer session.
BGP Configuration state: state which persist across a reboot of
software module within a routing system or a reboot of a hardware
routing device.
DDOs: Distributed Denial of Service.
Ephemeral state: state which does not survive the reboot of a
software module, or a hardware reboot. Ephemeral state can be
ephemeral configuration state or operational state.
FS: Flow Specification.
FSv1: Flow Specification version 1 [RFC8955] [RFC8956]
FSv2: Flow Specification version 2 [I-D.ietf-idr-fsv2-ip-basic],
[this document].
FS-EC: Flow Specification Extended Community
FSv1-EC: FSv1 Extended Community that signals actions that occur
after a filter match
FSv2-EC: FSv2 Extended Community that signals actions that occur
after a filter match. FSv2-EC are preformed with either a default
order of processing or signal the FSv2-EC are performed in
implementation order.
NETCONF: The Network Configuration Protocol [RFC6241].
Hares Expires 17 April 2025 [Page 5]
�
Internet-Draft FSv2 More IP Filters October 2024
RESTCONF: The RESTCONF configuration Protocol [RFC8040].
RIB: Routing Information Base.
ROA: Route Origin Authentication [RFC9582]
RR: Route Reflector.
SAFI: Subsequent Address Family Identifier.
1.3. RFC 2119 language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119]
[RFC8174] when, and only when, they appear in all capitals as shown
here.
2. Extending the IP Filters
The format of the FSv2 NLRI field for IP Filters is defined in
[I-D.ietf-idr-fsv2-ip-basic]. This format includes a common header
with fields for user specified order, dependency filter chain, and a
TLV for filter components (type, length, value).
This section defines the use of the dependency filter chain (section
2.1) in the NLRI and the format of the Extended IP Filters TLV
(section 2.2). The Extended IP Filter group provides a flexible
means to define which components are supported by the Extended IP
Filter TLV. Four Extended Filter Component groups are defined in
section 2.3, but additional may be defined via an IANA Registry. The
ordering of Filters is by user define order number, then component,
then value within a component. Section 2.4 provides the rules for
ordering for FSv2 NLRI with IP Basic Filters and Extended IP Filters.
Section 2.5 provides a template for new Extended IP Components.
2.1. Dependency Filter Chain in FSv2 NLRI Header
FSv2 filters may be distributed in multiple BGP UPDATE packets. The
format of the FSv2 NLRI is shown in Figure 3-1. In FSv2, the user
can define the order of the filters by an including an order in the
FSV2 NLRI prior to the filter. FSv2 also defines an optional
dependency filter chain to allow the filter chains to be identified
across all FSV2 Filter chains. This information may be installed
from BGP data based into firewalls.
Hares Expires 17 April 2025 [Page 6]
�
Internet-Draft FSv2 More IP Filters October 2024
+-------------------------------+
| NLRI length (2 octets) |
+-------------------------------+
| TLVs+ |
| +===========================+ |
| | order (4 octets) | |
| +---------------------------+ |
| | Dependent filter chain | |
| |(type, chain ID, count, | |
| | item) (8 octets) | |
| +---------------------------+ |
| + FSv2 Filter type + |
| | (2 octets) | |
| +---------------------------+ |
| + length TLVs (2 octet) + |
| + --------------------------+ |
| + value (variable) + |
| +---------------------------+ |
+-------------------------------+
Figure 2-1 - FSv2 NLRI with Extended IP Filter type.
Where:
order: 4 octet field for the FSv21 user defined order of the filter
with a a value of 1-n. The value of zero is invalid
Dependent Filters Chain: 8 octets for identifying a chain of FSv2
filters that must be deployed at the same time. (See figure 2-2
for details.) If the dependency filters chain field is also zero,
there is no dependency filter chain defined.
FSv2 Filter type: 2 octet field for the FSv2 filter type. The
Extended IP Filter type value is 2.
length: 2 octet field for the length of the value field.
value field: variable length field defined per FSv2 filter type.
The value field for the Extended IP Filter rules has the format
shown in Figure 2-3.
The dependency filter chain has the following components:
Hares Expires 17 April 2025 [Page 7]
�
Internet-Draft FSv2 More IP Filters October 2024
+-------------------------------+
| Version (1 octet) |
+-------------------------------+
| chain id (3 octets) |
+-------------------------------+
| Count of items (2 octets) |
+ ------------------------------+
| Item (2 octets) |
+-------------------------------+
Figure 2-2 – IP header SubTLV format
where:
Version: This 1 octet field defines the version of the filter chain.
Valid values are 1-0xFF. Value 0 is reserved.
Chain ID: This 3 octet field identifies the filter chain. Valid
values include 0x00001 to 0xFFFFFF with the value zero (0x000000)
being reserved.
Count of items: This 2 octet field contains the count of item on
this filter dependency chains. Valid values are 0x0001 to 0xFFFF
with the value of zero being reserved.
Item: This (2 octets): filter sequence number on chain Valid values
are 0x0001 to 0xFFFF with the value of zero being reserved.
2.2. Extended IP Filters TLV
The Extended IP Filters TLV has a type value of 2 with a variable
length. The Extended IP Filters value field has the form shown in
Figure 2-3 where:
FSv2 Extended Filters Group: is a 1 octet field indicating the group
of components supported. Three groups are defined in this
document. Additional groups may be defined by registering the
group in the FSv2 Extended IP Filter group registry (see IANA
registry policy in section x.x), but those groups are outside the
scope of this document.
Components+: This field is a sequence of FSv2 Components with the
format shown in figure 2-4.
Hares Expires 17 April 2025 [Page 8]
�
Internet-Draft FSv2 More IP Filters October 2024
Extended Filters value field
+-------------------------------+
| +--------------------------+ |
| | FSv2 Extended Filters | |
| | group(2 octets) | |
| +--------------------------+ |
| | Components+ (variable) | |
| +--------------------------+ |
+-------------------------------+
Figure 2-3 - Extended IP Filters TLV
Each Component is a sequence of TLVs with the format
+-------------------------------+
| Component Type (1 octet) |
+-------------------------------+
| Component length (2 octets) |
+ ------------------------------+
| Component value (variable) |
+-------------------------------+
Figure 2-4 – Component format
Where:
Component type: is a 1 octet specify the component type.
Component length: is a 2 octet value specifying the component
length.
Component value: is a variable field defined per component.
The valid components for the Extended IP Filters defined by this
specification are listed in table 2-X below. These components
include the following:
IP Basic components: Components 1-13 are defined in
[I-D.ietf-idr-fsv2-ip-basic].
TTL Filter on Time to Live in IPv4 packet or maximum hop limit in
IPv6 packets.
SID function SID in segment routing header (SRH) in the IPv6 packet.
Hares Expires 17 April 2025 [Page 9]
�
Internet-Draft FSv2 More IP Filters October 2024
Table 2-1
Components for Extended IP Filters
SubTLV Extended IP Filters Components
-type for IP Extended Filters version 2
-------- ----------------------------------
0 - TTL
1 - IP Destination prefix
2 - IP Source prefix
3 – IPv4 Protocol od
IPv6 Upper Layer Protocol
4 – Port
5 – Destination Port
6 – Source Port
7 – ICMPv4 type or ICMPv6 type
8 – ICMPv4 code or ICMPv6 code
9 – TCP Flags
10 – Packet length
11 – DSCP
12 – Fragment
13 – Flow Label
14 - TTL
15 - Reserved
16 - SID in Routing IPv6 Header
2.3. Extended IP Filters Component Groups
Three groups are defined for Extended IP Filters:
FSv1: comprised of FSv2 components 1-13 (see Table 3-1)
FSv1 with TTL compromised of FSv2 components 0-14 where TTL has
component values 0 and 14 (see Table 3-2).
SR (Segment Routing) comprised of FSv2 components 0-17 were TTL has
the component value of 0 and 14 (see Table 3-3).
Hares Expires 17 April 2025 [Page 10]
�
Internet-Draft FSv2 More IP Filters October 2024
Table 2-2 FSv1 Component Group (0x00)
SubTLV Extended IP Filters Components
-type for IP Extended Filters version 1
-------- ----------------------------------
1 - IP Destination prefix
2 - IP Source prefix
3 – IPv4 Protocol or
IPv6 Upper Layer Protocol
4 – Port
5 – Destination Port
6 – Source Port
7 – ICMPv4 type or ICMPv6 type
8 – ICMPv4 code or ICMPv6 code
9 – TCP Flags
10 – Packet length
11 – DSCP
12 – Fragment
13 – Flow Label
Table 2-3 FSv1 + TTL Component Group (0x01)
SubTLV Extended IP Filters Components
-type for IP Extended Filters version 1
-------- ----------------------------------
0 - TTL
1 - IP Destination prefix
2 - IP Source prefix
3 – IPv4 Protocol or
IPv6 Upper Layer Protocol
4 – Port
5 – Destination Port
6 – Source Port
7 – ICMPv4 type or ICMPv6 type
8 – ICMPv4 code or ICMPv6 code
9 – TCP Flags
10 – Packet length
11 – DSCP
12 – Fragment
13 – Flow Label
14 - TTL
Hares Expires 17 April 2025 [Page 11]
�
Internet-Draft FSv2 More IP Filters October 2024
Table 2-4 Segment Routing Group (0x02)
SubTLV Extended IP Filters Components
-type for IP Extended Filters version 2
-------- ----------------------------------
0 - TTL
1 - IP Destination prefix
2 - IP Source prefix
3 – IPv4 Protocol od
IPv6 Upper Layer Protocol
4 – Port
5 – Destination Port
6 – Source Port
7 – ICMPv4 type or ICMPv6 type
8 – ICMPv4 code or ICMPv6 code
9 – TCP Flags
10 – Packet length
11 – DSCP
12 – Fragment
13 – Flow Label
14 - TTL
15 - Reserved
16 - SID in Routing IPv6 Header
Table 2-5 Extended IP Component Ranges
Sub-TLV range Definition
------------- -------------
1-13 V1 filters
14-63 IP Extended Filters
2.4. Ordering within FSv2 NLRI in Update Packet
The transmission of TLVs within a FSV2 NLRI SHOULD be sent via
ascending user order.
Within a single user order, the TLVs should be ordered by FSv2 Filter
type. The FSv2 Filter types which MUST be supported for the Extended
IP Filter support are Filter Type IP Basic (type = 1) and Filter Type
Extended IP Filters (type = 2). Other FSv2 Filter types MAY be
supported, but the support of those filter types is outside the scope
of this document.
Within a single user order number and the same IP Basic Filter Type,
the components should be ordered by ascending numerical order of the
component type.
Hares Expires 17 April 2025 [Page 12]
�
Internet-Draft FSv2 More IP Filters October 2024
Within a single user order number and the same Extended IP Basic
Type, the components should also be ordered by ascending component
numbers. The Extended IP Filters version number simply indicates
which components are required to be supported per version.
Within a single user order and a single component number, the order
of the filters is defined by the component. For example, if the
component types are the same, then the value fields are compared as
defined in [I-D.ietf-idr-fsv2-ip-basic], [RFC8955] and [RFC8956].
The filters MUST be stored with the value fields in ascending order.
NLRIs having TLVs which do not follow the above ordering rules MUST
be considered as malformed by a BGP FSv2 propagator. This rule
prevents any ambiguities that arise from the multiple copies of the
same NLRI from multiple BGP FSv2 propagators. A BGP implementation
SHOULD treat such malformed NLRIs as ""Treat-as-withdraw"" [RFC7606].
2.5. Template for Extended IP Components
Summary: One line title summary
Component type: The numerical value for component type. If the
component value has not been assigned by IANA, this value should
be in the form TBDx where x is a number (1..N).
Description: Description of what component does.
What field component targets in IPv4 packet: The specific field or
fields the compnent filters. If the field filter is in the IPv6
packet, then this field is left (n/a).
What field Filter targets in IPv6 packet: The specific field or
fields the compnent filters. If the field filter is in the IPv4
packet, then this field is left (n/a).
Length: Describe the length or possible lengths of this field.
Encoding of Component Value field This is the encoding of the value
in FSv2 NLRI. The best descriptions combine a diagram plus a
description.
Ordering within component: The mechanism to order if multiple
components of the same type occur.
conflicts with other filters: Describe what other filters this
component could interfere with.
Example encoding: Provide one simple example of the encoding of a
filter for the component.
Hares Expires 17 April 2025 [Page 13]
�
Internet-Draft FSv2 More IP Filters October 2024
references: earlier documents which defined this filter.
3. New Extended IP Components
3.1. TTL (type = 0(0x00) or 14(0x0E))
Summary: Defines matches for 8-bit (1 octet) TTL field in IPv4
header and 8-bit (1 octet) in IPv6 header Hop limit.
Component Type: 0 (0x00) and 14 (0x0E). Component type of zero
(0x00) places the TTL (IPv4) or Hop limit (IPv6) filter prior to
any other component test. Component ID value of 14 (0x0E) places
the TTL (IPv4)/Hop limit (IPv6) filter after all IP Basic Filters.
Description: This component filters IPv4 packets on a certain range
of values for TTL for IPv4 packets or a range of avalues for Hop
Limit for IPv6 packets.
What field Filter targets in IPv4 packet: TTL field
What field Filter targets in IPv6 packet: Hop Limit field
Length: variable with valid values 2-N in increments of 2 octets.
Encoding of Component:
TTL Component Value encoding
<[numeric_op, value]+>
Figure 3-1
where:
numeric_op: 1 octet field can express less than, greater than, or
equal. The field numeric_op is defined in
[I-D.ietf-idr-fsv2-ip-basic]. This is the same format as the
numeric-op for FSv1 components.
value: is a 1 octet value for TTL for IPv4 packets and Hop limit for
IPv6.
ordering of components: by full value of number_op concatenated with
value
conflict: none
Hares Expires 17 April 2025 [Page 14]
�
Internet-Draft FSv2 More IP Filters October 2024
reference: draft-bergeon-flowspec-ttl-match-00.txt
3.2. Parts of SID (type=16 (0x10))
Summary: IPv6 Service Identifier (SRv6 SID) Filter
Component type: 16 (0x10)
Description: Filters the SRv6 SEgment Identifier in an IPv6 address
associated the Segment Routing Header (SRH) ([RFC8402]).
What field targets in IPv6 Packet: Segment Routing Header (SRH)
SID in SRH: [RFC8402] defines SRv6 Segment Identifier (SID) as an
IPv6 address explicitly associated with the segment. [RFC8986]
defines the SID format as: "LOC:FUNCT:ARG" where:
* locator (LOC) is encoded in the L most significant bits of
the SID, followed by
* F bits of function (FUNCT), and
* A bits of arguments (ARG).
Length The total of three lengths (i.e., LOC length + FUNCT length +
ARG length) MUST NOT be greater than 128. If it is greater than
128, an error occurs and it is treated as a withdrawal [RFC7606]
and [RFC4760]. The length of the value field depends on the field
type and is the length of the SID parts being matched (see
Table 3, Figure 3-6) in bytes, rounded up if that length is not a
multiple of 8.
Encoding FSv2 Component Value: This component is expressed as as a
list of filter match conditions where a match is expressed as a
bit match for some parts of SID (LOC, FUNCT, ARG) or the whole
SID.
Hares Expires 17 April 2025 [Page 15]
�
Internet-Draft FSv2 More IP Filters October 2024
+------------------+-------------------+
| type (1 octet) | Loc-Len (1 octet) |
+------------------+-------------------+
| FUNCT-len (octet)| ARG -len (1 octet)}
+------------------+-------------------+
sequence of
+--------------------------------------+
| op (1 octet) | value (variable |
+------------------+-------------------+
[type, LOC-Len, FUNCT-Len, ARG-Len, [op, value]+]
Figure 3-2
where:
* type (1 octet): one type octet determining type of match. The
only valid value is 0x00 for Parts of SID.
* LOC-Len (1 octet): This indicates the length in bits of LOC in
SID.
* FUNCT-Len (1 octet): This indicates the length in bits of FUNCT
in SID.
* ARG-Len (1 octet): This indicates the length in bits of ARG in
SID.
* [op, value]+: This contains a list of {operator, value} pairs
that are used to match some parts of SID.
The operator (op) byte: is encoded as:
0 1 2 3 4 5 6 7
+---+---+---+---+---+---+---+---+
| e | a | field type|lt |gt |eq |
+---+---+---+---+---+---+---+---+
Figure 3-3
where: the behavior of each operator bit has clear similarity
with that of [RFC8955]'s Numeric Operator field.
e (end-of-list bit): Set in the last {op, value} pair in the
sequence.
a - AND bit: If unset, the previous term is logically ORed
Hares Expires 17 April 2025 [Page 16]
�
Internet-Draft FSv2 More IP Filters October 2024
with the current one. If set, the operation is a logical
AND. It should be unset in the first operator byte of a
sequence. The AND operator has higher priority than OR for
the purposes of evaluating logical expressions.
field type: 3 bits with the following meanings:
000: SID's LOC
001: SID's FUNCT
010: SID's ARG
011: SID's LOC:FUNCT (the concatenation of the LOC and
FUNCTION fields)
100: SID's FUNCT:ARG (the concatenation of the FUNCTION and
ARG fields)
101: SID's LOC:FUNCT:ARG (the concatenation of the FUNCTION
and ARG fields)
Note: For an unknown field type, Error Handling is to "treat
as withdrawal" [RFC7606] and [RFC4760].
lt: less than comparison between data' and value'.
gt: greater than comparison between data' and value'.
eq: equality between data' and value'.
use of lt,gt, and eq: The data' and value' used in lt, gt and eq
are indicated by the field type in an operator and the value
field following the operator.
Hares Expires 17 April 2025 [Page 17]
�
Internet-Draft FSv2 More IP Filters October 2024
Table 3-1 SID Parts fields
+-----------------------+------------------------------+
| Field Type | Value |
+=======================+==============================+
| SID's LOC | value of LOC bits |
+-----------------------+------------------------------+
| SID's FUNCT | value of FUNCT bits |
+-----------------------+------------------------------+
| SID's ARG | value of ARG bits |
+-----------------------+------------------------------+
| SID's LOC:FUNCT | value of LOC:FUNCT bits |
+-----------------------+------------------------------+
| SID's FUNCT:ARG | value of FUNCT:ARG bits |
+-----------------------+------------------------------+
| SID's LOC:FUNCT:ARG | value of LOC:FUNCT:ARG bits |
+-----------------------+------------------------------+
------------------ SID, 128 bits ----------------
/ \
+-----------+-----------+-----------+----------------+
| LOC | FUNCT | ARG | ... |
+-----------+-----------+-----------+----------------+
\ / \ / \ / \ /
j bits k bits m bits 128-j-k-m bits
\ /
LOC:FUNCT, j+k bits
\ /
FUNCT:ARG, k+m bits
\ /
-- LOC:FUNCT:ARG, j+k+m bits –
Figure 3-4
Dependency between components: TBD
conflicts between components: TBD
Examples in: TBD
reference: [I-D.ietf-idr-flowspec-srv6]
4. Proposed Extended IP Components and Filter Groups
This section provides suggested templates for existing proposals for
components and Extended IP Filter Groups. This section will be
deleted prior to publication, and the proposals moved to individual
drafts.
Hares Expires 17 April 2025 [Page 18]
�
Internet-Draft FSv2 More IP Filters October 2024
4.1. NRP ID Filter(type=17) (0x11)
Summary: Network Resource Partition ID Component
Description: This filters an Option in the Next-Hop-Options header
in IPv6 packet ([RFC8402], section 4). A Network Resource
Partition (NRP) option carries around the network resource
partition information (NRP) in the Hop-by-Hop options header
([I-D.ietf-6man-enhanced-vpn-vtn-id]). This IPv6 Extension head
has:
Flags (flags): This is a 8 bit flag field in a single octet. One
bit, "S" defined in most significant bit. The S stands for
strict match of NRP ID field. The NRP Flags field is filtered
for by the FSv2 component Flags field.
Context type (CT): 1 octet field indicating the semantics and
length of NRP-ID field. The value of CT=0 indicates a 4-octet
NRP ID, F bits of function (FUNCT), and A bits of arguments
(ARG).
What filtering in IPv6 Packet: IPv6 Hop-by-Hop Options Header
([RFC8402])
FSv2 NRP ID Component value field: Defines match for NRP ID in the
NRP option of Hop-by-Hop Header. This FSv2 component has
following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Type | Opt Data Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Flags | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NRP ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4-1: NRP FSv2 Component
where:
Flags: This field is 2 octets with only the most signficant bit
defined as Global Bit (g).
Global bit (g): When set, it indicates the NRP ID to be
Hares Expires 17 April 2025 [Page 19]
�
Internet-Draft FSv2 More IP Filters October 2024
matched with a globally unique NRP ID. Otherwise, the NRP-
ID is to be a domain significant NRP ID. The global NRP ID
has been coordinated among these domains.
Reserved: This a 2-octet field reserved for future use. It
SHOULD be set to zero on transmission and MUST be ignored on
receipt.
NRP ID: This is a 4-octet identifier which is used to identify an
NRP
Interactions with: None
reference: [I-D.ietf-idr-flowspec-network-slice-ts]
4.2. IP Payloads Match type=18 (0x12))
Summary: IP Payload filter
Description: Flexible Deep packet filters
IP Packet filtering: IPv4 and/or IPv6
What filtering in packet: Data in header or within the payload.
Encoding: The filter has an offset to filter data from the point
specified in the "offset-type field" for using a filter of
specific length (content-length) with a specific pattern
(content). The type of packet IPv4 or IPv6 is specified in Type
of IP packet.
The structure of the component is:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Type | component Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PType | Otype | offset (offset-value) | content length|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| content |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4-2: FSv2 IP Payload Match Component
Where the
Hares Expires 17 April 2025 [Page 20]
�
Internet-Draft FSv2 More IP Filters October 2024
* Ptype - 4 bit field indicating the packet type via AFI (IPv4 or
IPv6)
- IPv4 = 1
- IPv6 = 2
* Otype - 4 bit field indicating the offset type where
- 0 = IP header
- 1 = IP header data
- 2 = Data within TCP/UDP
* offset - is number of bytes to the payload from the point
defined by Ptype and Otype.
* content length - length of the content.
* content - content filter field to match (significant field bit
zero).
Ordering within component: (TBD)
Interacts with components: (TBD)
reference: [I-D.cui-idr-content-filter-flowspec]
4.3. Group ID (type=19 (0x13))
Summary: Filter on Group ID
Description: Flexible filters on group identifiers
IP Packet filtering: IPv4 or IPv6
What filtering: Group ID specified sub-type
What Filtering in Packet: The filter looks for a specific type of
group ID within either the IPv4 or IPv6 packet header.
Encoding of component: The structure of the component is the
following
Hares Expires 17 April 2025 [Page 21]
�
Internet-Draft FSv2 More IP Filters October 2024
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Type | Opt Data Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Packet Type | Offset type | Group type | SubGroup type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Offset value | GMask length | SG Mask length|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Group Mask |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Group ID value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sub-Group Mask |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sub-Group Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4-3: FSv2 IP Payload Match Component
Where the
* Packet type - 8 bit field indicating the packet type
- IPv4 = 1
- IPv6 = 2
* Offset type - 4 bit field indicating the offset type where
- 0 = IP header
- 1 = IP header data
- 2 = Data within TCP/UDP
* offset - is number of bytes to the payload from the point
defined by Ptype and Otype.
* Group type - 1 octet field indicating the type of group ID
- 0 = Reserved
- 1 = Indirection ID
- 2 = Interface group
- 3 = CATS ID
Hares Expires 17 April 2025 [Page 22]
�
Internet-Draft FSv2 More IP Filters October 2024
- 4 = SAV ID
- 5 = APN ID
* Sub-Group type - Sub group within filters.
- 0 = Reserved
- 1 = data traffic (Inbound/outbound)
- 1 = data traffic Inbound only
- 2 = data traffic outbound only
* Group Mask - (variable) Group field mask
* Group ID value - (variable) Group ID value to match
* Sub Group Mask - (variable) Sub-Group Mask
* Sub-Group Value - (variable) Sub-Group value to match on
Ordering within component: TBD
Dependency between components: TBD
Donflicts with other components: (TBD)
Reference: TBD (just a sample)
Note: In addition, the Group will need to define a registries for
Group types and sub-group types.
4.4. Proposed Filter Groups
Three new Extended IP filter groups could be created from these
filters for SRv6, SRv6+Payload, SRv6 + groups. Tables 3-x, 3-x, and
3-y show these grouping. These groups are simply suggests for the
proposed individual drafts to consider.
Hares Expires 17 April 2025 [Page 23]
�
Internet-Draft FSv2 More IP Filters October 2024
Table 4-1 SR + Payload Filters
SubTLV Extended IP Filters Components
-type for IP Extended Filters version 2
-------- ----------------------------------
0 - TTL
1 - IP Destination prefix
2 - IP Source prefix
3 – IPv4 Protocol od
IPv6 Upper Layer Protocol
4 – Port
5 – Destination Port
6 – Source Port
7 – ICMPv4 type or ICMPv6 type
8 – ICMPv4 code or ICMPv6 code
9 – TCP Flags
10 – Packet length
11 – DSCP
12 – Fragment
13 – Flow Label
14 - TTL
15 - Reserved
16 - SID in Routing IPv6 Header
17 - NRP-ID in Hop-by-Hop IPv6 Header
18 - Payload
Hares Expires 17 April 2025 [Page 24]
�
Internet-Draft FSv2 More IP Filters October 2024
Table 4-2 SR + Payloads + Group Filters
SubTLV Extended IP Filters Components
-type for IP Extended Filters version 2
-------- ----------------------------------
0 - TTL
1 - IP Destination prefix
2 - IP Source prefix
3 – IPv4 Protocol od
IPv6 Upper Layer Protocol
4 – Port
5 – Destination Port
6 – Source Port
7 – ICMPv4 type or ICMPv6 type
8 – ICMPv4 code or ICMPv6 code
9 – TCP Flags
10 – Packet length
11 – DSCP
12 – Fragment
13 – Flow Label
14 - TTL
15 - Reserved
16 - SID in Routing IPv6 Header
17 - NRP-ID in Hop-by-Hop IPv6 Header
18 - Payload
19 - Group filters
5. Validation and Error Handling
Validation of the FSv2 NLRI follows the rules from section 4.1 of
[I-D.ietf-idr-fsv2-ip-basic]. For ease of reference to this
validation procedure, the implementer might consider the following
facts:
Extended IP filters - are passed as either IPv4 (AFI=1, SAFI=TBD1),
IPv6 (AFI=2, SAFI=TBD1), IPv4 VPN (AFI=1, SAFI=TBD2), IPv6 VPN
(AFI=2, SAFI=TBD2). or (AFI=2) SAFI=TBD1 or SAFI=TBD2.
IP Extended filters sent in SAFI=TBD1 - are validated against
SAFI=1. To be specific, (AFI=1, SAFI=TBD1) is validated against
(AFI=1, SAFI=1), and (AFI=2, SAFI=TBD1) is validasted against
(AFI=2, SAFI=1).
IP Extended filters sent in SAFI=TBD2 - are validated against
SAFI=128. To be specific, (AFI=1, SAFI=TBD2) is validated against
(AFI=1, SAFI=128) AND (AFI=2, SAFI=TBD2) is validated against
(AFI=2, SAFI=128).
Hares Expires 17 April 2025 [Page 25]
�
Internet-Draft FSv2 More IP Filters October 2024
Validation of the FSv2 NLRI follows the rules from section 4.2 of
[I-D.ietf-idr-fsv2-ip-basic] apply to the FSV2 NLRI filters. For
ease of reference to this section, implementers might consider the
following facts:
FSv2 defines a Rule-0 for 0/0 with "permit-all" action. - By
default, FSv2 (and FSv1) restrict the flow from permit all. By
configuration, Rule-0 could be set to 0/0 with "permit-none" and
filters could have the benefit of allowing traffic. If this
configuration knob is set, then it MUST be used in a limited
Domain of cooperating networks.
FSv2 rules are ordered by ascending user order number, FSv2 Filter
type, FSv2 component type, and FSv2 component value. This ordering
rules means that multiple FSv2 filter rules with the same user
order number of ordered by ascending FSv2 filter types (IP Basic
(0x01) and Extended IP Filters (0x02)). If the FSv2 filter has
the same user order and Filter type, then the order is by
ascending FSv2 component type numbers. Finally, if FSv2 filters
have the same user order, Flter type, component type, then the
filter is ordered by the component value.
Order is deterministic, but arbitrary. Users may use the user
ordering and dependency chain to establish more complex
relationships.
The following two error handling rules stated in Section 4.1.3 of
[I-D.ietf-idr-fsv2-ip-basic] must be followed by all BGP speakers:
1) FSv2 NLRI having TLV which do not have the correct length or
syntax must be considered MALFORMED. Syntax is defined as having
each field within NLRI header (order, dependent filters chain and
within the FSv2 TLV (IP Basic TLV or Extended TLV) header, and
each component. Any MALFORMED FSv2 NLRI is handled as "TREAT AS
WITHDRAW" per [RFC7606].
2) Any FSV2 NLRI which do not follow the ordering rules described in
section 4 [I-D.ietf-idr-fsv2-ip-basic] for filters is considered
MALFORMED.
Actions are transmitted on Extended Communities (EC) for FSv2 basic
actions (FSv2-EC) or BGP Community path attribute (CPA) with FSv2 TLV
(FSv2-CPA). The following rules MUST be followed by the FSv2
actions:
If BGP Community Path Attribute is not supported, then: FSv2-EC MUST
Hares Expires 17 April 2025 [Page 26]
�
Internet-Draft FSv2 More IP Filters October 2024
be ordered by FSv2 default order (see
[I-D.ietf-idr-fsv2-ip-basic]) if one of the two conditions is not
present:
* Implement configuration knob that implementation specific order
is set
* Action Chain Order (ACO) FSV2-EC is attached with the Action
dependency set to implementation specific
If a BGP Community Path Attribute with a FSv2 TLV (FSv2-CPA)is
supported and attached in an invalid form, then: the FSv2-CPA is
ignored and not forwarded.
If BGP Community Path Attribute with a FSv2 TLV (FSv2-CPA) is
supported and a valid FSv2-CPA is attached, then: the FSv2-CPA takes
precedence over FSv2-EC. The BGP Community Path attribute allows
for user ordering with user order values of [1-N]. By default,
the FSv2-EC follow the FSv2-CP actions (N+1) with all FSv2-EC on
the same user order number. Early deployments of FSv2-CPA may
want to reverse this order (first FSv2-EC, then BGP Community Path
attribute). If so, FSv2-EC should be defined as [action order 0]
by configuration knob.
6. Manageability
FSv1 is a key part of many existing networks. The introduction of
FSv2 is expected to be a phased process. where FSv1 is replaced
slowly. One potential way this might occur is the following:
FSv2 IP basic replaces FSv1 - A FSv2 implementation may simply
configure FSv2 with the same IP Basic components as used in FSv1,
and a user order of 1 for FSv2. FSv1 would be configured with a
default user order of 10. The same Extended Communities are
passed plus an ACO community (Generic Transitive Extended
Community (0x01)) with ACO-Dependency of 0x0 (implementation
specific) and AC-FAilure (0x00).
FSv2 IP basic with default Action order ACO FSv2-EC used when
FSv2-EC action order is needed to detect conflicts in actions in
remote BGP peers.
FSv2 IP basic with flexible user order After the implementations are
solid, it is expected that networks will use FSv2 user ordering to
provide flexible ordering.
FSv2 Extended IP Filters with no dependency chain are deployed. The
Hares Expires 17 April 2025 [Page 27]
�
Internet-Draft FSv2 More IP Filters October 2024
dependency chain field can be left as zero for any deployment of
FSv2 Filter NLRI.
FSv2 MPLS Filters with no dependency chain are deployed. The default
ordering of the filters with the same user order number would be
IP Basic Filters (0x01), Extended IP Filters (0x02), and MPLS
Filters (0x03). If MPLS filters need to be done first, then the
user order of MPLS would need to be lower than Extended IP
filters. Please note that SRv6 headers are Extended IP Filters so
SRv6 takes precedence over MPLS label filters.
7. IANA Considerations
This section complies with [RFC7153].
7.1. FSv2 Component types
IANA is requested to indicate [this draft] as a reference on the
following assignments in the Flow Specification Component Types
Registry:
ID Name Reference
---- ----------- -----------------
0 TTL [this document]
14 TTL [this document]
15 Reserved [this document]
16 Partial SID [this document]
17 NRP ID [this document]
7.2. FSV2 IP Extended Filter Groups
IANA is requested to create the following a registry for extended IP
Filters Group with the following values. Registry type is "IETF-
Consensus" for values 0x04 to 0xFF. Registry type is "FCFS" for
values 0x100 to 0x1FF.
ID Group Name Valid FSV2
component values Reference
--- ----------- ---------------- -----------------
0 FSv1 0-13 [this document]
1 FSv1 + TTL 0-14 [this document]
2 SRv6 0-16 [this document]
Values 0x04 - 0xFF (255) - Assigned via IETF Consensus
Values 0x100 - 0x1FF (300-511) - Expert review
Values 0x200 - 0x2FF (512-7670 - FCFS
Hares Expires 17 April 2025 [Page 28]
�
Internet-Draft FSv2 More IP Filters October 2024
A template for requesting the IP Filters group assignment is given
below.
7.2.1. Template for Requesting FSv2 Extended Filters Group
Name: Provide a short name (10 characters, maximum)
Summary: One line title summary
Component IDs included: The numerical value for component ID type.
Type of Group Assignment: This should either be IETF Consensus,
Expert review or FCFS.
Document reference: document that defines group
Contact: Person making request
8. Security Considerations
The use of ROA improves on [RFC8955] by checking to see of the route
origination. This check can improve the validation sequence for a
multiple-AS environment.
>The use of BGPSEC [RFC8205] to secure the packet can increase
security of BGP flow specification information sent in the packet.
The use of the reduced validation within an AS [RFC9117] can provide
adequate validation for distribution of flow specification within a
single autonomous system for prevention of DDoS.
Distribution of flow filters may provide insight into traffic being
sent within an AS, but this information should be composite
information that does not reveal the traffic patterns of individuals.
9. References
9.1. Normative References
[I-D.hares-idr-bgp-community-attribute]
Hares, S., "BGP Community Container Attribute", Work in
Progress, Internet-Draft, draft-hares-idr-bgp-community-
attribute-01, 14 October 2024,
.
Hares Expires 17 April 2025 [Page 29]
�
Internet-Draft FSv2 More IP Filters October 2024
[I-D.ietf-6man-enhanced-vpn-vtn-id]
Dong, J., Li, Z., Xie, C., Ma, C., and G. S. Mishra,
"Carrying Network Resource Partition (NRP) Information in
IPv6 Extension Header", Work in Progress, Internet-Draft,
draft-ietf-6man-enhanced-vpn-vtn-id-07, 8 July 2024,
.
[I-D.ietf-idr-bgp-flowspec-label]
liangqiandeng, Hares, S., You, J., Raszuk, R., and D. Ma,
"Carrying Label Information for BGP FlowSpec", Work in
Progress, Internet-Draft, draft-ietf-idr-bgp-flowspec-
label-02, 20 October 2022,
.
[I-D.ietf-idr-flowspec-interfaceset]
Litkowski, S., Simpson, A., Patel, K., Haas, J., and L.
Yong, "Applying BGP flowspec rules on a specific interface
set", Work in Progress, Internet-Draft, draft-ietf-idr-
flowspec-interfaceset-05, 18 November 2019,
.
[I-D.ietf-idr-flowspec-l2vpn]
Weiguo, H., Eastlake, D. E., Litkowski, S., and S. Zhuang,
"BGP Dissemination of L2 Flow Specification Rules", Work
in Progress, Internet-Draft, draft-ietf-idr-flowspec-
l2vpn-24, 6 October 2024,
.
[I-D.ietf-idr-flowspec-mpls-match]
Yong, L., Hares, S., liangqiandeng, and J. You, "BGP Flow
Specification Filter for MPLS Label", Work in Progress,
Internet-Draft, draft-ietf-idr-flowspec-mpls-match-02, 20
October 2022, .
[I-D.ietf-idr-flowspec-network-slice-ts]
Dong, J., Chen, R., Wang, S., and J. Wenying, "BGP
Flowspec for IETF Network Slice Traffic Steering", Work in
Progress, Internet-Draft, draft-ietf-idr-flowspec-network-
slice-ts-02, 4 March 2024,
.
Hares Expires 17 April 2025 [Page 30]
�
Internet-Draft FSv2 More IP Filters October 2024
[I-D.ietf-idr-flowspec-nvo3]
Eastlake, D. E., Weiguo, H., Zhuang, S., Li, Z., and R.
Gu, "BGP Dissemination of Flow Specification Rules for
Tunneled Traffic", Work in Progress, Internet-Draft,
draft-ietf-idr-flowspec-nvo3-20, 16 June 2024,
.
[I-D.ietf-idr-flowspec-path-redirect]
Van de Velde, G., Patel, K., and Z. Li, "Flowspec
Indirection-id Redirect", Work in Progress, Internet-
Draft, draft-ietf-idr-flowspec-path-redirect-12, 24
November 2022, .
[I-D.ietf-idr-flowspec-srv6]
Li, Z., Li, L., Chen, H., Loibl, C., Mishra, G. S., Fan,
Y., Zhu, Y., Liu, L., and X. Liu, "BGP Flow Specification
for SRv6", Work in Progress, Internet-Draft, draft-ietf-
idr-flowspec-srv6-05, 29 March 2024,
.
[I-D.ietf-idr-fsv2-ip-basic]
Hares, S., Eastlake, D. E., Dong, J., Yadlapalli, C., and
S. Maduschke, "BGP Flow Specification Version 2 - for
Basic IP", Work in Progress, Internet-Draft, draft-ietf-
idr-fsv2-ip-basic-01, 3 October 2024,
.
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
DOI 10.17487/RFC0791, September 1981,
.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y.,
Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack
Encoding", RFC 3032, DOI 10.17487/RFC3032, January 2001,
.
Hares Expires 17 April 2025 [Page 31]
�
Internet-Draft FSv2 More IP Filters October 2024
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006,
.
[RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
Communities Attribute", RFC 4360, DOI 10.17487/RFC4360,
February 2006, .
[RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
"Multiprotocol Extensions for BGP-4", RFC 4760,
DOI 10.17487/RFC4760, January 2007,
.
[RFC5065] Traina, P., McPherson, D., and J. Scudder, "Autonomous
System Confederations for BGP", RFC 5065,
DOI 10.17487/RFC5065, August 2007,
.
[RFC5701] Rekhter, Y., "IPv6 Address Specific BGP Extended Community
Attribute", RFC 5701, DOI 10.17487/RFC5701, November 2009,
.
[RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
Origin Authorizations (ROAs)", RFC 6482,
DOI 10.17487/RFC6482, February 2012,
.
[RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP
Extended Communities", RFC 7153, DOI 10.17487/RFC7153,
March 2014, .
[RFC7606] Chen, E., Ed., Scudder, J., Ed., Mohapatra, P., and K.
Patel, "Revised Error Handling for BGP UPDATE Messages",
RFC 7606, DOI 10.17487/RFC7606, August 2015,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
[RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M.
Bacher, "Dissemination of Flow Specification Rules",
RFC 8955, DOI 10.17487/RFC8955, December 2020,
.
Hares Expires 17 April 2025 [Page 32]
�
Internet-Draft FSv2 More IP Filters October 2024
[RFC8956] Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed.,
"Dissemination of Flow Specification Rules for IPv6",
RFC 8956, DOI 10.17487/RFC8956, December 2020,
.
[RFC9015] Farrel, A., Drake, J., Rosen, E., Uttaro, J., and L.
Jalil, "BGP Control Plane for the Network Service Header
in Service Function Chaining", RFC 9015,
DOI 10.17487/RFC9015, June 2021,
.
[RFC9117] Uttaro, J., Alcaide, J., Filsfils, C., Smith, D., and P.
Mohapatra, "Revised Validation Procedure for BGP Flow
Specifications", RFC 9117, DOI 10.17487/RFC9117, August
2021, .
[RFC9184] Loibl, C., "BGP Extended Community Registries Update",
RFC 9184, DOI 10.17487/RFC9184, January 2022,
.
[RFC9582] Snijders, J., Maddison, B., Lepinski, M., Kong, D., and S.
Kent, "A Profile for Route Origin Authorizations (ROAs)",
RFC 9582, DOI 10.17487/RFC9582, May 2024,
.
9.2. Informative References
[I-D.cui-idr-content-filter-flowspec]
Cui, Y., Gao, Y., and S. Hares, "Packet Content Filter for
BGP FlowSpec", Work in Progress, Internet-Draft, draft-
cui-idr-content-filter-flowspec-03, 14 August 2024,
.
[I-D.hares-idr-fsv2-more-ip-actions]
Hares, S., "BGP Flow Specification Version 2 - More IP
Actions", Work in Progress, Internet-Draft, draft-hares-
idr-fsv2-more-ip-actions-01, 3 June 2024,
.
[I-D.ietf-idr-flowspec-v2]
Hares, S., Eastlake, D. E., Yadlapalli, C., and S.
Maduschke, "BGP Flow Specification Version 2", Work in
Progress, Internet-Draft, draft-ietf-idr-flowspec-v2-04,
28 April 2024, .
Hares Expires 17 April 2025 [Page 33]
�
Internet-Draft FSv2 More IP Filters October 2024
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
.
[RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol
Specification", RFC 8205, DOI 10.17487/RFC8205, September
2017, .
[RFC8206] George, W. and S. Murphy, "BGPsec Considerations for
Autonomous System (AS) Migration", RFC 8206,
DOI 10.17487/RFC8206, September 2017,
.
[RFC8300] Quinn, P., Ed., Elzur, U., Ed., and C. Pignataro, Ed.,
"Network Service Header (NSH)", RFC 8300,
DOI 10.17487/RFC8300, January 2018,
.
[RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
Decraene, B., Litkowski, S., and R. Shakir, "Segment
Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
July 2018, .
[RFC8986] Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer,
D., Matsushima, S., and Z. Li, "Segment Routing over IPv6
(SRv6) Network Programming", RFC 8986,
DOI 10.17487/RFC8986, February 2021,
.
Author's Address
Susan Hares
Hickory Hill Consulting
7453 Hickory Hill
Saline, MI 48176
United States of America
Phone: +1-734-604-0332
Email: shares@ndzh.com
Hares Expires 17 April 2025 [Page 34]