One document matched: draft-baker-ipv6-ospf-dst-flowlabel-routing-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- Some of the more generally applicable PIs that most I-Ds might want to use -->
<!-- Try to enforce the ID-nits conventions and DTD validity -->
<?rfc strict="yes" ?>
<!-- Items used when reviewing the document -->
<?rfc comments="no" ?>
<!-- Controls display of <cref> elements -->
<?rfc inline="no" ?>
<!-- When no, put comments at end in comments section,
otherwise, put inline -->
<?rfc editing="no" ?>
<!-- When yes, insert editing marks: editing marks consist of a
string such as <29> printed in the blank line at the
beginning of each paragraph of text. -->
<!-- Create Table of Contents (ToC) and set some options for it.
Note the ToC may be omitted for very short documents, but idnits insists on a ToC
if the document has more than 15 pages. -->
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<!-- If "yes" eliminates blank lines before main section entries. -->
<?rfc tocdepth="4"?>
<!-- Sets the number of levels of sections/subsections... in ToC -->
<!-- Choose the options for the references.
Some like symbolic tags in the references (and citations) and others prefer
numbers. The RFC Editor always uses symbolic tags.
The tags used are the anchor attributes of the references. -->
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc rfcprocack="yes" ?>
<!-- If "yes", causes the references to be sorted in order of tags.
This doesn't have any effect unless symrefs is "yes" also. -->
<!-- These two save paper: Just setting compact to "yes" makes savings by not starting each
main section on a new page but does not omit the blank lines between list items.
If subcompact is also "yes" the blank lines between list items are also omitted. -->
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<!-- end of list of popular I-D processing instructions -->
<!-- end of list of processing instructions -->
<rfc category="std" docName="draft-baker-ipv6-ospf-dst-flowlabel-routing-01"
ipr="trust200902">
<front>
<title abbrev="RBAC in Routing">Using OSPFv3 with Role-Based Access
Control</title>
<author fullname="Fred Baker" initials="F.J." surname="Baker">
<organization>Cisco Systems</organization>
<address>
<postal>
<street></street>
<city>Santa Barbara</city>
<code>93117</code>
<region>California</region>
<country>USA</country>
</postal>
<email>fred@cisco.com</email>
</address>
</author>
<date />
<area>Routing</area>
<workgroup>OSPF</workgroup>
<abstract>
<t>This note describes the changes necessary for OSPFv3 to route classes
of IPv6 traffic that are defined by an IPv6 Flow Label and a destination
prefix. This implies not simply routing "to a destination", but "traffic
going to that destination AND using a specified flow label". It may be
combined with other qualifying attributes, such as "traffic going to
that destination AND using a specified flow label AND from a specified
source prefix". The obvious application is data center inter-tenant
routing using a form of role-based access control. If the sender doesn't
know the value to insert in the flow label (the receiver's tenant ID),
it in effect has no route to that destination, thus providing an access
list that is as changeable and scalable as routing.</t>
</abstract>
<!--
<note title="Foreword">
</note>
-->
<!--
<?rfc needLines="10" ?>
<texttable anchor="table_example" title="A Very Simple Table">
<preamble>Tables use ttcol to define column headers and widths.
Every cell then has a "c" element for its content.</preamble>
<ttcol align="center">ttcol #1</ttcol>
<ttcol align="center">ttcol #2</ttcol>
<c>c #1</c> <c>c #2</c>
<c>c #3</c> <c>c #4</c>
<c>c #5</c> <c>c #6</c>
<postamble>which is a very simple example.</postamble>
</texttable>
-->
</front>
<middle>
<!--
<t>There are multiple list styles: "symbols", "letters", "numbers",
"hanging", "format", etc.</t>
<t>
<list style="symbols">
<t>First bullet</t>
<t>Second bullet</t>
</list>
</t>
-->
<!--
<figure anchor="reference" title="Figure">
<artwork align="center">
<![CDATA[
ASCII artwork goes here...
]]>
</artwork>
</figure>
-->
<section title="Introduction">
<t>This specification builds on <xref target="RFC5340">OSPF for
IPv6</xref> and the extensible LSAs defined in <xref
target="I-D.acee-ospfv3-tlv-extend"></xref>. It adds the sub-TLV option
for an IPv6 Flow Label, in order to define routes to a destination
prefix for traffic that is tagged with a specified flow label.</t>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"></xref>.</t>
</section>
</section>
<section anchor="extensions" title="Theory of Routing">
<t>Both IS-IS and OSPF perform their calculations by building a lattice
of routers and links from the router performing the calculation to each
router, and then use those routes to get to destinations that those
routes advertise connectivity to. Following the SPF algorithm,
calculation starts by selecting a starting point (typically the router
doing the calculation), and successively adding {link, router) pairs
until one has calculated a route to every router in the network. As each
router is added, including the original router, destinations that it is
directly connected to are turned into routes in the route table: "to get
to 2001:db8::/32, route traffic to {interface, list of next hop
routers}". For immediate neighbors to the originating router, of course,
there is no next hop router; traffic is handled locally.</t>
<t>In this context, the route is qualified by a flow label value; It is
installed into the FIB with the value, and the FIB applies the route if
and only if the IPv6 header flow label field matches the advertised flow
label. Of course, there may be multiple LSAs in the LSDB with the same
destination and differing flow labels; these may also have the same or
differing next hop lists. The intended forwarding action is to forward
matching traffic to one of the next hop routers associated with this
destination and flow label value, or to discard non-matching traffic as
"destination unreachable".</t>
<t>LSAs that lack a flow label tag match any flow label, by
definition.</t>
<section title="Dealing with ambiguity">
<t>In any routing protocol, there is the possibility of ambiguity. An
area border router might, for example, summarize the routes to other
areas into a small set of relatively short prefixes, which have more
specific routes within the area. Traditionally, we have dealt with
that using a "longest match first" rule. If the same datagram matches
more than one destination prefix advertised within the area, we follow
the route to the longest matching prefix.</t>
<t>When routing a class of traffic, we follow an analogous "most
specific match" rule; we follow the route for the most specific
matching tuple. In cases of simple overlap, such as routing to
2001:db8::/32 or 2001:db8:1::/48, that is exactly analogous; we choose
one of the two routes.</t>
<t>It is possible, however, to construct an ambiguous case in which
neither class subsumes the other. For example, presume that <list
style="symbols">
<t>A is a prefix,</t>
<t>B is a more-specific prefix within A,</t>
<t>C is a specific flow label value</t>
</list></t>
<t>The two classes "routes to A using flow label C" and "routes to B
using any flow label" are ambiguous: a datagram to B using the flow
label C matches both classes, and it is not clear in the data plane
what decision to make. Solving this requires the addition of a third
route in the FIB corresponding to the class for routes to B using flow
label C, which is more-specific than either of the first two, and can
be given routing guidance based on metrics or other policy in the
usual way.</t>
</section>
</section>
<section title="Extensions necessary for OSPFv3">
<t>The extensible LSA format defined in <xref
target="I-D.acee-ospfv3-tlv-extend"></xref> requires one additional
option to accomplish label+destination routing: the flow label in use by
the destination. This is defined here.</t>
<t><list style="empty">
<t>Editor's note-to-self: the following statement is my expectation.
That said, the authors of <xref
target="I-D.acee-ospfv3-tlv-extend"></xref> suggest that an area
should have one type of LSA (as specified in <xref
target="RFC5340"></xref>) or the extended LSA. I'll leave the
statement for the moment, and remove it if the OSPF working group
tells me to.</t>
</list></t>
<t>In addition, should (as one might expect is normal) destination-only
intra-area-prefix, inter-area-prefix, and AS-external-prefix LSAs be
encountered, we need a rule for interpretation. The rule is that they
are treated exactly as the extensible version if the flow label TLV is
omitted, which is to say, that any flow label value is accepted.</t>
<section anchor="label-security" title="On Flow Labels and security">
<t>According to section 6 of <xref target="RFC2460"></xref>, a Flow
Label is a 20 bit number which <list style="empty">
<t>"may be used by a source to label sequences of packets for
which it requests special handling by the IPv6 routers".</t>
</list></t>
<t>The possible use case mentioned in an appendix is egress routing.
<xref target="RFC1809"></xref>, <xref target="RFC6294"></xref>, <xref
target="RFC6436"></xref>, <xref target="RFC6437"></xref>, and <xref
target="RFC6438"></xref> suggest other possible use cases.</t>
<t>In this model, the flow label is used to prove that the datagram's
sender has specific knowledge of its intended receiver. No proof is
requested; this is left for higher layer exchanges such as IPSec or
TLS. However, if the information is distributed privately, such as
through DHCP/DHCPv6, the network can presume that a system that marks
traffic with the right flow label has a good chance of being
authorized to communicate with its peer.</t>
<t>The key consideration, in this context, is that the flow label is a
20 bit number. As such, an advertised route requiring a given flow
label value is calling for an exact match of all 20 bits of the label
value.</t>
</section>
<section anchor="OSPFv3-label" title="Flow Label TLV">
<?rfc needLines="8"?>
<figure title="Flow Label TLV">
<artwork align="center"><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Flow Label |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t><list style="hanging">
<t hangText="Type:">assigned by IANA</t>
<t hangText="Length:">Length of the "value" of the TLV in octets,
which is 4.</t>
<t hangText="Flow Label:">20 bits of Flow Label value</t>
<t hangText="Reserved:">unused, MUST be zero when generated and
ignored on receipt.</t>
</list></t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>The OSPF Working Group will need a registry for sub-TLV Types. To be
discussed</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>Role-based Access Control may be considered a variety of firewall
technology, in the sense that one end system might send a packet
addressed to another, and have the network refuse to carry it. As with
any firewall, the security value is limited; in this case, an attacker
that in some way identified the flow label value being used for an
identified set of targets could circumvent the firewall. And as with any
firewall, while the endpoint is its own final security bastion, there is
value in defense in depth, by which an attacker must thread more than
one defense.</t>
<t>The obvious ways to determine the flow label value (intercepting the
protocol used to configure the Flow label Value, or intercepting
routing) are things that can be handled using appropriate AAA technology
for the routing protocol and DHCP/DHCPv6.</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t></t>
</section>
<section anchor="log" title="Change Log">
<t><list style="hanging">
<t hangText="Initial Version:">February 2013</t>
<t hangText="First update:">Updated to refer to <xref
target="I-D.acee-ospfv3-tlv-extend"></xref></t>
</list></t>
</section>
</middle>
<back>
<!-- references split to informative and normative -->
<references title="Normative References">
<?rfc include="reference.RFC.2119"?>
<?rfc include="reference.RFC.2460"?>
<?rfc include="reference.RFC.5340" ?>
<!-- rfc include = "reference.I-D.acee-ospfv3-tlv-extend" -->
<reference anchor="I-D.acee-ospfv3-tlv-extend">
<front>
<title>OSPFv3 LSA Extendibility</title>
<author fullname="Acee Lindem" initials="A." surname="Lindem">
<organization>Ericsson</organization>
<address>
<postal>
<street>102 Carric Bend Court</street>
<city>Cary</city>
<region>NC</region>
<country>USA</country>
<code>27519</code>
</postal>
<email>acee.lindem@ericsson.com</email>
</address>
</author>
<author fullname="Sina Mirtorabi" initials="S." surname="Mirtorabi">
<organization>Cisco Systems</organization>
<address>
<postal>
<street>170 Tasman Drive</street>
<city>San Jose</city>
<region>CA</region>
<country>USA</country>
<code>95134</code>
</postal>
<email>sina@cisco.com</email>
</address>
</author>
<author fullname="Abhay Roy" initials="A." surname="Roy">
<organization>Cisco Systems</organization>
<address>
<postal>
<street>170 Tasman Drive</street>
<city>San Jose</city>
<region>CA</region>
<country>USA</country>
<code>95134</code>
</postal>
<email>akr@cisco.com</email>
</address>
</author>
<author fullname="Fred Baker" initials="F." surname="Baker">
<organization>Cisco Systems</organization>
<address>
<postal>
<street></street>
<city>Santa Barbara</city>
<region>CA</region>
<country>USA</country>
<code>93117</code>
</postal>
<email>fred@cisco.com</email>
</address>
</author>
<date month="April" year="2013" />
<abstract>
<t></t>
</abstract>
</front>
</reference>
</references>
<references title="Informative References">
<reference anchor="PATRICIA">
<front>
<title>Practical Algorithm to Retrieve Information Coded in
Alphanumeric</title>
<author fullname="D.R. Morrison" initials="D.R." surname="Morrison">
<organization>Association for Computing Machinery</organization>
</author>
<date month="October" year="1968" />
</front>
<seriesInfo name="Journal of the ACM" value="15(4) pp514-534" />
<format target="http://www.csse.monash.edu.au/~lloyd/tildeAlgDS/Tree/PATRICIA/"
type="HTML" />
</reference>
<?rfc include="reference.RFC.1809" ?>
<?rfc include="reference.RFC.6294" ?>
<?rfc include="reference.RFC.6436" ?>
<?rfc include="reference.RFC.6437" ?>
<?rfc include="reference.RFC.6438" ?>
</references>
<section anchor="rbac"
title="Use case: Data Center Role-based Access Control">
<t>Consider a data center in which IPv6 is deployed throughout using
internet routing technologies instead of tunnels, and the Flow Label is
used to identify tenants, as discussed in <xref
target="label-security"></xref>. Hosts are required, by configuration if
necessary, to know their own tenant number and the numbers of any
tenants they are authorized to communicate with. When they originate a
datagram, they send it to their peer's destination address and label it
with their peer's tenant id. They, or their router on their behalf,
advertise their own addresses as traffic classes <list style="empty">
<t>{destination prefix, Tenant Flow Label }</t>
</list></t>
<t>The net effect is that traffic is routed among tenants that are
authorized to communicate, but not among tenants that are not authorized
to communicate - there is no route. This is done without tunnels, access
lists, or other data plane overhead; the overhead is in the control
plane, equipping authorized parties to communicate.</t>
</section>
<section title="FIB Design">
<t>While the design of the Forwarding Information Base is not a matter
for standardization, as it only has to work correctly, not interoperate
with something else, the design of a FIB for this type of lookup may
differ from approaches used in destination routing. We describe two
possible approaches from the perspective of a proof of concept. These
are a staged lookup and a single FIB.</t>
<section title="Staged Lookup">
<t>A FIB can be designed as a staged lookup. Given that it is unlikely
that any given destination would support very many tenants, a simple
list or small hash may be sufficient; one looks up the destination,
and having found it, validates the flow label used. In such a design,
it is necessary to have the option of "any" flow label in addition to
the set of specified flow labels, as it is legal and correct to
advertise routes that do not have flow labels.</t>
</section>
<section title="PATRICIA">
<t>One approach is a <xref target="PATRICIA"></xref> Tree. This is a
relative of a Trie, but unlike a Trie, need not use every bit in
classification, and does not need the bits used to be contiguous. It
depends on treating the bit string as a set of slices of some size,
potentially of different sizes. Slice width is an implementation
detail; since the algorithm is most easily described using a slice of
a single bit, that will be presumed in this description.</t>
<section title="Virtual Bit String">
<t>It is quite possible to view the fields in a datagram header
incorporated into the classification tuple as a virtual bit string
such as is shown in <xref target="conceptual"></xref>. This bit
string has various regions within it. Some vary and are therefore
useful in a radix tree lookup. Some may be essentially constant -
all global IPv6 addresses at this writing are within 2000::/3, for
example, so while it must be tested to assure a match, incorporating
it into the radix tree may not be very helpful in classification.
Others are ignored; if the destination is a remote /64, we really
don't care what the EID is. In addition, due to variation in prefix
length and other details, the widths of those fields vary among
themselves. The algorithm the FIB implements, therefore, must
efficiently deal with the fact of a discontiguous lookup key.</t>
<figure anchor="conceptual"
title="Treating a traffic class as a virtual bit string">
<artwork align="center"><![CDATA[
+---------------------+----------------------+-----+-----------+
|Destination Prefix |Source Prefix |DSCP | Flow Label|
+------+------+-------+------+-------+-------+-----+-----------+
Common|Varying|Ignored|Common|Varying|Ignored|Varying or ignored
]]></artwork>
</figure>
</section>
<section title="Tree Construction">
<t>The tree is constructed by recursive slice-wise decomposition. At
each stage, the input is a set of classes to be classified. At each
stage, the result is the addition of a lookup node in the tree that
identifies the location of its slice in the virtual bit string
(which might be a bit number), the width of the slice to be
inspected, and an enumerated set of results. Each result is a
similar set of classes, and is analyzed in a similar manner.</t>
<t>The analysis is performed by enumerating which bits that have not
already been considered are best suited to classification. For a
slice of N bits, one wants to select a slide that most evenly
divides the set of classes into 2^N subsets. If one or more bits in
the slice is ignored in some of the classes, those classes must be
included in every subset, as the actual classification of them will
depend on other bits.</t>
<figure anchor="patricia-tree" title="Example PATRICIA Tree">
<artwork align="center"><![CDATA[
Input:{2001:db8::/32, ::/0, *, *}
{2001:db8:1::/48, ::/0, AF41, *}
{2001:db8:1::/48, ::/0, AF42, *}
{2001:db8:1::/48, ::/0, AF43, *}
Common parts: Destination prefix 2001:dba, source prefix, and label
Varying parts: DSCP and the third set of sixteen bits in the
destination prefix
One possible decomposition:
(1) slice = DSCP
enumerated cases:
(a) { {2001:db8::/32, ::/0, *, *}, {2001:db8:1::/48, ::/0, AF41, *} }
(b) { {2001:db8::/32, ::/0, *, *}, {2001:db8:1::/48, ::/0, AF42, *} }
(c) { {2001:db8::/32, ::/0, *, *}, {2001:db8:1::/48, ::/0, AF43, *} }
(2) slice = third sixteen bit field in destination
This divides each enumerated case into those containing 0001 and
"everything else", which would imply 2001:db8::/32
(1) DSCP
--------------------------
(1a) (1b) (1c)
/ \ / \ / \
/32 /48 /32 /48 /32 /48
]]></artwork>
</figure>
</section>
<section title="Tree Lookup">
<t>To look something up in a PATRICIA Tree, one starts at the root
of the tree and performs the indicated comparisons recursively
walking down the tree until one reaches a terminal node. When the
enumerated subset is empty or contains only a single class,
classification stops. Either classification has failed (there was no
matching class, or one has presumably found the indicated class. At
that point, every bit in the virtual bit string must be compared to
the classifier; classification is accepted on a perfect match.</t>
<t>In the example in <xref target="patricia-tree"></xref>, if a
packet {2001:db8:1:2:3:4:5:6, 2001:db8:2:3:4:5:6:7, AF41, 0}
arrives, we start at the root. Since it is an AF41 packet, we deduce
that case (1a) applies, and since the destination has 0001 in the
third sixteen bit field of the destination address, we are comparing
to {2001:db8:1::/48, ::/0, AF41, *}. Since the destination address
is within 2001:db8:1::/48, classification as that succeeds.</t>
</section>
</section>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 20:53:40 |