Internet-Draft Abbreviated Title January 2025
Yu Expires 5 July 2025 [Page]
Workgroup:
Source Packet Routing in Networking
Internet-Draft:
draft-yu-spring-srv6-gbp-00
Published:
Intended Status:
Standards Track
Expires:
Author:
T. Yu, Ed.

SRv6 Group Based Policy

Abstract

This document extends the Segment Routing over IPv6 (SRv6) Network Programming framework [RFC8986] by incorporating group-based policy capabilities.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 5 July 2025.

Table of Contents

1. Introduction

The Group-based Policy (GBP) [GROUPBASEDPOLICY] initially was .It abstractions provide an intent-driven declarative policy model that presents simplified application-oriented interfaces to the user. Group-Based Policy (GBP) is a critical concept in networking and security, particularly in environments like Software-Defined Networking (SDN), cloud computing, and enterprise networks. It provides a flexible and scalable way to manage network policies based on groups of endpoints rather than individual devices, IP addresses, or flows.

2. Specification of Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Terminology

GBP: Group-based Policy described in [GROUPBASEDPOLICY]

EVPN: BGP MPLS-Based Ethernet VPN defined in [RFC7432].

4. SRv6 SIDs with GBP

This documents defines the behaviors of END.DX6 with GBP, END.DX4 with GBP, END.DT6 with GBP, END.DT4 with GBP, END.DT46 with GBP, END.DT2U with GBP by allowing these SID behaviors taking an argument: "Arg.Src-GBP-ID". The Src-GBP-ID info allows endpoint node to determine the behavior (allowed or denied) when traffic is being forwarded to specific host. The allocation of the GBP-id argument values planned gloabally, and the behavior of traffic from one Src-GBP-ID to another Dst-GBP-ID is specified locally. The SRv6 SIDs with the GBP argument mentioned in this document is not signaled to other nodes via the control plane, which means they are local significant only. The control plane process described in [RFC9252] still applies.

Group 0 is the default group based policy ID. If no group based policy is specified, then value 0 is used. The default behavior of the group 0 is implementation defined and SHOULD be configurable (allowed/denied).

4.1. END.DX6 with GBP

When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DX6 with GBP SID, N does the following:


S01. If (Upper-Layer header type == 41(IPv6) ) {
S02.    Remove the outer IPv6 header with all its extension headers
S03.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S04.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S05.    If (Matched){
S06.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S07.    } Else {
S08.        Forward the exposed IPv6 packet to the L3 adjacency J
S09.    }
S10. } Else {
S11.    Process as per Section 4.1.1 in RFC8986
S12. }

4.2. END.DX4 with GBP

When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DX4 with GBP SID, N does the following:


S01. If (Upper-Layer header type == 4(IPv4) ) {
S02.    Remove the outer IPv6 header with all its extension headers
S03.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S04.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S05.    If (Matched){
S06.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S07.    } Else {
S08.        Forward the exposed IPv4 packet to the L3 adjacency J
S09.    }
S10. } Else {
S11.    Process as per Section 4.1.1 in RFC8986
S12. }

4.3. End.DT6 with GBP

When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT6 with GBP SID, N does the following:


S01. If (Upper-Layer header type == 41(IPv6) ) {
S02.    Remove the outer IPv6 header with all its extension headers
S03.    Set the packet's associated FIB table to T
S04.    Submit the packet to the egress IPv6 FIB lookup and get destination oIF
S05.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S06.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S07.    If (Matched){
S08.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S09.    } Else {
S10.        Forward the exposed IPv6 packet to the oIF.
S11.    }
S12. } Else {
S13.    Process as per Section 4.1.1 in RFC8986
S14. }

An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria.


S01. If (Upper-Layer header type == 41(IPv6) ) {
S02.    Remove the outer IPv6 header with all its extension headers
S03.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S04.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S05.    If (Matched){
S06.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S07.    } Else {
S08.        Set the packet's associated FIB table to T
S09.        Submit the packet to the egress IPv6 FIB lookup for transmission to the new destination
S10.    }
S11. } Else {
S12.    Process as per Section 4.1.1 in RFC8986
S13. }

4.4. End.DT4 with GBP

When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT4 with GBP SID, N does the following:


S01. If (Upper-Layer header type == 4(IPv4) ) {
S02.    Remove the outer IPv6 header with all its extension headers
S03.    Set the packet's associated FIB table to T
S04.    Submit the packet to the egress IPv6 FIB lookup and get destination oIF
S05.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S06.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S07.    If (Matched){
S08.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S09.    } Else {
S10.        Forward the exposed IPv4 packet to the oIF.
S11.    }
S12. } Else {
S13.    Process as per Section 4.1.1 in RFC8986
S14. }

An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria.


S01. If (Upper-Layer header type == 4(IPv4) ) {
S02.    Remove the outer IPv6 header with all its extension headers
S03.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S04.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S05.    If (Matched){
S06.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S07.    } Else {
S08.        Set the packet's associated FIB table to T
S09.        Submit the packet to the egress IPv4 FIB lookup for transmission to the new destination
S10.    }
S11. } Else {
S12.    Process as per Section 4.1.1 in RFC8986
S13. }

4.5. End.DT46 with GBP

When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT46 with GBP SID, N does the following:


S01. If (Upper-Layer header type == 4(IPv4) ) {
S02.    Remove the outer IPv6 header with all its extension headers
S03.    Set the packet's associated FIB table to T
S04.    Submit the packet to the egress IPv6 FIB lookup and get destination oIF
S05.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S06.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S07.    If (Matched){
S08.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S09.    } Else {
S10.        Forward the exposed IPv4 packet to the oIF.
S11.    }
S12. } Else If (Upper-Layer header type == 41(IPv6) ) {
S13.    Remove the outer IPv6 header with all its extension headers
S14.    Set the packet's associated FIB table to T
S15.    Submit the packet to the egress IPv6 FIB lookup and get destination oIF
S16.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S17.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S18.    If (Matched){
S19.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S20.    } Else {
S21.        Forward the exposed IPv6 packet to the oIF.
S22.    }
S23. } Else {
S24.    Process as per Section 4.1.1 in RFC8986
S25. }

An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria.


S01. If (Upper-Layer header type == 4(IPv4) ) {
S02.    Remove the outer IPv6 header with all its extension headers
S03.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S04.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S05.    If (Matched){
S06.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S07.    } Else {
S08.        Set the packet's associated FIB table to T
S09.        Submit the packet to the egress IPv4 FIB lookup for transmission to the new destination
S10.    }
S11. } Else If (Upper-Layer header type == 41(IPv6) ) {
S12.    Remove the outer IPv6 header with all its extension headers
S13.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S14.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S15.    If (Matched){
S16.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S17.    } Else {
S18.        Set the packet's associated FIB table to T
S19.        Submit the packet to the egress IPv6 FIB lookup for transmission to the new destination
S20.    }
S21. } Else {
S22.    Process as per Section 4.1.1 in RFC8986
S23. }

4.6. End.DT2U with GBP

When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT4 SID, N does the following:


S01. If (Upper-Layer header type == 143(Ethernet) ) {
S02.    Remove the outer IPv6 header with all its extension headers
S03.    Learn the exposed MAC Source Address in L2 table T
S04.    Look up the exposed MAC Destination Address in L2 table T
S05.    If (matched entry in T with destination oIF) {
S06.        Search GBP matching table with exposed packet and get Dst-GBP-ID
S07.        Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S08.        If (Matched){
S09.            Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S10.        } Else {
S11.            Forward the exposed packet to oIF
S12.        }
S13.    } Else {
S14.       Forward via all L2 OIFs in table T
S15.    }
S16. } Else {
S17.    Process as per Section 4.1.1 in RFC8986
S18. }

An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria.


S01. If (Upper-Layer header type == 143(Ethernet) ) {
S02.    Remove the outer IPv6 header with all its extension headers
S03.    Learn the exposed MAC Source Address in L2 table T
S04.    Search GBP matching table with exposed packet and get Dst-GBP-ID
S05.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
S06.    If (Matched){
S07.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
S08.    } Else {
S09.        Look up the exposed MAC Destination Address in L2 table T
S10.        If (matched entry in T with destination oIF){
S11.            Forward the exposed packet to oIF
S12.        } Else {
S13.       Forward via all L2 OIFs in table T
S14.       }
S15.   } Else {
S16.    Process as per Section 4.1.1 in RFC8986
S17.   }
S18. }

5. Source Node Behavior

The souce node can use various clarification methods to identify the Src-GBP-ID of a host it belongs to.

When encapsulating the SRv6 header, the Src-GBP-ID is encapsulated into the argument part of the packet.

6. IANA Considerations

This document requests the IANA to allocate, within the "SRv6 Endpoint Behaviors" sub-registry beloto the top-level "Segment-routing with IPv6 dataplane (SRv6) Parameters" registry, the following allocations:

Table 1
Value Description Reference
TBA1 END.DX6 with GBP [This document]
TBA2 END.DX4 with GBP [This document]
TBA3 END.DT6 with GBP [This document]
TBA4 END.DT4 with GBP [This document]
TBA4 END.DT46 with GBP [This document]
TBA4 END.DT2U with GBP [This document]

7. Security Considerations

The mechanism described in this document leverage the security rules defined in Section 7 of RFC8986 [RFC8986].

8. References

8.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC8986]
Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer, D., Matsushima, S., and Z. Li, "Segment Routing over IPv6 (SRv6) Network Programming", RFC 8986, DOI 10.17487/RFC8986, , <https://www.rfc-editor.org/info/rfc8986>.

8.2. Informative References

[GROUPBASEDPOLICY]
OpenStack, "Group Based Policy", , <https://wiki.openstack.org/wiki/GroupBasedPolicy>.
[RFC7432]
Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, , <https://www.rfc-editor.org/info/rfc7432>.
[RFC9252]
Dawra, G., Ed., Talaulikar, K., Ed., Raszuk, R., Decraene, B., Zhuang, S., and J. Rabadan, "BGP Overlay Services Based on Segment Routing over IPv6 (SRv6)", RFC 9252, DOI 10.17487/RFC9252, , <https://www.rfc-editor.org/info/rfc9252>.

Appendix A. Appendix 1 Examples of GBP Usage

This section describes the examples of GBP usage. An implementation is not enforced to achieve all scenarios mentioned in this section.

Example 1: Deny traffic from specific Src-GBP-ID = 100 (e.g. traffic from guest network)

rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = any, action: deny

Example 2: Deny traffic from specific Src-GBP-ID = 100 to Dst-GBP-ID = 200 (e.g. traffic from untrusted host to server)

rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: deny

Example 3: Redirect L3 traffic from specific Src-GBP-ID = 100 to Dst-GBP-ID = 200 (e.g. to a cleaning device)

rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: redirect

Example 4: RSPAN traffic from specific Src-GBP-ID = 100 to Dst-GBP-ID = 200 (e.g. to a monitoring device)

rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: RSPAN

Author's Address

Tianpeng Yu (editor)