draft-hares-idr-flowspec-v2-ddos-00.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC0791 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.0791.xml">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC3032 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3032.xml">
<!ENTITY RFC4271 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4271.xml">
<!ENTITY RFC4360 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4360.xml">
<!ENTITY RFC4760 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4760.xml">
<!ENTITY RFC5065 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5065.xml">
<!ENTITY RFC5701 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5701.xml">
<!ENTITY RFC6241 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6241.xml">
<!ENTITY RFC6482 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6482.xml">
<!ENTITY RFC7153 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7153.xml">
<!ENTITY RFC7606 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7606.xml">
<!ENTITY RFC8040 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8040.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC8205 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8205.xml">
<!ENTITY RFC8206 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8206.xml">
<!ENTITY RFC8955 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8955.xml">
<!ENTITY RFC8956 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8956.xml">
<!ENTITY RFC9015 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9015.xml">
<!ENTITY RFC9117 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9117.xml">
<!ENTITY RFC9015 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9015.xml">
<!ENTITY RFC9184 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9184.xml">
<!ENTITY I-D.ietf-idr-wide-bgp-communities SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-idr-wide-bgp-communities.xml">
<!ENTITY I-D.ietf-idr-flowspec-l2vpn SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-idr-flowspec-l2vpn.xml">
<!ENTITY I-D.ietf-idr-flowspec-nvo3 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-idr-flowspec-nvo3.xml">
<!ENTITY I-D.ietf-idr-flowspec-srv6 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-idr-flowspec-srv6.xml">
<!ENTITY I-D.ietf-idr-flowspec-mpls-match SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-idr-flowspec-mpls-match.xml">
<!ENTITY I-D.ietf-idr-bgp-flowspec-label SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-idr-bgp-flowspec-label.xml">
<!ENTITY I-D.ietf-idr-flowspec-interfaceset SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-idr-flowspec-interfaceset.xml">
<!ENTITY I-D.ietf-idr-flowspec-path-redirect SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-idr-flowspec-path-redirect.xml">
<!ENTITY I-D.ietf-idr-flowspec-v2 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-idr-flowspec-v2.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc iprnotified="no" ?>
<?rfc strict="no" ?>
<rfc category="std" docName="draft-hares-idr-flowspec-v2-ddos-00"  ipr="trust200902">
  <front>
    <title abbrev="BGP FlowSpec v2">BGP Flow Specification Version 2 </title>
    <author fullname="Susan Hares" initials="S" surname="Hares">
      <organization>Hickory Hill Consulting</organization>
      <address>
        <postal>
          <street>7453 Hickory Hill</street>
          <city>Saline</city>
          <region>MI</region>
          <code>48176</code>
          <country>USA</country>
        </postal>
		<phone>+1-734-604-0332</phone>
        <email>shares@ndzh.com</email>
      </address>
    </author>
	<author fullname="Donald Eastlake" initials="D" surname="Eastlake">
      <organization>Futurewei Technologies</organization>
      <address>
        <postal>         
		<street>2386 Panoramic Circle</street>
          <city>Apopka</city>
          <region>FL</region>
          <code>32703</code>
          <country>USA</country>
        </postal>
		<phone>+1-508-333-2270</phone>
        <email>d3e3e3@gmail.com</email>
      </address>
    </author>
	<author fullname="Chaitanya Yadlapalli" initials="C" surname="Yadlapalli">
      <organization>ATT</organization>	
	    <address>
        <postal>         
		<street></street>
          <city></city>
          <region></region>
          <code></code>
          <country>USA</country>
        </postal>
        <email>cy098d@att.com</email>
      </address>
	  </author>
     <author fullname="Sven Maduschke" initials="S" surname="Maduscke" >
      <organization> Verizon</organization>	
	    <address>
        <postal>         
		<street></street>
          <city></city>
          <region></region>
          <code></code>
          <country>DE</country>
        </postal>
        <email>sven.maduschke@de.verizon.com</email>
      </address>
	 </author> 
    <date year="2023" />
    <area>Routing Area</area>
    <workgroup>IDR Working Group</workgroup>
    <keyword>RFC</keyword>
    <keyword>Request for Comments</keyword>
    <keyword>I-D</keyword>
    <keyword>Internet-Draft</keyword>
    <keyword>BGP Flow Specification</keyword>
	<abstract>
	   <t>BGP flow specification version 1 (FSv1), defined in RFC 8955, RFC 8956, and 
	  RFC 9117 describes the distribution of traffic filter policy (traffic 
	  filters and actions) distributed via BGP. During the deployment of BGP FSv1 
	  a number of issues were detected, so version 2 of the BGP 
	  flow specification (FSv2) protocol addresses these features.  In order to 
	  provide a clear demarcation between FSv1 and FSv2, a different NLRI
		encapsulates FSv2.  
	   </t>
	    <t>IDR requires two implementations prior to standardization. 
		Implementers feedback on FSv2 was that the complete FSv2 has the 
		contains the correct information, but that breaking FSv2 into 
        a progression of documents would be helpful. The first priority in 
        this progression is expanded IP DDOS capabilities. This document 
		contains original FSv2 IP DDOS capabilities in FlowSpec v2
        using just the extended communities to define actions. 		
	   </t>
    </abstract>
  </front>
  <middle>
<section anchor="intro" title="Introduction">
      <t>
	  Version 2 of BGP flow specification was original defined in 
	  <xref target="I-D.ietf-idr-flowspec-v2"></xref> (denoted FSv2).  However, the full 
	  FSv2 specification contains more than initial implementers desired.  Therefore, the 
	  original FSv2 draft will remain a WG draft, but the content will be split out into 
	  functions that implementers can manage.
	  </t> 
	  <t>This draft provides the FSv2 specification for DDOS for IP filtering 
	  using Extended communities with the following action features: 
	  <list style="symbols"> 
	  <t>Minimal ordering of actions (4 actions) </t>
	  <t>Failure instructions (continue or stop) </t> 
	  </list> 
	  This flowspecification will be denoted as FSv2-DDOS. As  
	  </t> 
	  <t>BGP FSv1 as defined in <xref target="RFC8955"></xref>, <xref target="RFC8956"></xref>, and 
	    <xref target="RFC9117"></xref> specified 2 SAFIs (133, 134) 
		to be used with IPv4 AFI (AFI = 1) and IPv6 AFI (AFI=2). 
	  </t>
	  <t>
	  This document specifies 2 new SAFIs (TBD1, TBD2) for FSv2 to be used with 5 AFIs   
	  (1, 2, 6, 25, and 31) to allow user-ordered lists of traffic match filters for user-ordered 
	  traffic match actions encoded in Communities (Wide or Extended). 
	  </t>
	  <t>
	  FSv1 and FSv2 use different AFI/SAFIs to send flow specification filters.  Since BGP  
	  route selection is performed per AFI/SAFI, this approach can be 
	  termed “ships in the night” based on AFI/SAFI. 
	  </t>	  
<section anchor="introFSv2" title="Why Flow Specification v2">
      <t> 
	  Modern IP routers have the capability to forward traffic and to classify, 
	  shape, rate limit, filter, or redirect packets based on administratively 
	  defined policies. These traffic policy mechanisms allow the operator 
	  to define match rules that operate on multiple fields within header 
	  of an IP data packet.  The traffic policy allows actions 
	  to be taken upon a match to be associated with each match rule.  
	  These rules can be more widely defined as “event-condition-action” 
	  (ECA) rules where the event is always the reception of a packet.  
	  </t>
	  <t>BGP (<xref target="RFC4271"></xref>) flow specification as defined by
	   <xref target="RFC8955"></xref>, <xref target="RFC8956"></xref>,  
	   <xref target="RFC9117"></xref> specifies the distribution of traffic filter policy (traffic 
	   filters and actions) via BGP to a mesh of BGP peers (IBGP and EBGP peers). 
	   The traffic filter policy is applied when packets are received on a router 
	   with the flow specification function turned on. The flow specification 
	   protocol defined in <xref target="RFC8955"></xref>, <xref target="RFC8956"></xref>, and 
	    <xref target="RFC9117"></xref> will be called BGP 
		flow specification version 1 (BGP FSv1) in this draft.
	 </t> 
	  <t> Some modern IP routers also include the abilities of firewalls which can 
	  match on a sequence of packet events based on administrative policy. These 
	  firewall capabilities allow for user ordering of match rules and user 
	  ordering of actions per match.  
	  </t>
	  <t>
	  Multiple deployed applications currently use BGP FSv1 to distribute traffic 
	  filter policy.  These applications include: 1) mitigation of Denial of 
	  Service (DoS), 2) traffic filtering in BGP/MPLS VPNS, and 3) centralized 
	  traffic control for networks utilizing SDN control of router firewall 
	  functions, 4) classifiers for insertion in an SFC, and 5) filters for SRv6 (segment routing v6).      
	  </t>
	  <t>During the deployment of BGP flow specification 
	  v1, the following issues were detected:  
	  <list style="symbols"> 
	  <t>lack of consistent TLV encoding prevented extension of encodings,   </t>
	  <t>inability to allow user defined order for filtering rules,</t>
	  <t>inability to order actions to provide deterministic interactions 
	    or to allow users to define order for actions, and</t>
	  <t>no clearly defined mechanisms for BGP peers which do 
	    not support flow specification v1.</t>
	  </list>
	  </t>
	  <t>
	  Networks currently cope with some of these issues by limiting the type of 
	  traffic filter policy sent in BGP.  Current Networks do not have a good 
	  workaround/solution for applications that receive but do not understand FSv1 
	  policies.  
	  </t>
	  <t>
	  FSv1 is a critical component of deployed applications. Therefore, this 
	  specification defines how FSv2 will interact with BGP peers that support 
	  either FSv2, FSv1, FSv2 and FSv1,or neither of them.  
	  It is expected that a transition to FSv2 will occur over time as new 
	  applications require FSv2 extensibility and user-defined ordering for rules 
	  and actions or network operators tire of the restrictions of FSv1 such as error 
	  handling issues and restricted topologies. 
	  </t>
	 <t>
	 Section 2 contains the definition of Flow specification, a short review of FSv1 and an overview of FSv2.  
	 Section 3 contains the encoding rules for FSv2 and user-based encoding sent via BGP.  Section 4 describes how to 
	 validate FSv2 NLRI. Section 5 discusses how to order FSV2 rules.  Section 6 covers combining 
	 FSv2 user-ordered match rules and FSv1 rules.  Section 6 also discusses how to combine 
	 user-ordered actions, FSv1 actions, and default actions.  Sections 7-10 address an 
	 alternate security mechanism, considerations for IANA, security in deployments, and scalability aspirations. 
	 </t>
	 </section> 
	 <section title="Definitions and Acronyms">
      <t><list>
  		  <t>AFI - Address Family Identifier</t>
		  <t>AS - Autonomous System </t>
		  <t>BGPSEC - secure BGP <xref target="RFC8205"></xref> updated by <xref target="RFC8206"></xref> </t>
  		  <t>BGP Session ephemeral state - state which does not survive the loss of BGP peer session.</t>
		  <t>Configuration state - state which persist across a reboot of software module within 
		      a routing system or a reboot of a hardware routing device.</t>
		  <t>DDOs - Distributed Denial of Service.</t>
		  <t>Ephemeral state - state which does not survive the reboot of a software module,
		   or a hardware reboot. Ephemeral state can be ephemeral configuration state or 
		   operational state.</t>
		  <t>FSv1 - Flow Specification version 1 [RFC8955] [RFC8956] </t>
  		  <t>FSv2 - Flow Specification version 2 (this document) </t>
		  <t>NETCONF - The Network Configuration Protocol <xref target="RFC6241"></xref>.</t>
		  <t>RESTCONF - The RESTCONF configuration Protocol <xref target="RFC8040"></xref> </t>
		  <t>RIB - Routing Information Base.</t>
		  <t> ROA -  Route Origin Authentication <xref target="RFC6482"></xref></t>
		  <t>RR - Route Reflector.</t>
		  <t> SAFI – Subsequent Address Family Identifier </t>
        </list>
		</t>
    </section>
     <section title="RFC 2119 language">
	 <t>   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 <xref target="RFC2119"></xref>
   <xref target="RFC8174"></xref> when, and only when, they appear in all capitals as shown here.    
	 </t>
	 </section> 
</section>
<section title="Flow Specification Version 2 Primer ">
 <t>
 A BGP Flow Specification (v1 or v2) is an n-tuple containing one or more match criteria 
 that can be applied to IP traffic, traffic encapsulated in IP traffic or 
 traffic associated with IP traffic.  The following are
examples of such traffic: IP packet or an IP packet 
inside a L2 packet (Ethernet), an MPLS packet, and SFC flow.   
 </t>
 <t>
 A given Flow Specification NLRI may be associated with a set of path 
attributes depending on the particular application, and attributes within
that set may or may not include reachability information (e.g., NEXT_HOP). 
FSv1 and FSv2-DDOS use only the Extended Community to 
encode a set of pre-determined actions.  The full FSv2 uses either 
Extended Communities or Wide Communities to encode actions. 
 </t>
 <t>
 A particular application is identified by a specific AFI/SAFI (Address 
 Family Identifier/Subsequent Address Family Identifier) and corresponds to a 
 distinct set of RIBs. Those RIBs should be treated independently of each 
 other in order to assure noninterference between distinct applications. 
 </t>
 <t>
 BGP processing treats the NLRI as a key to entries in AFI/SAFI BGP 
 databases.   Entries that are placed in the Loc-RIB are then associated with 
 a given set of semantics which are application dependent. Standard BGP 
 mechanisms such as update filtering by NLRI or by attributes such as AS_PATH or 
 large communities apply to the BGP Flow Specification defined NLRI-types.  
 </t>
 <t>
 Network operators can control the propagation of BGP routes by enabling or 
 disabling the exchange of routes for a particular AFI/SAFI pair on a 
 particular peering session.  As such, the Flow Specification may be 
 distributed to only a portion of the BGP infrastructure. 
 </t>
<section title="Flow Specification v1  (FSv1) Overview">
	  <t>
	  The FSv1 NLRI defined in <xref target="RFC8955"></xref> and <xref target="RFC8956"></xref> 
      include 13 match conditions encoded for the following AFI/SAFIs: 
	  <list style="symbol">
	  <t>IPv4 traffic: AFI:1, SAFI:133 </t>
	  <t>IPv6 Traffic: AFI:2,  SAFI:133 </t>
	  <t>BGP/MPLS IPv4 VPN: AFI:1, SAFI: 134	 
	  </t>
	  <t> BGP/MPLS IPv6 VPN: AFI:2, SAFI: 134</t>
	  </list>
	  </t>
	  <t>If one considers the reception of the packet as an event,
	  then BGP FSv1 describes a set of 
	  Event-MatchCondition-Action (ECA) policies where: 
	  <list style="symbol">
	  <t>event is the reception of a packet, </t>
	  <t>condition stands for “match conditions” defined in the BGP NLRI as an n-tuple of component filters, and </t>
	  <t>the action is either: the default condition (accept traffic), or a set of actions (1 or more)
	   	  defined in Extended BGP Community values <xref target="RFC4360"></xref>.
	  </t>
	  </list>
	  </t>
	 <t>
	 The flow specification conditions and actions combine to make up FSv1 specification rules. Each FSv1 NLRI must 
	 have a type 1 component (destination prefix).  Extended Communities with FSv1 actions can be attached 
	 to a single NLRI or multiple NLRIs in a BGP message
	 </t> 
	  <t>
	  Within an AFI/SAFI pair, FSv1 rules are ordered based on the components in 
	  the packet (types 1-13) ordered from left-most to right-most and within the 
	  component types by value of the component. Rules are inserted in the rule
	  list by component-based order where an FSv1 rule with existing component type has 
	  higher precedence than one missing a specific component type, 	  
	  </t>
	  <t>
	  Since FSv1 specifications (<xref target="RFC8955"></xref>, <xref target="RFC8956"></xref>, and 
	  <xref target="RFC9117"></xref>) specify that the FSv1 NLRI MUST have a destination prefix 
	 (as component type 1) embedded in the flow specification, the FSv1 rules with destination 
	 components are ordered by IP Prefix comparison rules for IPv4 (<xref target="RFC8955"></xref>)
     and IPv6 (<xref target="RFC8956"></xref>). <xref target="RFC8955"></xref>
	 specifies that more specific prefixes (aka longest match) have higher precedence than 
	 that of less specific prefixes and that for prefixes of the same length the lower IP number 
	 is selected (lowest IP value).  <xref target="RFC8955"></xref> specifies that if the 
	 offsets within component 1 are the same, then the longest match and lowest IP comparison rules from 
	 <xref target="RFC8955"></xref> apply.  If the offsets are different, then the lower offset has precedence.  
	  </t>
	  <t>
	  These rules provide a set of FSv1 rules ordered by IP Destination Prefix 
	  by longest match and lowest IP address. 	 <xref target="RFC8955"></xref>
	  also states that the requirement for a destination prefix component “MAY be relaxed by explicit configuration” 
	  Since the rule insertions are based on comparing component types between two rules in order, 
	  this means the rules without destination prefixes are inserted after all rules which 
	  contain destination prefix component.
	  </t>

	  <t>
	 The actions specified in FSv1 are:
	 <list style="symbols">
	 <t>accept packet (default),</t>
	 <t>traffic flow limitation by bytes (0x6), </t>
	 <t>traffic-action (0x7),</t>
	 <t>redirect traffic (0x8),</t>
	 <t>mark traffic (0x9), and </t>
     <t>traffic flow limitation by packets (12, 0xC)</t>
	 </list>
	 </t> 
	 <t> Figure 1 shows a diagram of the FSv1 logical data structures
       with 5 rules.  If FSv1 rules have destination prefix components 
       (type=1) and FSv1 rule 5 does not have a destination prefix, 
        then FSv1 rule 5 will be inserted in the policy after rules 1-4.	   
<figure>
<artwork>
 
     +--------------------------------------+
     | Flow Specification (FS)              | 
     |  Policy                              | 
     +--------------------------------------+	
       	 ^               ^              ^
         |               |              | 
         |               |              |   
+--------^----+  +-------^-------+     +-------------+    
|   FS Rule 1 |  |   FS Rule 2   | ... |  FS rule 5  |
+-------------+  +---------------+     +-------------+
                    :          :        
                    :          :        
                 ...:          :........   
                 :                     :
       +---------V---------+      +----V-------------+
       |  Rule Condition   |      |   Rule Action    |
       |  in BGP NLRIs     |      | in BGP extended  |
       | AFIs: 1 and 2     |      | Communities      |
       | SAFI 133, 134     |      |                  | 
       +-------------------+      +------------------+
           :     :    :                 :      :    :
      .....:     .    :.....       .....:      .    :.....
      :          :         :       :           :         :
 +----V---+  +---V----+ +--V---+ +-V------+ +--V-----++--V---+
 |  Match |  | match  | |match | | Action | | action ||action|
 |Operator|  |Variable| |Value | |Operator| |variable|| Value|
 |*1      |  |        | |      | |(subtype| |        ||      |
 +--------+  +--------+ +------+ +--------+ +--------++------+
 
   *1 match operator may be complex. 
 
   Figure 2-1: BGP Flow Specification v1 Policy 
</artwork>
</figure>
</t>
</section>
<section title="Flow Specification v2 (FSv2) Overview">
<t>
Flow Specification v2 allows the user to order the flow specification rules and the actions 
associated with a rule. Each FSv2 rule may have one or more match conditions 
and one or more associated actions. 
The IDR WG draft <xref target="I-D.ietf-idr-flowspec-v2"></xref> 
contains the complete solution for FSv2. However, this complete solution makes 
implementation of these features a large task so, please see the next section on 
how the complete solution is broken into a series of solutions. 
This section describres the complete solution.  
</t>
<t>
This FSv2 specification supports the components and actions for the following: 
<list style="symbols">
<t>IPv4 (AFI=1, SAFI=TBD1) [defined in FSv2-DDOS], 
</t>
<t>IPv6 (AFI=2, SAFI=TBD2) [defined in FSv2-DDOS],
</t>
<t>L2 (AFI=6, SAFI=TDB1) [defined in FSv2-L2],
</t>
<t>BGP/MPLS IPv4 VPN: (AFI=1, SAFI=TBD2),
</t>
<t> BGP/MPLS IPv6 VPN: (AFI=2, SAFI=TBD2),
</t>
<t> BGP/MPLS L2VPN (AFI=25, SAFI=TDB2) [defined in FSv2-L2], 
</t>
<t> SFC: (AFI=31, SAFI=TBD1) [defined in FSv2-SFC], and 
</t>
<t> SFC VPN (AFI=31, SAFI=TBD2) [defined in FSv2-SFC].
</t>
</list>
</t>

<t>The FSv2 specification for tunnel traffic is outside the 
scope of this specification. The FSv1 specification for tunneled 
traffic is in <xref target="I-D.ietf-idr-flowspec-nvo3"></xref>. 
The FSv2 tunnel traffic will be defined in [FSv2-Tunnel]. 
</t>
<t>FSv2 operates in the ships-in-the night model with FSv1 so network 
operators can manipulate which the distribution of FSv2 
and FSv1 using configuration parameters.  
Since the lack of deterministic ordering was an FSv1 problem, 
this specification provides rules and protocol features to keep 
filters in a deterministic order between FSv1 and FSv2. 
</t>
<t>
The basic principles regarding ordering of flow specification filter rules are: 
<list>
<t>1) Rule-0 (zero) is defined to be 0/0 with the “permit-all” action. </t>
<t>2) FSv2 rules are ordered based on user-specified order. 
<list>
<t>The user-specified order is carried in the FSv2 NLRI and a 
numerical lower value takes precedence over a numerically higher value.  
For rules received with the same order value, the FSv1 rules apply 
(order by component type and then by value of the components).  
 </t>
</list>
</t>
<t>3) FSv2 rules are added starting with Rule 1 and FSv1 rules are added after FSv2 rules 
<list>
<t>For example, BGP Peer A has FSv2 data base with 10 FSv2 rules (1-10).  FSv1 user number
is configured to start at 301 so 10 FSv1 rules are added at 301-310. 
 </t>
</list>  
</t>
<t>4) An FSv2 peer may receive BGP NLRI routes from a FSv1 peer or a BGP peer that does not support FSv1 or FSv2.  
The capabilities sent by a BGP peer indicate whether the AFI/SAFI can be received (FSv1 NLRI or FSv2 NLRI).
</t>
<t>5) Associate a chain of actions to rules based on user-defined action number (1-n).  (optional) 
<list>
<t>If no actions are associated with a filter rule, the default is to drop traffic the filter rules match</t>
<t>An action chain of 1-n actions can be associated with a set of filter rules can 
via Extended Communities or Wide Communities.  Only Wide Communities can associate a user-defined
order for the actions. Extended Community actions occur after actions with a 
user specified order (see section 5.2 for details).  
</t>    
</list> 
</t>
</list>
</t>
<t>
Figure 2-2 provides a logical diagram of the FSv2 structure
<figure>
<artwork>
 
       +--------------------------------+ 	
       |          Rule Group            | 
       +--------------------------------+			   
         ^          ^                  ^
         |          |---------         |
         |                   |         ------
         |                   |               |
+--------^-------+   +-------^-----+     +---^-----+
|      Rule1     |   |     Rule2   | ... |  Rule-n |
+----------------+   +-------------+     +---------+ 
                      :  :   :    :     
    :.................:  :   :    :
    :	       |.........:   :    :
 +--V--+    +--V--+          :    :        
 | name|    |order| .........:    :.....   
 +-----+    +-----+ :                  :
                    :                  :
   +----------------V----+  +-----V----------------+
   |Rule Match condition |  | Rule Action          |
   +---------------------+  +----------------------+
    :	   :     :    :       :      :   :   :   |
 +--V--+   :     :    :    +--V---+  :   :   :   V
 | Rule|   :     :    :    |action|  :   :   :  +-----------+
 | name|   :     :    :    |order |  :   :   :  |action name|
 +-----+   :     :    :    +------+  :   :   :  +-----------+
           :     :    :              :   :   :.............
           :     :    :              :   :                :     
      .....:     .    :.....       ..:   :......          :
      :          :         :       :           :          :
 +----V---+  +---V----+ +--V---+ +-V------+ +--V-----+ +--V---+
 |  Match |  | match  | |match | | Action | | action | |action|
 |Operator|  |variable| |Value | |Operator| |Variable| | Value|
 +--------+  +--------+ +------+ +--------+ +--------+ +------+

   Figure 2-2: BGP FSv2 Data storage
</artwork>
</figure>
</t>
</section>
<section title="Flow Specification v2 (FSv2) Series of Specifications">
<t>
The full FSV2 information is contained in 
<xref target="I-D.ietf-idr-flowspec-v2"></xref> 
</t>
<t>
Feedback from the implementers indicate that the 
Flow Specification v2 needs to broken into drafts based on the 
use cases the technology supports.  These include IPv4/IPv6 DDOS, 
IPv4/IPv6 filters beyond DDOS, BGP/MPLS IPv4 VPN, BGP/MPLS IPv6 VPN, 
BGP/MPLS L2VPN, Segment routing (SRMPLS, SRv6), SFC, SFC VPN, and tunnel.  
</t>
<t>
The following is the list of planned drafts: 
<list style="hanging">
<t hangText="FSv2 IP DDOS (FSv2 IP DDOS):"> The first draft will support IP filter functions
(Type 1) and Extended Community actions supported by <xref target="RFC8955"></xref> and 
<xref target="RFC8956"></xref> with additions to provide the following:
<list style="symbols"> 
<t>user ordering of IP filters </t>
<t>new filter for filtering of unknown FSv2 types and filters (type = 250)</t>
<t>no support for user ordering of actions </t> 
<t>a new action (Action Chain Operation) for handling failures when multiple actions are associated with 
   a set of filters. 
</t>
</list>
This draft provides the basic functions all other FSv2 drafts will extend.
</t>
<t hangText="FSv2 IP Extensions (FSv2 IP DDOS Extra):"> This draft
provides extensions for proposed filters for IP FSv2.  
</t>
<t hangText="FSv2 Non-IP (FSv2 Non-IP):"> This draft provides Non-IP Filters
filters for BGP/MPLS IPv4 VPNS, BGP/MPLS IPv6 VPNs, Segment Routing (SRMPLS and SRV6).
</t>
<t hangText="FSv2 L2VPN:"><xref target="I-D.ietf-idr-flowspec-l2vpn"></xref>
provides user ordered filters for L2VPNs. 
</t> 
<t hangText="FSv2 Additional Extended Community Actions (FSv2 EC Actions Extra) :"> This draft provides 
additional Flow Specification Actions that can be implemented safely 
with action chain failures, but without user ordering.
</t>
<t hangText="FSv2 Wide Community Actions in Type 1 (FSv2 Wide Action T1):"> This draft provides the 
Wide Community actions in the Type 1 format of Wide communities.
</t>
<t hangText="FSv2 Wide Community Actions in Type 2 (FSv2 Wide Action T2):">
This draft provides Wide Community actions in the type 2 format of Wide communities.
</t>
</list> 
</t>
</section> 
</section> 
<section title="FSv2 Filters and Actions">
<t>
 The BGP FSv2 uses an NRLI with the format for
 AFIs for IPv4 (AFI = 1), IPv6 (AFI = 2), L2 (AFI = 6), L2VPN (AFI=25), and 
 SFC (AFI=31) with SAFIs TBD1 and TBD2 to support transmission of the flow specification
 which supports user ordering of traffic filters and actions for IP traffic and 
 IP VPN traffic.
 </t>
 <t>
  This NLRI information is encoded using MP_REACH_NLRI and MP_UNREACH_NLRI attributes defined in
 <xref target="RFC4760"></xref>.  When advertising FSv2 NLRI, the length of the 
  Next-Hop Network Address MUST be set to 0. Upon reception, 
  the Network Address in the Next-Hop field MUST be ignored.  
 </t>
<t>Implementations wishing to exchange flow specification rules MUST use 
BGP's Capability Advertisement facility to exchange the Multiprotocol Extension Capability Code 
(Code 1) as defined in <xref target="RFC4760"></xref>, and 
indicate a capability for FSv1, FSv2 (Code TBD3), or both.  
</t> 
<t>The AFI/SAFI NLRI for BGP Flow Specification version 2 (FSv2) has the format:
 <figure>
 <artwork>
 +-------------------------------+
 |length (2 octets)              |
 +-------------------------------+
 | Sub-TLVs (variable)           |
 | +===========================+ |
 | | order (4 octets)          | |
 | +---------------------------+ |
 | | identifier (4 octets)     | |
 | +---------------------------+ | 
 | | type (2 octets)           | |
 | +---------------------------+ |
 | | length-Subtlv (2 octets)  | |
 | +---------------------------+ |
 | | value (variable)          | |
 | +===========================+ |
 +-------------------------------+
 
 
 Figure 3-1: FSv2 format
  </artwork>
  </figure>
  </t>
  <t>
  where:
  <list style="symbols">
  <t> length: length of field including all SubTLVs in octets. 
  <list>
  <t> The combined lengths of any FSv2 NLRI in the 
      MP_REACH_NLRI or MP_UNREACH_NLRI. The BGP NLRI length
      must be less than the packet size minus the other fields
	  (BGP header, BGP Path Attributes, and NLRI).  	  
  </t>
  </list>
  </t> 
  <t> order: flow-specification global rule order number (4 octets). </t>
  <t>identifier: identifier for the rule (used for NM/Logging) (4 octets)   </t>
  <t> type: contains a type for FSv2 TLV format of the NRLI (2 octets) which can be: 
  <list>
  <t>0 - reserved, </t>
  <t>1 - IP Traffic Rules </t>
  <t>2 - Extended IP rules </t> 
  <t>3-  L2 traffic rules</t>
  <t>4-  SFC Traffic rules </t>
  <t>5-  SFC VPN Traffic rules </t>
  <t>6 - BGP/MPLS VPN IP Traffic Rules </t>
  <t>7 - BGP/MPLS VPN L2 Traffic Rules </t>
  <t>8 - Tunneled traffic </t> 
  </list>
  </t>
  <t> length-Subtlv: is the length of the value part of the Sub-TLV, 
  </t>
  <t>value: value depends on the subTLV (see sections below).</t>
 </list>  
  </t>
  <t>The FSv2 Basic DDOS function must recognize that the defined types are
  valid even if the implementation does not support anything except 
  </t> 
<section title="Basic IP Filters" >
<section title="IP header SubTLV (type=1(0x01))">
<t>
The format of the IP header TLV value field is shown in figure 3-2.  
The IP header for the VPN case is specified in section 3.5.      
</t>
<t>
<figure>
<artwork>
    +-------------------------------+
    | +--------------------------+  | 
    | | (subTLVs)+               |  |
    | +==========================+  |
    +-------------------------------+

      Figure 3-2 - IP Header TLV
</artwork>
  </figure>
</t>
<t>Where: Each SubTLV has the format: 
<figure>
<artwork>
    +-------------------------------+
    |  SubTLV type (1 octet)        |
    +-------------------------------+
    |  length (1 octet)             |
    + ------------------------------+
    |  value (variable)             |
    +-------------------------------+
     Figure 3-3 – IP header SubTLV format 

</artwork>
</figure>
</t>
<t>
Where:
<list>
<t>SubTLV type: component values are defined in 
the “Flow Specification Component types” registry for IPv4 and IPv6 by 
<xref target="RFC8955"></xref>, <xref target="RFC8956"></xref>, and 
<xref target="I-D.ietf-idr-flowspec-srv6"></xref>
</t>

<t>length: length of SubTLV (varies depending on SubTLV type).  
</t>
<t>value: dependent on the subTLV
<list>
<t> For descriptions of value portions for components 1-13 see 
<xref target="RFC8955"></xref> and <xref target="RFC8956"></xref>. 
 For component 14 see <xref target="I-D.ietf-idr-flowspec-srv6"></xref>. 
 </t>
 </list>
</t>
</list>
</t>
<t>Many of the components use the operators [numeric_op] and [bitmask_op] 
defined in <xref target="RFC8955"></xref>   
</t>
<t>The list of valid SubTLV types appears in Table 2.  
</t>
<t>
<figure> 
<artwork>
Table 2 IP SubTLV Types for IP Filters 
        DDOS support 
SubTLV  
-type     Definition
======    ============
   1 -    IP Destination prefix 
   2 -    IP Source prefix 
   3 –    IPv4 Protocol / 
          IPv6 Upper Layer Protocol
   4 –    Port  
   5 –    Destination Port 
   6 –    Source Port
   7 –    ICMPv4 type / ICMPv6 type  
   8 –    ICMPv4 code / ICPv6 code 
   9 –    TCP Flags 
  10 –    Packet length
  11 –    DSCP  
  12 –    Fragment 
  13 –    Flow Label 
  14 -    TTL  
  15-63   reserved for IP Extensions 
          (standards action) 
</artwork>
</figure>
</t>
<t>
<figure> 
<artwork>
Table 2b IP SubTLV types for non-IP Filters 
SubTLV   IP SubTLV types
-type    Definition
======   ===========
  64      Parts of SID
  65      MPLS LAbel Match-1
  66      MPLS Label Match-2 
  67-127  Match reserved for Non-IP 
  128-191 reserved (standards action)
  192-249 FCFS   
  250-    FSv2 Filter Error handling 
 251-255  Reserved
</artwork>
</figure>
</t>
<t>
Ordering within the TLV in FSv2: The transmission of SubTLVs within a 
flow specification rule MUST be sent ascending order by SubTLV type.  
If the SubTLV types are the same, then the value fields are compared 
using mechanisms defined in <xref target="RFC8955"></xref>
and <xref target="RFC8956"></xref> and MUST be in ascending order.  
NLRIs having TLVs which do not follow the above ordering rules MUST be considered as
 malformed by a BGP FSv2 propagator. This rule prevents any ambiguities that arise
 from the multiple copies of the same NLRI from multiple BGP FSv2 propagators. 
 A BGP implementation SHOULD treat such malformed NLRIs as "Treat-as-withdraw" 
<xref target="RFC7606"></xref>.  
</t>
<t>See <xref target="RFC8955"></xref>, <xref target="RFC8956"></xref>, and
<xref target="I-D.ietf-idr-flowspec-srv6"></xref>. for specific details. 
</t>
<section title="IP Destination Prefix (type = 1)">
<t>	IPv4 Name: IP Destination Prefix   (reference:  <xref target="RFC8955"></xref>) </t>
<t>	IPv6 Name: IPv6 Destination Prefix (reference:  <xref target="RFC8956"></xref>) </t>
<t></t>
<t>IPv4 length: Prefix length in bits 
</t>
<t>IPv4 value: IPv4 Prefix (variable length)
</t>
<t>IPv6 length: length of value 
</t>
<t>IPv6 value: [offset (1 octet)] [pattern (variable)] [padding(variable)] 
</t>
<t>If IPv6 length = 0 and offset = 0, then component matches every address.  
Otherwise, length must be offset "less than" length "less than" 129 or component is malformed. 
</t>
</section>
<section title="IP Source Prefix (type = 2) ">
<t>	IPv4 Name: IP Source Prefix      (reference:  <xref target="RFC8955"></xref>) </t>
<t>	IPv6 Name: IPv6 Source Prefix  (reference: <xref target="RFC8956"></xref>) </t>
<t></t>
<t>IPv4 length: Prefix length in bits </t>
<t>IPv4 value: Source IPv4 Prefix (variable length)</t>
<t>IPv6 length: length of value </t>
<t>IPv6 value: [offset (1 octet)] [pattern (variable)][padding(variable)] 
</t>
<t></t>
<t>
If IPv6 length = 0 and offset = 0, then component matches every address.  Otherwise, length must be offset &lt; length &lt; 129 
or component is malformed. 
</t>
</section>
 <section title="IP Protocol (type = 3) ">
<t>	IPv4 Name: IP Protocol  IP Source Prefix  (reference:  <xref target="RFC8955"></xref>) </t>
<t>	IPv6 Name: IPv6 Upper-Layer Protocol:   (reference: <xref target="RFC8956"></xref>) </t>
<t></t>
<t>IPv4 length: variable </t>
<t>IPv4 value: [numeric_op, value]+</t>
<t></t>
<t>IPv6 length: variable </t>
<t>IPv6 value: [numeric_op, value}+ </t>
<t>where the value following each numeric_op is a single octet. </t>
</section>
 <section title="Port (type = 4)">
<t>	IPv4/IPv6 Name: Port (reference:  <xref target="RFC8955"></xref>),
 <xref target="RFC8956"></xref>) </t>
<t>Filter defines: a set of port values to match either destination port or source port. 
</t>
<t></t>
<t>IPv4 length: variable </t>
<t>IPv4 value: [numeric_op, value]+</t>
<t></t>
<t>IPv6 length: variable </t>
<t>IPv6 value: [numeric_op, value]+</t>
<t></t>
<t>where the value following each numeric_op is a single octet. </t>
<t>Note-1: (from FSV1) In the presence of the port component (destination or source port), 
only a TCP (port 6) or UDP (port 17) packet can match the entire flow specification. 
If the packet is fragmented and this is not the first fragment, then the system
may not be able to find the header.  At this point, the FSv2 filter may fail to 
detect the correct flow.  Similarly, if other IP options or the encapsulating 
security payload (ESP) is present, then the  node may not be able to describe the transport header
and the FSv2 filter may fail to detect the flow. 
</t>
<t>The restriction in note-1 comes from the inheritance of the FSv1 filter component for port.  
If better resolution is desired, a new FSv2 filter should be defined. 
</t>
<t>Note-2: FSv2 component only matches the first upper layer protocol value. 
</t>
</section>
 <section title="Destination Port (type = 5) ">
<t>	IPv4/IPv6 Name: Destination Port    (reference:  <xref target="RFC8955"></xref>), <xref target="RFC8956"></xref>) </t>
<t>Filter defines: a list of match filters for destination port for TCP or UDP within a received packet
</t>
<t>Length: variable </t>
<t> Component Value format: [numeric_op, value]+
</t>
</section>
 <section title="Source Port (type = 6)  ">
<t>	IPv4/IPv6 Name: Source Port (reference:  <xref target="RFC8955"></xref>), <xref target="RFC8956"></xref>)
 </t>
<t>Filter defines: a list of match filters for source port for TCP or UDP within a received packet
</t>
<t>IPv4/IPv6 length: variable </t>
<t>IPv4/Ipv6 value: [numeric_op, value]+
</t>
</section>
 <section title="ICMP Type (type = 7) ">
<t>	IPv4: ICMP Type (reference:  <xref target="RFC8955"></xref>)
</t>
<t>	Filter defines: Defines: a list of match criteria for ICMPv4 type 
</t>  
<t>IPv6: ICMPv6 Type (reference: <xref target="RFC8956"></xref>) 
</t>
<t>Filter defines: a list of match criteria for ICMPv6 type. 
</t>
<t> </t>
<t>IPv4/IPv6 length: variable</t>
<t>IPv4/IPv6 value: [numeric_op, value]+ </t>
</section>
 <section title="ICMP Code (type = 8) ">
<t>	IPv4: ICMP Type (reference:  <xref target="RFC8955"></xref>) </t>
<t>	Filter defines: a list of match criteria for ICMPv4 code. 
</t>  
<t>IPv6: ICMPv6 Type (reference: <xref target="RFC8956"></xref>) </t>
<t>Filter defines: a list of match criteria for ICMPv6 code. </t>
<t> </t>
<t>IPv4/IPv6 length: variable</t>
<t>IPv4/IPv6 value: [numeric_op, value]+ </t>
</section>
 <section title="TCP Flags (type = 9) " >
<t>	IPv4/IPv6: TCP Flags Code  (reference:  <xref target="RFC8955"></xref>)
</t>
<t>Filter defines: a list of match criteria for TCP Control bits 
</t>  
<t> </t>
<t>IPv4/IPv6 length: variable</t>
<t>IPv4/IPv6 value: [bitmask_op, value]+ </t>
<t></t>
<t>Note: a 2 octets bitmask match is always used for TCP-Flags </t> 
</section>
 <section title="Packet length (type = 10 (0x0A)) ">
<t>	IPv4/IPv6: Packet Length (reference: <xref target="RFC8955"></xref>, <xref target="RFC8956"></xref>) 
</t>
<t>	Filter defines: a list of match criteria for length of packet 
(excluding L2 header but including IP header). 
</t>  
<t>IPv4/IPv6 length: variable</t>
<t>IPv4/IPv6 value: [numeric_op, value]+ </t>
<t></t>
<t>Note:<xref target="RFC8955"></xref> uses either 1 or 2 octet values. 
</t>
</section>
 <section title="DSCP (Differentiaed Services Code Point)(type = 11 (0x0B)) ">
 
<t>	IPv4/IPv6: DSCP Code  (reference:  <xref target="RFC8955"></xref>,  <xref target="RFC8956"></xref>) 
</t>
<t>	Filter defines: a list of match criteria for DSCP code values to match the
6-bit DSCP field.  
</t> 
<t> </t>
<t>IPv4/IPv6 length: variable</t>
<t>IPv4/IPv6 value: [numeric_op, value]+ </t>
<t></t>
<t>Note: This component uses the Numeric Operator (numeric_op) described in
   <xref target="RFC8955"></xref> in section 4.2.1.1.  
   Type 11 component values MUST be encoded as single
   octet (numeric_op len=00). 
  </t>
  <t>The six least significant bits contain the DSCP value.  All other
   bits SHOULD be treated as 0.
   </t>
</section>
 <section title="Fragment (type = 12 (0x0C))   ">
<t>	IPv4/IPv6: Fragment  (reference:  <xref target="RFC8955"></xref>,  <xref target="RFC8956"></xref>) 
</t>
<t>	Filter defines: a list of match criteria for specific IP fragments.
</t> 
<t> </t>
<t>Length: variable</t>
<t>Component Value format: [bitmask_op, value]+</t>
<t>Bitmask values are:</t>
<t>
<figure>
<artwork>
      0    1   2   3   4   5   6  7	
    +---+---+---+---+---+---+---+---+ 
    | 0 | 0 | 0 | 0 |LF |FF |IsF| DF| 
    +---+---+---+---+---+---+---+---+ 
                 Figure 3-4
</artwork>
</figure>
</t>
<t> Where:
<list>
<t> DF (don’t fragment): match If IP header flags bit 1 (DF) is 1.
</t>
<t>IsF(is a fragment other than first: match if IP header fragment offset is not 0. 
</t>
<t> FF (First Fragment): Match if <xref target="RFC0791"></xref> IP Header Fragment offset is zero and Flags Bit-2 (MF) is 1.
</t>
<t>LF (last Fragment): Match if [RFC7091] IP header Fragment is not 0 And Flags bit-2 (MF) is 0
</t>
<t>0: MUST be sent in NLRI encoding as 0, and MUST be ignored during reception. 
</t>
</list>
</t>
</section>
 <section title="Flow Label(type = 13 (0xOD)) ">
<t>	IPv4/IPv6: Fragment  (reference:  <xref target="RFC8956"></xref>) 
</t>
<t>	Filter defines: a list of match criteria for 20-bit Flow Label in the IPv6 header field.   
</t> 
<t> </t>
<t>Length: variable</t>
<t>Component Value format: [numeric_op, value]+
</t>
</section> 
<section title="TTL (type=14 (0x0E))">
<t>TTL: Defines matches for 8-bit TTL field in IP header
</t>
<t>Encoding: &lt;[numeric_op, value]+&gt;
</t>
<t>where: value is a 1 octet value for TTL.
</t>
<t>ordering: by full value of number_op concatenated with value </t>
<t>conflict: none</t>
<t>reference: draft-bergeon-flowspec-ttl-match-00.txt </t>
</section>
 </section> 
<section title="FS Filter Error handling  (type=250(0xFA)) ">
 <t>Editor note: This filters FSv2 information. 
 Is it useful?  If not, it can be moved to the non-IP section. 
 </t> 
 <t>
 <list style="hanging"> 
 <t hangText="Type Filter Error handling(0xFA)">
   	<list>
	<t>Function: This function suggests additional 
	for unknown types and missing fields in the FSv2 NLRI  
	</t>
	<t>reference: none 
    </t>	
	<t>Encoding:
	&lt;type(1 octet), length(1 octet), T-Err (1 octet), (M-Err (1 octet)    
	</t>
	<t>It contains a set of {operator, value} pairs that are used for 
	the matching filter.
	</t>
	<t> T-Err - specifies handling of unknown type. The values for this 
	type are:  
	<list> 
	<t> Disable AFI/SAFI
	</t>
	<t> Treat as withdrawl 
	</t> 
	<t> Ignore MPREACH_NLRI attribute 
    </t>
    <t> Ignore filter component (Sub-TLV) 
	</t> 
	</list>
	</t>
	<t> M-Error - specifies the handling of a missing field
	with values of: (TBD). 
	</t>
	</list>
	</t>
</list>
</t>
<t>
	<figure>
	<artwork>
	  0   1   2   3   4   5   6   7   8	  9	 10  11  12  13  14  15
    +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    |            T-Err              |  M-error                      |
    +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
	         Figure 3-8b 
	</artwork>
	</figure>
</t>
</section>
</section> 
<section title="Encoding of FSV2 Actions for Basic DDOS ">
<t>
The long-term goal of the FSv2 actions is to allow user ordering of the 
flow specification actions.  Only Wide Communities provide enough 
structured space for user ordering of actions. The IDR WG draft 
<xref target="I-D.ietf-idr-flowspec-v2"></xref> 
contains the long-term plan for FSv2 filters with actions. 
To provide an easy migration between FSv1 and FSv2, a sequence of drafts will 
break allow adding of additional actions to the basic IP DDOS 
actions in the Extended Community. 
</t> 
<t>
The Basic IP DDOS FSv2 will support existing IPv4 from
 <xref target="RFC8955"></xref>, and 
existing IPv6 actions from <xref target="RFC8956"></xref> and 
one additional feature for action chain ordering (ACO). 
</t>
<t> 
An action chain for FSv2 Extended Community actions 
is defined as a series of Extended Communities which are
attached to a set of filters. 
</t> 
<t> The action chain ordering (ACO)action provides a 
set of flags that define a clear action if failure 
occurs. One of the issues with FSv1 is the lack of 
a clear definition on what happens if multiple 
actions interact.  The existance of the Action chain 
ordering action enforces that the actions will
have a deterministic outcome during failures.
</t>
<t>
The AC-Failure types are:  
 <list style="symbols">
 <t>0x00 – default – stop on failure  
 </t>
 <t>0x01 – continue on failure (best effort on actions)
 </t>
 <t>0x02 – conditional stop on failure (depends on AC-Failure-value/policy)  
 </t>
 <t>0x03 – rollback do all or nothing (depends on AC-Failure-value/policy)  
 </t>
 </list>
 </t>
<t>Editors note: The following options for encoding ACO exist. 
<list style="hanging">
<t hangText="Option 1:">redefine bits in Traffic Action subtype
</t> 
<t hangText="Option 2:">create a new Extended Community
</t>
</list>
</t> 
<section title="FSV2 Basic DDOS Actions">
<section title="Encoding FSv2 Actions in IPv4 Extended Communities ">
<t>
The Extended Community encodes the Flow Specification actions in the Extended Community format 
as generic transitive extended communities per <xref target="RFC4360"></xref>
per <xref target="RFC8955"></xref>, <xref target="RFC9117"></xref>, and
<xref target="RFC9184"></xref>.  
</t>
<t>The format of the these actions can be: 
<list style="hanging">
<t hangText="Generic Transitive Extended Community  (0x80):">where the 
Sub-Types are defined in the Generic Transitive Extended Community Sub-Types
registry.
</t>
<t hangText="Generic Transitive Extended Community Part 2(0x81):"> where the
Sub-Types are defined in the Generic Transitive Extended Community Part 2 Sub-Types registry.
</t>
<t hangText="Transitive Four-Octet AS-Specific Extended Communit(0x82):">where the 
Sub-Types defined in the Generic Transitive Extended Community Part 3 Sub-Types
registry.
</t>
<t hangText="Generic Transitive Extended Community Part 3 (0x83):">where the 
Sub-Types defined in the Transitive Opaque Extended Community Sub-Types" registry.
</t>
</list> 
</t>
<t>
<figure>
<artwork>

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Type high    |  Type low(*)  |                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+          Value (6 octets)     |
 |                                                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                              Figure 3-9
</artwork>
</figure>
</t>
<t>
<figure>
<artwork>
				Table x-x 

IPv4 Extended Communities (Type 0x80) 2 byte AS, 
Value   Description                    Name  Reference
=====   =======================        ===== ==========
0x01    Flow Spec Action Chain         ACO   [This document]  
0x06	Flow spec traffic-rate-byte    TRB   [RFC8955]	
0x07	Flow spec traffic-action       TAIS  [RFC8955]
0x08	Flow spec rt-redirect          RDIP  [RFC8955]
        AS-2 octet format	                       
0x09	Flow spec traffic-remarking	   TM    [RFC8955]
0x0C    Flow Spec Traffic-rate-packets TRP   [RFC8955]
</artwork>
</figure>
</t>
<t>
<figure>
<artwork>   
				Table x-x 
				
IPv4 Extended Communities FSv2 action (Type 0x81) 
Value   Description                    Name  Reference
=====   =======================        ===== ==========
0x08	Flow spec rt-redirect          RDIP  [RFC8955]   
        IPv4 octet format	                 [this document]       

</artwork>
</figure>
</t>
<t>
<figure>
<artwork>  
				Table x-x 
IPv4 Extended Communities (Type 0x82) 
Value   Description                  Name  Reference
=====   =======================      ====  ==========
0x08	Flow spec rt-redirect        RDIP  [RFC8955]
        AS-4 octet format	                       
</artwork>
</figure>
</t>
</section> 
<section title="Encoding FSv2 Actions in IPv6 Extended Community"> 
<t>
The IPv6 Extended Community encodes the Flow Specification actions 
in the Extended Community format <xref target="RFC5701"></xref> 
per <xref target="RFC8956"></xref>, <xref target="RFC9117"></xref>, and
<xref target="RFC9184"></xref> in the transitive opaque format.
</t>
<t>
<figure>
<artwork>

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Type         |  Sub-type     |   Global Administrator        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
 |         Global Administrator (cont.)                          |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         Global Administrator (cont.)                          |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         Global Administrator (cont.)                          |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Global Administrator (cont.)  |   Local Administrator         |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               figure 3-10  
 
The 20 octets of value are given in the following format: 

Type = 0x00 (transitive) 
Sub-Type = see table x-x

Global Administrator: IPv6 address assigned by Internet Registry 
Local Administrator:  2 bytes of 
</artwork>
</figure>
</t>
<t>
<figure>
<artwork>

Table x-x 

IPv6 Extended Communities (Type 1) 
Value   Description                  Name   Reference
=====   =======================      =====  ==========
0x01    Flow Spec Action Chain       ACO    [This document]
0x0C    Flow Spec redirect-v6-flag   RD6F   [ID-redirect-IP]
0x0D    Flow Spec rt-redirect        RD6    [RFC8956]  
        IPv6 format 
</artwork>
</figure>
</t>
</section> 
<section title="New Actions for FSv2 DDOS">
<t> There are two options for encoding the Action chain.
</t>
 <section title="Option 1: Action Chain operation IPv4 Extended (ACO)(1, 0x01)">
 <t>
 <figure>
 <artwork>
   0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Type high    |  Type low(01) |AC-failure-type|  AC-Failure   |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |          AC-Failure-value (cont.)                             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 </artwork> 
  </figure> 
 </t>
 <t>SubTLV: 0x01 
 </t>
 <t>Length: 6 octets
 </t>
 <t>Value:
 <list>
  <t>AC-dependence - 1 octet byte of flag regarding dependency 
 </t> 
 <t>AC-failure-type – 1 octet byte that determines the action on failure  
 </t> 
 <t>AC-failure-value – variable depending on AC-failure-type. 
 </t>
 </list>
 </t>
 <t>Actions may succeed or fail and an Action chain must deal with it.  
 The default value stored for an action chain that does not have this action chain is “stop on failure”.
</t>
 <t>where:
 <list>
 <t>AC-Failure types are:  
 <list style="symbols">
 <t>0x00 – default – stop on failure  
 </t>
 <t>0x01 – continue on failure (best effort on actions)
 </t>
 <t>0x02 – conditional stop on failure – depending on AC-Failure-value 
 </t>
 <t>0x03 – rollback – do all or nothing - depending in AC-Failure-value 
 </t>
 </list>
 </t>
 <t>AC-Failure values:  TBD</t>
 </list>
 </t>
 <t>Interactions with other actions: Interactions with all other Actions  </t>
 <t>Ordering within Action type: By AC-Failure type  </t>
</section>
 <section title="Option 2: Action Chain operation encoded in IPv4 Traffic Action (0x07) ">
 <t>
 <figure>
 <artwork>
   0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Type high    |  Type low(07) |traffic action field  (zero)   |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |          AC-Failure-value (cont.)                   | ACO |S|T|
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
 Where 
 ACO - is the Action Chain failure types (0x00 to 0x03) 
       00 - stop on failure 
	   01 - continue on failure 
	   02 - conditional stop on failure (by policy) 
	   03 - rollback on failure (with policy) 
 S - Sample flag 
 T - Terminal action 
 </artwork> 
  </figure> 
  </t>
  </section> 
</section>  
<section title="Interactions between FSv2 DDOS actions">
<t>
<figure>
<artwork>
 Table 5 – All FSv2 IPv4 Action types for IP DDOS  
  
 Action  Name  Description             May Interacts 
 ======  ====  ======================  =============== 
   01    ACO   Action Chain Operation  none 	  
   06    TRB   Traffic Rate limited    TRP 
                by Bytes 
   07    TA    Traffic Action          none
               (terminal/sample/ACO)  
   08    RDIP  Redirect IPv4           none 
   09    TM    Mark DSCP value         none 
   12    TRP   Traffic Rate limited    TRB
                by Packets  

          Figure 3-15  
  </artwork>
  </figure>
  </t>
  <t>
<figure>
<artwork>
 Table 5 – All FSv2 IPv6 Action types for IP DDOS  
  
 Action  Name  Description             May Interacts 
 ======  ====  ======================  =============== 
   01    ACO   Action Chain Operation  none 	  
   06    TRB   Traffic Rate limited    TRP 
                by Bytes 
   07    TA    Traffic Action          none
               (terminal/sample/ACO)  
   08    RDIP  Redirect IPv4           none 
   09    TM    Mark DSCP value         none 
   12    TRP   Traffic Rate limited    TRB
                by Packets  

          Figure 3-15  
  </artwork>
  </figure>
  </t>
</section>
</section> 
<section title="Summary of all FSv2 Actions (informative only) ">
<t>
<figure>
<artwork>
 Table 4  All IP Actions in Extended Communities  
 Action   Name Description
 ======   ===========  
   00     reserved 
   01     ACO:  action chain operation 
   02     reserved 
   03     TAIS: traffic actions per interface group
   04     LkBW: Link bandwidth    
          (draft-ietf-idr-linkbandwidth-07) [non-transitive]    
		  [juniper link bandwidth] [transitive] 
		  
   06     TRB:  traffic rate limited by bytes 
   07     TA: traffic action (terminal/sample) 
   08     RDIP: Redirect IPv4
   09     TM: mark DSCP value 
   10     TBA (to be assigned) 
   11     TBA (to be assigned) 
   12     TRP: traffic rate limited by packets 
   13     TISFC: SFC Classifier 
   14     RDIID: redirect to Indirection-id (move from 0x00) 
   
   31     TISFC: SFC classifier II (this document) 
   32     MPLSLA: MPLS label action    
   33     VLAN: VLAN-Action (0x16)[draft-ietf-idr-flowspec-l2vpn-17]
   34     TPID: TPID-Action (0x17)[draft-ietf-idr-flowspec-l2vpn-17]
   24-254 TBA (to be assigned)
   255    reserved 

          Figure 3-15  
  </artwork>
  </figure>
  </t>
<t>
  <figure> 
  <artwork> 
  IPv6 Extended Communities (Type 1) 
Value   Description                  Name   Reference
=====   =======================      =====  ==========
0x01    Flow Spec Action Chain       ACO    [This document]
0x0C    Flow Spec redirect-v6-flag   RD6F   [ID-redirect-IP]
0x0D    Flow Spec rt-redirect        RD6    [RFC8956]  
        IPv6 format 
</artwork>
</figure> 
</t> 
</section>
</section> 
</section>
<section title="Validation and Ordering">
<section title="Validation of FSv2 NLRI ">
<t>The validation of FSv2 NLRI adheres to the combination of rules for general 
BGP FSv1 NLRI found in <xref target="RFC8955"></xref>, <xref target="RFC8956"></xref>,
<xref target="RFC9117"></xref>, and the specific 
additions made for SFC NLRI <xref target="RFC9015"></xref>, and L2VPN NLRI 
<xref target="I-D.ietf-idr-flowspec-l2vpn"></xref>.
</t>
<t>To provide clarity, the full validation process for flow specification 
routes (FSv1 or FSv2) is described in this section rather 
than simply referring to the relevant portions of these RFCs.  
Validation only occurs after BGP UPDATE message reception and 
the FSv2 NLRI and the path attributes relating to FSv2 (Extended
community and Wide Community) have been determined to be well-formed.  Any 
MALFORMED FSv2 NRLI is handled as a “TREAT as WITHDRAW” <xref target="RFC7606"></xref>. 
</t>
<section title="Validation of FS NLRI (FSv1 or FSv2)">
<t>
Flow specifications received from a BGP peer that are accepted in the
respective Adj-RIB-In are used as input to the route selection process.
Although the forwarding attributes of the two routes for tbe same prefix may be 
the same, BGP is still required to perform its path selection algorithm in 
order to select the correct set of attributes to advertise. 
</t>
<t>The first step of the BGP Route selection procedure (section 9.1.2 of 
<xref target="RFC4271"></xref> is to exclude from the selection procedure routes that are 
considered unfeasible. In the context of IP routing information, this 
is used to validate that the NEXT_HOP Attribute of a given route is 
 resolvable.  
 </t>
<t>The concept can be extended in the case of the Flow Specification NLRI to allow other validation procedures. 
</t>
<t>The FSv2 validation process validates the FSv2 NLRI with following unicast 
routes received over the same AFI (1 or 2) but different SAFIs:
<list style="symbols">
<t>Flow specification routes (FSv1 or FSv2) received over SAFI=133 will be validated against SAFI=1, 
</t>
<t>Flow Specification routes (FSv1 or FSv2) received over SAFI=134 will be validated against SAFI=128, and
</t>
<t>Flow Specification routes (FSv1 or FSv2) [AFI =1, 2] received over SAFI=77 will be validated 
using only the Outer Flow Spec against SAFI = 133. 
</t>
</list>
</t>
<t>The FSv2 validates L2 FSv2 NLRI with the following L2 routes received over the 
same AFI (25), but a different SAFI:
<list style="symbols">
<t>Flow specification routes (FSv1 or FSv2)received over SAFI=135 are validated against SAFI=128. 
</t>
</list>
</t>
<t>In the absence of explicit configuration, a Flow specification NLRI (FSv1 or FSv2) 
MUST be validated such that it is considered feasible if and only if 
all of the conditions are true:
<list>
<t>a) A destination prefix component is embedded in the Flow Specification, </t>
<t>b) One of the following conditions holds true:
<list>
<t> 1.	The originator of the Flow Specification 
matches the originator of the best-math unicast route for the destination prefix 
embedded in the flow specification (this is the unicast route 
with the longest possible prefix length covering the destination 
prefix embedded in the flow specification).
</t>
<t>2.	The AS_PATH attribute of the flow specification is empty or 
contains only an AS_CONFED_SEQUENCE segment <xref target="RFC5065"></xref>.
<list>
<t>2a.This condition should be enabled by default. </t>
<t>2b.This condition may be disabled by explicit configuration on a BGP Speaker, </t>
<t>2c.As an extension to this rule, a given non-empty AS_PATH 
(besides AS_CONFED_SEQUENCE segments) MAY be permitted by policy].</t>
</list> 
</t>
</list>
</t>
<t>c)	There are no “more-specific” unicast routes when compared 
with the flow destination prefix that have been received from a different 
neighbor AS than the best-match unicast route, which has been 
determined in rule b. 
</t>
</list>
</t>
<t>However, part of rule a may be relaxed by explicit configuration, permitting Flow 
Specifications that include no destination prefix component.  If such is the 
case, rules b and c are moot and MUST be disregarded. 
</t>
<t>By “originator” of a BGP route, we mean either the address of the originator 
in the ORIGINATOR_ID Attribute [RFC4456] or the source address of the BGP
peer, if this path attribute is not present.  
</t>
<t>A BGP implementation MUST enforce that the AS in the left-most position of the 
AS_PATH attribute of a Flow Specification Route (FSv1 or FSv2) received via 
the Exterior Border Gateway Protocol (eBGP) matches the AS in the left-most
position of the AS_PATH attribute of the best-match unicast route for the 
destination prefix embedded in the Flow Specification (FSv1 or FSv2) NLRI. 
</t>
<t>The best-match unicast route may change over time independently of the Flow 
Specification NLRI (FSv1 or FSv2). Therefore, a revalidation of the Flow 
Specification MUST be performed whenever unicast routes change.  
Revalidation is defined as retesting rules a to c as described above. 
</t>
</section>
<section title="Validation of Flow Specification Actions">
<t> Flow Specifications may be mapped to actions using Extended Communities or a 
Wide Communities. The FSv2 actions in Extended Communities and Wide communities 
can be associated with large number of NLRIs. 
</t>
<t>
The ordering of precedence for these actions in the case when 
the user-defined order is the same follows 
the precedence of the FSv2 NLRI action TLV values (lowest to highest). 
User-defined order is the same when the order value for action is the same. 
All Extended Community actions MUST be translated to
the user-defined order data format for internal comparison. 
By default, all Extended Community actions SHOULD be translated
to a single value. 
</t>
<t>
Actions may conflict, duplicate, or complement other actions. An 
example of conflict is the packet rate limiting by byte and by packet.
An example of a duplicate is the request to copy or sample a packet under
one of the redirect functions (RDIPv4, RDIPv6, RDIID, )
Each FSv2 actions in this document defines the potential conflicts or duplications. 
Specifications for new FSv2 actions outside of this specification MUST
specify interactions or conflicts with any FSv2 actions (that appear in this specification or 
subsequent specifications).  
</t>
<t>Well-formed syntactically correct actions should be linked to a 
filtering rule in the order the actions should be taken.  
If one action in the ordered list fails, the default procedure is 
for the action process for this rule to stop and flag the error via system management.  
By explicit configuration, the action processing may continue after errors.
</t>
<t>Implementations MAY wish to log the actions taken by FS actions (FSv1 or FSv2).    
</t>
</section>
<section title="Error handling and Validation">
<t>The following two error handling rules must be followed by 
all BGP speakers which support FSv2:
<list style="symbols">
<t>FSv2 NLRI having TLVs which do not have the correct lengths or syntax must be considered MALFORMED.  
</t>
<t>FSv2 NLRIs having TLVs which do not follow the above ordering rules described in 
section 4.1 MUST be considered as malformed by a BGP FSv2 propagator.
</t>
</list>
The above two rules prevent any ambiguity that arises from the multiple copies of 
the same NLRI from multiple BGP FSv2 propagators. 
</t>
<t>A BGP implementation SHOULD treat such malformed NLRIs as ‘Treat-as-withdraw’ 
<xref target="RFC7606"></xref>  
</t>
<t>
An implementation for a BGP speaker supporting both FSv1 and FSv2 MUST 
support the error handling for both FSv1 and FSv2. 
</t>
</section>
</section>
<section title="Ordering for Flow Specification v2 (FSv2)">
<t>Flow Specification v2 allows the user to order flow specification rules and 
the actions associated with a rule. Each FSv2 rule has one or more match 
conditions and one or more actions associated with that match condition. 
</t>
<t>This section describes how to order FSv2 filters received from a peer prior 
to transmission to another peer. The same ordering should be used for the 
ordering of forwarding filtering installed based on only FSv2 filters.  
</t>
<t>Section 7.0 describes how a BGP peer that supports FSv1 and FSv2 should
order the flow specification filters during the installation of these flow  
specification filters into FIBs or firewall engines in routers. 
</t>
<t>The BGP distribution of FSv1 NLRI and FSv2 NLRI and their associated path 
attributes for actions (Wide Communities and Extended Communities) is 
“ships-in-the-night” forwarding of different AFI/SAFI information. This 
recommended ordering provides for deterministic ordering of filters sent by 
the BGP distribution. 
</t>
<section title="Ordering of FSv2 NLRI Filters  ">
<t>The basic principles regarding ordering of rules are simple: 
<list>
<t>1) Rule-0 (zero) is defined to be 0/0 with the “permit-all” action 
<list>
<t>BGP peers which do not support flow specification permit traffic for 
routes received.  Rule-0 is defined to be “permit-all” for 0/0 which 
is the normal case for filtering for routes received by BGP. 
</t>
<t>By configuration option, the “permit-all” may be set to “deny-all” if 
traffic rules on routers used as BGP must have a “route” AND a 
firewall filter to allow traffic flow.
</t>
</list>
</t>
<t>2) FSv2 rules are ordered based on the user-defined order numbers 
specified in the FSv2 NLRI (rules 1-n).  </t>
<t>3) If multiple FSv2 NLRI have the same user-defined order, then the filters are 
ordered by type of FSv2 NRLI filters (see Table 1, section 4) with 
lowest numerical number have the best precedence. 
<list>
<t>For the same user-defined order and the same value for the FSv2 
filters type, then the filters are ordered by FSv2 the component type 
for that FSv2 filter type (see Tables 3-6) with the lowest number 
having the best precedence.  
</t>
<t>For the same user-defined order, the same value of FSv2 Filter Type, 
and the same value for the component type, then the filters are 
ordered by value within the component type.  Each component type 
defines value ordering. 
</t>
<t>For component types inherited from the FSv1 component types, there are 
the following two types of comparisons: 
<list>
<t>FSv1 component value comparison for the IP prefix values, 
compares the length of the two prefixes.  If the length is 
different, the longer prefix has precedence.  If the length is 
the same, the lower IP number has precedence. 
</t>
<t>For all other FSv1 component types, unless specified, the 
component data is compared using the memcmp() function defined 
by [ISO_IEC_9899].  For strings with the same length, the lowest 
string memcmp() value has precedence. For strings of different 
lengths, the common prefix is compared. If the common string 
prefix is not equal, then the string with the lowest string 
prefix has higher precedence.  If the common prefix is equal,
the longest string is considered to have higher precedence 
</t>
</list>
</t>
</list>
</t>
</list>
</t>
<t>Notes:
<list style="symbols">
<t>Since the user can define rules that re-order these value comparisons, 
this order is arbitrary and set to provide a deterministic default. 
</t>
</list>
</t>
</section>
<section title="Ordering of the Actions ">
<t>The FSv2 specification allows for actions to be associated by:  
<list>
<t>a) a Wide Community path attribute, or 
</t>
<t>b) an Extended Community path attribute. </t> 
</list>
</t>
<t>Actions may be ordered by user-defined action order number from 1-n (where n 
is 2**16-2 and the value 2**16-1 is reserved. 
</t>
<t>Byy default, extended community actions are associated with default order number 32768 [0x8000] 
or a specific configured value for the FSv2 domain.  
</t>
<t>Action user-order number zero is defined to have an Action type of “Set Action Chain operation” (ACO) 
(value 0x01) that defines the default action chain process. 
For details on “set action chain operation” see section 3.2.1 or section 5.2.1 below. 
</t>
<t>If the user-defined action number for two actions are the same, then the 
actions are ordered by FSv2 action types (see Table 3 for a list of action 
types).  If the user-defined action number and the FSv2 action types are the 
same, then the order must be defined by the FSv2 action. 
</t>
<section title="Action Chain Operation (ACO)">
<t>The “Action Chain Operation” (ACO) changes the way the actions after the 
current action in an action chain are handled after a failure.  If no action chain operations 
are set, then the default action of “stop upon failure” (value 0x00) will be 
used for the chain.  
</t>
<section title="Example 1 - Default ACO">
<t>Use Case 1: Rate limit to 600 packets per second  </t>
<t>Description: The provider will support 600 packets per second 
All Packets sampled for reporting purposes and packet streams 
over 600 packets per second will be dropped. 
</t>
<t> Suppose BGP Peer A has a   
<list style="symbols">
<t> a Wide Community action with user-defined order 10 with Traffic Sampling</t>
<t> a Wide Community action with user-defined order 11 from AS 2020 
that limits packet-based rate limit of 600 packets per second. 
</t>
<t>an Extended Community from AS 2020 that 
does limits packet-based rate limit of 50 packets per second.    
</t>
</list>
</t>
<t>The FSv2 data base would store the following action chain: 
<list style="symbols">
<t>at user-defined action order 10
<list>
<t>A user action of type 7 (traffic action) with values of Sampling and logging.  
</t>
</list>  
</t>
<t> at user-defined action order 11
<list>
<t> a user action type of 12 (packet-based rate limit) with values of AS 2020 and float value 
for 600 packets per second (pps)  
</t>
</list>
</t>
<t>at user-defined action order 32768 (0x8000) with type 12 and values of 
A user action of type 12 with values of AS 2020 and float value of 50 packets/second.  
</t>
</list>
</t>
<t>Normal action: 
<list>
<t>The match on the traffic would cause a sample of the traffic (probably with
packet rate saved in logging) followed by a rate limit to 600 pps. 
The Extended community action would further limit the rate 
to 50 packets per second. </t>
</list>
</t>
<t>When does the action chain stop? 
<list>
<t>The default process for the action chain is to stop on failure. 
If there is no failure, then all three actions would occur. 
This is probably not what the user wants. 
</t>
<t>If there is failure at action 10 (sample and log), then 
there would be no rate limiting per packet (actions 11 and action 32768).  
</t>
<t>If there is failure at action 11 (rate limit to packet 600), 
then there would be no rate limiting per packet (action 32768). 
</t>
</list>
</t> 
<t> The different options for Action chain ordering (ACO) have been 
worked on with NETCONF/RESTCONF configuration and actions. 
</t>
</section> 
<section title="Example 2: Redirect traffic over limit to processing via SFC">
<t>
Use case 2:  Redirect traffic over limit to processing via SFC. 
</t>
<t>
Description: The normal function is for traffic over the limit to 
be forwarded for offline processing and reporting to a customer. 
</t>  
<t>Suppose we have the following 4 actions defined for a match: 
<list style="symbols">
<t> Sent
 Redirect to indirection ID (0x01) with user-defined match 2 attached in wide community, 
</t>
<t> Traffic rate limit by bytes (0x07) with user-defined match 1 attached in wide community,  
</t>
<t> Traffic sample (0x07) sent in extended community, and 
</t>
<t> SF classifier Info (0x0E) sent in extended community. 
</t>
</list>
</t>
<t>These 4 filters rate limit a potential DDoS attack by: a) redirect the 
packet to indirection ID (for slower speed processing), sample to local 
hardware, and forward the attack traffic via a SFC to a data collection box. 
</t>
<t>The FSv2 action list for the match would look like this 
<list>
<t>Action 0: Operation of action chain (0x01) (stop upon failure)</t>
<t>Action 1: Traffic Rate limit by byte (0x07)</t>
<t>Action 2: Redirect to Redirection ID (0x0F) </t>
<t>Action 32768 (0x8000) Traffic Action (0x07) Sample </t>
<t>Action 32768 (0x8000) SFC Classifier: (0xE)</t>
</list>
</t>
<t>If the redirect to a redirection ID fails, then Traffic Sample and sending the data to 
an SFC classifier for forwarding via SFC will not happen. The traffic is limited, 
but not redirect away from the network and a sample sent to DDOS processing 
via a SFC classifier. 
</t>
<t>Suppose the following 5 actions were defined for a 
FSV2 filter: 
<list style="symbols">
<t>Set Action Chain Operation (ACO) (0x01) to continue on failure (ox01) 
at user-order 2 attached in wide community,   
</t>
<t>redirect to indirection ID (0x0F) at user-order 2 attached in wide community, 
</t>
<t>traffic rate limit by bytes (0x07)with user-order 1 attached in wide community,  
</t>
<t>Traffic sample (0x07) attached via extended community, and 
</t>
<t>SFC classifier Info (0x0E) attached in extended community. 
</t>
</list>
</t>
<t>The FSv2 action list for the match would look like this:
<list>
<t>Action 00: Operation of action chain (0x01) (stop upon failure)
</t>
<t>Action 01:Traffic Rate limit by byte (0x07)
</t>
<t>Action 02:Set Action Chain Operation (ACO) (0x01) (continue on failure)
</t>
<t>Action 02: Redirect to Redirection ID (0F)
</t>
<t>Action 32768 (0x8000): Traffic Action (0x07) Sample 
</t>
<t>Action 32768 (0x8000): SFC classifier (0x0E) forward via SFC [to DDoS classifier]
</t>
</list>
If the redirect to a redirection ID fails, 
the action chain will continue on to sample the data and enact SFC classifier actions. 
</t>
</section> 
</section>
<section title="Summary of FSv2 ordering">
<t>Operators should use user-defined ordering to clearly specify the actions
desired upon a match.  The FSv2 actions default ordering is specified to  
provide deterministic order for actions which have the same user-defined 
order and same type.
</t>
<t>
<figure>
<artwork>

FS Action                          Value Order 
(lowest value to highest)          (lowest to highest) 
================================   ==============================
0x01: ACO: Action chain operation  Failure flag
0x02: TAIS:Traffic actions per     AS, then Group-ID, then Action ID 
       Interface group		 
	   
0x03-0x05 to be assigned           TBD
0x06: TRB: Traffic rate limit      AS, then float value 
      by bytes 
0x07: TA: Traffic Action           traffic action value 	
0x08: RDIP: Redirect to IP 	       AS, then IP Address, then ID
0x09: TM: Traffic Marking          DSCP value (lowest to highest)
0x0A: AL2: Associated L2 Info. 	   TBD 
0x0B: AET: Associated E-tree Info. TBD   
0x0C: TRP: Traffic Rate limit      AS, then float value 
         by bytes 
0x0D: RDIPv6: Traffic               
        Redirect to IPv6           AS, IPv6 value, then local Admin
0x0E: TISFC: Traffic insertion 
     to SFC                        SPI, then SI, the SFT
0xOF: Redirect to
          Indirection-ID           ID-type, then Generalized-ID
		  
0x10: MPLSLA: MPLS Label stack     order, action, label, Exp   
0x16 – VLAN action                 rewrite-actions, VALN1, VLAN2,
                                   PCP-DE1, PCP-DE2
0x17 – TPID action                 rewrite actions, TP-ID-1, TP-ID-2 
       	
		 Figure 6-1
</artwork>
</figure>
</t>
</section>
</section>
</section>
<section title="Ordering of FS filters for BGP Peers support FSv1 and FSv2">
<t>
FSv2 allows the user to order flow specification rules and the actions 
associated with a rule. Each FSv2 rule has one or more match conditions and 
one or more actions associated with each rule. 
</t>
<t>FSv1 and FSv2 filters are sent as different AFI/SAFI pairs so 
FSv1 and FSv2 operate as ships-in-the-night.  Some BGP peers 
in an AS may support both FSv1 and FSv2.  Other BGP peers may support
FSv1 or FSv2.  Some BGP will not support FSv1 or FSV2.  A coherent 
flow specification technology must have consistent best practices
for ordering the FSv1 and FSv2 filter rules. 
</t>
<t>One simple rule captures the best practice:  Order the FSv1 filters after
the FSv2 filter by placing the FSv1 filters after the FSv2 filters.  
</t>
<t>To operationally make this work, all flow specification filters should be 
included the same data base with the FSv1 filters being assigned a user-
defined order beyond the normal size of FSv2 user-ordered values. 
A few examples, may help to illustrate this best practice. 
</t>
<t>Example 1: User ordered numbering - 
Suppose you might have 1,000 rules for the FSv2 filters.  Assign all the 
FSv1 user defined rules to 1,001 (or better yet 2,000).  The FSv1 rules 
will be ordered by the components and component values. 
</t>
<t>
Example 2: Storage of actions - 
All FSv1 actions are defined ordered actions in FSv2.  Translate your FSv1 
actions into FSv2 ordered actions for storing in a common FSv1-FSv2 flow 
specification data base. 
</t>
<t>Example 3: Mixed Flow Specification Support - 
<list>
<t>Suppose an FSv2 peer (BGP Peer A) has the capability to send either FSv1 or FSv2.
  BGP Peer A peers with BGP Peers B, C, D and E.  
</t>
<t>BGP Peer B can only send FSv1 routes (NLRI + Extended Community). 
BGP Peer C can send FSv2 routes (NLRI + path attributes (wide community or extended community or none)).  
BGP Peer D cannot send any FS routes.  BGP E can send FSv2 and FSv1 routes
</t>
<t>BGP Peer A sends FSv1 routes in its databases to BGP B.  
Since the FSv2 NLRI cannot be sent to the FSv1 peer, only the FSv1 NLRI is sent. 
BGP Peer A sends to BGP C the FSv2 routes in its database (configured or received).  
</t>
<t>BGP peer A would not send the FSv1 NLRI or FSv2 NLRI to BGP Peer D.  
The BGP Peer D does not support for these NLRI.   
</t>
<t>BGP Peer A sends the NLRI for both FSv1 and FSv2 to BGP Peer E.  
</t>
</list>
<figure>
<artwork>
      +---------+                       +---------+
      |    A    |=======================|    C    |
      |FSv1+FSv2|.                   . .|  FSv2   |
      +---------+ .                 .   +---------+
       ||  |   \   .               .      .     ||
       ||  |    \   . . . . . . . . .     .     ||
       ||  |     \               .   .    .     ||
       ||  |      \-----\      .      .   .     ||
       ||  |             \    .        .  .     ||
      +---------+       +------+       +-----+  ||
      |    E    |-------|  B   |. . . .|  D  |  ||
      |FSv1+FSv2|       | FSv1 |       |no FS|  ||
      +---------+       +------+       +-----+  ||
        ||     .                         .      ||
        ||     . . . . . . . . . . . . . .      ||
        ||                                      ||
        |========================================|
   
        Double line = FSv2
        Single line = FSv1
        Dotted line = BGP peering with no FlowSpec

         Figure 6-2: FSv1 and FVs2 Peering

</artwork>
</figure>
</t>
</section>
</section> 
<section title="Scalability and Aspirations for FSv2">
<t>Operational issues drive the deployment of BGP flow specification as a quick 
and scalable way to distribute filters.  The early operations accepted the 
fact validation of the distribution of filter needed to be done outside of 
the BGP distribution mechanism.  Other mechanisms (NETCONF/RESTCONF or PCEP) 
have reply-request protocols.  
</t>
<t>These features within BGP have not changed. BGP still does not have an 
action-reply feature. 
</t>
<t>NETCONF/RESTCONF latest enhancements provide action/response features which 
scale.  The combination of a quick distribution of filters via BGP and a 
long-term action in NETCONF/RESTCONF that ask for reporting of the
installation of FSv2 filters may provide the best scalability.  
</t>
<t>The combination of NETCONF/RESTCONF network management protocols and BGP focuses each 
protocol on the strengths of scalability.  
</t>
<t>FSv2 will be deployed in webs of BGP peers which have some BGP peers passing 
FSv1, some BGP peers passing FSv2, some BGP peers passing FSv1 and FSv2, and 
some BGP peers not passing any routes. 
</t>
<t>The TLV encoding and deterministic behaviors of FSv2 will not deprecate the 
need for careful design of the distribution of flow specification filters in 
this mixed environment.  The needs of networks for flow specification are 
different depending on the network topology and the deployment technology 
for BGP peers sending flow specification.  
</t>
<t>Suppose we have a centralized RR connected to DDoS processing sending out 
flow specification to a second tier of RR who distribute the information to 
targeted nodes. This type of distribution has one set of needs for FSv2 and 
the transition from FSv1 to FSv2
</t>
<t>Suppose we have Data Center with a 3-tier backbone trying to distribute DDoS 
or other filters from the spine to combinational nodes, to the leaf BGP 
nodes.  The BGP peers may use RR or normal BGP distribution. This deployment
has another set of needs for FSv2 and the transition from FSv1 to FSV2. 
</t>
<t>Suppose we have a corporate network with a few AS sending DDoS filters using 
basic BGP from a variety of sites. Perhaps the corporate network will be 
satisfied with FSv1 for a long time. 
</t> 
<t>These examples are given to indicate that BGP FSv2, like so many BGP 
protocols, needs to be carefully tuned to aid the mitigation services within 
the network. This protocol suite starts the migration toward better tools 
using FSv2, but it does not end it.  With FSv2 TLVs and deterministic 
actions, new operational mechanisms can start to be understood and utilized.  
</t>
<t>This FSv2 specification is merely the start of a revolution of work – not the end. 
</t>
</section>
<section title="Optional Security Additions">
<t>This section discusses the optional BGP Security additions for BGP-FS v2
relating to BGPSEC <xref target="RFC8205"></xref> and ROA <xref target="RFC6482"></xref>. 
</t> 
 <section title="BGP FSv2 and BGPSEC">
 <t> Flow specification v1 (<xref target="RFC8955"></xref> and <xref target="RFC8956"></xref>)
do not comment on how BGP Flow specifications to be passed BGPSEC <xref target="RFC8205"></xref>
  BGP Flow Specification v2 can be passed in BGPSEC, but it is not required. 
  </t>
  <t>FSv1 and FSv2 may be sent via BGPSEC. 
  </t>
</section>
  <section title="BGP FSv2 with ROA">
  <t>
  BGP FSv2 can utilize ROAs in the validation. If BGP FSv2 is 
  used with BGPSEC and ROA, the first thing is to validate the 
  route within BGPSEC and second to utilize BGP ROA to validate
  the route origin. 
  </t>
  <t> The BGP-FS peers using both ROA and BGP-FS validation 
  determine that a BGP Flow specification is valid
  if and only if one of the following cases: 
  <list style="symbols">
  <t>If the BGP Flow Specification NLRI has a IPv4 or 
  IPv6 address in destination address match
  filter and the following is true:
  <list style="symbols">
  <t>A BGP ROA has been received to validate the originator, and</t>
  <t>The route is the best-match unicast route for the destination
  prefix embedded in the match filter; or </t>
  </list>
  </t>
  <t>If a BGP ROA has not been received that matches the 
  IPv4 or IPv6 destination address in the destination filter, the 
  match filter must abide by the <xref target="RFC8955"></xref> and
  <xref target="RFC8956"></xref> validation rules as follows:  
  <list>
  <t>The originator match of the flow specification matches the
  originator of the best-match unicast route for the destination
  prefix filter embedded in the flow specification", and
  </t>
  <t>No more specific unicast routes exist when compared with the 
   flow destination prefix that have been received from a different
   neighboring AS than the best-match unicast route, which has been 
   determined in step A.
   </t>
  </list>
  </t>
  </list>
  The best match is defined to be the longest-match NLRI with the highest preference. 
</t>
</section>
</section>
 <section anchor="IANA" title="IANA Considerations">
   <t>This section complies with <xref target="RFC7153"></xref>.
   </t>
   <section title="Flow Specification V2 SAFIs">
   <t> IANA is requested to assign two SAFI Values in the 
   registry at https://www.iana.org/assignments/safi-namespace 
   from the Standard Action Range as follows: 
   <figure>
   <artwork>
      Value   Description      Reference
     -----   -------------    ---------------
      TBD1   BGP FSv2        [this document] 
      TBD2   BGP FSv2 VPN    [this document]

   </artwork>
   </figure>
   </t>
   </section>
   <section title="BGP Capability Code">
   <t>
   IANA is requested to assign a Capability Code from the registry at 
   https://www.iana.org/assignments/capability-codes/ from the IETF Review
   range as follows:
    <figure>
   <artwork>                                                    
   Value   Description            Reference       Controller
   -----  ---------------------  ---------------  ----------
    TBD3  Flow Specification V2  [this document]  IETF
  </artwork>
   </figure>
   </t>
   </section>
   <section title="Filter IP Component types">
   <t>IANA is requested to indicate [this draft] as a reference on the 
   following assignments in the Flow Specification Component Types 
   Registry: 
   </t>
   <t>
   <figure>
   <artwork>
Value  Description         Reference        
-----  ------------------- ------------------------
 1     Destination filter  [RFC8955][RFC8956][this document] 
 2     Source Prefix       [RFC8955][RFC8956][this document] 
 3     IP Protocol         [RFC8955][RFC8956][this document] 
 4     Port                [RFC8955][RFC8956][this document]   
 5     Destination Port    [RFC8955][RFC8956][this document] 
 6     Source Port         [RFC8955][RFC8956][this document] 
 7     ICMP Type [v4 or v6][RFC8955][RFC8956][this document] 
 8     ICMP Code [v4 or v6][RFC8955][RFC8956][this document] 
 9     TCP Flags [v4]      [RFC8955][RFC8956][this document] 
 10    Packet Length       [RFC8955][RFC8956][this document] 
 11    DSCP marking        [RFC8955][RFC8956][this document] 
 12    Fragment            [RFC8955][RFC8956][this document] 
 13    Flow Label          [RFC8956][this document] 
 14    TTL                 [this document]
 15    Partial SID         [draft-ietf-idr-flowspec-srv6]
                           [this document] 
 16    MPLS Label Match 1  [this document] 
                           [draft-ietf-idr-flowspec-mpls-match]
 17    MPLS Label Match 2  [this document]  
                           [draft-ietf-idr-flowspec-mpls-match]
 
   </artwork>
   </figure>
   </t>
   </section>
   <section title="FSV2 NLRI TLV Types ">
   <t>IANA is requested to create the following two new registries 
      on a new "Flow Specification v2 TLV Types” web page.  
   </t>
   <t>
   <figure>
   <artwork>
   Name: BGP FSv2 TLV types 
   Reference: [this document]
   Registration Procedures: 0x01-0x3FFF Standards Action.

    Type          Use                     Reference
   -----          ---------------         ---------------
    0x00          Reserved                [this document]
    0x01          IP traffic rules        [this document]
    0x02          FSv2 Actions            [this document]
    0x03          L2 traffic rules        [this document]
    0x04          tunnel traffic rules    [this document]
    0x05          SFC AFI filter rules    [this document] 
    0x06          BGP/MPLS VPN IP 
                   traffic rules          [this document]
    0x07          BGP/MPLS VPN L2 
                    traffic rules         [this document]
    0x08-0x3FFF   Unassigned              [this document]
    0x4000-0x7FFF Vendor specific         [this document]
    0x8000-0xFFFF Reserved                [this document]

   </artwork>
   </figure>
   </t>
   <t>
   <figure>
   <artwork>
   
   Name: BGP FSv2 Action types 
   Reference: [this document]
   Registration Procedure: 0x01-0x3FFF Standards Action.

    Type     Use                           Reference
   -----  ---------------                 ---------------
   0x00   Reserved                        [this document]
   0x01   ACO: Action Chain Operation 	  [this document]
   0x02   TAIS: Traffic actions per 
          interface group                 [this document]
   0x03   Unassigned                      [this document]
   0x04   Unassigned                      [this document]		 
   0x05   Unassigned                      [this document]
   0x06   TRB: traffic rate 
           limited by bytes                [this document]
   0x07   TA: Traffic action 
          (terminal/sample)               [this document]  
   0x08   RDIPv4: redirect IPv4           [this document] 
   0x09   TM: traffic marking (DSCP)      [this document] 
   0x0A   AL2: associate L2 Information   [this document] 
   0x0B   AET: associate E-Tree 
           information                    [this document]  
   0x0C   TRP: traffic rate 
           limited by packets             [this document] 
   0x0D   RDIPv6: Redirect to IPv6        [this document]    
   0x0E   TISFC: Traffic insertion 
           to SFC                         [this document]
   0x0F   RDIID: Redirect 
           to indirection-iD              [this document]
   0x10   MPLS Label Action               [this document]
   0x11   unassigned                      [this document]
   0x12   unassigned                      [this document]
   0x13   unassigned                      [this document]
   0x14   unassigned                      [this document]
   0x15   unassigned                      [this document]
   0x16   VLAN action                     [this document]
   0x17   TIPD action                     [this document]
   0x18-
   0x3ff  Unassigned                      [this document]
   0x4000-
   0x7fff Vendor assigned                 [this document]
   0x8000-
   0xFFFF Reserved                        [this document]
   </artwork>
   </figure>
   </t>
   </section> 
   <section title="Wide Community Assignments">
   <t>
   IANA is requested to assign values in the 
   BGP Community Container Atom Type Registry
   <figure> 
   <artwork>
   Name                    Type value 
   -----                   -----------
   FSv2 action atom        TBD5
   
   </artwork>
   </figure>
   </t>
   <t>   
   IANA is requested to assign values from the 
   Registered Type 1 BGP Wide Community Types: 
   <figure> 
   <artwork>

   Name                    type Value 
   ------                  -----------
   FSv2 Actions            TBD4 
   
   </artwork>
   </figure>
   </t>
   </section>
 </section>
 <section title="Security Considerations">
   <t>The use of ROA improves on <xref target="RFC8955"></xref>
   by checking to see of the route origination. This check can improve the 
   validation sequence for a multiple-AS environment.  
   </t>
   <t>>The use of BGPSEC  <xref target="RFC8205"></xref> to secure the packet
   can increase security of BGP flow specification information sent in the packet.  
   </t>
   <t>The use of the reduced validation within an AS <xref target="RFC9117"></xref>
   can provide adequate validation for distribution of flow specification within a single 
   autonomous system for prevention of DDoS. 
   </t>
   <t>Distribution of flow filters may provide insight into traffic being sent within 
   an AS, but this information should be composite information that does not reveal the
   traffic patterns of individuals. 
   </t>
</section>
</middle>
<back>
    <references title="Normative References">
	  &RFC0791;
      &RFC2119;
	  &RFC3032;
      &RFC4271;
	  &RFC4360;
	  &RFC4760;
	  &RFC5065;
	  &RFC5701;
	  &RFC6482;
	  &RFC7153;
	  &RFC7606;
	  &RFC8174;
	  &RFC8955;
	  &RFC8956;
	  &RFC9015;
	  &RFC9117;
	  &RFC9184;
	  &I-D.ietf-idr-wide-bgp-communities;
	  &I-D.ietf-idr-flowspec-l2vpn;
	  &I-D.ietf-idr-flowspec-nvo3;
	  &I-D.ietf-idr-flowspec-srv6;
	  &I-D.ietf-idr-flowspec-interfaceset;
	  &I-D.ietf-idr-flowspec-path-redirect;
	  &I-D.ietf-idr-flowspec-mpls-match;
	  &I-D.ietf-idr-bgp-flowspec-label;
	</references>
	<references title="Informative References">
	&RFC6241; 
	&RFC8040;
	&RFC8205;
	&RFC8206;
	&I-D.ietf-idr-flowspec-v2;
	 </references>
  </back>
</rfc>