IDR Working Group S. Hares Internet-Draft Hickory Hill Consulting Intended status: Standards Track 8 May 2024 Expires: 9 November 2024 BGP Flow Specification Version 2 - More IP Actions draft-hares-idr-fsv2-more-ip-actions-00 Abstract The BGP flow specification version 2 (FSv2) for Basic IP defines user ordering of filters along with FSv1 IP Filters and FSv1 actions. This draft suggests additional IP Filters for Flow Specification FSv2. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 9 November 2024. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Hares Expires 9 November 2024 [Page 1] Internet-Draft BGP FlowSpec v2 May 2024 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Definitions and Acronyms . . . . . . . . . . . . . . . . 4 1.2. RFC 2119 language . . . . . . . . . . . . . . . . . . . . 5 2. Format of FSv2 Actions . . . . . . . . . . . . . . . . . . . 5 2.1. Encoding FSv2 Actions in Generic Transitive Communities . . . . . . . . . . . . . . . . . . . . . . . 6 2.2. Encoding Path Forwarding in IPv4 Transitive Extended Communities . . . . . . . . . . . . . . . . . . . . . . . 8 2.3. Encoding FSv2 Actions in IPv6 Extended Community . . . . 9 2.4. FSv2 Actions encoded in Community Attribute . . . . . . . 10 2.4.1. FSv2 Actions in Community Path Attribute . . . . . . 10 3. Conflicts in FSvv2 Extended Communities Actions . . . . . . . 11 3.1. Conflicts between FSv1 Actions . . . . . . . . . . . . . 11 4. Actions Proposed for FSv2 for Basic IP . . . . . . . . . . . 12 4.1. Action Chain Ordering . . . . . . . . . . . . . . . . . . 13 4.1.1. Option 1: Action Chain operation IPv4 Extended (ACO)(1, 0x01) . . . . . . . . . . . . . . . . . . . . . . . . 13 4.1.2. Option 2: Action Chain operation encoded in IPv4 Traffic Action (0x07) . . . . . . . . . . . . . . . . 14 5. Actions Proposed for FSv2 Actions . . . . . . . . . . . . . . 15 5.1. Summary of FSv2 Extended Community [FSv2-EC] in WG (actual or proposed) . . . . . . . . . . . . . . . . . . . . . . 15 5.2. Actions proposed for FSv2 Community Path Attribte . . . . 16 6. Validation and Ordering of Actions . . . . . . . . . . . . . 17 6.1. Validation of Flow Specification Actions . . . . . . . . 17 6.2. Ordering of Actions . . . . . . . . . . . . . . . . . . . 18 6.3. Summary of FSv2 ordering . . . . . . . . . . . . . . . . 18 7. Error handling . . . . . . . . . . . . . . . . . . . . . . . 19 8. Example for Ordering of the Actions . . . . . . . . . . . . . 20 8.1. Example of Action Chain Operation (ACO) . . . . . . . . . 20 8.1.1. Example 1 - Default ACO . . . . . . . . . . . . . . . 20 8.1.2. Example 2: Redirect traffic over limit to processing via SFC . . . . . . . . . . . . . . . . . . . . . . . 21 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 9.1. FSV2 Action TLV Types . . . . . . . . . . . . . . . . . . 23 9.2. Wide Community Assignments . . . . . . . . . . . . . . . 24 10. Security Considerations . . . . . . . . . . . . . . . . . . . 25 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 25 11.1. Normative References . . . . . . . . . . . . . . . . . . 25 11.2. Informative References . . . . . . . . . . . . . . . . . 28 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 29 Hares Expires 9 November 2024 [Page 2] Internet-Draft BGP FlowSpec v2 May 2024 1. Introduction Version 2 of BGP flow specification was original defined in [I-D.ietf-idr-flowspec-v2] (denoted FSv2). However, the full FSv2 specification contains more than initial implementers desired. Therefore, this original FSv2 draft remains an WG draft, but the content will be split out into functions that implementers can manage. Section 1.4 contains the list of documents intended to be the split of the original FSv2 documents. FSv2 specifies new user-ordered filters that will be used with the IPv4 (AFI=1) and IPv6 (AFI=2) 2 new SAFIs (TBD1, TBD2) for FSv2 to be used with 5 AFIs (1, 2, 6, 25, and 31) to allow user-ordered lists of traffic match filters for user-ordered traffic match actions encoded in Communities (Wide or Extended). This draft specifies defines extensions to the FSv2 Basic IP package [I-D.hares-idr-fsv2-ip-basic]to support additional IP filters for IP packet and payload. The filters are passed in the Extended IP Filters (type 2) of the subTLVs. This filter form contains a filter version number so filters can be added easily. BGP Flow Specifiction version 1 (FSv1) as defined in [RFC8955], [RFC8956], and [RFC9117] specified 2 SAFIs (133, 134) to be used with IPv4 AFI (AFI = 1) and IPv6 AFI (AFI=2). FSV2 specifies 2 new SAFIs (TBD1, TBD2) for FSv2 to be used with 5 AFIs (1, 2, 6, 25, and 31) to allow user-ordered lists of traffic match filters for user-ordered traffic match actions encoded in Communities (Wide or Extended). The first SAFI (TBD1) will be used for IP forwarding, and the second SAFI (TBD2) will be used with VPNs. The supported AFI/SAFI combinations in FSV2 are: * IPV4 (AFI=1, SAFI=TBD1), * IPv6 (AFI=2, SAFI=TBD1), * L2 (AFI=6, SAFI=TBD1), * SFC (AFI=31, SAFI=TBD1), * BGP/MPLS IPv4 VPN (AFI=1, SAFI=TBD2), * BGP/MPLS IPV6 VPN (AFI=2, SAFI=TBD2), * BGP/MPLS L2VPN (AFI=25, SAFI=TBD2), and * SFC VPN (AFI=31, SAFI=TBD2) Hares Expires 9 November 2024 [Page 3] Internet-Draft BGP FlowSpec v2 May 2024 FSv2 specifies new IP filter that will be used with the IPv4 (AFI=1) and IPv6 (AFI=2) 2 new SAFIs (TBD1, TBD2) for FSv2 to be used with 5 AFIs (1, 2, 6, 25, and 31) to allow user-ordered lists of traffic match filters for user-ordered traffic match actions encoded in Communities (Wide or Extended). This document specifies IP filters used with IPvr (AFI=1) and IPv6 (AFI=2). FSv1 and FSv2 use different AFI/SAFIs to send flow specification filters. Since BGP route selection is performed per AFI/SAFI, this approach can be termed “ships in the night” based on AFI/SAFI. Section 2 contains a description of the format of the FSv2 actions in Extended Communities and Wide Communities. The issue with Extended Communities is that multiple Extended Communities might conflict with each other. Section 3 describes which FSv2 actions defined for Extended Communities might conflict each other. Sections 4 and 5 provide a short description of new actions proposed for FSv2. Section 4 provides a description of the Action Chain Ordering proposed for the FSv2 for Basic IP ([I-D.hares-idr-fsv2-ip-basic]. Section 5 lists the potential new actions from FSv2 actions described in IDR WG drafts or proposed as individual drafts. Sections 6, 7, and 8 provide information on validation, ordering, and error handling of FSv2 actions. Section 6 describes validation of actions and ordering of actions (user ordered and default). Section 7 describes error handling for FSv2 actions. Section 8 provides an example for ordering of actions. Section 9 provides details on IANA considerations 1.1. Definitions and Acronyms AFI - Address Family Identifier AS - Autonomous System BGPSEC - secure BGP [RFC8205] updated by [RFC8206] BGP Session ephemeral state - state which does not survive the loss of BGP peer session. Configuration state - state which persist across a reboot of software module within a routing system or a reboot of a hardware routing device. Hares Expires 9 November 2024 [Page 4] Internet-Draft BGP FlowSpec v2 May 2024 DDOs - Distributed Denial of Service. Ephemeral state - state which does not survive the reboot of a software module, or a hardware reboot. Ephemeral state can be ephemeral configuration state or operational state. FSv1 - Flow Specification version 1 [RFC8955] [RFC8956] FSv2 - Flow Specification version 2 (this document) NETCONF - The Network Configuration Protocol [RFC6241]. RESTCONF - The RESTCONF configuration Protocol [RFC8040] RIB - Routing Information Base. ROA - Route Origin Authentication [RFC6482] RR - Route Reflector. SAFI – Subsequent Address Family Identifier 1.2. RFC 2119 language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals as shown here. 2. Format of FSv2 Actions The FSv2 actions may be sent in an Extended Community or a Wide Community. User ordering of FSv2 actions requires using Wide Communities. This section review FSv1 actions in Extended Communities (IPv4 and IPv6), conflicts between FSv1 actions, and the format Wide Community attribute for FSv2 actions. This section provides background on FSv2 actions beyond the FSv1 actions that will be carried over into FSv2 specifications. The Extended Community encodes the Flow Specification actions in the Extended IPv4 Community format [RFC4360] or in the extended IPv6 Community format [RFC5701]. The Extended Community actions cannot be ordered by the user, but will be ordered by default. The implementer and the operator must be aware of interactions between any FSv2 actions must be specified in the extended community. Hares Expires 9 November 2024 [Page 5] Internet-Draft BGP FlowSpec v2 May 2024 The Community attribute [I-D.ietf-idr-wide-bgp-communities] describes an attribute with flexible format for specifying community information This specification specifies with a new FSv2 specific type (type = TBD) can support user ordered actions and dependency between actions. This specification only specifies that format to provide hints for the implementer This section first describes the following Information elated to FSv2 Actions in Extended Communities: * Generic Transitive Extended Communities for FSv2 Actions (FS-TG- EC) [RFC8955] * Transitive Extended Communities for redirect. This includes: - (Generalized redirection ID with Sequencing and copy) [I-D.ietf-idr-flowspec-path-redirect] - Redirect plus Copy bit [I-D.ietf-idr-flowspec-redirect-ip] - Transitive IPv6-Address Extended Community formats for FSv2 actions [RFC8956] 2.1. Encoding FSv2 Actions in Generic Transitive Communities The FSv2 actions encoded in Generic Transitive communities inherit the FSv1 actions in Generic Transitive communities. The Extended Community encodes the Flow Specification actions in the Extended Community format as generic transitive extended communities per [RFC4360] per [RFC8955], [RFC9117], and [RFC9184]. The format of the these actions can be: Generic Transitive Extended Community (0x80): where the Sub-Types are defined in the Generic Transitive Extended Community Sub-Types registry. Generic Transitive Extended Community Part 2(0x81): where the Sub- Types are defined in the Generic Transitive Extended Community Part 2 Sub-Types registry. Transitive Four-Octet AS-Specific Extended Communit(0x82): where the Sub-Types defined in the Generic Transitive Extended Community Part 3 Sub-Types registry. Generic Transitive Extended Community Part 3 (0x83): where the Sub- Hares Expires 9 November 2024 [Page 6] Internet-Draft BGP FlowSpec v2 May 2024 Types defined in the Transitive Opaque Extended Community Sub- Types" registry. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type high | Type low(*) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (6 octets) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3-9 Table x-x Generic Transitive Extended Community Part 1 - (0x80) IPv4 Extended Communities (Type 0x80) Value Description Name Reference ===== ======================= ===== ========== 0x01 FSv2 Action Chain Ordering ACO [This document] 0x06 FSv2 traffic-rate-byte TRB [RFC8955] 0x07 Flow spec traffic-action TAIS [RFC8955] 0x08 Flow spec rt-redirect RDIP [RFC8955] AS-2 octet format 0x09 Flow spec Remark DSCP TMDS [RFC8955] 0x0C Flow Spec Traffic-rate-packets TRP [RFC8955] 0xOD Flow Spec for SFC classifiers SFCC [RFC9015] Figure 3-10 Table x-x Generic Transitive Extended Community Part 2 (0x81) IPv4 Extended Communities FSv2 action (Type 0x81) Value Description Name Reference ===== ======================= ===== ========== 0x08 Flow spec rt-redirect RDIP [RFC8955] Figure 3-11 Hares Expires 9 November 2024 [Page 7] Internet-Draft BGP FlowSpec v2 May 2024 Table x-x Generic Transitive Extended Community Part 3 (Type 0x82) Value Description Name Reference ===== ======================= ==== ========== 0x08 Flow spec rt-redirect RDIP [RFC8955] AS-4 octet format Figure 3-12 Table x-x: Traffic Action bits Bit Name Name Reference ===== =============== ==== ========== 47 Terminal Action TAct [RFC8955] 46 Sample Samp [RFC8955] 45 Copy Copy [this document] 44 Drop drop [this document] Figure 3-13 2.2. Encoding Path Forwarding in IPv4 Transitive Extended Communities FSv2 needs to refine the following Transitive Extended Communities that are not "Transitive Generic Communities" to a specific set of functions. These features provide overlapping functions. While some of these features are implemented, these actions should be be reviewed. There are three types of functions: * Active filters on interfaces in group for inbound or outbound data traffic * Redirect to an IP address. Optionally perform a traffic action (copy) * Redirect to an Indirection ID of a specific type. Optionally perform a traffic action (copy). Hares Expires 9 November 2024 [Page 8] Internet-Draft BGP FlowSpec v2 May 2024 Table x-x Transitive Extended Community types (T-EC-types) sub-type FSv1 Description Name Reference ======== ================== ===== ================= 0x07 FS Interface set Ifset [IDR-WG-ifset] 0x08 FS Redirect/ RIPv4 [IDR-WG-redirect-ip] Mirror 0x09 FS Redirect to Indirection-id RGID [IDR-WG-redirect-iid] Figure 3-14 [IDR-WG-ifset] [I-D.ietf-idr-flowspec-interfaceset] [IDR-WG-redirect-ip] [I-D.ietf-idr-flowspec-redirect-ip] [IDR-WG-redirect-iid] [I-D.ietf-idr-flowspec-path-redirect] 2.3. Encoding FSv2 Actions in IPv6 Extended Community The IPv6 Extended Community encodes the Flow Specification actions in the Extended Community format [RFC5701] per [RFC8956], [RFC9117], and [RFC9184] in the transitive opaque format. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Sub-type | Global Administrator | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | Global Administrator (cont.) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Global Administrator (cont.) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Global Administrator (cont.) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Global Administrator (cont.) | Local Administrator | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3-15 The 20 octets of value are given in the following format: Global Administrator: IPv6 address assigned by Internet Registry Local Administrator: 2 bytes of Local Administrator Hares Expires 9 November 2024 [Page 9] Internet-Draft BGP FlowSpec v2 May 2024 Table x-x transitive IPv6-Address-Specific Actions Value Description Name Reference ===== ======================= ===== ========== 0x01 Flow Spec Action Chain ACO [This document] 0x0C Flow Spec redirect-v6-flag RD6F [IDR-WG-RD6f] 0x0D Flow Spec rt-redirect RDv6 ]RFC8956] IPv6 format > Figure 3-16 [RFC8956] - [RFC8956] IDR-WG-RD6F - [I-D.ietf-idr-flowspec-redirect-ip] 2.4. FSv2 Actions encoded in Community Attribute The user ordered FSv2 Actions use the Communities Path Attribute defined in [I-D.ietf-idr-wide-bgp-communities]. The Community BGP Path attribute is a flexible Community container which allows different formats for different community applications. The FSv2 Community Type ([FSv2-CA], type=TBD1) is only used for FSv2 user- ordered actions. If both the Extended Community FSv2 Actions (FSv2-EC) and the FSv2 Community Attribute actions are specified (FSv2-CA) then the default preference will be the FSv2-CA prior to the FSv2-EC. This preference may be changed based on a configuration knob. However, this configuration MUST be consistent within an Autonomous System or a group of Autonomous Systems where both the FSv2-CA and FSv2-EC are deployed. 2.4.1. FSv2 Actions in Community Path Attribute TheCommunity attribute (Type = BGP Community Container, value 34) Community Path attribute common header 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 2 FSv2 | Flags |C|T| Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length |+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ figure 3-18 Hares Expires 9 November 2024 [Page 10] Internet-Draft BGP FlowSpec v2 May 2024 where: Type = the type of community (Type 1 or Type 2) Flag = include an octet of bits with only two bit that can be set T = 1 - Transitive across AS boundaries T = 0 - Non-Transitive across AS boundaries C = 1 - Transitive across Confederation boundaries C = 0 - Non-Transitive across Confederation boundaries figure 3-19 The FSv2 Action TLVs have the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | User Action order | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Dependency chain ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence of Action TLVs | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Each Action TLV has the format: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Action type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence of Action TLVs | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ figure 3-20 3. Conflicts in FSvv2 Extended Communities Actions 3.1. Conflicts between FSv1 Actions Hares Expires 9 November 2024 [Page 11] Internet-Draft BGP FlowSpec v2 May 2024 Table x-x: Conflicts between FSv2 Transitive Generic IPv4 actions IPv4 Extended Communities (Type 0x80) Value Name Conflicts with ===== ===== ======================== 0x01 ACO none 0x06 TRB TRP 0x07 TAIS duplication also done in RDIP, RIPv4, RGID 0x08 RDIP redirection done in RIPv4, RGID copy done in TAIS 0x09 TMDS none 0x0C TRP TRB 0xOD SFCC none Figure 3-17 Table x-x Transitive IPv6-Address-Specific Actions Value Name Conflicts with ===== ====== ================= 0x01 ACO none 0x0C RD6F RDv6 0x0D RDv6 RD6F Figure 3-17 4. Actions Proposed for FSv2 for Basic IP The long-term goal of the FSv2 actions is to allow user ordering of the flow specification actions. Only Wide Communities provide enough structured space for user ordering of actions. The IDR WG draft [I-D.ietf-idr-flowspec-v2] contains the long-term plan for FSv2 filters with actions. To provide an easy migration between FSv1 and FSv2, a sequence of drafts will break allow adding of additional actions to the basic IP DDOS actions in the Extended Community. The Basic IP DDOS FSv2 will support existing IPv4 from [RFC8955], and existing IPv6 actions from [RFC8956] and one additional feature for action chain ordering (ACO). An action chain for FSv2 Extended Community actions is defined as a series of Extended Communities which are attached to a set of filters. Hares Expires 9 November 2024 [Page 12] Internet-Draft BGP FlowSpec v2 May 2024 The action chain ordering (ACO)action provides a set of flags that define a clear action if failure occurs. One of the issues with FSv1 is the lack of a clear definition on what happens if multiple actions interact. The existance of the Action chain ordering action enforces that the actions will have a deterministic outcome during failures. The AC-Failure types are: * 0x00 – default – stop on failure * 0x01 – continue on failure (best effort on actions) * 0x02 – conditional stop on failure (depends on AC-Failure-value/ policy) * 0x03 – rollback do all or nothing (depends on AC-Failure-value/ policy) Editors note: The following options for encoding ACO exist. Option 1: redefine bits in Traffic Action subtype Option 2: create a new Extended Community 4.1. Action Chain Ordering 4.1.1. Option 1: Action Chain operation IPv4 Extended (ACO)(1, 0x01) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type high | Type low(01) |AC-failure-type| AC-Failure | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AC-Failure-value (cont.) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ SubTLV: 0x01 Length: 6 octets Value: AC-dependence - 1 octet byte of flag regarding dependency AC-failure-type – 1 octet byte that determines the action on failure AC-failure-value – variable depending on AC-failure-type. Hares Expires 9 November 2024 [Page 13] Internet-Draft BGP FlowSpec v2 May 2024 Actions may succeed or fail and an Action chain must deal with it. The default value stored for an action chain that does not have this action chain is “stop on failure”. where: AC-Failure types are: - 0x00 – default – stop on failure - 0x01 – continue on failure (best effort on actions) - 0x02 – conditional stop on failure – depending on AC-Failure- value - 0x03 – rollback – do all or nothing - depending in AC-Failure- value AC-Failure values: TBD Interactions with other actions: Interactions with all other Actions Ordering within Action type: By AC-Failure type 4.1.2. Option 2: Action Chain operation encoded in IPv4 Traffic Action (0x07) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type high | Type low(07) |traffic action field (zero) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AC-Failure-value (cont.) | ACO |S|T| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Where ACO - is the Action Chain failure types (0x00 to 0x03) 00 - stop on failure 01 - continue on failure 02 - conditional stop on failure (by policy) 03 - rollback on failure (with policy) S - Sample flag T - Terminal action Hares Expires 9 November 2024 [Page 14] Internet-Draft BGP FlowSpec v2 May 2024 5. Actions Proposed for FSv2 Actions 5.1. Summary of FSv2 Extended Community [FSv2-EC] in WG (actual or proposed) Table 4 shows the actions for Extended-Communities FSv2 actions from IDR RFCs, IDR WG drafts and drafts proposed to IDR. Table 6 has FSv2 actions proposed for IPv6. Table 5 contains FSv2 actions that are non-IP actions from IDR WG drafts, and draft proposals. Often, non- IP actions are often linked to IP filters. Table 4 All IP Actions in Extended Communities act-id Name Description Document ====== ===== ================ ====================== 00 RSV Reserved [this document] 01 ACO action chain order [this document] 02 TBA Unassigned [this document] 03 TAIS traffic actions [IDR-FSv2-ifset] per interface group 04 TBA to be assigned [this document] 05 TBA to be assigned [this document] 06 TRB traffic rate [RFC8955] limited by bytes 07 TA traffic action [RFC8955] (terminal/sample) 08 RDIP Redirect IPv4 [IDR-FSv2-RDP-ip] 09 TM Mark DSCP value {RFC8955] 10 TBA Unassigned [this document] 11 TBA Unassigned [this document] 12 TRP traffic rate [RFC8955] limit by packet 13 TISFC SFC Classifier [RFC9015] 14 RDIID redirect to [IDR-FSv2-RDPIID] Indirection-id [PD-FSv2-mobility] move from 0x00) 15 TBA Unassigned [this document] 16 TBA Unassigned [this document] 17 NRP-ID Encapsulate [IDR-net-slice-ts] NRP-ID value 18 GrP-ID Set Group ID [PD-peng-group-sub] Figure 3-15 Hares Expires 9 November 2024 [Page 15] Internet-Draft BGP FlowSpec v2 May 2024 Short-name Filename ================= =============================== IDR-FSv2-ifset draft-ietf-idr-flowspec-interfaceset-05 IDR-FSv2-linkbw draft-ietf-idr-linkbandwidth IDR-FSv2-RDP-ip draft-ietf-idr-flowspec-redirect-ip-02 IDR-FSv2-RDPIID draft-ietf-idr-flowspec-redirect-path IDR-net-slice-ts draft-ietf-idr-flowspec-network-slide-ts-02 IDR-FSv2-L2VPN draft-ietf-idr-flowspec-l2vpn-17 PD-FSv2-mobility draft-dmc-flowspec-tn-aware-mobility PD-peng-group-sub draft-peng-idr-apn-bgp-flowspec-00 PD-redirect-IPv6 draft-ietf0-idr-path-redirect-12 Table 5 All Non-IP Actions in Extended Communities act-id Name Description Reference ====== ===== ================ ================ 31 TISFC SFC classifier II [RFC9015]- moved 32 MPLSLA MPLS label action [RFC9015] - 33 VLAN VLAN-Action (0x16) [ID-FSv2-L2VPN] 34 TPID TPID-Action (0x17) [ID-FSv2-LVPN 24- TBA to be assigned 254 TBA (to be assigned) 255 reserved Figure 3-15 IPv6 Extended Communities (Type 1) Value Description Name Reference ===== ======================= ===== ========== 0x01 Flow Spec Action Chain ACO [This document] 0x0C Flow Spec redirect-v6-flag RD6F [PD-redirect-IPv6] 0x0D Flow Spec rt-redirect RD6 [RFC8956] IPv6 format 5.2. Actions proposed for FSv2 Community Path Attribte Hares Expires 9 November 2024 [Page 16] Internet-Draft BGP FlowSpec v2 May 2024 Table 7 All Actions Proposed for FSv2 Community Path Attribute act-id Name Description Document ====== ========= ============== ====================== TBD MatchSet Match and Set [I-D.ietf-idr-rpd] attribute TBD MatchNoA Match and No [I-D.ietf-idr-rpd] Advertise TBD DetLat Deterministic [PD-detnet-flow-mapping-05] Latency action TBD TSNMap Map flow to [PD-detnet-flow-mapping-05] TSN stream 6. Validation and Ordering of Actions The validation of FSv2 NLRI adheres to the combination of rules for general BGP FSv1 NLRI found in [RFC8955], [RFC8956], [RFC9117], and the specific additions made for SFC NLRI [RFC9015], and L2VPN NLRI [I-D.ietf-idr-flowspec-l2vpn]. The precedence for FSv2 actions are described in this section rather than simply referring to the relevant portions of these RFCs. Validation only occurs after BGP UPDATE message reception and the FSv2 NLRI and the path attributes relating to FSv2 (Extended community and Wide Community) have been determined to be well-formed. Any MALFORMED FSv2 NRLI is handled as a “TREAT as WITHDRAW” [RFC7606]. 6.1. Validation of Flow Specification Actions FSv2 actions may specify actions using Extended Communities or the path attribute Community with the FSv2 format. The FSv2 actions in Extended Communities and Wide communities can be associated with large number of NLRIs. Actions may conflict, duplicate, or complement other actions. An example of conflict is the packet rate limiting by byte and by packet. An example of a duplicate is the request to copy or sample a packet under one of the redirect functions (RDIPv4, RDIPv6, RDIID, ) Each FSv2 actions in this document defines the potential conflicts or duplications. Specifications for new FSv2 actions outside of this specification MUST specify interactions or conflicts with any FSv2 actions (that appear in this specification or subsequent specifications). Well-formed syntactically correct actions should be linked to a filtering rule in the order the actions should be taken. If one action in the ordered list fails, the default procedure is for the Hares Expires 9 November 2024 [Page 17] Internet-Draft BGP FlowSpec v2 May 2024 action process for this rule to stop and flag the error via system management. By explicit configuration, the action processing may continue after errors. Implementations MAY wish to log the actions taken by FS actions (FSv1 or FSv2). 6.2. Ordering of Actions The ordering of precedence for these actions in the case are: * Action user-order number zero is defined to have an Action type of “Set Action Chain operation” (ACO) that defines the default action chain process. * user order (1 to N-1) * Extended Community Actions {starting at N) By default, extended community actions are associated with default order number 32768 [0x8000] or a specific configured value for the FSv2 domain. Within the actions defined at the same order, the order is: Action ID (lowest to highest) If multiple Actions of the same value are define (e.g. Redirection to Indirection ID), the action must define the order. All Extended Community actions and Path Community attributes should be ordered in the same IP space. 6.3. Summary of FSv2 ordering Operators should use user-defined ordering to clearly specify the actions desired upon a match. The FSv2 actions default ordering is specified to provide deterministic order for actions which have the same user-defined order and same type. Hares Expires 9 November 2024 [Page 18] Internet-Draft BGP FlowSpec v2 May 2024 FS Action Value Order (lowest value to highest) (lowest to highest) ================================ ============================== 0x01: ACO: Action chain operation Failure flag 0x02: TAIS:Traffic actions per AS, then Group-ID, then Action ID Interface group 0x03-0x05 to be assigned TBD 0x06: TRB: Traffic rate limit AS, then float value by bytes 0x07: TA: Traffic Action traffic action value 0x08: RDIP: Redirect to IP AS, then IP Address, then ID 0x09: TM: Traffic Marking DSCP value (lowest to highest) 0x0A: AL2: Associated L2 Info. TBD 0x0B: AET: Associated E-tree Info. TBD 0x0C: TRP: Traffic Rate limit AS, then float value by bytes 0x0D: RDIPv6: Traffic Redirect to IPv6 AS, IPv6 value, then local Admin 0x0E: TISFC: Traffic insertion to SFC SPI, then SI, the SFT 0xOF: Redirect to Indirection-ID ID-type, then Generalized-ID 0x10: MPLSLA: MPLS Label stack order, action, label, Exp 0x16 – VLAN action rewrite-actions, VALN1, VLAN2, PCP-DE1, PCP-DE2 0x17 – TPID action rewrite actions, TP-ID-1, TP-ID-2 Figure 6-1 7. Error handling The following two error handling rules must be followed by all BGP speakers which support FSv2: * FSv2 NLRI having TLVs which do not have the correct lengths or syntax must be considered MALFORMED. * FSv2 NLRIs having TLVs which do not follow the above ordering rules described in section 4.1 MUST be considered as malformed by a BGP FSv2 propagator. The above two rules prevent any ambiguity that arises from the multiple copies of the same NLRI from multiple BGP FSv2 propagators. A BGP implementation SHOULD treat such malformed NLRIs as ‘Treat-as- withdraw’ [RFC7606] Hares Expires 9 November 2024 [Page 19] Internet-Draft BGP FlowSpec v2 May 2024 An implementation for a BGP speaker supporting both FSv1 and FSv2 MUST support the error handling for both FSv1 and FSv2. 8. Example for Ordering of the Actions 8.1. Example of Action Chain Operation (ACO) The “Action Chain Operation” (ACO) changes the way the actions after the current action in an action chain are handled after a failure. If no action chain operations are set, then the default action of “stop upon failure” (value 0x00) will be used for the chain. 8.1.1. Example 1 - Default ACO Use Case 1: Rate limit to 600 packets per second Description: The provider will support 600 packets per second All Packets sampled for reporting purposes and packet streams over 600 packets per second will be dropped. Suppose BGP Peer A has a * a Wide Community action with user-defined order 10 with Traffic Sampling * a Wide Community action with user-defined order 11 from AS 2020 that limits packet-based rate limit of 600 packets per second. * an Extended Community from AS 2020 that does limits packet-based rate limit of 50 packets per second. The FSv2 data base would store the following action chain: * at user-defined action order 10 - A user action of type 7 (traffic action) with values of Sampling and logging. * at user-defined action order 11 - a user action type of 12 (packet-based rate limit) with values of AS 2020 and float value for 600 packets per second (pps) * at user-defined action order 32768 (0x8000) with type 12 and values of A user action of type 12 with values of AS 2020 and float value of 50 packets/second. Normal action: Hares Expires 9 November 2024 [Page 20] Internet-Draft BGP FlowSpec v2 May 2024 The match on the traffic would cause a sample of the traffic (probably with packet rate saved in logging) followed by a rate limit to 600 pps. The Extended community action would further limit the rate to 50 packets per second. When does the action chain stop? The default process for the action chain is to stop on failure. If there is no failure, then all three actions would occur. This is probably not what the user wants. If there is failure at action 10 (sample and log), then there would be no rate limiting per packet (actions 11 and action 32768). If there is failure at action 11 (rate limit to packet 600), then there would be no rate limiting per packet (action 32768). The different options for Action chain ordering (ACO) have been worked on with NETCONF/RESTCONF configuration and actions. 8.1.2. Example 2: Redirect traffic over limit to processing via SFC Use case 2: Redirect traffic over limit to processing via SFC. Description: The normal function is for traffic over the limit to be forwarded for offline processing and reporting to a customer. Suppose we have the following 4 actions defined for a match: * Sent Redirect to indirection ID (0x01) with user-defined match 2 attached in wide community, * Traffic rate limit by bytes (0x07) with user-defined match 1 attached in wide community, * Traffic sample (0x07) sent in extended community, and * SF classifier Info (0x0E) sent in extended community. These 4 filters rate limit a potential DDoS attack by: a) redirect the packet to indirection ID (for slower speed processing), sample to local hardware, and forward the attack traffic via a SFC to a data collection box. The FSv2 action list for the match would look like this Action 0: Operation of action chain (0x01) (stop upon failure) Hares Expires 9 November 2024 [Page 21] Internet-Draft BGP FlowSpec v2 May 2024 Action 1: Traffic Rate limit by byte (0x07) Action 2: Redirect to Redirection ID (0x0F) Action 32768 (0x8000) Traffic Action (0x07) Sample Action 32768 (0x8000) SFC Classifier: (0xE) If the redirect to a redirection ID fails, then Traffic Sample and sending the data to an SFC classifier for forwarding via SFC will not happen. The traffic is limited, but not redirect away from the network and a sample sent to DDOS processing via a SFC classifier. Suppose the following 5 actions were defined for a FSV2 filter: * Set Action Chain Operation (ACO) (0x01) to continue on failure (ox01) at user-order 2 attached in wide community, * redirect to indirection ID (0x0F) at user-order 2 attached in wide community, * traffic rate limit by bytes (0x07)with user-order 1 attached in wide community, * Traffic sample (0x07) attached via extended community, and * SFC classifier Info (0x0E) attached in extended community. The FSv2 action list for the match would look like this: Action 00: Operation of action chain (0x01) (stop upon failure) Action 01:Traffic Rate limit by byte (0x07) Action 02:Set Action Chain Operation (ACO) (0x01) (continue on failure) Action 02: Redirect to Redirection ID (0F) Action 32768 (0x8000): Traffic Action (0x07) Sample Action 32768 (0x8000): SFC classifier (0x0E) forward via SFC [to DDoS classifier] If the redirect to a redirection ID fails, the action chain will continue on to sample the data and enact SFC classifier actions. Hares Expires 9 November 2024 [Page 22] Internet-Draft BGP FlowSpec v2 May 2024 9. IANA Considerations This section complies with [RFC7153]. 9.1. FSV2 Action TLV Types IANA is requested to create the following entries on a new "Flow Specification v2 Action” web page. Hares Expires 9 November 2024 [Page 23] Internet-Draft BGP FlowSpec v2 May 2024 Name: BGP FSv2 Action types Reference: [this document] Registration Procedure: 0x01-0x3FFF Standards Action. Type Use Reference ----- --------------- --------------- 0x00 Reserved [this document] 0x01 ACO: Action Chain Operation [this document] 0x02 TAIS: Traffic actions per interface group [this document] 0x03 Unassigned [this document] 0x04 Unassigned [this document] 0x05 Unassigned [this document] 0x06 TRB: traffic rate limited by bytes [this document] 0x07 TA: Traffic action (terminal/sample) [this document] 0x08 RDIPv4: redirect IPv4 [this document] 0x09 TM: traffic marking (DSCP) [this document] 0x0A AL2: associate L2 Information [this document] 0x0B AET: associate E-Tree information [this document] 0x0C TRP: traffic rate limited by packets [this document] 0x0D RDIPv6: Redirect to IPv6 [this document] 0x0E TISFC: Traffic insertion to SFC [this document] 0x0F RDIID: Redirect to indirection-iD [this document] 0x10 MPLS Label Action [this document] 0x11 unassigned [this document] 0x12 unassigned [this document] 0x13 unassigned [this document] 0x14 unassigned [this document] 0x15 unassigned [this document] 0x16 VLAN action [this document] 0x17 TIPD action [this document] 0x18- 0x3ff Unassigned [this document] 0x4000- 0x7fff Vendor assigned [this document] 0x8000- 0xFFFF Reserved [this document] 9.2. Wide Community Assignments IANA is requested to assign values from the Registered Type TBD4 BGP Wide Community Types: Hares Expires 9 November 2024 [Page 24] Internet-Draft BGP FlowSpec v2 May 2024 Name type Value ------ ----------- FSv2 Actions TBD4 10. Security Considerations The use of ROA improves on [RFC8955] by checking to see of the route origination. This check can improve the validation sequence for a multiple-AS environment. >The use of BGPSEC [RFC8205] to secure the packet can increase security of BGP flow specification information sent in the packet. The use of the reduced validation within an AS [RFC9117] can provide adequate validation for distribution of flow specification within a single autonomous system for prevention of DDoS. Distribution of flow filters may provide insight into traffic being sent within an AS, but this information should be composite information that does not reveal the traffic patterns of individuals. 11. References 11.1. Normative References [I-D.hares-idr-fsv2-ip-basic] Hares, S., Eastlake, D. E., Yadlapalli, C., and S. Maduschke, "BGP Flow Specification Version 2 - for Basic IP", Work in Progress, Internet-Draft, draft-hares-idr- fsv2-ip-basic-01, 28 April 2024, . [I-D.ietf-idr-bgp-flowspec-label] liangqiandeng, Hares, S., You, J., Raszuk, R., and D. Ma, "Carrying Label Information for BGP FlowSpec", Work in Progress, Internet-Draft, draft-ietf-idr-bgp-flowspec- label-02, 20 October 2022, . Hares Expires 9 November 2024 [Page 25] Internet-Draft BGP FlowSpec v2 May 2024 [I-D.ietf-idr-flowspec-interfaceset] Litkowski, S., Simpson, A., Patel, K., Haas, J., and L. Yong, "Applying BGP flowspec rules on a specific interface set", Work in Progress, Internet-Draft, draft-ietf-idr- flowspec-interfaceset-05, 18 November 2019, . [I-D.ietf-idr-flowspec-l2vpn] Weiguo, H., Eastlake, D. E., Litkowski, S., and S. Zhuang, "BGP Dissemination of L2 Flow Specification Rules", Work in Progress, Internet-Draft, draft-ietf-idr-flowspec- l2vpn-23, 15 April 2024, . [I-D.ietf-idr-flowspec-mpls-match] Yong, L., Hares, S., liangqiandeng, and J. You, "BGP Flow Specification Filter for MPLS Label", Work in Progress, Internet-Draft, draft-ietf-idr-flowspec-mpls-match-02, 20 October 2022, . [I-D.ietf-idr-flowspec-nvo3] Eastlake, D. E., Weiguo, H., Zhuang, S., Li, Z., and R. Gu, "BGP Dissemination of Flow Specification Rules for Tunneled Traffic", Work in Progress, Internet-Draft, draft-ietf-idr-flowspec-nvo3-19, 26 December 2023, . [I-D.ietf-idr-flowspec-path-redirect] Van de Velde, G., Patel, K., and Z. Li, "Flowspec Indirection-id Redirect", Work in Progress, Internet- Draft, draft-ietf-idr-flowspec-path-redirect-12, 24 November 2022, . [I-D.ietf-idr-flowspec-redirect-ip] Uttaro, J., Haas, J., Texier, M., akarch@cisco.com, Ray, S., Simpson, A., and W. Henderickx, "BGP Flow-Spec Redirect to IP Action", Work in Progress, Internet-Draft, draft-ietf-idr-flowspec-redirect-ip-02, 5 February 2015, . Hares Expires 9 November 2024 [Page 26] Internet-Draft BGP FlowSpec v2 May 2024 [I-D.ietf-idr-flowspec-srv6] Li, Z., Li, L., Chen, H., Loibl, C., Mishra, G. S., Fan, Y., Zhu, Y., Liu, L., and X. Liu, "BGP Flow Specification for SRv6", Work in Progress, Internet-Draft, draft-ietf- idr-flowspec-srv6-05, 29 March 2024, . [I-D.ietf-idr-wide-bgp-communities] Raszuk, R., Haas, J., Lange, A., Decraene, B., Amante, S., and P. Jakma, "BGP Community Container Attribute", Work in Progress, Internet-Draft, draft-ietf-idr-wide-bgp- communities-11, 9 March 2023, . [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y., Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack Encoding", RFC 3032, DOI 10.17487/RFC3032, January 2001, . [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI 10.17487/RFC4271, January 2006, . [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended Communities Attribute", RFC 4360, DOI 10.17487/RFC4360, February 2006, . [RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter, "Multiprotocol Extensions for BGP-4", RFC 4760, DOI 10.17487/RFC4760, January 2007, . [RFC5065] Traina, P., McPherson, D., and J. Scudder, "Autonomous System Confederations for BGP", RFC 5065, DOI 10.17487/RFC5065, August 2007, . Hares Expires 9 November 2024 [Page 27] Internet-Draft BGP FlowSpec v2 May 2024 [RFC5701] Rekhter, Y., "IPv6 Address Specific BGP Extended Community Attribute", RFC 5701, DOI 10.17487/RFC5701, November 2009, . [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Origin Authorizations (ROAs)", RFC 6482, DOI 10.17487/RFC6482, February 2012, . [RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP Extended Communities", RFC 7153, DOI 10.17487/RFC7153, March 2014, . [RFC7606] Chen, E., Ed., Scudder, J., Ed., Mohapatra, P., and K. Patel, "Revised Error Handling for BGP UPDATE Messages", RFC 7606, DOI 10.17487/RFC7606, August 2015, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. Bacher, "Dissemination of Flow Specification Rules", RFC 8955, DOI 10.17487/RFC8955, December 2020, . [RFC8956] Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed., "Dissemination of Flow Specification Rules for IPv6", RFC 8956, DOI 10.17487/RFC8956, December 2020, . [RFC9015] Farrel, A., Drake, J., Rosen, E., Uttaro, J., and L. Jalil, "BGP Control Plane for the Network Service Header in Service Function Chaining", RFC 9015, DOI 10.17487/RFC9015, June 2021, . [RFC9117] Uttaro, J., Alcaide, J., Filsfils, C., Smith, D., and P. Mohapatra, "Revised Validation Procedure for BGP Flow Specifications", RFC 9117, DOI 10.17487/RFC9117, August 2021, . [RFC9184] Loibl, C., "BGP Extended Community Registries Update", RFC 9184, DOI 10.17487/RFC9184, January 2022, . 11.2. Informative References Hares Expires 9 November 2024 [Page 28] Internet-Draft BGP FlowSpec v2 May 2024 [I-D.ietf-idr-flowspec-v2] Hares, S., Eastlake, D. E., Yadlapalli, C., and S. Maduschke, "BGP Flow Specification Version 2", Work in Progress, Internet-Draft, draft-ietf-idr-flowspec-v2-04, 28 April 2024, . [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, . [RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol Specification", RFC 8205, DOI 10.17487/RFC8205, September 2017, . [RFC8206] George, W. and S. Murphy, "BGPsec Considerations for Autonomous System (AS) Migration", RFC 8206, DOI 10.17487/RFC8206, September 2017, . Author's Address Susan Hares Hickory Hill Consulting 7453 Hickory Hill Saline, MI 48176 United States of America Phone: +1-734-604-0332 Email: shares@ndzh.com Hares Expires 9 November 2024 [Page 29]