Source Packet Routing in Networking T. Yu, Ed. Internet-Draft 1 January 2025 Intended status: Standards Track Expires: 5 July 2025 SRv6 Group Based Policy draft-yu-spring-srv6-gbp-00 Abstract This document extends the Segment Routing over IPv6 (SRv6) Network Programming framework [RFC8986] by incorporating group-based policy capabilities. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 5 July 2025. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Yu Expires 5 July 2025 [Page 1] Internet-Draft Abbreviated Title January 2025 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Specification of Requirements . . . . . . . . . . . . . . . . 2 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 4. SRv6 SIDs with GBP . . . . . . . . . . . . . . . . . . . . . 3 4.1. END.DX6 with GBP . . . . . . . . . . . . . . . . . . . . 3 4.2. END.DX4 with GBP . . . . . . . . . . . . . . . . . . . . 3 4.3. End.DT6 with GBP . . . . . . . . . . . . . . . . . . . . 4 4.4. End.DT4 with GBP . . . . . . . . . . . . . . . . . . . . 5 4.5. End.DT46 with GBP . . . . . . . . . . . . . . . . . . . . 6 4.6. End.DT2U with GBP . . . . . . . . . . . . . . . . . . . . 7 5. Source Node Behavior . . . . . . . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 10 Appendix A. Appendix 1 Examples of GBP Usage . . . . . . . . . . 10 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction The Group-based Policy (GBP) [GROUPBASEDPOLICY] initially was .It abstractions provide an intent-driven declarative policy model that presents simplified application-oriented interfaces to the user. Group-Based Policy (GBP) is a critical concept in networking and security, particularly in environments like Software-Defined Networking (SDN), cloud computing, and enterprise networks. It provides a flexible and scalable way to manage network policies based on groups of endpoints rather than individual devices, IP addresses, or flows. 2. Specification of Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Terminology GBP: Group-based Policy described in [GROUPBASEDPOLICY] EVPN: BGP MPLS-Based Ethernet VPN defined in [RFC7432]. Yu Expires 5 July 2025 [Page 2] Internet-Draft Abbreviated Title January 2025 4. SRv6 SIDs with GBP This documents defines the behaviors of END.DX6 with GBP, END.DX4 with GBP, END.DT6 with GBP, END.DT4 with GBP, END.DT46 with GBP, END.DT2U with GBP by allowing these SID behaviors taking an argument: "Arg.Src-GBP-ID". The Src-GBP-ID info allows endpoint node to determine the behavior (allowed or denied) when traffic is being forwarded to specific host. The allocation of the GBP-id argument values planned gloabally, and the behavior of traffic from one Src- GBP-ID to another Dst-GBP-ID is specified locally. The SRv6 SIDs with the GBP argument mentioned in this document is not signaled to other nodes via the control plane, which means they are local significant only. The control plane process described in [RFC9252] still applies. Group 0 is the default group based policy ID. If no group based policy is specified, then value 0 is used. The default behavior of the group 0 is implementation defined and SHOULD be configurable (allowed/denied). 4.1. END.DX6 with GBP When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DX6 with GBP SID, N does the following: S01. If (Upper-Layer header type == 41(IPv6) ) { S02. Remove the outer IPv6 header with all its extension headers S03. Search GBP matching table with exposed packet and get Dst-GBP-ID S04. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S05. If (Matched){ S06. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S07. } Else { S08. Forward the exposed IPv6 packet to the L3 adjacency J S09. } S10. } Else { S11. Process as per Section 4.1.1 in RFC8986 S12. } 4.2. END.DX4 with GBP When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DX4 with GBP SID, N does the following: Yu Expires 5 July 2025 [Page 3] Internet-Draft Abbreviated Title January 2025 S01. If (Upper-Layer header type == 4(IPv4) ) { S02. Remove the outer IPv6 header with all its extension headers S03. Search GBP matching table with exposed packet and get Dst-GBP-ID S04. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S05. If (Matched){ S06. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S07. } Else { S08. Forward the exposed IPv4 packet to the L3 adjacency J S09. } S10. } Else { S11. Process as per Section 4.1.1 in RFC8986 S12. } 4.3. End.DT6 with GBP When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT6 with GBP SID, N does the following: S01. If (Upper-Layer header type == 41(IPv6) ) { S02. Remove the outer IPv6 header with all its extension headers S03. Set the packet's associated FIB table to T S04. Submit the packet to the egress IPv6 FIB lookup and get destination oIF S05. Search GBP matching table with exposed packet and get Dst-GBP-ID S06. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S07. If (Matched){ S08. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S09. } Else { S10. Forward the exposed IPv6 packet to the oIF. S11. } S12. } Else { S13. Process as per Section 4.1.1 in RFC8986 S14. } An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria. Yu Expires 5 July 2025 [Page 4] Internet-Draft Abbreviated Title January 2025 S01. If (Upper-Layer header type == 41(IPv6) ) { S02. Remove the outer IPv6 header with all its extension headers S03. Search GBP matching table with exposed packet and get Dst-GBP-ID S04. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S05. If (Matched){ S06. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S07. } Else { S08. Set the packet's associated FIB table to T S09. Submit the packet to the egress IPv6 FIB lookup for transmission to the new destination S10. } S11. } Else { S12. Process as per Section 4.1.1 in RFC8986 S13. } 4.4. End.DT4 with GBP When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT4 with GBP SID, N does the following: S01. If (Upper-Layer header type == 4(IPv4) ) { S02. Remove the outer IPv6 header with all its extension headers S03. Set the packet's associated FIB table to T S04. Submit the packet to the egress IPv6 FIB lookup and get destination oIF S05. Search GBP matching table with exposed packet and get Dst-GBP-ID S06. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S07. If (Matched){ S08. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S09. } Else { S10. Forward the exposed IPv4 packet to the oIF. S11. } S12. } Else { S13. Process as per Section 4.1.1 in RFC8986 S14. } An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria. Yu Expires 5 July 2025 [Page 5] Internet-Draft Abbreviated Title January 2025 S01. If (Upper-Layer header type == 4(IPv4) ) { S02. Remove the outer IPv6 header with all its extension headers S03. Search GBP matching table with exposed packet and get Dst-GBP-ID S04. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S05. If (Matched){ S06. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S07. } Else { S08. Set the packet's associated FIB table to T S09. Submit the packet to the egress IPv4 FIB lookup for transmission to the new destination S10. } S11. } Else { S12. Process as per Section 4.1.1 in RFC8986 S13. } 4.5. End.DT46 with GBP When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT46 with GBP SID, N does the following: S01. If (Upper-Layer header type == 4(IPv4) ) { S02. Remove the outer IPv6 header with all its extension headers S03. Set the packet's associated FIB table to T S04. Submit the packet to the egress IPv6 FIB lookup and get destination oIF S05. Search GBP matching table with exposed packet and get Dst-GBP-ID S06. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S07. If (Matched){ S08. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S09. } Else { S10. Forward the exposed IPv4 packet to the oIF. S11. } S12. } Else If (Upper-Layer header type == 41(IPv6) ) { S13. Remove the outer IPv6 header with all its extension headers S14. Set the packet's associated FIB table to T S15. Submit the packet to the egress IPv6 FIB lookup and get destination oIF S16. Search GBP matching table with exposed packet and get Dst-GBP-ID S17. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S18. If (Matched){ S19. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S20. } Else { S21. Forward the exposed IPv6 packet to the oIF. S22. } S23. } Else { S24. Process as per Section 4.1.1 in RFC8986 S25. } Yu Expires 5 July 2025 [Page 6] Internet-Draft Abbreviated Title January 2025 An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria. S01. If (Upper-Layer header type == 4(IPv4) ) { S02. Remove the outer IPv6 header with all its extension headers S03. Search GBP matching table with exposed packet and get Dst-GBP-ID S04. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S05. If (Matched){ S06. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S07. } Else { S08. Set the packet's associated FIB table to T S09. Submit the packet to the egress IPv4 FIB lookup for transmission to the new destination S10. } S11. } Else If (Upper-Layer header type == 41(IPv6) ) { S12. Remove the outer IPv6 header with all its extension headers S13. Search GBP matching table with exposed packet and get Dst-GBP-ID S14. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S15. If (Matched){ S16. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S17. } Else { S18. Set the packet's associated FIB table to T S19. Submit the packet to the egress IPv6 FIB lookup for transmission to the new destination S20. } S21. } Else { S22. Process as per Section 4.1.1 in RFC8986 S23. } 4.6. End.DT2U with GBP When processing the Upper-Layer header of a packet matching a FIB entry locally instantiated as an End.DT4 SID, N does the following: Yu Expires 5 July 2025 [Page 7] Internet-Draft Abbreviated Title January 2025 S01. If (Upper-Layer header type == 143(Ethernet) ) { S02. Remove the outer IPv6 header with all its extension headers S03. Learn the exposed MAC Source Address in L2 table T S04. Look up the exposed MAC Destination Address in L2 table T S05. If (matched entry in T with destination oIF) { S06. Search GBP matching table with exposed packet and get Dst-GBP-ID S07. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S08. If (Matched){ S09. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S10. } Else { S11. Forward the exposed packet to oIF S12. } S13. } Else { S14. Forward via all L2 OIFs in table T S15. } S16. } Else { S17. Process as per Section 4.1.1 in RFC8986 S18. } An implementation which is hardware based might be restricted to the pipeline of the ASCI. The process below is also possible. The difference is that oIF is impossible to be part of the GBP match criteria. S01. If (Upper-Layer header type == 143(Ethernet) ) { S02. Remove the outer IPv6 header with all its extension headers S03. Learn the exposed MAC Source Address in L2 table T S04. Search GBP matching table with exposed packet and get Dst-GBP-ID S05. Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID S06. If (Matched){ S07. Process the exposed IPv6 packet based on the action of match GBP enforcement rule S08. } Else { S09. Look up the exposed MAC Destination Address in L2 table T S10. If (matched entry in T with destination oIF){ S11. Forward the exposed packet to oIF S12. } Else { S13. Forward via all L2 OIFs in table T S14. } S15. } Else { S16. Process as per Section 4.1.1 in RFC8986 S17. } S18. } 5. Source Node Behavior The souce node can use various clarification methods to identify the Src-GBP-ID of a host it belongs to. Yu Expires 5 July 2025 [Page 8] Internet-Draft Abbreviated Title January 2025 When encapsulating the SRv6 header, the Src-GBP-ID is encapsulated into the argument part of the packet. 6. IANA Considerations This document requests the IANA to allocate, within the "SRv6 Endpoint Behaviors" sub-registry beloto the top-level "Segment- routing with IPv6 dataplane (SRv6) Parameters" registry, the following allocations: +=======+===================+=================+ | Value | Description | Reference | +=======+===================+=================+ | TBA1 | END.DX6 with GBP | [This document] | +-------+-------------------+-----------------+ | TBA2 | END.DX4 with GBP | [This document] | +-------+-------------------+-----------------+ | TBA3 | END.DT6 with GBP | [This document] | +-------+-------------------+-----------------+ | TBA4 | END.DT4 with GBP | [This document] | +-------+-------------------+-----------------+ | TBA4 | END.DT46 with GBP | [This document] | +-------+-------------------+-----------------+ | TBA4 | END.DT2U with GBP | [This document] | +-------+-------------------+-----------------+ Table 1 7. Security Considerations The mechanism described in this document leverage the security rules defined in Section 7 of RFC8986 [RFC8986]. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . Yu Expires 5 July 2025 [Page 9] Internet-Draft Abbreviated Title January 2025 [RFC8986] Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer, D., Matsushima, S., and Z. Li, "Segment Routing over IPv6 (SRv6) Network Programming", RFC 8986, DOI 10.17487/RFC8986, February 2021, . 8.2. Informative References [GROUPBASEDPOLICY] OpenStack, "Group Based Policy", 2015, . [RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February 2015, . [RFC9252] Dawra, G., Ed., Talaulikar, K., Ed., Raszuk, R., Decraene, B., Zhuang, S., and J. Rabadan, "BGP Overlay Services Based on Segment Routing over IPv6 (SRv6)", RFC 9252, DOI 10.17487/RFC9252, July 2022, . Appendix A. Appendix 1 Examples of GBP Usage This section describes the examples of GBP usage. An implementation is not enforced to achieve all scenarios mentioned in this section. Example 1: Deny traffic from specific Src-GBP-ID = 100 (e.g. traffic from guest network) rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = any, action: deny Example 2: Deny traffic from specific Src-GBP-ID = 100 to Dst-GBP-ID = 200 (e.g. traffic from untrusted host to server) rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: deny Example 3: Redirect L3 traffic from specific Src-GBP-ID = 100 to Dst- GBP-ID = 200 (e.g. to a cleaning device) rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: redirect Example 4: RSPAN traffic from specific Src-GBP-ID = 100 to Dst-GBP-ID = 200 (e.g. to a monitoring device) rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: RSPAN Yu Expires 5 July 2025 [Page 10] Internet-Draft Abbreviated Title January 2025 Author's Address Tianpeng Yu (editor) Email: yutianpengietf@163.com Yu Expires 5 July 2025 [Page 11]