💾 Archived View for gemini.bortzmeyer.org › rfc-mirror › rfc7611.txt captured on 2023-01-29 at 04:59:59.

View Raw

More Information

⬅️ Previous capture (2021-11-30)

-=-=-=-=-=-=-







Internet Engineering Task Force (IETF)                         J. Uttaro
Request for Comments: 7611                                          AT&T
Category: Standards Track                                   P. Mohapatra
ISSN: 2070-1721                                         Sproute Networks
                                                                D. Smith
                                                           Cisco Systems
                                                               R. Raszuk
                                                           Mirantis Inc.
                                                              J. Scudder
                                                        Juniper Networks
                                                             August 2015


                   BGP ACCEPT_OWN Community Attribute

Abstract

   Under certain conditions, it is desirable for a Border Gateway
   Protocol (BGP) route reflector to be able to modify the Route Target
   (RT) list of a Virtual Private Network (VPN) route that the route
   reflector distributes, enabling the route reflector to control how a
   route originated within one VPN Routing and Forwarding table (VRF) is
   imported into other VRFs.  This technique works effectively as long
   as the VRF that exports the route is not on the same Provider Edge
   (PE) router as the VRF(s) that imports the route.  However, due to
   the constraints of BGP, it does not work if the two are on the same
   PE.  This document describes a modification to BGP allowing this
   technique to work when the VRFs are on the same PE and to be used in
   a standard manner throughout an autonomous system.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7611.








Uttaro, et al.               Standards Track                    [Page 1]

RFC 7611                       ACCEPT_OWN                    August 2015


Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  ACCEPT_OWN Community  . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Route Acceptance  . . . . . . . . . . . . . . . . . . . .   3
     2.2.  Propagating ACCEPT_OWN between Address Families . . . . .   4
     2.3.  Configuration Control . . . . . . . . . . . . . . . . . .   4
   3.  Decision Process  . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Deployment Considerations . . . . . . . . . . . . . . . . . .   5
   5.  Other Applications  . . . . . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Appendix A.  Local Extranet Application (Non-normative) . . . . .   7
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   In certain scenarios, a BGP speaker may maintain multiple VRFs
   [RFC4364].  Under certain conditions, it is desirable for a route
   reflector to be able to modify the RT list of a VPN route that the
   route reflector distributes, enabling the route reflector to control
   how a route originated within one VRF is imported into other VRFs.
   Though it is possible to perform such control directly on the
   originator, it may be operationally cumbersome in an autonomous
   system with a large number of border routers having complex BGP
   policies.





Uttaro, et al.               Standards Track                    [Page 2]

RFC 7611                       ACCEPT_OWN                    August 2015


   The technique of the route reflector modifying the RT list works
   effectively as long as the VRF that exports the route is not on the
   same PE as the VRF(s) that imports the route.  However, due to
   constraints of BGP, it does not work if the two are on the same PE.
   This is because, per the BGP specification [RFC4271], a BGP speaker
   rejects received prefix advertisements that were originated by
   itself.  In an autonomous system with route reflectors, the route
   reflector attaches the ORIGINATOR_ID attribute to the UPDATE messages
   so that if such prefix advertisements reach the originator, the
   originator can reject them by simply checking the ORIGINATOR_ID
   attribute.  The BGP specification also mandates that a route should
   not be accepted from a peer when the NEXT_HOP attribute matches the
   receiver's own IP address.

   This document proposes a modification to BGP's behavior by defining a
   new community [RFC1997] value, in order to allow the technique of RT
   list modification by the route reflector to be used in a standard
   manner throughout an autonomous system, irrespective of whether or
   not the VRFs are on the same or different PEs.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  ACCEPT_OWN Community

   This memo defines ACCEPT_OWN, a new well-known BGP community in the
   First Come First Served [RFC5226] range, whose value as assigned by
   IANA is 0xFFFF0001.  Processing of the ACCEPT_OWN community SHOULD be
   controlled by configuration.  The functionality SHOULD default to
   being disabled, as further specified in Section 2.3.

2.1.  Route Acceptance

   A router MAY accept a route whose ORIGINATOR_ID or NEXT_HOP value
   matches that of the receiving speaker if all of the following are
   true:

   o  Processing of the ACCEPT_OWN community is enabled by
      configuration.

   o  The route in question carries the ACCEPT_OWN community.







Uttaro, et al.               Standards Track                    [Page 3]

RFC 7611                       ACCEPT_OWN                    August 2015


   o  The route in question originated from a source VRF on the router.
      The source VRF is a VRF on the router whose configured Route
      Distinguisher is equal to the Route Distinguisher carried in the
      route.

   o  The route in question is targeted to one or more destination VRFs
      on the router (as determined by inspecting the Route Target(s)).

   o  At least one destination VRF is different from the source VRF.

   A route MUST NOT ever be accepted back into its source VRF, even if
   it carries one or more RTs that match that VRF.

2.2.  Propagating ACCEPT_OWN between Address Families

   The ACCEPT_OWN community controls propagation of routes that can be
   associated with a source VRF by inspection of their Route
   Distinguisher and with a target VRF by inspection of their Route
   Target list (for example, VPN routes with a Subsequent Address Family
   Identifier (SAFI) of 128).  As such, it SHOULD NOT be attached to any
   routes that cannot be associated with a source VRF.  This implies
   that when propagating routes into a VRF, the ACCEPT_OWN community
   SHOULD NOT be propagated.  Likewise, if a route carrying the
   ACCEPT_OWN community is received in an address family that does not
   allow the source VRF to be looked up, the ACCEPT_OWN community MUST
   be discarded.  An OPTIONAL message may be logged in this case.

2.3.  Configuration Control

   ACCEPT_OWN handling SHOULD be controlled by configuration, and if
   controlled by configuration, it MUST default to being disabled.  When
   ACCEPT_OWN is disabled by configuration (either explicitly or by
   default), the router MUST NOT apply the special route acceptance
   rules detailed in Section 2.1.  The router SHOULD still apply the
   propagation rules detailed in Section 2.2.

3.  Decision Process

   If a BGP speaker supports ACCEPT_OWN and is configured for the
   extensions defined in this document, the following step is inserted
   after the LOCAL_PREF comparison step in the BGP decision process:

      When comparing a pair of routes for a BGP destination, the route
      with the ACCEPT_OWN community attached is preferred over the route
      that does not have the community.






Uttaro, et al.               Standards Track                    [Page 4]

RFC 7611                       ACCEPT_OWN                    August 2015


   In all other respects, the decision process remains unchanged.  This
   extra step MUST only be invoked during the best path selection
   process of VPN-IP routes [RFC4364] (i.e., it MUST NOT be invoked for
   the best path selection of imported IP routes in a VRF).  The purpose
   of this extra step is to allow the paths advertised by the route
   reflector with ACCEPT_OWN community to be selected as best over other
   paths that the BGP speaker may have received, hence enabling the
   applications ACCEPT_OWN is designed for.

4.  Deployment Considerations

   The ACCEPT_OWN community as described in this document is useful
   within a single autonomous system that uses a single layer of route
   reflectors.  Its use with hierarchical route reflectors would require
   further specification and is out of the scope of this document.
   Likewise, its use across multiple autonomous systems is out of the
   scope of this document.

5.  Other Applications

   This approach may also be relevant in other scenarios where a BGP
   speaker maintains multiple routing contexts using an approach
   different from that of [RFC4364], as long as the specific approach in
   use has the property that the BGP speaker originates and receives
   routes within a particular context.  In such a case, "VRF" in this
   document should be understood to mean whatever construct provides a
   routing context in the specific technology under consideration.
   Likewise, "Route Distinguisher" should be understood to mean whatever
   construct allows a route's originator to associate that route with
   its source context, and "Route Target" should be understood to mean
   whatever construct allows a route to be targeted for import into a
   context other than its source.

6.  Security Considerations

   ACCEPT_OWN as described in this document permits a router's own route
   prefix to be advertised to a different VRF on that router.  In this
   respect, such a route is similar to any other BGP route and shares
   the same set of security vulnerabilities and concerns.  This
   extension does not change the underlying security issues inherent in
   BGP VPN [RFC4364].

7.  IANA Considerations

   IANA has assigned the value 0xFFFF0001 in the "BGP Well-known
   Communities" registry for the ACCEPT_OWN community.





Uttaro, et al.               Standards Track                    [Page 5]

RFC 7611                       ACCEPT_OWN                    August 2015


8.  References

8.1.  Normative References

   [RFC1997]  Chandra, R., Traina, P., and T. Li, "BGP Communities
              Attribute", RFC 1997, DOI 10.17487/RFC1997, August 1996,
              <http://www.rfc-editor.org/info/rfc1997>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006,
              <http://www.rfc-editor.org/info/rfc4271>.

   [RFC4364]  Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
              Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
              2006, <http://www.rfc-editor.org/info/rfc4364>.

8.2.  Informative References

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <http://www.rfc-editor.org/info/rfc5226>.























Uttaro, et al.               Standards Track                    [Page 6]

RFC 7611                       ACCEPT_OWN                    August 2015


Appendix A.  Local Extranet Application (Non-normative)

   One of the applications for the BGP well-known community described in
   this document is auto-configuration of extranets within MPLS VPN
   networks.  Consider the following topology:

   CE1 --------+
               |
              (VRF 1, RD 1, RT 1)
                       PE1 ................... RR
              (VRF 2, RD 2, RT 2)
               |
   CE2 --------+

                      Figure 1: Extranet Application

   Within this topology, PE1 receives a prefix X from CE1.  Prefix X is
   installed in VRF 1 and is advertised to the route reflector (RR) with
   Route Distinguisher (RD) 1 and Route Target (RT) 1 as configured on
   PE1.  The requirement is to import prefix X into VRF 2 and advertise
   it to CE2 in support of extranet VPN connectivity between CE1/VRF1
   and CE2/VRF2.  Current BGP mechanisms for MPLS VPNs [RFC4364] require
   changing the import RT value and/or import policy for VRF 2 on PE1.
   This is operationally cumbersome in a network with a large number of
   border routers having complex BGP policies.

   Alternatively, using the new ACCEPT_OWN community value, the route
   reflector can simply re-advertise prefix X back to PE1 with RT 2
   appended.  In this way, PE1 will accept prefix X despite its
   ORIGINATOR_ID or NEXT_HOP value, import it into VRF 2 as a result of
   the presence of RT 2 in the route's Extended Community path
   attribute, and then determine the correct adjacency rewrite within
   VRF 1 based on the RD value and the prefix.  Note that the presence
   of RT 1 in the route's Extended Community path attribute will simply
   be ignored since RT 1 is associated with the source VRF 1.  The same
   operation also needs to happen in the reverse direction (VRF 1
   learning a route from VRF 2) to achieve establishment of an extranet
   VPN strictly via the route reflector without changing the BGP policy
   of PE1 in any way.

   A router performing such an extranet application can accept a route
   with its own ORIGINATOR_ID or NEXT_HOP value only if the VRF in which
   the router originated the route is different from the VRF in which
   the router accepts the re-advertised route.







Uttaro, et al.               Standards Track                    [Page 7]

RFC 7611                       ACCEPT_OWN                    August 2015


Acknowledgments

   The authors would like to thank Yakov Rekhter, Jim Guichard, Clarence
   Filsfils, John Mullooly, Jeff Haas, Pranav Mehta, and Tamas Mondal
   for their valuable comments and suggestions.  The decision process
   changes were suggested by Pranav Mehta to solve the remote extranet
   problem.

Authors' Addresses

   James Uttaro
   AT&T
   200 S. Laurel Avenue
   Middletown, NJ  07748
   United States
   Email: uttaro@att.com


   Pradosh Mohapatra
   Sproute Networks
   Email: mpradosh@yahoo.com


   David J. Smith
   Cisco Systems
   111 Wood Avenue South
   Iselin, NJ  08830
   United States
   Email: djsmith@cisco.com


   Robert Raszuk
   Mirantis Inc.
   615 National Ave. #100
   Mountain View, CA  94043
   United States
   Email: robert@raszuk.net


   John Scudder
   Juniper Networks
   1194 N. Mathilda Ave.
   Sunnyvale, CA  94089
   United States
   Email: jgs@juniper.net






Uttaro, et al.               Standards Track                    [Page 8]