PCEP Extension for Layer 2 (L2) Flow Specification

defines the Path Computation Element (PCE), as a functional component capable of computing paths for use in traffic engineering networks. PCE was originally conceived for use in Multiprotocol Label Switching (MPLS) for traffic engineering (TE) networks to derive the routes of Label Switched Paths (LSPs). However, the scope of PCE was quickly extended to make it applicable to networks controlled by Generalized MPLS (GMPLS), and more recent work has brought other traffic engineering technologies and planning applications into scope (for example, Segment Routing (SR) ). describes the PCE Communication Protocol (PCEP). PCEP defines the communication between a Path Computation Client (PCC) and a PCE, or between PCE and PCE, enabling computation of the path for MPLS-TE LSPs. Stateful PCE specifies a set of extensions to PCEP to enable control of TE-LSPs by a PCE that retains the state of the LSPs provisioned in the network (a stateful PCE). describes the setup, maintenance, and teardown of LSPs initiated by a stateful PCE without the need for local configuration on the PCC, thus allowing for a dynamic network that is centrally controlled. introduces the architecture for PCE as a central controller and describes how PCE can be viewed as a component that performs computation to place "flows" within the network and decide how these flows are routed. The description of traffic flows by the combination of multiple Flow Specification components and their dissemination as traffic flow specifications (Flow Specifications) is described for BGP in . In BGP, a Flow Specification is comprised of traffic filtering rules and is associated with actions to perform on the packets that match the Flow Specification. The BGP routers that receive a Flow Specification can classify received packets according to the traffic filtering rules and can direct packets based on the associated actions. specifies version 2 of the BGP flow specification protocol that resolves some of the issues with version 1. When a PCE is used to initiate tunnels (such as TE-LSPs or SR paths) using PCEP, it is important that the head end of the tunnels understands what traffic to place on each tunnel. The data flows intended for a tunnel can be described using Flow Specification components. When PCEP is in use for tunnel initiation it makes sense for that same protocol to be used to distribute the Flow Specification components that describe what data is to flow on those tunnels. specifies a set of extensions to PCEP to support the dissemination of Flow Specification components. It includes the creation, update, and withdrawal of Flow Specifications via PCEP. It can be applied to tunnels initiated by the PCE or to tunnels where control is delegated to the PCE by the PCC. Furthermore, a PCC requesting a new path can include Flow Specifications in the request to indicate the purpose of the tunnel allowing the PCE to factor this into the path computation. defines a BGP flowspec extension to disseminate Ethernet Layer 2 (L2) and Layer 2 Virtual Private Network (L2VPN) traffic filtering rules either by themselves or in conjunction with L3 flowspecs as per . This document extends the same support for PCEP by defining a new L2 Flow Filter TLV to be carried within the FLOWSPEC object. The context and the procedures for the use of Flow Specifications are as per .

This document uses the following terms defined in : PCC, PCE, PCEP Peer. The following term from is used frequently throughout this document: A Flow Specification is an n-tuple consisting of several matching criteria that can be applied to IP traffic. A given IP packet is said to match the defined Flow Specification if it matches all the specified criteria. Its usage in PCEP is further clarified in . This document uses the terms "stateful PCE" and "active PCE" as advocated in . The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

As per , to carry Flow Specifications in PCEP messages, a PCEP object called the PCEP FLOWSPEC object is defined. To describe a traffic flow, a PCEP TLV called the Flow Filter TLV is also defined. This document extends the support for L2 flow specifications by creating a new PCEP TLV called L2 Flow Filter TLV and updating the processing rules. The PCEP FLOWSPEC object carries a FlowSpec filter rule encoded in a TLV. To describe a traffic flow based on both L3 and L2 fields, a new L2 Flow Filter TLV is introduced by this document. The PCEP FLOWSPEC object could carry one of the following combinations of TLVs: no TLV one Flow Filter TLV one L2 Flow Filter TLV both a Flow Filter TLV and an L2 Flow Filter TLV At most one L2 Flow Filter TLV MAY be included in the PCEP FLOWSPEC object. The TLV is OPTIONAL when the R (remove) bit is set in the object. At least one Flow Filter TLV or one L2 Flow Filter TLV MUST be present when the R bit is clear. If both TLVs are missing when the R bit is clear, the PCEP peer MUST respond with a PCErr message with error-type TBD1 (FlowSpec Error) and error-value 2 (Malformed FlowSpec). A Flow Filter TLV and an L2 Flow Filter TLV MAY be present when filtering is based on L3 and L2 fields. The TLV follows the format of all PCEP TLVs as defined in . The Type field values come from the codepoint space for PCEP TLVs and has the value TBD2. The value field of L2 Flow Filter TLV contains one or more sub-TLVs (, and they represent the complete definition of a Flow Specification for traffic to be placed on the tunnel. The set of Flow Specification TLVs and L2 Flow Filter TLVs in a single instance of a Flow Filter TLV are combined to indicate the specific Flow Specification. Note that the PCEP FLOWSPEC object can include just one Flow Filter TLV, just one L2 Flow Filter TLV, or one of each TLV. The rest of the procedures are same as .

The L2 Flow Filter TLV carries one or more L2 Flow Specification TLV. The L2 Flow Specification TLV follows the format of all PCEP TLVs as defined in . However, the Type values are selected from a separate IANA registry (see ) rather than from the common PCEP TLV registry. Type values are chosen so that there can be commonality with L2 Flow Specifications defined for use with BGP . This is possible because the BGP Flow Spec encoding uses a single octet to encode the type whereas PCEP uses two octets. Thus the space of values for the Type field is partitioned as shown in .

is the reference for the registry "L2 Flow Spec Component Types" and defines the allocations it contains. The content of the Value field in each TLV is specific to the type and describes the parameters of the Flow Specification. The definition of the format of many of these Value fields is inherited from BGP specifications. Specifically, the inheritance is from , but may also be inherited from future BGP specifications. When multiple L2 Flow Specification TLVs are present in a single L2 Flow Filter TLV they are combined to produce a more detailed specification of a flow. Similarly, when both Flow Filter TLV and L2 Flow Filter TLV are present, they are combined to produce a more detailed specification of a flow. An implementation that receives a PCEP message carrying a L2 Flow Specification TLV with a type value that it does not recognize or does not support MUST respond with a PCErr message with error-type TBD1 (FlowSpec Error), error-value 1 (Unsupported FlowSpec) and MUST NOT install the Flow Specification. All L2 Flow Specification TLVs with Types in the range 0 to 255 have their Values interpreted as defined for use in BGP (for example, in ) and are set using the BGP encoding, but without the type octet (the relevant information is in the Type field of the TLV). The Value field is padded with trailing zeros to achieve 4-byte alignment. This document defines no new types.

As per , Flow Specification v2 allows the user to order the flow specification rules and the actions associated with a rule. Each FSv2 rule may have one or more match conditions and one or more associated actions. It further lists the rules and principles to keep filters in a deterministic order between FSv1 and FSv2. Note that this document relies on the processing rules as per . A future PCEP specification could consider updating rules to align to (FSv2 adds explicit "order" for instance).

created the "PCEP Flow Specification TLV Type Indicators" registry and set the assignment policies for the range "256-64506" to "Specification Required". This memo changes the policy from Specification Required to IETF Review in alignment with the rest of the registries in the "Path Computation Element Protocol (PCEP) Numbers" registry group. Note that did not follow the guidelines for "Specification Required" as per .

IANA maintains the "Path Computation Element Protocol (PCEP) Numbers" registry. This document requests IANA actions to allocate code points for the protocol elements defined in this document.

IANA maintains a registry called "PCEP TLV Type Indicators" under the "Path Computation Element Protocol (PCEP) Numbers" registry group. IANA is requested to make an assignment from this registry as follows:

IANA is requested to create a new registry called the "PCEP L2 Flow Specification TLV Type Indicators" registry. Allocations from this registry are to be made according to the following assignment policies :

This document makes no allocations in the newly created registry.

created the "PCEP Flow Specification TLV Type Indicators" registry. IANA is requested to update the assignment policies for the range "256-64506" from "Specification Required" to "IETF Review" .

[NOTE TO RFC EDITOR : This whole section and the reference to RFC 7942 is to be removed before publication as an RFC] This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to , "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". At the time of posting the -05 version of this document, there are no known implementations of this mechanism. It is believed that some vendors are considering prototype implementations, but these plans are too vague to make any further assertions.

We may assume that a system that utilizes a remote PCE is subject to a number of vulnerabilities that could allow spurious LSPs or SR paths to be established or that could result in existing paths being modified or torn down. Such systems, therefore, apply security considerations as described in , Section 2.5 of , , and . As per , the description of Flow Specifications associated with paths set up or controlled by a PCE add a further detail that could be attacked without tearing down LSPs or SR paths, but causing traffic to be misrouted within the network. Therefore, the use of the security mechanisms for PCEP referenced above is important. It further lists the security considerations with respect to flow specifications which are applicable to L2 flowspec as well.

describe the management of multiple flowspecs as well as control via configurations and policies. This is applicable to the L2 flowspec defined in this document.

As per , the PCEP YANG module would need to be augmented to cover flowspec include L2.

Mechanisms defined in this document do not imply any new liveness detection and monitoring requirements in addition to those already listed in .

Mechanisms defined in this document do not imply any new operation verification requirements in addition to those already listed in .

Mechanisms defined in this document do not imply any new requirements on other protocols.

The use of the features described in this document clearly has an important impact on network traffic since they cause traffic to be routed on specific paths in the network. However, in practice, these changes make no direct changes to the network operation because traffic is already placed on those paths using some pre-existing configuration mechanism. Thus, the significant change is the reduction in the mechanisms that have to be applied, rather than a change to how the traffic is passed through the network.

Thanks to Susan Hares for the discussion related to BGP Flowspec V2.