<?xml version="1.0" encoding="utf-8"?>
<?xml-model href="rfc7991bis.rnc"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-kao-idr-bitwise-ip-filters-05" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" xml:lang="en" consensus="true" version="3">
  <front>
    <title abbrev="FlowSpec Bitwise IP Filters">
      Bitwise IP Filters for BGP FlowSpec
    </title>
    <seriesInfo name="Internet-Draft" value="draft-kao-idr-bitwise-ip-filters-05"/>
    <author fullname="Nat Kao" initials="N" surname="Kao">
      <organization>Individual Contributor</organization>
      <address>
        <email>pyxislx@gmail.com</email>
      </address>
    </author>
    <author fullname="Susan Hares" initials="S" surname="Hares">
      <organization>Hickory Hill Consulting</organization>
      <address>
        <postal>
          <street>7453 Hickory Hill</street>
          <city>Saline</city>
          <region>MI</region>
          <code>48176</code>
          <country>USA</country>
        </postal>
        <phone>+1-734-604-0332</phone>
        <email>shares@ndzh.com</email>
      </address>
    </author>
    <author initials="Y." surname="Gao" fullname="Yujia Gao">
      <organization>Zhongguancun Laboratory</organization>
      <address>
        <postal>
          <region>Beijing</region>
          <code>100094</code>
          <country>China</country>
        </postal>
        <phone>+86-185-1028-7458</phone>
        <email>gaoyj@zgclab.edu.cn</email>
      </address>
    </author>
    <date year="2026"/>
    <area>Routing Area</area>
    <workgroup>IDR Working Group</workgroup>
    <keyword>RFC</keyword>
    <keyword>Request for Comments</keyword>
    <keyword>I-D</keyword>
    <keyword>Internet-Draft</keyword>
    <keyword>Bitwise IP Filters, BGP FlowSpec</keyword>
    <abstract>
      <t>
        This document introduces the bitwise match filter component for source and destination
        IPv4/IPv6 address fields.
        These components enhance the BGP Flow Specification framework and provide a solution for
        dynamic symmetric traffic load-balancing.
      </t>
    </abstract>
  </front>

  <middle>
    <section>
      <name>Introduction</name>
      <t>
        Symmetric paths for traffic in both directions are required to allow session inspection
        service instances (such as deep packet inspection(DPI) or firewall service instances) to
        process traffic correctly.
        If a single instance cannot handle the traffic load, symmetric load-balancing across
        multiple inspecting service instances is required.
      </t>
      <t>
        Hash-based load-balancing may not be suitable for this purpose. Since the order of the
        packet header fields for the hashing mechanism is not always configurable, and different
        vendors implement various proprietary hashing functions.
        In a multi-vendor environment, it is desirable to load-balance traffic using a standardized
        approach.
      </t>
      <t>
        The BGP Flow Specification (BGP-FS) Network Layer Reachability Information (NLRI) is a
        standardized approach to distributing traffic filters via BGP.
        The BGP Flow Specification version 2 (FSv2) <xref target="I-D.ietf-idr-fsv2-ip-basic"/>
        is an enhancement to BGP-FS.
        It allows a user-defined order of filters.
      </t>
      <t>
        This document defines the bitwise match filter component Sub-TLVs for source and destination
        IPv4/IPv6 address fields.
        Using these Sub-TLVs allows operators to match arbitrary bit positions against the
        corresponding address fields.
        We can symmetrically load-balance traffic using this property if the traffic is distributed
        almost uniformly across combinations of the least significant bits of the source or
        destination address fields.
      </t>
      <section title="Requirements Language" anchor="requirements">
        <t>
          The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
          NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document
          are to be interpreted as described in BCP 14
          <xref target="RFC2119"/>
          <xref target="RFC8174"/>
          when, and only when, they appear in all capitals, as shown here.
        </t>
      </section>
      <section title="Definitions and Acronyms" anchor="definitions">
        <dl>
          <dt>AFI: </dt><dd>Address Family Identifier</dd>
          <dt>BGP-FS: </dt>
          <dd>
            BGP Flow Specification
            <xref target="RFC8955"/>
            <xref target="RFC8956"/>
          </dd>
          <dt>DPI: </dt><dd>Deep Packet Inspection</dd>
          <dt>ECMP: </dt><dd>Equal-Cost Multipath</dd>
          <dt>FSv2: </dt>
          <dd>
            BGP Flow Specification Version 2
            <xref target="I-D.ietf-idr-fsv2-ip-basic"/>
          </dd>
          <dt>SAFI: </dt><dd>Subsequent Address Family Identifier</dd>
          <dt>Service Instance: </dt>
          <dd>
            A service instance is an instance of VNF or a physical device that instantiates a
            service function. It is spawned and terminated dynamically based on traffic
            usage.
          </dd>
          <dt>VNF: </dt><dd>Virtual Network Function</dd>
        </dl>
        <t>
        </t>
      </section>
    </section>

    <section title="Bitwise Address Filters for FSv2">
      <t>
        This section defines the bitwise address filter component Sub-TLVs for FSv2.
        Sub-TLVs for both source and destination address fields are defined.
      </t>
      <section title="Destination Address Bitwise Filter Component Sub-TLV" anchor="dst-bitwise-subtlv-definition">
        <dl>
          <dt>Summary: </dt>
          <dd>
            This section defines bitwise matches for the destination address field.
          </dd>
          <dt>Component Type: </dt>
          <dd>TBD1</dd>
          <dt>Description: </dt>
          <dd>
            <t>
              This component matches against designated bits in the destination address field.
            </t>
            <t>
              It contains a list of &lt;Pattern, Mask&gt; pairs.
              If the destination address matches any pair in the list, this component is considered
              a match.
            </t>
            <t>
              A destination address D is a match for a pair &lt;Pattern, Mask&gt; if
              and only if:
            </t>
            <t>
              (D &amp; Mask) = (Pattern &amp; Mask)
            </t>
            <t>
              where &amp; is the bitwise AND
              operator.
            </t>
          </dd>
          <dt>The field that the component targets in the IPv4 Packets: </dt>
          <dd>Destination address field</dd>
          <dt>The field that the component targets in the IPv6 Packets: </dt>
          <dd>Destination address field</dd>
          <dt>Length: </dt>
          <dd>
            This field indicates the length of the value field in octets. The length is
            a nonzero multiple of 8 for AFI = 1 (IPv4) or a nonzero multiple of 32 for AFI = 2
            (IPv6).
          </dd>
          <dt>Encoding of Component Value field: </dt>
          <dd>
            The value field is encoded as a sorted list with no repetition of pairs: [ &lt;Pattern,
            Mask&gt;, &lt;Pattern, Mask&gt;, ..., &lt;Pattern, Mask&gt; ]
          </dd>
        </dl>
        <dl>
          <dt>Pattern: </dt>
          <dd>
            a 4-octet bit string for AFI = 1 and a 16-octet bit string for AFI = 2.
            It indicates the destination address value to match.
            Only bit positions set to 1 in the Mask field are considered for matching; other bit
            positions are ignored.
            Ignored bit positions MUST be set to zero on transmission and MUST be treated as zero on
            receipt.
          </dd>
          <dt>Mask: </dt>
          <dd>
            a 4-octet bit mask for AFI = 1 and a 16-octet bit mask for AFI = 2.
            It indicates the bit positions to match with the Pattern field.
            Only bit positions set to 1 in the Mask field are considered for matching.
            These bit positions can be discontiguous.
          </dd>
          <dt>Construction of the list: </dt>
          <dd>
            <t>
              The following procedures guarantee the same result for the same list of &lt;Pattern,
              Mask&gt; pairs.
              Note that two pairs are identical if they are encoded exactly the same using the
              encoding described above.
            </t>
            <ul>
              <li>
                Each &lt;Pattern, Mask&gt; pair is treated as a binary string.
              </li>
              <li>
                Each pair MUST be present no more than once in a single component Sub-TLV.
              </li>
              <li>
                Each pair is compared using the memcmp() function as defined in
                <xref target="ISO_IEC_9899"/>.
              </li>
              <li>
                Each pair MUST follow strict ascending order by the memcmp() results.
                That is, the lower pair MUST precede the higher pairs.
              </li>
            </ul>
          </dd>
          <dt>Conflicts with other filters: </dt>
          <dd>
            None.
            However, it is recommended to use either the bitwise filter
            or the "Destination Prefix filter" defined in
            <xref target="I-D.ietf-idr-fsv2-ip-basic"/>, not both.
            See also in <xref target="existing-filter"/>.
          </dd>
        </dl>
      </section>
      <section title="Source Address Bitwise Filter Component Sub-TLV" anchor="src-bitwise-subtlv-definition">
        <dl>
          <dt>Summary: </dt>
          <dd>
            This section defines bitwise matches for the source address field.
          </dd>
          <dt>Component Type: </dt>
          <dd>TBD2</dd>
          <dt>Description: </dt>
          <dd>
            <t>
              This component matches against designated bits in the source address field.
            </t>
            <t>
              It contains a list of &lt;Pattern, Mask&gt; pairs.
              If the source address matches any pair in the list, this component is considered a
              match.
            </t>
            <t>
              A source address S is a match for a pair &lt;Pattern, Mask&gt; if
              and only if:
            </t>
            <t>
              (S &amp; Mask) = (Pattern &amp; Mask)
            </t>
            <t>
              where &amp; is the bitwise AND
              operator.
            </t>
          </dd>
          <dt>The field that the component targets in the IPv4 Packets: </dt>
          <dd>Source address field</dd>
          <dt>The field that the component targets in the IPv6 Packets: </dt>
          <dd>Source address field</dd>
          <dt>Length: </dt>
          <dd>
            This field indicates the length of the value field in octets. The length is
            a nonzero multiple of 8 for AFI = 1 (IPv4) or a nonzero multiple of 32 for AFI = 2
            (IPv6).
          </dd>
          <dt>Encoding of Component Value field: </dt>
          <dd>
            The value field is encoded as a sorted list with no repetition of pairs: [ &lt;Pattern,
            Mask&gt;, &lt;Pattern, Mask&gt;, ..., &lt;Pattern, Mask&gt; ]
          </dd>
        </dl>
        <dl>
          <dt>Pattern: </dt>
          <dd>
            a 4-octet bit string for AFI = 1 and a 16-octet bit string for AFI = 2.
            It indicates the source address value to match.
            Only bit positions set to 1 in the Mask field are considered for matching; other bit
            positions are ignored.
            Ignored bit positions MUST be set to zero on transmission and MUST be treated as zero on
            receipt.
          </dd>
          <dt>Mask: </dt>
          <dd>
            a 4-octet bit mask for AFI = 1 and a 16-octet bit mask for AFI = 2.
            It indicates the bit positions to match with the Pattern field.
            Only bit positions set to 1 in the Mask field are considered for matching.
            These bit positions can be discontiguous.
          </dd>
          <dt>Construction of the list: </dt>
          <dd>
            <t>
              The following procedures guarantee the same result for the same list of &lt;Pattern,
              Mask&gt; pairs.
              Note that two pairs are identical if they are encoded exactly the same using the
              encoding described above.
            </t>
            <ul>
              <li>
                Each &lt;Pattern, Mask&gt; pair is treated as a binary string.
              </li>
              <li>
                Each pair MUST be present no more than once in a single component Sub-TLV.
              </li>
              <li>
                Each pair is compared using the memcmp() function as defined in
                <xref target="ISO_IEC_9899"/>.
              </li>
              <li>
                Each pair MUST follow strict ascending order by the memcmp() results.
                That is, the lower pair MUST precede the higher pairs.
              </li>
            </ul>
          </dd>
          <dt>Conflicts with other filters: </dt>
          <dd>
            None.
            However, it is recommended to use either the bitwise filter
            or the "Source Prefix filter" defined in
            <xref target="I-D.ietf-idr-fsv2-ip-basic"/>, not both.
            See also in <xref target="existing-filter"/>.
          </dd>
        </dl>
      </section>
      <section title="Comparing the Sub-TLVs between NLRIs">
        <t>
          This section describes the procedures for comparing two Sub-TLVs of the same type in two
          different FSv2 NLRIs.
          Note that inside every individual Sub-TLV, each &lt;Pattern,
          Mask&gt; pair has already been sorted by the procedures defined in
          <xref target="dst-bitwise-subtlv-definition"/>
          and <xref target="src-bitwise-subtlv-definition"/>.
        </t>
        <t>
          When comparing two NLRIs with the same type of bitwise matching filter component Sub-TLV,
          the following procedures apply:
        </t>
        <ol>
          <li>
            Every bitwise filter component Sub-TLV, regardless of its length, is treated as a binary
            string.
          </li>
          <li>
            Compare the bitwise filter component Sub-TLVs of the same type from each NLRI as binary
            strings using the memcmp() function defined by <xref target="ISO_IEC_9899"/>.
          </li>
          <li>
            For strings of equal length, the lowest string has the highest precedence.
          </li>
          <li>
            <t>For strings of different lengths, compare the common prefix of the string only.</t>
            <ul>
              <li>
                If the common prefix is unequal, the string with the lowest common prefix has higher
                precedence.
              </li>
              <li>
                If the common prefix is equal, the longest string has higher precedence than the
                shorter one.
              </li>
            </ul>
          </li>
        </ol>
      </section>
      <section title="Error Handling for the Sub-TLVs">
        <t>
          When receiving a Bitwise Filter Component Sub-TLV, the following error handling procedures
          apply:
        </t>
        <ul>
          <li>
            If the length is not a nonzero multiple of 8 for AFI = 1, the component Sub-TLV is
            considered MALFORMED. Similarly, if the length is not a nonzero multiple of
            32 for AFI = 2, the component Sub-TLV is also considered MALFORMED.
          </li>
          <li>
            If there is more than one identical &lt;Pattern, Mask&gt; pair, the component Sub-TLV is
            considered MALFORMED.
          </li>
          <li>
            If the &lt;Pattern, Mask&gt; pairs are not in a strict ascending order as
            described in <xref target="dst-bitwise-subtlv-definition"/> and
            <xref target="src-bitwise-subtlv-definition"/>,
            the component Sub-TLV is considered MALFORMED.
          </li>
        </ul>
        <t>
          The error handling procedures for NLRIs with MALFORMED Sub-TLVs are defined in
          <xref target="I-D.ietf-idr-fsv2-ip-basic"/>.
        </t>
      </section>
      <section title="Interactions with Existing Filter Components">
        <t>
          This section describes the interactions with the existing IPv4/IPv6 Source/Destination
          Prefix filter components defined in
          <xref target="I-D.ietf-idr-fsv2-ip-basic"/>.
        </t>
        <t>
          When a filter component defined in this document resides in an NLRI containing other
          existing prefix filter components, typical logical AND semantics between components should
          be honored.
        </t>
        <t>
          For example, if there are a source address bitwise filter component and a source prefix
          filter component in the same NLRI, a source address is considered a match if it matches
          both components.
        </t>
        <t>
          However, it is recommended to use only one filter component for a packet header field.
          See also in <xref target="existing-filter"/>.
        </t>
      </section>
    </section>
    <section title="Use Cases" anchor="use-cases">
      <t>
        This section describes various use cases for these filter components.
      </t>
      <section title="Symmetric Traffic Load Balancing" anchor="symmetric-load-balancing-section">
        <t>
          Referring to <xref target="symmetric-load-balancing"/>,
          subscriber traffic passes through a set of inline service instances(e.g., DPIs, stateful
          firewalls) before entering the Internet.
        </t>
        <t>
          Inline service instances SVC0, SVC1, SVC2, and SVC3 need to process the same session in
          both directions. Any single service instance cannot handle the traffic volume
          alone. Assuming the traffic is distributed almost uniformly among combinations
          of the least significant 2 bits of the subscribers' addresses.
        </t>
          <figure title="Symmetric Traffic Load Balancing Between Routers" anchor="symmetric-load-balancing">
            <artwork type="ascii-art">
              <![CDATA[
                 +------+   +--------+   +------+
                 |      |---|  SVC0  |---|      |
                 |      |   +--------+   |      |
                 |      |   +--------+   |      |
 +-----------+   |      |---|  SVC1  |---|      |   +-------------+
 |Subscribers|---|Router|   +--------+   |Router|---| Services on |
 +-----------+   |  X   |   +--------+   |  Y   |   |  Internet   |
                 |      |---|  SVC2  |---|      |   +-------------+
                 |      |   +--------+   |      |
                 |      |   +--------+   |      |
                 |      |---|  SVC3  |---|      |
                 +------+   +--------+   +------+
                ]]>
            </artwork>
          </figure>
          <t>
            The order of fields for hashing functions is not always configurable, and different
            vendors implement various proprietary hashing functions.
            Therefore, hash-based load-balancing may not be suitable.
          </t>
          <t>
            Deploying bitwise address filters is a viable multi-vendor solution in this case.
            For example, we can deploy:
          </t>
          <t>
            On X:
          </t>
          <ul spacing="normal">
            <li>
              FSv2 rule X0 matches pattern 00 against the least significant 2 bits in the source
              address field and directs traffic to SVC0.
            </li>
            <li>
              FSv2 rule X1 matches pattern 01 against the least significant 2 bits in the source
              address field and directs traffic to SVC1.
            </li>
            <li>
              FSv2 rule X2 matches pattern 10 against the least significant 2 bits in the source
              address field and directs traffic to SVC2.
            </li>
            <li>
              FSv2 rule X3 matches pattern 11 against the least significant 2 bits in the source
              address field and directs traffic to SVC3.
            </li>
          </ul>
          <t>
            On Y:
          </t>
          <ul spacing="normal">
            <li>
              FSv2 rule Y0 matches pattern 00 against the least significant 2 bits in the
              destination address field and directs traffic to SVC0.
            </li>
            <li>
              FSv2 rule Y1 matches pattern 01 against the least significant 2 bits in the
              destination address field and directs traffic to SVC1.
            </li>
            <li>
              FSv2 rule Y2 matches pattern 10 against the least significant 2 bits in the
              destination address field and directs traffic to SVC2.
            </li>
            <li>
              FSv2 rule Y3 matches pattern 11 against the least significant 2 bits in the
              destination address field and directs traffic to SVC3.
            </li>
          </ul>
          <t>
            If, instead, we want to load-balance a subset of subscribers from subnet P1/M1 only, the
            bitwise components also support that.
          </t>
          <t>
            For example, FSv2 rule X0 can be modified to match both the most significant M1 bits as
            P1 and the least significant 2 bits as 00 in a single &lt;Pattern, Mask&gt;
            pair since the matching positions indicated by the Mask can be discontiguous as
            mentioned in <xref target="src-bitwise-subtlv-definition"/>.
          </t>
          <t>
            FSv2 rule Y0 can be modified to match both the most significant M1 bits as P1 and the
            least significant 2 bits as 00 in a single &lt;Pattern, Mask&gt; pair since
            the matching positions indicated by the Mask can be discontiguous as mentioned in
            <xref target="dst-bitwise-subtlv-definition"/>.
          </t>
          <t>
            The matched traffic is directed to a specific service instance by various mechanisms,
            such as(but not limited to) the following:
          </t>
          <ul spacing="normal">
            <li>
              RT-redirect action defined in <xref target="RFC8955"/>
            </li>
            <li>
              Redirect-to-IP action as described in
              <xref target="I-D.ietf-idr-flowspec-redirect-ip"/>
            </li>
            <li>
              Redirect into an SR Policy as described in
              <xref target="I-D.ietf-idr-ts-flowspec-srv6-policy"/>
            </li>
            <li>
              Indirection-id redirection as described in
              <xref target="I-D.ietf-idr-flowspec-path-redirect"/>
            </li>
          </ul>
          <t>
            Using this approach, the bitwise filter components load-balance traffic into N service
            instances while keeping the same session on the same instance.
          </t>
      </section>
      <section title="Dynamic Service Scaling">
        <t>
          Consider the same example depicted in <xref target="symmetric-load-balancing"/>.
          If the traffic load drops and we want to scale down the service by shutting down SVC2 and
          SVC3 to reduce costs, we can deploy new rules:
        </t>
        <t>
          On X:
        </t>
        <ul spacing="normal">
          <li>
            FSv2 rule X0 matches pattern 0 against the least significant bit in the source address
            field and directs traffic to SVC0.
          </li>
          <li>
            FSv2 rule X1 matches pattern 1 against the least significant bit in the source address
            field and directs traffic to SVC1.
          </li>
        </ul>
        <t>
          On Y:
        </t>
        <ul spacing="normal">
          <li>
            FSv2 rule Y0 matches pattern 0 against the least significant bit in the destination
            address field and directs traffic to SVC0.
          </li>
          <li>
            FSv2 rule Y1 matches pattern 1 against the least significant bit in the destination
            address field and directs traffic to SVC1.
          </li>
        </ul>
        <t>
          We can remove the old rules and then shut down SVC2 and SVC3 after the new rules are
          activated.
        </t>
      </section>
      <section title="Symmetric Traffic Sampling">
        <t>
          Some capacity-limited devices, such as DPI equipment, may benefit from traffic sampling.
          Since these devices may require traffic from both directions, we can deploy bitwise
          filters to sample traffic flows by matching against specific least significant bits from
          different subnets.
        </t>
      </section>
    </section>
    <section title="Comparisons with Other Approaches">
      <t>
        This section compares the proposed solution with other existing approaches.
      </t>
      <section title="Comparison with Existing Prefix Filter Components" anchor="existing-filter">
        <t>
          IPv4 Source/Destination Prefix filter components defined in
          <xref target="RFC8955"/>
          and <xref target="I-D.ietf-idr-fsv2-ip-basic"/>
          cannot match the least significant bits.
        </t>
        <t>
          IPv6 Source/Destination Prefix filter components defined in
          <xref target="RFC8956"/>
          and <xref target="I-D.ietf-idr-fsv2-ip-basic"/>
          can either match the least significant bits or the IPv6 Prefix, but not both.
        </t>
        <t>
          These components may not be suitable for the use cases described in
          <xref target="use-cases"/>
          without intensive real-time traffic monitoring mechanisms for every possible
          source/destination prefix.
          The manageability and flexibility are not as good as the proposed solution, either.
        </t>
        <t>
          Since the bitwise filter component provides both prefix and bitwise matching
          capabilities(as briefly described in Section 3.1), it
          is the recommended component for matching both.
        </t>
        <t>
          If only prefix matching is required, using filters defined in
          <xref target="RFC8955"/>, <xref target="RFC8956"/>,
          or <xref target="I-D.ietf-idr-fsv2-ip-basic"/>
          is more efficient and recommended.
        </t>
      </section>
      <section title="Comparison with the Content Filter Component">
        <t>
          The content filter component defined in
          <xref target="I-D.cui-idr-content-filter-flowspec"/>
          also provides the bitwise matching capability.
          Although the component supports bitwise matching against any position in the packet,
          address matching is not its primary design goal.
          Manual offset calculation is required to use this filter component.
          Therefore, the bitwise matching-based solution is more optimal for this scenario.
        </t>
      </section>
      <section title="Comparison with the Hash-based ECMP">
        <t>
          With the following conditions met, traditional hash-based ECMP may be used for the
          scenario described in <xref target="symmetric-load-balancing-section"/>.
        </t>
        <ul spacing="normal">
          <li>
            Routers X and Y implement the same hashing algorithm for ECMP, which usually means they
            are from the same vendor.
          </li>
          <li>
            The order of the fields for hashing must be reversible.
            Therefore, the hashing outcome for the same session will be on the same ECMP member for
            both directions.
          </li>
          <li>
            A mechanism to signal the order of ECMP members is needed.
            The BGP MultiNexthop(MNH) attribute, as defined in
            <xref target="I-D.ietf-idr-multinexthop-attribute"/>,
            can distribute such information.
          </li>
        </ul>
        <t>
          Even with all conditions met, before the packet enters the router, we cannot determine
          which ECMP member it passes through unless the router provides an interface to query that
          beforehand.
        </t>
        <t>
          Therefore, the bitwise matching filter-based solution is more suitable for this scenario.
        </t>
      </section>
    </section>
    <section anchor="Deployment" title="Deployment Guidelines">
      <t>
        The filter component defined in this document matches against arbitrary bit positions in the
        address fields.
        Syntactically, this component does not conflict with the existing
        <xref target="RFC8955"/>/<xref target="RFC8956"/> prefix filter component;
        however, using either the bitwise filter or the existing filter as described in
        <xref target="existing-filter"/> is recommended.
      </t>
      <t>
        The general guideline is:
      </t>
      <ul>
        <li>
          If only single prefix-matching is needed, use the existing filter components.
          It is more encoding-wise efficient.
        </li>
        <li>
          Use the bitwise filter components otherwise. Since it provides a union of the
          listed &lt;Pattern, Mask&gt; pairs.
        </li>
      </ul>
      <t>
        When deployed with redirection actions, these rules actually become PBR rules.
        Since these rules bypass the typical routing lookups, just like typical PBR rules, it is
        possible to form forwarding loops. User discretion is required.
      </t>
      <t>
        If deployed with redirection actions and there are ECMPs to the redirection destination,
        matched packets are subject to hash-based load-balancing towards that destination.
      </t>
      <t>
        While some platforms process bitwise filter components at line-rate speeds, some don't.
        Therefore, it is recommended to determine the performance of the bitwise match filter
        components beforehand.
      </t>
    </section>
    <section anchor="IANA" title="IANA Considerations">
      <t>
        IANA is requested to indicate [this document] as a reference on the
        following assignments in the "BGP FSv2 IP Basic Component Types" registry:
      </t>
      <table>
        <thead>
          <tr>
            <th>Type Value</th>
            <th>IPv4 Name</th>
            <th>IPv6 Name</th>
            <th>Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="right">TBD1</td>
            <td align="left">Bitwise Destination IPv4 Address Filter</td>
            <td align="left">Bitwise Destination IPv6 Address Filter</td>
            <td align="left">[this document]</td>
          </tr>
          <tr>
            <td align="right">TBD2</td>
            <td align="left">Bitwise Source IPv4 Address Filter</td>
            <td align="left">Bitwise Source IPv6 Address Filter</td>
            <td align="left">[this document]</td>
          </tr>
        </tbody>
      </table>
    </section>
    
    <section anchor="Security" title="Security Considerations">
      <t>
        The security considerations discussed in 
        <xref target="RFC8955"/>,
        <xref target="RFC8956"/>,
        and <xref target="I-D.ietf-idr-fsv2-ip-basic"/>
        also apply to this document.
      </t>
      <t>
        If deployed with redirection actions, the security considerations discussed in
        <xref target="I-D.ietf-idr-flowspec-redirect-ip"/>
        should also be evaluated.
      </t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8955.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8956.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-idr-fsv2-ip-basic.xml"/>
      <reference anchor="ISO_IEC_9899" quoteTitle="true" derivedAnchor="ISO_IEC_9899">
        <front>
          <title>Information technology -- Programming languages -- C</title>
          <seriesInfo name="ISO/IEC" value="9899:2018"/>
          <author>
            <organization showOnFrontPage="true">
              ISO
            </organization>
          </author>
          <date month="June" year="2018"/>
        </front>
      </reference>
    </references>
    <references title="Informative References">
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-idr-flowspec-redirect-ip.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-idr-ts-flowspec-srv6-policy.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-idr-flowspec-path-redirect.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.cui-idr-content-filter-flowspec.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-idr-multinexthop-attribute.xml"/>
    </references>
    <section title="Acknowledgements" anchor="Acknowledgements" numbered="false">
      <t>
        The authors would like to thank Robert Raszuk for comments and suggestions.
      </t>
    </section>
 </back>
</rfc>
