| Internet-Draft | FlowSpec Bitwise IP Filters | June 2026 |
| Kao, et al. | Expires 1 January 2027 | [Page] |
This document introduces the bitwise match filter component for source and destination IPv4/IPv6 address fields. These components enhance the BGP Flow Specification framework and provide a solution for dynamic symmetric traffic load-balancing.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 1 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Symmetric paths for traffic in both directions are required to allow session inspection service instances (such as deep packet inspection(DPI) or firewall service instances) to process traffic correctly. If a single instance cannot handle the traffic load, symmetric load-balancing across multiple inspecting service instances is required.¶
Hash-based load-balancing may not be suitable for this purpose. Since the order of the packet header fields for the hashing mechanism is not always configurable, and different vendors implement various proprietary hashing functions. In a multi-vendor environment, it is desirable to load-balance traffic using a standardized approach.¶
The BGP Flow Specification (BGP-FS) Network Layer Reachability Information (NLRI) is a standardized approach to distributing traffic filters via BGP. The BGP Flow Specification version 2 (FSv2) [I-D.ietf-idr-fsv2-ip-basic] is an enhancement to BGP-FS. It allows a user-defined order of filters.¶
This document defines the bitwise match filter component Sub-TLVs for source and destination IPv4/IPv6 address fields. Using these Sub-TLVs allows operators to match arbitrary bit positions against the corresponding address fields. We can symmetrically load-balance traffic using this property if the traffic is distributed almost uniformly across combinations of the least significant bits of the source or destination address fields.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This section defines the bitwise address filter component Sub-TLVs for FSv2. Sub-TLVs for both source and destination address fields are defined.¶
This component matches against designated bits in the destination address field.¶
It contains a list of <Pattern, Mask> pairs. If the destination address matches any pair in the list, this component is considered a match.¶
A destination address D is a match for a pair <Pattern, Mask> if and only if:¶
(D & Mask) = (Pattern & Mask)¶
where & is the bitwise AND operator.¶
The following procedures guarantee the same result for the same list of <Pattern, Mask> pairs. Note that two pairs are identical if they are encoded exactly the same using the encoding described above.¶
This component matches against designated bits in the source address field.¶
It contains a list of <Pattern, Mask> pairs. If the source address matches any pair in the list, this component is considered a match.¶
A source address S is a match for a pair <Pattern, Mask> if and only if:¶
(S & Mask) = (Pattern & Mask)¶
where & is the bitwise AND operator.¶
The following procedures guarantee the same result for the same list of <Pattern, Mask> pairs. Note that two pairs are identical if they are encoded exactly the same using the encoding described above.¶
This section describes the procedures for comparing two Sub-TLVs of the same type in two different FSv2 NLRIs. Note that inside every individual Sub-TLV, each <Pattern, Mask> pair has already been sorted by the procedures defined in Section 2.1 and Section 2.2.¶
When comparing two NLRIs with the same type of bitwise matching filter component Sub-TLV, the following procedures apply:¶
For strings of different lengths, compare the common prefix of the string only.¶
When receiving a Bitwise Filter Component Sub-TLV, the following error handling procedures apply:¶
The error handling procedures for NLRIs with MALFORMED Sub-TLVs are defined in [I-D.ietf-idr-fsv2-ip-basic].¶
This section describes the interactions with the existing IPv4/IPv6 Source/Destination Prefix filter components defined in [I-D.ietf-idr-fsv2-ip-basic].¶
When a filter component defined in this document resides in an NLRI containing other existing prefix filter components, typical logical AND semantics between components should be honored.¶
For example, if there are a source address bitwise filter component and a source prefix filter component in the same NLRI, a source address is considered a match if it matches both components.¶
However, it is recommended to use only one filter component for a packet header field. See also in Section 4.1.¶
This section describes various use cases for these filter components.¶
Referring to Figure 1, subscriber traffic passes through a set of inline service instances(e.g., DPIs, stateful firewalls) before entering the Internet.¶
Inline service instances SVC0, SVC1, SVC2, and SVC3 need to process the same session in both directions. Any single service instance cannot handle the traffic volume alone. Assuming the traffic is distributed almost uniformly among combinations of the least significant 2 bits of the subscribers' addresses.¶
+------+ +--------+ +------+
| |---| SVC0 |---| |
| | +--------+ | |
| | +--------+ | |
+-----------+ | |---| SVC1 |---| | +-------------+
|Subscribers|---|Router| +--------+ |Router|---| Services on |
+-----------+ | X | +--------+ | Y | | Internet |
| |---| SVC2 |---| | +-------------+
| | +--------+ | |
| | +--------+ | |
| |---| SVC3 |---| |
+------+ +--------+ +------+
The order of fields for hashing functions is not always configurable, and different vendors implement various proprietary hashing functions. Therefore, hash-based load-balancing may not be suitable.¶
Deploying bitwise address filters is a viable multi-vendor solution in this case. For example, we can deploy:¶
On X:¶
On Y:¶
If, instead, we want to load-balance a subset of subscribers from subnet P1/M1 only, the bitwise components also support that.¶
For example, FSv2 rule X0 can be modified to match both the most significant M1 bits as P1 and the least significant 2 bits as 00 in a single <Pattern, Mask> pair since the matching positions indicated by the Mask can be discontiguous as mentioned in Section 2.2.¶
FSv2 rule Y0 can be modified to match both the most significant M1 bits as P1 and the least significant 2 bits as 00 in a single <Pattern, Mask> pair since the matching positions indicated by the Mask can be discontiguous as mentioned in Section 2.1.¶
The matched traffic is directed to a specific service instance by various mechanisms, such as(but not limited to) the following:¶
Using this approach, the bitwise filter components load-balance traffic into N service instances while keeping the same session on the same instance.¶
Consider the same example depicted in Figure 1. If the traffic load drops and we want to scale down the service by shutting down SVC2 and SVC3 to reduce costs, we can deploy new rules:¶
On X:¶
On Y:¶
We can remove the old rules and then shut down SVC2 and SVC3 after the new rules are activated.¶
Some capacity-limited devices, such as DPI equipment, may benefit from traffic sampling. Since these devices may require traffic from both directions, we can deploy bitwise filters to sample traffic flows by matching against specific least significant bits from different subnets.¶
This section compares the proposed solution with other existing approaches.¶
IPv4 Source/Destination Prefix filter components defined in [RFC8955] and [I-D.ietf-idr-fsv2-ip-basic] cannot match the least significant bits.¶
IPv6 Source/Destination Prefix filter components defined in [RFC8956] and [I-D.ietf-idr-fsv2-ip-basic] can either match the least significant bits or the IPv6 Prefix, but not both.¶
These components may not be suitable for the use cases described in Section 3 without intensive real-time traffic monitoring mechanisms for every possible source/destination prefix. The manageability and flexibility are not as good as the proposed solution, either.¶
Since the bitwise filter component provides both prefix and bitwise matching capabilities(as briefly described in Section 3.1), it is the recommended component for matching both.¶
If only prefix matching is required, using filters defined in [RFC8955], [RFC8956], or [I-D.ietf-idr-fsv2-ip-basic] is more efficient and recommended.¶
The content filter component defined in [I-D.cui-idr-content-filter-flowspec] also provides the bitwise matching capability. Although the component supports bitwise matching against any position in the packet, address matching is not its primary design goal. Manual offset calculation is required to use this filter component. Therefore, the bitwise matching-based solution is more optimal for this scenario.¶
With the following conditions met, traditional hash-based ECMP may be used for the scenario described in Section 3.1.¶
Even with all conditions met, before the packet enters the router, we cannot determine which ECMP member it passes through unless the router provides an interface to query that beforehand.¶
Therefore, the bitwise matching filter-based solution is more suitable for this scenario.¶
The filter component defined in this document matches against arbitrary bit positions in the address fields. Syntactically, this component does not conflict with the existing [RFC8955]/[RFC8956] prefix filter component; however, using either the bitwise filter or the existing filter as described in Section 4.1 is recommended.¶
The general guideline is:¶
When deployed with redirection actions, these rules actually become PBR rules. Since these rules bypass the typical routing lookups, just like typical PBR rules, it is possible to form forwarding loops. User discretion is required.¶
If deployed with redirection actions and there are ECMPs to the redirection destination, matched packets are subject to hash-based load-balancing towards that destination.¶
While some platforms process bitwise filter components at line-rate speeds, some don't. Therefore, it is recommended to determine the performance of the bitwise match filter components beforehand.¶
IANA is requested to indicate [this document] as a reference on the following assignments in the "BGP FSv2 IP Basic Component Types" registry:¶
| Type Value | IPv4 Name | IPv6 Name | Reference |
|---|---|---|---|
| TBD1 | Bitwise Destination IPv4 Address Filter | Bitwise Destination IPv6 Address Filter | [this document] |
| TBD2 | Bitwise Source IPv4 Address Filter | Bitwise Source IPv6 Address Filter | [this document] |
The security considerations discussed in [RFC8955], [RFC8956], and [I-D.ietf-idr-fsv2-ip-basic] also apply to this document.¶
If deployed with redirection actions, the security considerations discussed in [I-D.ietf-idr-flowspec-redirect-ip] should also be evaluated.¶
The authors would like to thank Robert Raszuk for comments and suggestions.¶