OSPFv3 Extensions for BIER
Cisco Systems, Inc., Apollo Business Center, Mlynske nivy 43, Bratislava 821 09, Slovakia, ppsenak@cisco.com
Cisco Systems, Inc., 7200 Kit Creek Road, Research Triangle Park, NC 27709, US, naikumar@cisco.com
Individual Contributor, Diegem 1831, Belgium, ice@braindump.be
Internet-Draft
Network Working Group: bier
Bit Index Explicit Replication (BIER) is an architecture that
provides multicast forwarding through a "BIER domain" without
requiring intermediate routers to maintain multicast related per-flow
state. Neither does BIER require an explicit tree-building
protocol for its operation. A multicast data packet enters a BIER
domain at a "Bit-Forwarding Ingress Router" (BFIR), and leaves the
BIER domain at one or more "Bit-Forwarding Egress Routers" (BFERs).
The BFIR router adds a BIER header to the packet. This header
contains a bit-string in which each bit represents exactly one BFER
to forward the packet to. The set of BFERs to which the multicast
packet needs to be forwarded is expressed by the corresponding set of bits
set in the BIER packet header.
This document describes the OSPFv3 [RFC8362] protocol extensions required for
BIER with MPLS encapsulation [RFC8296]. Support for other encapsulation types is
outside the scope of this document. The use of multiple encapsulation types is
outside the scope of this document.
Bit Index Explicit Replication (BIER) is an architecture that provides
optimal multicast forwarding through a "BIER domain"
without requiring intermediate routers to maintain any multicast related per-flow
state. Neither does BIER explicitly require a tree-building protocol for its
operation. A multicast data packet enters a BIER domain at a "Bit-Forwarding
Ingress Router" (BFIR), and leaves the BIER domain at one or more "Bit-Forwarding
Egress Routers" (BFERs). The BFIR router adds a BIER header to the packet. The BIER
header contains a bit-string in which each bit represents exactly one BFER to forward
the packet to. The set of BFERs to which the multicast packet needs to be forwarded
is expressed by setting the bits that correspond to those routers in the BIER header.
The BIER architecture requires routers participating in BIER to exchange
BIER related information within a given domain. The BIER architecture permits link-state
routing protocols to perform distribution of such information.
proposes the OSPFv2 protocol
extensions to distribute BIER specific information. This document describes extensions
to OSPFv3 necessary to advertise BIER specific information in the case where BIER
uses MPLS encapsulation as described in .
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .
All BIER specific information that a Bit-Forwarding Router (BFR) needs to
advertise to other BFRs is associated with a BFR-Prefix. A BFR-Prefix is a unique
(within a given BIER domain) routable IPv4 or IPv6 address that is assigned to each
BFR as described in more detail in . defines the encoding of OSPFv3
LSAs in TLV format that allows additional information to be carried. This section defines
the required Sub-TLVs to carry BIER information that is associated with the BFR-Prefix.
The Sub-TLV defined in this section MAY be carried in the following OSPFv3 Extended LSA
TLVs:
Intra-Area-Prefix TLV
Inter-Area-Prefix TLV
A Sub-TLV of the above mentioned Prefix TLVs is defined for distributing BIER
information. The Sub-TLV is called the BIER Sub-TLV. Multiple BIER Sub-TLVs may be
included in any of the above mentioned Prefix TLVs.
The BIER Sub-TLV has the following format:
Type: TBD1
Length: Variable, dependent on sub-TLVs.
Sub-domain-ID: Unique value identifying the BIER sub-domain within
the BIER domain, as described in .
MT-ID: Multi-Topology ID (as defined in ) that
identifies the topology that is associated with the BIER sub-domain.
BFR-id: A 2 octet field encoding the BFR-id, as documented in
section 2 of . If the BFR is not
locally configured with a valid BFR-id, the value of this field is
set to 0, which is defined as illegal in .
BAR: Single octet BIER specific algorithm used to calculate underlay paths to
reach other BFRs. Values are allocated from the "BIER Algorithm" registry which is
defined in .
IPA: Single octet IGP algorithm to either modify, enhance or replace the
calculation of underlay paths to reach other BFRs as defined by the BAR
value. Values are defined in the "IGP Algorithm Types" registry.
Each BFR sub-domain MUST be associated with one and only one OSPF topology that is
identified by the MT-ID. If the association between BIER
sub-domain and OSPF topology advertised in the BIER sub-TLV by other BFRs is in conflict
with the association locally configured on the receiving router, the BIER Sub-TLV MUST
be ignored.
If the MT-ID value is outside of the values specified in ,
the BIER Sub-TLV MUST be ignored.
If a BFR advertises the same Sub-domain-ID in multiple BIER sub-TLVs, the BFR MUST
be treated as if it did not advertise a BIER sub-TLV for such sub-domain.
All BFRs MUST detect advertisement of duplicate valid BFR-ids for a given
MT-ID and Sub-domain-ID. When such duplication is detected by the BFR, it MUST
behave as described in section 5 of .
The supported BAR and IPA algorithms MUST be consistent for all routers
supporting a given BFR sub-domain. A router receiving a BIER Sub-TLV advertisement
with a value in the BAR or IPA field which does not match the locally configured
value for a given BFR sub-domain MUST report a misconfiguration for such BIER
sub-domain and MUST ignore such BIER sub-TLV.
The use of non-zero values in either the BAR field or the IPA field is
outside the scope of this document.
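As an added illustration, not the draft's own code, the following Python function applies the per-sub-domain consistency rules above (same Sub-domain-ID advertised twice by one BFR, sub-domain to MT-ID association, BAR/IPA mismatch against local configuration, duplicate valid BFR-ids) to a constructed set of already parsed advertisements. The tuple layout, the sample prefixes and the local configuration table are assumptions made for the example.

```python
from collections import Counter

# Constructed sample of already-parsed BIER Sub-TLVs, one tuple per advertisement:
# (advertising BFR-prefix, Sub-domain-ID, MT-ID, BFR-id, BAR, IPA).
ADVERTS = [
    ("2001:db8:b1e6::1", 0, 0, 1, 0, 0),
    ("2001:db8:b1e6::2", 0, 0, 2, 0, 0),
    ("2001:db8:b1e6::3", 0, 0, 2, 0, 0),  # BFR-id 2 duplicated within (MT-ID 0, SD 0)
    ("2001:db8:b1e6::4", 0, 0, 0, 0, 0),  # BFR-id 0: not configured, never a duplicate
    ("2001:db8:b1e6::5", 1, 0, 7, 0, 0),
    ("2001:db8:b1e6::5", 1, 0, 8, 0, 0),  # same Sub-domain-ID twice from one BFR
    ("2001:db8:b1e6::6", 0, 0, 9, 1, 0),  # BAR differs from the local configuration
]
# Assumed local configuration of the receiving router, keyed by Sub-domain-ID.
LOCAL = {0: {"mt_id": 0, "bar": 0, "ipa": 0}, 1: {"mt_id": 0, "bar": 0, "ipa": 0}}

def validate_adverts(adverts, local):
    """Returns (accepted adverts, {(bfr, sd): reason} for ignored ones,
    sorted [(bfr, sd)] whose valid BFR-id collides with another BFR's)."""
    rejected = {}
    per_bfr_sd = Counter((bfr, sd) for bfr, sd, *_rest in adverts)
    for bfr, sd, mt, bfr_id, bar, ipa in adverts:
        cfg = local.get(sd)
        if per_bfr_sd[(bfr, sd)] > 1:
            rejected[(bfr, sd)] = "same Sub-domain-ID in multiple BIER Sub-TLVs"
        elif cfg and cfg["mt_id"] != mt:
            rejected[(bfr, sd)] = "sub-domain/MT-ID association conflicts with local config"
        elif cfg and (cfg["bar"], cfg["ipa"]) != (bar, ipa):
            rejected[(bfr, sd)] = "BAR/IPA misconfiguration"  # MUST report and ignore
    accepted = [a for a in adverts if (a[0], a[1]) not in rejected]
    # Duplicate valid (non-zero) BFR-ids within one (MT-ID, Sub-domain-ID) MUST be
    # detected; the handling itself is delegated to RFC 8279 section 5.
    ids = Counter((mt, sd, bfr_id) for _b, sd, mt, bfr_id, *_rest in accepted if bfr_id)
    dups = sorted({(bfr, sd) for bfr, sd, mt, bfr_id, *_rest in accepted
                   if bfr_id and ids[(mt, sd, bfr_id)] > 1})
    return accepted, rejected, dups
```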
The BIER MPLS Encapsulation Sub-TLV is a Sub-TLV of the BIER Sub-TLV defined
in . The BIER MPLS Encapsulation Sub-TLV is used
to advertise MPLS specific information used for BIER. It MAY appear
multiple times in the BIER Sub-TLV.
The BIER MPLS Encapsulation Sub-TLV has the following format:
Type: Set to TBD2.
Length: 8 octets.
Max SI: A 1 octet field encoding the maximum Set Identifier (section 1
of ), used in the encapsulation for this BIER
sub-domain for this BitString length.
Label: A 3 octet field, where the 20 rightmost bits represent the first
label in the label range. The 4 leftmost bits MUST be ignored.
Bit String Length: A 4 bit field encoding the supported BitString length
associated with this BFR-prefix. The values allowed in this field
are specified in section 2 of .
Reserved: SHOULD be set to 0 on transmission and MUST be ignored on
reception.
The "label range" is the set of labels beginning with the Label and
ending with (Label + (Max SI)). A unique label range is allocated
for each BitString length and Sub-domain-ID. These labels are used for BIER
forwarding as described in and
.
The size of the label range is determined by the number of Set Identifiers (SI)
(section 1 of ) that are used in the
network. Each SI maps to a single label in the label range. The first label is for
SI=0, the second label is for SI=1, etc.
If the label associated with the Maximum Set Identifier exceeds the 20 bit range, the
BIER MPLS Encapsulation Sub-TLV MUST be ignored.
If the BS length is set to a value that does not match any of the allowed values
specified in , the BIER MPLS Encapsulation Sub-TLV MUST be
ignored.
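The following Python example, added here and not part of the draft, parses a BIER Sub-TLV together with its nested BIER MPLS Encapsulation Sub-TLVs and applies the ignore rules of the two Sub-TLV sections (MT-ID range, 20-bit label range, allowed BitString lengths, repeated BS length and overlapping label ranges). The field layout after the 4-octet TLV header (Sub-domain-ID, MT-ID, BFR-id, BAR, IPA, Reserved), the type codes 0xFF01/0xFF02 standing in for TBD1/TBD2, and the MT-ID range 0..127 are assumptions, since the draft's format figures are not reproduced on this page.

```python
import struct

# Type codes are TBD1/TBD2 in the draft; these values are placeholders only.
BIER_SUBTLV_TYPE, BIER_MPLS_ENCAP_TYPE = 0xFF01, 0xFF02
# BS Len codes 1..7 per RFC 8296 section 2; MT-ID 0..127 assumed per RFC 4915.
ALLOWED_BSL = {1: 64, 2: 128, 3: 256, 4: 512, 5: 1024, 6: 2048, 7: 4096}
MAX_LABEL = (1 << 20) - 1

def parse_bier_subtlv(data: bytes):
    """Parse one BIER Sub-TLV, assumed layout after the 4-octet header:
    Sub-domain-ID(1) MT-ID(1) BFR-id(2) BAR(1) IPA(1) Reserved(2), then sub-TLVs.
    Returns (dict, "ok") or (None, reason) when the whole Sub-TLV MUST be ignored."""
    if len(data) < 12:
        return None, "truncated BIER Sub-TLV"
    typ, length = struct.unpack_from("!HH", data, 0)
    if typ != BIER_SUBTLV_TYPE or length < 8 or 4 + length > len(data):
        return None, "bad type or length"
    sd, mt, bfr_id, bar, ipa, _rsv = struct.unpack_from("!BBHBBH", data, 4)
    if mt > 127:
        return None, "MT-ID out of range"
    tlv = {"sub_domain": sd, "mt_id": mt, "bfr_id": bfr_id,
           "bar": bar, "ipa": ipa, "encaps": []}   # encaps: (bsl_bits, first, last)
    seen_bsl, off, end = set(), 12, 4 + length
    while off < end:
        if off + 4 > end:
            return None, "truncated sub-TLV header"
        t, l = struct.unpack_from("!HH", data, off)
        body, off = data[off + 4:off + 4 + l], off + 4 + l
        if off > end:
            return None, "sub-TLV overruns BIER Sub-TLV"
        if t != BIER_MPLS_ENCAP_TYPE:
            continue                      # unknown sub-TLVs are skipped
        if l != 8:
            return None, "encap sub-TLV length must be 8 octets"
        max_si = body[0]
        label = int.from_bytes(body[1:4], "big") & MAX_LABEL   # 4 leftmost bits ignored
        bsl = body[4] >> 4
        if bsl not in ALLOWED_BSL or label + max_si > MAX_LABEL:
            continue                      # MUST ignore this encap sub-TLV only
        if bsl in seen_bsl:
            return None, "BS length repeated"   # whole BIER Sub-TLV is ignored
        seen_bsl.add(bsl)
        tlv["encaps"].append((ALLOWED_BSL[bsl], label, label + max_si))
    return tlv, "ok"

def label_ranges_overlap(tlvs):
    """True if label ranges across all encap sub-TLVs of one BFR overlap (MUST NOT)."""
    r = sorted(e[1:] for t in tlvs for e in t["encaps"])
    return any(a[1] >= b[0] for a, b in zip(r, r[1:]))
```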
If the same BS length is repeated in multiple BIER MPLS Encapsulation Sub-TLVs inside
the same BIER Sub-TLV, the BIER sub-TLV MUST be ignored.
Label ranges within all BIER MPLS Encapsulation Sub-TLVs advertised by the same BFR
MUST NOT overlap. If an overlap is detected, the advertising router MUST be treated
as if it did not advertise any BIER sub-TLVs.
The flooding scope of the Extended LSAs that is used
for advertising the BIER Sub-TLV is area-local. To allow BIER deployment
in a multi-area environment, OSPFv3 must propagate BIER information
between areas.
The following procedure is used in order to propagate BIER related information
between areas:
When an OSPFv3 Area Border Router (ABR) advertises an E-Inter-Area-Prefix-LSA for an
intra-area or inter-area prefix to all its attached areas, it determines whether
a BIER Sub-TLV should be included in this LSA. When doing so, an OSPFv3 ABR will:
Examine its best path to the prefix in the source area and find the
advertising router associated with the best path to that prefix.
Determine if that advertising router advertised a BIER Sub-TLV for the
prefix. If yes, the ABR will copy the information from that BIER Sub-TLV
when advertising the BIER Sub-TLV to each attached area.
In Figure 1, R1 advertises a prefix 2001:db8:b1e6::1/128 in Area 1. It
also includes a BIER Sub-TLV in the E-Intra-Area-Prefix-LSA. ABR R2 calculates the
reachability for prefix 2001:db8:b1e6::1/128 inside Area 1 and propagates
it to Area 0 using an E-Inter-Area-Prefix-LSA. When doing so, it copies the entire
BIER Sub-TLV (including all its Sub-TLVs) it received from R1 in Area 1 and
includes it in the E-Inter-Area-Prefix-LSA it generates for the prefix in
Area 0. ABR R3 calculates the reachability for prefix 2001:db8:b1e6::1/128
inside Area 0 and propagates it to Area 2. When doing so, it copies the entire
BIER Sub-TLV (including all its Sub-TLVs) it received from R2 in Area 0 and
includes it in the E-Inter-Area-Prefix-LSA it generates for 2001:db8:b1e6::1/128
in Area 2.
This document introduces new sub-TLVs for OSPFv3 Extended-LSAs. It does not
introduce any new security risks to OSPFv3. Existing security concerns
documented in are applicable to
the Sub-TLVs defined in this document.
It is assumed that both the BIER and OSPF layers are under a single
administrative domain. There can be deployments where potential
attackers have access to one or more networks in the OSPFv3 routing
domain. In these deployments, stronger authentication mechanisms
such as those specified in SHOULD be used.
The Security Considerations section of [RFC8279] discusses the
possibility of performing a Denial of Service (DoS) attack by setting
too many bits in the BitString of a BIER-encapsulated packet.
However, this sort of DoS attack cannot be initiated by modifying the
OSPF BIER advertisements specified in this document. A BFIR decides
which systems are to receive a BIER-encapsulated packet. In making
this decision, it is not influenced by the OSPF control messages.
When creating the encapsulation, the BFIR sets one bit in the
encapsulation for each destination system. The information in the
OSPF BIER advertisements is used to construct the forwarding tables
that map each bit in the encapsulation into a set of next hops for
the host that is identified by that bit, but is not used by the BFIR
to decide which bits to set. Hence an attack on the OSPF control
plane cannot be used to cause this sort of DoS attack.
While a BIER-encapsulated packet is traversing the network, a BFR
that receives a BIER-encapsulated packet with n bits set in its
BitString may have to replicate the packet and forward multiple
copies. However, a given bit will only be set in one copy of the
packet. That means that each transmitted replica of a received
packet has fewer bits set (i.e., is targeted to fewer destinations)
than the received packet. This is an essential property of the BIER
forwarding process as defined in [RFC8279]. While a failure of this
process might cause a DoS attack (as discussed in the Security
Considerations of [RFC8279]), such a failure cannot be caused by an
attack on the OSPF control plane.
Implementations MUST assure that malformed TLVs and Sub-TLVs defined in
this document are detected and do not provide a vulnerability for attackers
to crash the OSPFv3 router or routing process. Reception of a malformed TLV or
Sub-TLV SHOULD be counted and/or logged for further analysis. Logging of malformed
TLVs and Sub-TLVs SHOULD be rate-limited to prevent a Denial of Service (DoS)
attack (distributed or otherwise) from overloading the OSPFv3 control plane.
This document requests two new allocations from the OSPFv3 Extended-LSA
sub-TLV registry as defined in .
BIER Sub-TLV: TBD1
BIER MPLS Encapsulation Sub-TLV: TBD2