BGP Flow Specification Version 2

Version 2 of BGP flow specification was original defined in (denoted FSv2). However, the full FSv2 specification contains more than initial implementers desired. Therefore, this original FSv2 draft remains an WG draft, but the content will be split out into functions that implementers can manage. Section 1.4 contains the list of documents intended to be the split of the original FSv2 documents. FSv2 specifies new user-ordered filters that will be used with the IPv4 (AFI=1) and IPv6 (AFI=2) 2 new SAFIs (TBD1, TBD2) for FSv2 to be used with 5 AFIs (1, 2, 6, 25, and 31) to allow user-ordered lists of traffic match filters for user-ordered traffic match actions encoded in Communities (Wide or Extended). This draft specifies defines extensions to the FSv2 Basic IP package to support additional IP filters for IP packet and payload. The filters are passed in the Extended IP Filters (type 2) of the subTLVs. This filter form contains a filter version number so filters can be added easily. BGP Flow Specifiction version 1 (FSv1) as defined in , , and specified 2 SAFIs (133, 134) to be used with IPv4 AFI (AFI = 1) and IPv6 AFI (AFI=2). FSV2 specifies 2 new SAFIs (TBD1, TBD2) for FSv2 to be used with 5 AFIs (1, 2, 6, 25, and 31) to allow user-ordered lists of traffic match filters for user-ordered traffic match actions encoded in Communities (Wide or Extended). The first SAFI (TBD1) will be used for IP forwarding, and the second SAFI (TBD2) will be used with VPNs. The supported AFI/SAFI combinations in FSV2 are: IPV4 (AFI=1, SAFI=TBD1), IPv6 (AFI=2, SAFI=TBD1), L2 (AFI=6, SAFI=TBD1), SFC (AFI=31, SAFI=TBD1), BGP/MPLS IPv4 VPN (AFI=1, SAFI=TBD2), BGP/MPLS IPV6 VPN (AFI=2, SAFI=TBD2), BGP/MPLS L2VPN (AFI=25, SAFI=TBD2), and SFC VPN (AFI=31, SAFI=TBD2) FSv2 specifies new IP filter that will be used with the IPv4 (AFI=1) and IPv6 (AFI=2) 2 new SAFIs (TBD1, TBD2) for FSv2 to be used with 5 AFIs (1, 2, 6, 25, and 31) to allow user-ordered lists of traffic match filters for user-ordered traffic match actions encoded in Communities (Wide or Extended). This document specifies IP filters used with IPvr (AFI=1) and IPv6 (AFI=2). FSv1 and FSv2 use different AFI/SAFIs to send flow specification filters. Since BGP route selection is performed per AFI/SAFI, this approach can be termed “ships in the night” based on AFI/SAFI. Section 2 contains a description of the format of the FSv2 NLRI for the the Extended IP Filters type (type 2). Section 3 provides three new Filters approved in IDR WG drafts. Section 4 provides potential filters from individual drafts.

AFI - Address Family Identifier AS - Autonomous System BGPSEC - secure BGP updated by BGP Session ephemeral state - state which does not survive the loss of BGP peer session. Configuration state - state which persist across a reboot of software module within a routing system or a reboot of a hardware routing device. DDOs - Distributed Denial of Service. Ephemeral state - state which does not survive the reboot of a software module, or a hardware reboot. Ephemeral state can be ephemeral configuration state or operational state. FSv1 - Flow Specification version 1 [RFC8955] [RFC8956] FSv2 - Flow Specification version 2 (this document) NETCONF - The Network Configuration Protocol . RESTCONF - The RESTCONF configuration Protocol RIB - Routing Information Base. ROA - Route Origin Authentication RR - Route Reflector. SAFI – Subsequent Address Family Identifier

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals as shown here.

Note from Editor: This review section is here for the initial drafts to help with interim. It will be deleted as it is in . A BGP Flow Specification (version 1 or version 2) is an n-tuple containing one or more match criteria that can be applied to IP traffic, traffic encapsulated in IP traffic or traffic associated with IP traffic. The following are examples of such traffic: IP packet or an IP packet inside a L2 packet (Ethernet), an MPLS packet, and SFC flow. Flow Specification NLRI may be associated with a set of path attributes depending on the particular application to determine what happens upon matching the data flow filter. FSv1 and FSv2 support specifying the Extended Community specify a set of actions with a default order and known interactions. FSv2 also supports the ability to have user ordered actions by using the FSv2 type of Community BGP Path Attribute. A particular application is identified by a specific AFI/SAFI (Address Family Identifier/Subsequent Address Family Identifier) and corresponds to a distinct set of RIBs. Those RIBs should be treated independently of each other in order to assure noninterference between distinct applications. FSv1 data is sent in a different NLRI than FSv2 NLRI. BGP processing treats the NLRI as a key to entries in AFI/SAFI BGP databases. Entries that are placed in the Loc-RIB are then associated with a given set of semantics which are application dependent. Standard BGP mechanisms such as update filtering by NLRI or by attributes such as AS_PATH or large communities apply to the BGP Flow Specification defined NLRI-types. Network operators can control the propagation of BGP routes by enabling or disabling the exchange of routes for a particular AFI/SAFI pair on a particular peering session. As such, the Flow Specification may be distributed to only a portion of the BGP infrastructure. Flow Specification v2 allows the user to order the flow specification rules and the actions associated with a rule. Each FSv2 rule may have one or more match conditions and one or more associated actions. The IDR WG draft contains the complete solution for FSv2. However, this complete solution makes implementation of these features a large task so, please see the next section on how the complete solution is broken into a series of solutions. This section describres the complete solution. This FSv2 specification supports the components and actions for the following: IPv4 (AFI=1, SAFI=TBD1) [defined in FSv2-DDOS], IPv6 (AFI=2, SAFI=TBD2) [defined in FSv2-DDOS], L2 (AFI=6, SAFI=TDB1) [defined in FSv2-L2], BGP/MPLS IPv4 VPN: (AFI=1, SAFI=TBD2), BGP/MPLS IPv6 VPN: (AFI=2, SAFI=TBD2), BGP/MPLS L2VPN (AFI=25, SAFI=TDB2) [defined in FSv2-L2], SFC: (AFI=31, SAFI=TBD1) [defined in FSv2-SFC], and SFC VPN (AFI=31, SAFI=TBD2) [defined in FSv2-SFC]. The FSv2 specification for tunnel traffic is outside the scope of this specification. The FSv1 specification for tunneled traffic is in . The FSv2 tunnel traffic for FSv2 will be added to this list. FSv2 operates in the ships-in-the night model with FSv1 so network operators can manipulate which the distribution of FSv2 and FSv1 using configuration parameters. Since the lack of deterministic ordering was an FSv1 problem, this specification provides rules and protocol features to keep filters in a deterministic order between FSv1 and FSv2. The basic principles regarding ordering of flow specification filter rules are: 1) Rule-0 (zero) is defined to be 0/0 with the “permit-all” action. 2) FSv2 rules are ordered based on user-specified order. The user-specified order is carried in the FSv2 NLRI and a numerical lower value takes precedence over a numerically higher value. For rules received with the same order value, the FSv1 rules apply (order by component type and then by value of the components). 3) FSv2 rules are added starting with Rule 1 and FSv1 rules are added after FSv2 rules For example, BGP Peer A has FSv2 data base with 10 FSv2 rules (1-10). FSv1 user number is configured to start at 301 so 10 FSv1 rules are added at 301-310. 4) An FSv2 peer may receive BGP NLRI routes from a FSv1 peer or a BGP peer that does not support FSv1 or FSv2. The capabilities sent by a BGP peer indicate whether the AFI/SAFI can be received (FSv1 NLRI or FSv2 NLRI). 5) Associate a chain of actions to rules based on user-defined action number (1-n). (optional) If no actions are associated with a filter rule, the default is to drop traffic the filter rules match An action chain of 1-n actions can be associated with a set of filter rules can via Extended Communities or Wide Communities. Only Wide Communities can associate a user-defined order for the actions. Extended Community actions occur after actions with a user specified order (see section 5.2 for details). Figure 2-2 provides a logical diagram of the FSv2 structure

+--------------------------------+ | Rule Group | +--------------------------------+ ^ ^ ^ | |--------- | | | ------ | | | +--------^-------+ +-------^-----+ +---^-----+ | Rule1 | | Rule2 | ... | Rule-n | +----------------+ +-------------+ +---------+ : : : : :.................: : : : : |...........: : : +--V--+ +--V-------+ : : |order| |identifie | .......: : +-----+ +----------+ : : : : +------------------V--+ +-----V----------------+ |Rule Match condition | | Rule Action | +---------------------+ +----------------------+ : : : : : : : : | +--V--+ : : : +--V---+ : : : V | Rule| : : : |action| : : : +-----------+ | name| : : : |order | : : : |action name| +-----+ : : : +------+ : : : +-----------+ : : : : : :............. : : : : : : .....: . :..... ..: :...... : : : : : : : +----V---+ +---V----+ +--V---+ +-V------+ +--V-----+ +--V---+ | Match | | match | |match | | Action | | action | |action| |Operator| |variable| |Value | |Operator| |Variable| | Value| +--------+ +--------+ +------+ +--------+ +--------+ +------+ Figure 2-2: BGP FSv2 Data storage

The full FSV2 information is contained in . Feedback from the implementers indicate that the Flow Specification v2 needs to broken into drafts based on the use cases the technology supports. These include IPv4/IPv6 IP Basic Filters for DDOS, IPv4/IPv6 filters beyond DDOS, BGP/MPLS IPv4 VPN, BGP/MPLS IPv6 VPN, BGP/MPLS L2VPN, Segment routing (SRMPLS, SRv6), SFC, SFC VPN, L2, L2 VPNs, and tunneled traffic (e.g., nv03 WG tunnels). The following is the list of planned drafts: () describes the minimal set of functions each FSv2 implementation must support. (this document) defines a road map for additional IP filters. This base specification provides the format of the NLRI for IP Extended Filters" and gives templates for components used in the IP Extended Filters for FSv2. Temporarily, it list the IP Extended Filters - both filters approved by the IDR WG and the proposed filters. () This draft provides: Template for additional FSv2 IP Actions in Extended Communities, Template for additional FSv2 IP Actions in Community Path Attribute, List of IDR WG approved IP Actions (in standardization process), List of IP Actions proposed for IDR WG standarization) This group of drafts will include new proposals and revisions of the following existing IDR work: ((draft-hares-idr-fsv2-mpls-Filters) This base specification provides the format of the MPLS filters and actions. Revision of [I-D.ietf-idr-flowspec-l2vpn] for FSv2. Revision of [I-D.ietf-idr-flowspec-nvo3] for FSv2.

The format of the FSv2 NLRI field for IP Filters is defined in the original FSv2 draft and in the first of the FSv2 series drafts . As a review, the FSv2 NLRI with The format of the NLRI for Basic IP Filters (type 1) is also defined in . This document defines the format of NLRI for the FSv2 Extended IP Filter type (type 2). Figure 3-1 provides the general header and Figure 3-2 provides the definition of the "value" portion. Figure 3-3 provides a diagram of the component types. The key differences is that the extended IP filter types starts with a IP Filters identifier before SubTLVs with the filter components.

+-------------------------------+ | NLRI length (2 octets) | +-------------------------------+ | TLVs+ | | +===========================+ | | | order (4 octets) | | | +---------------------------+ | | | Dependent filters chain | | | |(type, chain ID, count, | | | | item) (8 octets) | | | +---------------------------+ | | + FSv2 Filter type 2 + | | +---------------------------+ | | + length TLVs (2 octet) + | | + --------------------------+ | | + value (variable) + | | +---------------------------+ | +-------------------------------+ Figure 3-1 - FSv2 NLRI with Extended IP Filter type. Where: Dependent Filters Chain: 8 octets for identifying a chain of FSv2 filters that must be deployed at the same time. Flow spedcification filters distributed in BGP UPDATE packets may be broken into multiple packets. In FSv2, the dependent filter ID allows the filter chains to be identified across all user-defined or default filters. The rules can be installed from BGP into the firewall after all filters have been installed. The field has the following components: version: (1 octet) identifies format of field (zero is reserved) Chain ID: (3 octet): Identifier for filter chain (zero is reserved) Count of items (2 octet): count of item on chains item on chain: (2 octets): filter sequence number on chain Where: the IP Filter type has a value field has a series of SubTLV as shown in figure 3-2.

+-------------------------------+ | +--------------------------+ | | | FSv2 Extended Filters | | | | version (1 octet) | | | +--------------------------+ | | | Components+ (SUB-TLVs) | | | +--------------------------+ | +-------------------------------+ Figure 3-2 - FSv2 for Extended IP filters Where: FSv2 Extended Filters version - gives a version number for the group of Extended IP Components supported. For example, the first version could support just the components listed in Table 3-1. And Component SubTLV has the format of

+-------------------------------+ | Component Type (1 octet) | +-------------------------------+ | length (2 octets) | + ------------------------------+ | value (variable) | +-------------------------------+ Figure 3-3 – IP header SubTLV format Where: Component type: component values are defined in the “Flow Specification Component types” registry for IPv4 and IPv6 by , , and length: length of SubTLV (varies depending on the component type)> value: dependent on component type. The component types supported are based on the FSv2 filter version. The component types supported for FSv2 IP Extended Filters depends on the Extended Capability version. For descriptions of value portions for components 1-13 see and . Potential new filter components are listed in Table 3-3.

Table 3-1 Extended IP Filters Components SubTLV -type Definition ====== ========================== 0 - Reserved 1 - IP Destination prefix 2 - IP Source prefix 3 – IPv4 Protocol / IPv6 Upper Layer Protocol 4 – Port 5 – Destination Port 6 – Source Port 7 – ICMPv4 type / ICMPv6 type 8 – ICMPv4 code / ICPv6 code 9 – TCP Flags 10 – Packet length 11 – DSCP 12 – Fragment 13 – Flow Label 14 - TTL 15 - Reserved 16 - SID in Routing IPv6 Header 17 - NRP-ID in Hop-by-Hop IPv6 Header 18 - Payload component

Table 3-2 Extended IP Component Ranges (proposed) Sub-TLV range Definition ------------- ------------- 1-13 V1 filters 14-63 IP Extended Filters 64-150 Non-IP filters 151-180 Associated Data filters 181-191 Reserved 192-249 FCFS 250-255 Reserved Ordering within the TLV in FSv2: The transmission of SubTLVs within a flow specification rule MUST be sent ascending order by SubTLV type. If the SubTLV types are the same, then the value fields are compared using mechanisms defined in and and MUST be in ascending order. NLRIs having TLVs which do not follow the above ordering rules MUST be considered as malformed by a BGP FSv2 propagator. This rule prevents any ambiguities that arise from the multiple copies of the same NLRI from multiple BGP FSv2 propagators. A BGP implementation SHOULD treat such malformed NLRIs as "Treat-as-withdraw" . See , , and . for specific details.

Summary: 1 line summary of function Component ID: TBD-X1 (14) Packet filtering: This should be a choice of IPv4, IPv6, L2 Frame, MPLS frame, tunnel What fitering in packet: specific field Encoding: encoding of values in component. (below is example of v1 component) <[numeric_op, value]+> where: numeric_op - definition value - (give definition) Ordering within component: by full value of number_op concatenated with value dependency between components: no issues conflict with other filters: none reference document: [this document] Examples in: in section (fill in section number)

This section provides examples of the use of templates for existing drafts. This section is for example only.

This approved Filters will be moved into individual drafts

Summary: TTL filter defines matches for 8-bit TTL field in IP header Component ID: TBD-X1 What packet filtering: IPv4 What fitering in packet: 8 bit TTL field Encoding: <[numeric_op, value]+> where: numeric_op - is defined by Flow Specification v1 value is a 1 octet value for TTL. ordering within component: by full value of number_op concatenated with value dependency between components: User ordering of filters can place this at any point in the filter chain. Default component order: V1 ordering does not have TTL default need to be set by IDR WG. User ordering cn set this in order. conflict: none reference: draft-bergeon-flowspec-ttl-match-00.txt examples in: section 6

Summary: IPv6 Service Identifier (SRv6 SID) Matches ( ) component ID: TBD-X2 (16) What Packet filtering: IPv6 What filtering in IPv6 Packet: Segment Routing Header (SRH) () SID in SRH: defines SRv6 Segment Identifier (SID) as an IPv6 address explicitly associated with the segment. defines the SID format as: "LOC:FUNCT:ARG" where: locator (LOC) is encoded in the L most significant bits of the SID, followed by F bits of function (FUNCT), and A bits of arguments (ARG). Encoding FSv2 Component: Parts of SID Filter: defines a list of match bit match criteria for some combinations of the LOC (location), FUNCT (function) and ARG (arguments) fields in the SID or or whole SID. Length: variable Component Value format: [type, LOC-Len, FUNCT-Len, ARG-Len, [op, value]+] where: type (1 octet): This indicates the new component type (TBD1, which is to be assigned by IANA). LOC-Len (1 octet): This indicates the length in bits of LOC in SID. FUNCT-Len (1 octet): This indicates the length in bits of FUNCT in SID. ARG-Len (1 octet): This indicates the length in bits of ARG in SID. [op, value]+: This contains a list of {operator, value} pairs that are used to match some parts of SID. The total of three lengths (i.e., LOC length + FUNCT length + ARG length) MUST NOT be greater than 128. If it is greater than 128, an error occurs and it is treated as a withdrawal [RFC7606] and [RFC4760]. The operator (op) byte is encoded as:

0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | e | a | field type|lt |gt |eq | +---+---+---+---+---+---+---+---+ Figure 3-5 where: where the behavior of each operator bit has clear similarity with that of [RFC8955]'s Numeric Operator field. e (end-of-list bit): Set in the last {op, value} pair in the sequence. a - AND bit: If unset, the previous term is logically ORed with the current one. If set, the operation is a logical AND. It should be unset in the first operator byte of a sequence. The AND operator has higher priority than OR for the purposes of evaluating logical expressions. field type: 000: SID's LOC 001: SID's FUNCT 010: SID's ARG 011: SID's LOC:FUNCT (the concatenation of the LOC and FUNCTION fields) 100: SID's FUNCT:ARG (the concatenation of the FUNCTION and ARG fields) 101: SID's LOC:FUNCT:ARG (the concatenation of the FUNCTION and ARG fields) Note: For an unknown field type, Error Handling is to "treat as withdrawal" [RFC7606] and [RFC4760]. lt: less than comparison between data' and value'. gt: greater than comparison between data' and value'. eq: equality between data' and value'. The data' and value' used in lt, gt and eq are indicated by the field type in an operator and the value field following the operator. The length of the value field depends on the field type and is the length of the SID parts being matched (see Table 3, Figure 3-6) in bytes, rounded up if that length is not a multiple of 8.

------------------ SID, 128 bits ---------------- / \ +-----------+-----------+-----------+----------------+ | LOC | FUNCT | ARG | ... | +-----------+-----------+-----------+----------------+ \ / \ / \ / \ / j bits k bits m bits 128-j-k-m bits \ / LOC:FUNCT, j+k bits \ / FUNCT:ARG, k+m bits \ / -- LOC:FUNCT:ARG, j+k+m bits – Figure 3-6 Dependency between components: TBD conflicts between components: TBD reference: Examples in: TBD

Summary: Network Resource Partition ID Component IP Packet filtering: IPv6 What filtering: IPv6 Hop-by-Hop Options Header () Description: Option in Next-Hop-Options header in IPv6 packet (, section 4). A Network Resource Partition (NRP) option carries around the network resource partition information (NRP) in the Hop-by-Hop options header (). This IPv6 Extension head has: Flags (flags): This is a 8 bit flag field in a single octet. One bit, "S" defined in most significant bit. The S stands for strict match of NRP ID field. The NRP Flags field is filtered for by the FSv2 component Flags field. Context type (CT): - 1 octet field indicating the semantics and length of NRP-ID field. The value of CT=0 indicates a 4-octet NRP ID. followed by F bits of function (FUNCT), and A bits of arguments (ARG). FSv2 NRP ID Component: Defines match for NRP ID in the NRP option of Hop-by-Hop Header. This FSv2 component has following format:

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Option Type | Opt Data Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Flags | Context Type | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ NRP ID ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure: NRP FSv2 Component Flags - This field is 2 octets with only the most signficant bit defined as Global Bit (g). Global bit (g): When set, it indicates the NRP ID to be matched with a globally unique NRP ID. Otherwise, the NRP-ID is to be a domain significant NRP ID. The global NRP ID has been coordinated among these domains. Reserved: This a 2-octet field reserved for future use. It SHOULD be set to zero on transmission and MUST be ignored on receipt. NRP ID: This is a 4-octet identifier which is used to identify an NRP Interactions with: (TBD) reference:

The documents in this section are proposed filters. Each of these proposals would be included in an individual draft.

Summary: IP Payload filter IP Packet filtering: IPv4 or IPv6 What filtering in packet: Data in header or within the payload. Encoding: The filter has an offset to filter data from the point specified in the "offset-type field" for using a filter of specific length (content-length) with a specific pattern (content). The type of packet IPv4 or IPv6 is specified in Type of IP packet. The structure of the component is:

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Option Type | component Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | PType | Otype | offset (offset-value) | content length| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | content | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3-x: FSv2 IP Payload Match Component Where the Ptype - 4 bit field indicating the packet type via AFI (IPv4 or IPv6) IPv4 = 1 IPv6 = 2 Otype - 4 bit field indicating the offset type where 0 = IP header 1 = IP header data 2 = Data within TCP/UDP offset - is number of bytes to the payload from the point defined by Ptype and Otype. content length - length of the content. content - content filter field to match (significant field bit zero). Ordering within component: (TBD) interacts with components: (TBD) reference:

Summary: Filter on Group ID IP Packet filtering: IPv4 or IPv6 What filtering: Group ID specified sub-type What Filtering in Packet: The filter looks for a specific type of group ID within either the IPv4 or IPv6 packet header. Encoding of component: The structure of the component is the following

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Option Type | Opt Data Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Packet Type | Offset type | Group type | SubGroup type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Offset value | GMask length | SG Mask length| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Group Mask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Group ID value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sub-Group Mask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sub-Group Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3-x: FSv2 IP Payload Match Component Where the Packet type - 8 bit field indicating the packet type IPv4 = 1 IPv6 = 2 Offset type - 4 bit field indicating the offset type where 0 = IP header 1 = IP header data 2 = Data within TCP/UDP offset - is number of bytes to the payload from the point defined by Ptype and Otype. Group type - 1 octet field indicating the type of group ID 0 = Reserved 1 = Indirection ID 2 = Interface group 3 = CATS ID 4 = SAV ID 5 = APN ID Sub-Group type - Sub group within filters. 0 = Reserved 1 = data traffic (Inbound/outbound) 1 = data traffic Inbound only 2 = data traffic outbound only Group Mask - (variable) Group field mask Group ID value - (variable) Group ID value to match Sub Group Mask - (variable) Sub-Group Mask Sub-Group Value - (variable) Sub-Group value to match on ordering within component: TBD dependency between components: TBD conflicts with other components: (TBD) reference: TBD (this is just a sample).

This section complies with .

IANA is requested to indicate [this draft] as a reference on the following assignments in the Flow Specification Component Types Registry:

ID Name Reference ---- ----------- ----------------------------------------- 14 TTL [this document] 15 Partial SID [draft-ietf-idr-flowspec-srv6] [this document] 16 NRP ID [this document] [draft-ietf-idr-flowspec-network-slice-ts] 17 payload [this document] [draft-cui-content-filter-flowspec-00] 18 Group ID [this document] [draft-ietf-idr-flowspec-path-redirect] [draft-peng-idr-apn-bgp-flowspec] [draft-lin-idr-cats-flowspec-ts] [draft-geng-idr-flowspec-sav]

IANA is requested to create the following three new egistries on a new "Flow Specification v2 Parameters” web page.

Name: BGP FSv2 Filter Version types Reference: [this document] Registration Procedures: 0x01-0x3F Standards Action. 0x40-0x6F FCFS 0x70-0xFF reserved Type Use Reference ----- --------------- --------------- 0x00 IP basic only [this document] [FSv2 IP basic] 0x01 Extended IP Filters 1 [This document] Figure 4-1

Name: BGP Group Types Reference: [this document] Registration Procedures: 0x01-0x3F Standards Action. 0x40-0x6F FCFS 0x70-0xFF reserved Type Use Reference ----- --------------- --------------- 0x00 reserved [this document] 0x01 Indirection ID [this document] 0x01 Interface Group [this document] 0x02 CATs group [this document] 0x03 SAVNet group [this document] 0x04 APN group [this document] Figure 4-2 Groups

Name: BGP Sub Group Types Reference: [this document] Registration Procedures: 0x01-0x3F Standards Action. 0x40-0x5F FCFS 0x5F-0xFF reserved Type Use Reference ----- --------------- --------------- 0x00 Inbound/outbound [this document] 0x01 Inbound on [this document] 0x02 Outbound only [this document] 0x03 SubGroup ID based [this document] figure 4-3 Sub-Group types

The use of ROA improves on by checking to see of the route origination. This check can improve the validation sequence for a multiple-AS environment. >The use of BGPSEC to secure the packet can increase security of BGP flow specification information sent in the packet. The use of the reduced validation within an AS can provide adequate validation for distribution of flow specification within a single autonomous system for prevention of DDoS. Distribution of flow filters may provide insight into traffic being sent within an AS, but this information should be composite information that does not reveal the traffic patterns of individuals.