Source Packet Routing in Networking                           T. Yu, Ed.
Internet-Draft                                            1 January 2025
Intended status: Standards Track                                        
Expires: 5 July 2025


                        SRv6 Group Based Policy
                      draft-yu-spring-srv6-gbp-00

Abstract

   This document extends the Segment Routing over IPv6 (SRv6) Network
   Programming framework [RFC8986] by incorporating group-based policy
   capabilities.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 July 2025.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.






Yu                         Expires 5 July 2025                  [Page 1]

Internet-Draft              Abbreviated Title               January 2025


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Specification of Requirements . . . . . . . . . . . . . . . .   2
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   2
   4.  SRv6 SIDs with GBP  . . . . . . . . . . . . . . . . . . . . .   3
     4.1.  END.DX6 with GBP  . . . . . . . . . . . . . . . . . . . .   3
     4.2.  END.DX4 with GBP  . . . . . . . . . . . . . . . . . . . .   3
     4.3.  End.DT6 with GBP  . . . . . . . . . . . . . . . . . . . .   4
     4.4.  End.DT4 with GBP  . . . . . . . . . . . . . . . . . . . .   5
     4.5.  End.DT46 with GBP . . . . . . . . . . . . . . . . . . . .   6
     4.6.  End.DT2U with GBP . . . . . . . . . . . . . . . . . . . .   7
   5.  Source Node Behavior  . . . . . . . . . . . . . . . . . . . .   8
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Appendix A.  Appendix 1 Examples of GBP Usage . . . . . . . . . .  10
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   The Group-based Policy (GBP) [GROUPBASEDPOLICY] initially was .It
   abstractions provide an intent-driven declarative policy model that
   presents simplified application-oriented interfaces to the user.
   Group-Based Policy (GBP) is a critical concept in networking and
   security, particularly in environments like Software-Defined
   Networking (SDN), cloud computing, and enterprise networks.  It
   provides a flexible and scalable way to manage network policies based
   on groups of endpoints rather than individual devices, IP addresses,
   or flows.

2.  Specification of Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in [RFC2119].

3.  Terminology

   GBP: Group-based Policy described in [GROUPBASEDPOLICY]

   EVPN: BGP MPLS-Based Ethernet VPN defined in [RFC7432].







Yu                         Expires 5 July 2025                  [Page 2]

Internet-Draft              Abbreviated Title               January 2025


4.  SRv6 SIDs with GBP

   This documents defines the behaviors of END.DX6 with GBP, END.DX4
   with GBP, END.DT6 with GBP, END.DT4 with GBP, END.DT46 with GBP,
   END.DT2U with GBP by allowing these SID behaviors taking an argument:
   "Arg.Src-GBP-ID".  The Src-GBP-ID info allows endpoint node to
   determine the behavior (allowed or denied) when traffic is being
   forwarded to specific host.  The allocation of the GBP-id argument
   values planned gloabally, and the behavior of traffic from one Src-
   GBP-ID to another Dst-GBP-ID is specified locally.  The SRv6 SIDs
   with the GBP argument mentioned in this document is not signaled to
   other nodes via the control plane, which means they are local
   significant only.  The control plane process described in [RFC9252]
   still applies.

   Group 0 is the default group based policy ID.  If no group based
   policy is specified, then value 0 is used.  The default behavior of
   the group 0 is implementation defined and SHOULD be configurable
   (allowed/denied).

4.1.  END.DX6 with GBP

   When processing the Upper-Layer header of a packet matching a FIB
   entry locally instantiated as an End.DX6 with GBP SID, N does the
   following:

   S01. If (Upper-Layer header type == 41(IPv6) ) {
   S02.    Remove the outer IPv6 header with all its extension headers
   S03.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S04.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S05.    If (Matched){
   S06.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S07.    } Else {
   S08.        Forward the exposed IPv6 packet to the L3 adjacency J
   S09.    }
   S10. } Else {
   S11.    Process as per Section 4.1.1 in RFC8986
   S12. }

4.2.  END.DX4 with GBP

   When processing the Upper-Layer header of a packet matching a FIB
   entry locally instantiated as an End.DX4 with GBP SID, N does the
   following:







Yu                         Expires 5 July 2025                  [Page 3]

Internet-Draft              Abbreviated Title               January 2025


   S01. If (Upper-Layer header type == 4(IPv4) ) {
   S02.    Remove the outer IPv6 header with all its extension headers
   S03.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S04.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S05.    If (Matched){
   S06.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S07.    } Else {
   S08.        Forward the exposed IPv4 packet to the L3 adjacency J
   S09.    }
   S10. } Else {
   S11.    Process as per Section 4.1.1 in RFC8986
   S12. }

4.3.  End.DT6 with GBP

   When processing the Upper-Layer header of a packet matching a FIB
   entry locally instantiated as an End.DT6 with GBP SID, N does the
   following:

   S01. If (Upper-Layer header type == 41(IPv6) ) {
   S02.    Remove the outer IPv6 header with all its extension headers
   S03.    Set the packet's associated FIB table to T
   S04.    Submit the packet to the egress IPv6 FIB lookup and get destination oIF
   S05.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S06.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S07.    If (Matched){
   S08.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S09.    } Else {
   S10.        Forward the exposed IPv6 packet to the oIF.
   S11.    }
   S12. } Else {
   S13.    Process as per Section 4.1.1 in RFC8986
   S14. }

   An implementation which is hardware based might be restricted to the
   pipeline of the ASCI.  The process below is also possible.  The
   difference is that oIF is impossible to be part of the GBP match
   criteria.













Yu                         Expires 5 July 2025                  [Page 4]

Internet-Draft              Abbreviated Title               January 2025


   S01. If (Upper-Layer header type == 41(IPv6) ) {
   S02.    Remove the outer IPv6 header with all its extension headers
   S03.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S04.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S05.    If (Matched){
   S06.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S07.    } Else {
   S08.        Set the packet's associated FIB table to T
   S09.        Submit the packet to the egress IPv6 FIB lookup for transmission to the new destination
   S10.    }
   S11. } Else {
   S12.    Process as per Section 4.1.1 in RFC8986
   S13. }

4.4.  End.DT4 with GBP

   When processing the Upper-Layer header of a packet matching a FIB
   entry locally instantiated as an End.DT4 with GBP SID, N does the
   following:

   S01. If (Upper-Layer header type == 4(IPv4) ) {
   S02.    Remove the outer IPv6 header with all its extension headers
   S03.    Set the packet's associated FIB table to T
   S04.    Submit the packet to the egress IPv6 FIB lookup and get destination oIF
   S05.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S06.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S07.    If (Matched){
   S08.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S09.    } Else {
   S10.        Forward the exposed IPv4 packet to the oIF.
   S11.    }
   S12. } Else {
   S13.    Process as per Section 4.1.1 in RFC8986
   S14. }

   An implementation which is hardware based might be restricted to the
   pipeline of the ASCI.  The process below is also possible.  The
   difference is that oIF is impossible to be part of the GBP match
   criteria.












Yu                         Expires 5 July 2025                  [Page 5]

Internet-Draft              Abbreviated Title               January 2025


   S01. If (Upper-Layer header type == 4(IPv4) ) {
   S02.    Remove the outer IPv6 header with all its extension headers
   S03.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S04.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S05.    If (Matched){
   S06.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S07.    } Else {
   S08.        Set the packet's associated FIB table to T
   S09.        Submit the packet to the egress IPv4 FIB lookup for transmission to the new destination
   S10.    }
   S11. } Else {
   S12.    Process as per Section 4.1.1 in RFC8986
   S13. }

4.5.  End.DT46 with GBP

   When processing the Upper-Layer header of a packet matching a FIB
   entry locally instantiated as an End.DT46 with GBP SID, N does the
   following:

   S01. If (Upper-Layer header type == 4(IPv4) ) {
   S02.    Remove the outer IPv6 header with all its extension headers
   S03.    Set the packet's associated FIB table to T
   S04.    Submit the packet to the egress IPv6 FIB lookup and get destination oIF
   S05.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S06.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S07.    If (Matched){
   S08.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S09.    } Else {
   S10.        Forward the exposed IPv4 packet to the oIF.
   S11.    }
   S12. } Else If (Upper-Layer header type == 41(IPv6) ) {
   S13.    Remove the outer IPv6 header with all its extension headers
   S14.    Set the packet's associated FIB table to T
   S15.    Submit the packet to the egress IPv6 FIB lookup and get destination oIF
   S16.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S17.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S18.    If (Matched){
   S19.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S20.    } Else {
   S21.        Forward the exposed IPv6 packet to the oIF.
   S22.    }
   S23. } Else {
   S24.    Process as per Section 4.1.1 in RFC8986
   S25. }






Yu                         Expires 5 July 2025                  [Page 6]

Internet-Draft              Abbreviated Title               January 2025


   An implementation which is hardware based might be restricted to the
   pipeline of the ASCI.  The process below is also possible.  The
   difference is that oIF is impossible to be part of the GBP match
   criteria.

   S01. If (Upper-Layer header type == 4(IPv4) ) {
   S02.    Remove the outer IPv6 header with all its extension headers
   S03.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S04.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S05.    If (Matched){
   S06.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S07.    } Else {
   S08.        Set the packet's associated FIB table to T
   S09.        Submit the packet to the egress IPv4 FIB lookup for transmission to the new destination
   S10.    }
   S11. } Else If (Upper-Layer header type == 41(IPv6) ) {
   S12.    Remove the outer IPv6 header with all its extension headers
   S13.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S14.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S15.    If (Matched){
   S16.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S17.    } Else {
   S18.        Set the packet's associated FIB table to T
   S19.        Submit the packet to the egress IPv6 FIB lookup for transmission to the new destination
   S20.    }
   S21. } Else {
   S22.    Process as per Section 4.1.1 in RFC8986
   S23. }

4.6.  End.DT2U with GBP

   When processing the Upper-Layer header of a packet matching a FIB
   entry locally instantiated as an End.DT4 SID, N does the following:


















Yu                         Expires 5 July 2025                  [Page 7]

Internet-Draft              Abbreviated Title               January 2025


   S01. If (Upper-Layer header type == 143(Ethernet) ) {
   S02.    Remove the outer IPv6 header with all its extension headers
   S03.    Learn the exposed MAC Source Address in L2 table T
   S04.    Look up the exposed MAC Destination Address in L2 table T
   S05.    If (matched entry in T with destination oIF) {
   S06.        Search GBP matching table with exposed packet and get Dst-GBP-ID
   S07.        Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S08.        If (Matched){
   S09.            Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S10.        } Else {
   S11.            Forward the exposed packet to oIF
   S12.        }
   S13.    } Else {
   S14.       Forward via all L2 OIFs in table T
   S15.    }
   S16. } Else {
   S17.    Process as per Section 4.1.1 in RFC8986
   S18. }

   An implementation which is hardware based might be restricted to the
   pipeline of the ASCI.  The process below is also possible.  The
   difference is that oIF is impossible to be part of the GBP match
   criteria.

   S01. If (Upper-Layer header type == 143(Ethernet) ) {
   S02.    Remove the outer IPv6 header with all its extension headers
   S03.    Learn the exposed MAC Source Address in L2 table T
   S04.    Search GBP matching table with exposed packet and get Dst-GBP-ID
   S05.    Search GBP enforcement table with Src-GBP-ID and Dst-GBP-ID
   S06.    If (Matched){
   S07.        Process the exposed IPv6 packet based on the action of match GBP enforcement rule
   S08.    } Else {
   S09.        Look up the exposed MAC Destination Address in L2 table T
   S10.        If (matched entry in T with destination oIF){
   S11.            Forward the exposed packet to oIF
   S12.        } Else {
   S13.       Forward via all L2 OIFs in table T
   S14.       }
   S15.   } Else {
   S16.    Process as per Section 4.1.1 in RFC8986
   S17.   }
   S18. }

5.  Source Node Behavior

   The souce node can use various clarification methods to identify the
   Src-GBP-ID of a host it belongs to.




Yu                         Expires 5 July 2025                  [Page 8]

Internet-Draft              Abbreviated Title               January 2025


   When encapsulating the SRv6 header, the Src-GBP-ID is encapsulated
   into the argument part of the packet.

6.  IANA Considerations

   This document requests the IANA to allocate, within the "SRv6
   Endpoint Behaviors" sub-registry beloto the top-level "Segment-
   routing with IPv6 dataplane (SRv6) Parameters" registry, the
   following allocations:

              +=======+===================+=================+
              | Value | Description       | Reference       |
              +=======+===================+=================+
              | TBA1  | END.DX6 with GBP  | [This document] |
              +-------+-------------------+-----------------+
              | TBA2  | END.DX4 with GBP  | [This document] |
              +-------+-------------------+-----------------+
              | TBA3  | END.DT6 with GBP  | [This document] |
              +-------+-------------------+-----------------+
              | TBA4  | END.DT4 with GBP  | [This document] |
              +-------+-------------------+-----------------+
              | TBA4  | END.DT46 with GBP | [This document] |
              +-------+-------------------+-----------------+
              | TBA4  | END.DT2U with GBP | [This document] |
              +-------+-------------------+-----------------+

                                  Table 1

7.  Security Considerations

   The mechanism described in this document leverage the security rules
   defined in Section 7 of RFC8986 [RFC8986].

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.






Yu                         Expires 5 July 2025                  [Page 9]

Internet-Draft              Abbreviated Title               January 2025


   [RFC8986]  Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer,
              D., Matsushima, S., and Z. Li, "Segment Routing over IPv6
              (SRv6) Network Programming", RFC 8986,
              DOI 10.17487/RFC8986, February 2021,
              <https://www.rfc-editor.org/info/rfc8986>.

8.2.  Informative References

   [GROUPBASEDPOLICY]
              OpenStack, "Group Based Policy", 2015,
              <https://wiki.openstack.org/wiki/GroupBasedPolicy>.

   [RFC7432]  Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A.,
              Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based
              Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February
              2015, <https://www.rfc-editor.org/info/rfc7432>.

   [RFC9252]  Dawra, G., Ed., Talaulikar, K., Ed., Raszuk, R., Decraene,
              B., Zhuang, S., and J. Rabadan, "BGP Overlay Services
              Based on Segment Routing over IPv6 (SRv6)", RFC 9252,
              DOI 10.17487/RFC9252, July 2022,
              <https://www.rfc-editor.org/info/rfc9252>.

Appendix A.  Appendix 1 Examples of GBP Usage

   This section describes the examples of GBP usage.  An implementation
   is not enforced to achieve all scenarios mentioned in this section.

   Example 1: Deny traffic from specific Src-GBP-ID = 100 (e.g. traffic
   from guest network)

   rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = any, action: deny

   Example 2: Deny traffic from specific Src-GBP-ID = 100 to Dst-GBP-ID
   = 200 (e.g. traffic from untrusted host to server)

   rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: deny

   Example 3: Redirect L3 traffic from specific Src-GBP-ID = 100 to Dst-
   GBP-ID = 200 (e.g. to a cleaning device)

   rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: redirect

   Example 4: RSPAN traffic from specific Src-GBP-ID = 100 to Dst-GBP-ID
   = 200 (e.g. to a monitoring device)

   rule 1: match Src-GBP-ID = 100 and Dst-GBP-ID = 200, action: RSPAN




Yu                         Expires 5 July 2025                 [Page 10]

Internet-Draft              Abbreviated Title               January 2025


Author's Address

   Tianpeng Yu (editor)
   Email: yutianpengietf@163.com















































Yu                         Expires 5 July 2025                 [Page 11]