Filter-Based RIB Information Model

The Interface to the Routing System (I2RS) architecture provides dynamic read and write access to the information and state within the routing elements. The I2RS client interacts with the I2RS agent in one or more network routing systems. This document provides an information module for Filter Based Routing Information Base (FB-RIB) and describes the I2RS interaction with routing filters within a routing element.

Filter-based routing is a technique used to make packet forwarding decisions based policy-based filters that are matched to the incoming packets. These filter policies are a minimalistic "event-Match Condition-Action" policy with one event - the reception of a frame or packet on an associated interface. The ECA policies have: event = reception of frame/packet on associated interface, match condition = policy filters which match portions of frame/packet, actions - to modify frame/packet, and forward or drop frame/packet Filter-Based forwarding may match on the condition of any portion of the frame/packet. Figure 1 shows some of the filters that can be applied to the reception of packets. The filter for individual fields can be combined with an "AND" or and "OR", but the default combination is that of an "AND".

Ingress filter Matches (for ECA policy) | | +--------+------+------+---+--+-----+-----+----+-----+------+------+ | | | | | | | | | | | | | | | | | | | | L1 L2 L3 L4 VLAN VNID size Time packet/ ... header header header header header frame receive count Figure 1: Possible matching conditions for basic network filters A Filter-Based Routing Information Base (FB-RIB)) is a set of packet-reception ECA policy rules which are: ordered, and apply to specific interfaces If all matches fail, default action is to forward the packet using a specific RIB from: routing RIBs as described in " ephemeral I2RS RIBs as described in .

The I2RS use cases which benefit from Filter-Based Routing are: Protocol independent Use cases and large flow use cases described in . the use cases of steering traffic to their designated service functions that are different than the packet's destinations, and large flow use cases described in

Command Line Interface Filter-Based Routing Information Base One filter in the filter-based RIB. The filters are Event-Condition-Action filters often represented by the form "if Condition then action". Policy Groups are groups of policy rules. The groups of policy in the basic network policy allow grouping of policy by name. This name allow easier management of customer-based or provider based filters. RIB Informational Model (RIB IM) is an information model which describes a Routing Information Base A routing instance is a core data model within . An instance creates a logical slice of the router and allows different logical slices to communicate to communicate with each other.

The following three types of Filter-Based RIBs exist: Policy Based Routing - configured by packet ECA policy, I2RS Filter-Based RIBs - proposed by this document, BGP Flow Specification . This section examines issues regarding ephemeral versus config state, the need for order within policies, and the current yang support for packet-reception ECA policy.

Filter-Based RIBs with packet-reception ECA policy exist in three types of state: configuration state, ephemeral reboot state (I2RS), and BGP Session state. Policy Routing configures the packet-reception ECA policy in configuration state, and runs this policy to specific interfaces. This configuration state may be configured by NETCONF/RESTCONF in yang modules or proprietary configuation via CLI. This specification examines configuration state specified in yang modules and extended by proprietary additions to yang modules. Yang modules which specify the normal routing RIBs include: statics routes (TBD) Configuration state set via secure protocols (NETCONF or RESTCONF ) and survives the reboot of the system. draft-hares-rtgwg-fb-rib refers to Filter-Based RIB described above which contains an ordered list of packet I2RS ephemeral state is state which does not persist across a reboot (software or hardware). I2RS ephemeral state can be indicated a portion of a sub-tree, a sub-tree, tree within a yang modules, or a full module. I2RS Ephemeral state may reference configuration state or protocol state (E.g. MPLS LSP or BGP peer state). The I2RS Filter-Based RIB is defined as a ephemeral module with possible links to the following: default RIBs either in the I2RS RIB module or configured RIB , interfaces that I2RS Filter-Based RIB is running on. BGP Flow Specification passes packet-reception ECA Policy in BGP UPDATE packets (NLRI and BGP Extended Communities). The BGP Flow Specification packet-reception ECA policy is bgp peer session ephemeral state which disappears when the BGP peer closes the BGP Session. This bgp session ephemeral state can refer to configuration state for interfaces configured, and for default RIBs. does not consider I2RS configuration state. Precedence between these three types of state is defined as most dynamic to least dyanmic, or BGP Session packet-reception Filter Policy, I2RS Filter-Based RIB Policy, Configuration Filter-RIB Policy (aka Policy RIB). Precedence impacts when two types of state try to operate on the exact same filter match in the policy. However, Filter-Based RIBS operate first on "order" and priority within the order, and then on the level of ephemeral state.

Filter-Based RIBs use packet-reception ECA policy instead of destination based forwarding to determine where to forward/send a packet. A packet which matches multiple filters in a Filter-Based RIB will be forwarded based on the first filter matched. Due to first-match processing, the order of filters matters in the process. All Filter-Based RIBs (configuration, I2RS, and BGP Flow Specification) forwarded based on the first match filter. Filter-Based Policy is inserted in the RIB by order number. If order number is tied, then precedence is based on the type of filter, longest prefix match (MAC or IP address (IPv4/IPv6), lowest value, or longest string). It is expected that order will contain a large enough number space to differentiate most policies. Note: does not support order, but current work is beginning draft-hares-idr-flow-spec-combo-00.txt to support order in BGP flow specification.

flow-rule-cmp (a,b) { comp1 = next_component(a); /component is the type of filter comp2 = next_component(b); while (comp1 || comp2) { // component_type returns infinity on end of list if (component_type(comp1) < component_type(comp2)) { return A_HAS_PRECEDENCE; } if (component_type(comp1) > component_type(comp2)) { return B_HAS_PRECEDENCE; } // IP values) if (component_type(comp1) == IP_DESTINATION || IP_SOURCE) { common = MIN(prefix_length(comp1),prefix_length(comp2)); cmp = prefix_compare (comp1,comp2,common); // not equal, lowest value has precedence // equal, longest match has precedence; } else if (component_type (comp1) == MAC_DESTINATION || MAC_SOURCE) { common = MIN(MAC_address_length(comp1), MAC_address_length(comp2)); cmp = MAC_Address_compare(comp1,comp2,common); //not equal, lowest value has precedence //equal, longest match has precedence } else { common = MIN(component_length(comp1), component_length(comp2)); cmp = memcmp(data(comp1), data(comp2), common); //not equal, lowest value has precedence //equal, longest string has precedence } } } Figure 2 - precedence

The filter based-RIB uses event-condition-action policy (ECA) rules. The following policies are used in this version of the yang module: Access lists (ACLs) Packet-reception ECA policy Proprietary filters may augment these IETF defined ECA rules. The IETF filters support basic filtering plus QOS and load balancing. Below is an example set of match conditions on ingreessI2RS that the basic I2RS FB-RIB can support.

Filter-based RIBS (FB-RIBs) provide packet-reception event-match condition-action policy, but if the filters do not provide match the Filter-Based RIBs provide default RIBs for destination based forwarding (IP or MAC). The following are restrictionsThe for the default RIBs: The configuration FB-RIBs can only refer to another configuration RIB. The I2RS FB-RIBs can refer to a configuration RIB, an I2RS reboot ephemeral RIB, or a BGP Session ephemeral RIB. The BGP peer session may be dropped while a I2RS FB-RIB is in session. If so, all defaults pointing to the BGP RIB must be removed. The I2RS RIB may be removed, and if so all defaults pointing to that route must be removed. The default order of precedence for the default RIB is the BGP-Peer default RIB, the I2RS default FB-RIB, and the configuration default RIB. The BGP session FB-RIBs can refer to a configuration RIBs, a I2RS Ephemeral RIB, and a BGP RIB. Just as with the I2RS FB-RIB, the precedence if multiple default RIBs exist are: BGP Peer default RIB, then I2RS default RIB, followed by configuration default RIB. The I2RS Ephemeral RIB module is described in and . The I2RS RIB contains a collection of RIBs with the following information per instance: The set of interfaces indicates which interfaces are associated with this routing instance. The RIBs specify how incoming traffic is to be forwarded based on destination (E.g. RIB and FB-RIB). The routing parameters control the information in the RIBs. A routing instance may have both an I2RS RIB modules and I2RS FB-FIB modules associated with it. If the I2RS RIB list of interfaces does not contain the list of interfaces the FB-RIB is operating on, then the I2RS RIB must not be installed as a default RIB. FB-RIB and RIB can not be used at the same time, which means: If a router doesn’t support filter-based routing, a router MUST use RIB and MUST not use FB-RIB. The default RIB for a FB-RIB should destination-based RIB, and this RIB may be generated by routing protocols. However, the FB-RIB forwarding must take precedence over the default RIB. If a router supports filter-based routing: FB-RIB is used Multiple FB-RIBs may exist within a routing instance An interface can be associated with at most one FB-RIB The Default RIB for a FB-RIB is used if several criteria beyond destination address is not matched.

A Filter-Based RIB (FB-RIB)contains an ordered set of filter routes where each filter-route is a match condition followed by an action. An FB-RIB is contained in a routing-instance defined by . An FB-RIB has a list of interfaces that is a subset of the list of interfaces in the routing-instance that it is contained in. An incoming packet on an interface belonging to a FB-RIB is first handled by the FIB programmed using that FB-RIB. If no match action succeeds, then the packet is forwarded using the FIB programmed using the RIB of that routing instance. An ordered set of filters implies that the insertion of a filter route into a FB-RIB MUST provide the ability to insert a filter route at any specific position and delete of a filter-based route at a specific position. The ability to change a filter route at a specific position combines these two functions (delete an existing filter route rule and add a new policy rule). Each FB-RIB is contained within a routing instance, but one routing instance (named by an INSTANCE_NAME) can contain multiple FB-RIBs. Each routing instance is associated with a set of interfaces, a router-id, and list of FB-RIBs. Each interface can be associated with at most one FB RIB. The processing within the FB-RIB process within the routing system is expected to do the following: When a packet successfully matches match term/entry in a filter-route, the corresponding rule-actions are applied. If a packet does not match the match term/entry in the filter route, the filter route processing goes to the next term/entry in the order, and looks for a match, within the current filter or goes to the next filter in the list. This continues until either a filter route match term/entry is successfully matched, or no more filters in the list exists. If no match has been found within list of filters in FB-RIB list, then the packet will be forwarded using the I2RS RIB specified by the FB-RIB if one exists. If no I2RS RIB is specified, the FB-RIB will check a configured RIB. If no configured RIB exists, the packet will be discarded. Groups within a I2RS FB-RIB allow the logical grouping of rules under a name for ease of access. For example, take two customers. Customer-A has three packet-reception ECA policies that insert rules at order 5, 10, and 20. Customer-B has three packet-reception ECA policies that insert rules at 4, 8, and 9. The use of the group names "Customer-A" and "Customer-B" allow easy addition or deletion of these rules, but do not change the ordering of these rules.

The FB-RIB configuration entries associated with each FB-RIB in a routing instance are: default Routing Instance name for all FB-RIBs router id associated with the FB-RIB function of the Routing instance list of filter-based RIBs created by configuration processes, and described in draft-hares-rtgwg-fb-rib which utilizes to define common filter-based RIB structures. list of I2RS reboot ephemeral filter-based RIBs. Described in this draft with data model in which utilizes to define common filter-based RIB structures. list of BGP Session ephemeral filter-based RIBs Described in this draft, and data model in (draft-hares-idr-bgp-fb-rib-data-model). which utilizes to define common filter-based RIB structures, and to the common packet-reception ECA filters.

Configuration RIBS +-----------------------------------------+ | routing instance | +-------|-------------|----------------|--+ | | | | | | +---------|----+ +-----|-----+ +--------|-----+ |config-fb-rib | |i2rs-fb-rib| |bgp-fs-fb-rib | +------|-------+ +-----|------+ +------|------+ |............:....|...............| : (uses common structures : in separate lists of FB-RIBs) +--------|----+ |fd-ribs* | | | +--|----------+ | Figure 3: Routing instance with three types of Filter-FIB lists The Top-level Yang structure for a global configuration of Filter-Based RIBs are:

Augments rt:logical-network-elements:\ :logical-network-element:network-instances: \ network-instance ietf-fb-rib module +--rw ietf-fb-rib +--rw default-instance-name string +--rw default-router-id rt:router-id +--rw config-fb-ribs if-feature "config-filter-based-RIB"; uses fb-ribs; +--rw i2rs-fb-ribs if-feature "I2RS-filter-based-RIB"; uses fb-rib-t:fb-ribs; +--rw bgp-fs-fb-ribs if-feature "BGP-FS-filter-based-RIB"; uses fb-rib-t:fb-ribs; Figure 5: configuration state

The FB-RIB operational state entries associated with each FB-RIB in a routing instance are: Default Routing Instance for FB-RIBs. Default Router ID associated FB-RIBs. operational state for config RIB described in draft-hares-rtgwg-fb-rib which utilizes to define common structures. operational state for I2RS reboot ephemeral Filter-Based RIB. Logic is described in this draft, and data model is described in . Common structures are defined in . BGP Session ephemeral Filter-Based RIB-interface with logic described in this draft, and data model in (draft-hares-bgp-fb-rib-data-model). Common structures are also defined in , and .

Operational state +-----------------------------------------+ | routing instance | +-------|-------------|----------------|--+ | | | | | | +---------|----+ +-----|------+ +--------|-----+ |config-fb-rib-| |i2rs-fb-rib-| |bgp-fs-fb-rib-| | opstate | | opstate | | opstate | +------|-------+ +-----|------+ +------|-------+ |............:....|...............| : (uses common structures : in separate lists of FB-RIBs) +--------|-----------+ |fb-ribs_oper_status | | | +--|-----------------+ | Figure 4: Routing instance with three types of Filter-FIB lists The Top-level Yang structure for a global operational state of Filter-Based RIBs are:

Augments rt:logical-network-elements:\ :logical-network-element:network-instances: \ network-instance ietf-fb-rib module +--rw ietf-fb-rib-opstate +--rw default-instance-name string +--rw default-router-id rt:router-id +--rw config-fb-rib-opstate if-feature "config-filter-based-RIB"; uses fb-rib-t:fb-ribs-oper-status; +--rw i2rs-fb-rib-opstate { if-feature "I2RS-filter-based-RIB"; uses fb-rib-t:fb-ribs-oper-status; +--rw bgp-fs-fb-rib-opstate if-feature "BGP-FS-filter-based-RIB"; uses fb-rib-t:fb-ribs-oper-status; Figure 5: operational state

Filter-Based RIB structures for configuration (fb-ribs) contain a list of fb-rib structures with the following high-level structure: Name of fb-Rib (key), AFI for Address Family, type of FB-RIB (config, I2RS reboot ephemeral, or BGP Flow Specification session ephemeral). A list of interfaces that all of the FB-RIB RIB operates over. This list must be a subset of the interface_list associated with the routing instance. structure with default RIBS in configuration space, I2RS RIB space, or BGP VPN space. list of instances using this FB-RIB (normally one). Tracking Write-References to this RIB. pkt ECA Policy described in

+--------|----+ |FB-RIBs* | | | +--|----------+ | ^ /|\ +-----^---------------------------+ | FB-RIB | +----|-------|----------|-----|---+ | +-----|-----+ +--------+ +-------+ | |interface | |default | |default| | | list | |I2RS | | Config| | | (Names) | | RIB | | RIB | | +-----------+ +--------+ +-------+ | +-----------------------+ | FB-RIB Ordered List | | of pkt ECA policy |---------+ +-----------|-----------+ | | | +-----------|-----------+ | | Groups | | +-----------|-----------+ | | | +-----------|--------------+ | | Rules |------+ |(ordered list of rules of | | the form match-action) | +--------------------------+ Figure 5: fb-rib (configuration FB-RIB) The Top-level Yang structure for the FB-RIB types is:

The Filter-Based RIB structures for operational state have the following entries: Name of fb-Rib (key) pkt ECA policy operational state described in

HIgh Level Yang +--rw fb-ribs-oper-status +--rw fb-rib-oper-status* [fb-rib-name] uses pkt-eca:pkt-eca-opstate

The three levels of policy are expressed as:

Config Policy definitions ======================================= Policy level: pkt-eca-policy-set group level: pkt-eca-policy-set:groups rule level: bnp-eca-policy-set:rules Operational State for Policy ======================================= Policy level: pkt-eca-policy-opstate group level: pkt-eca-policy-opstate:groups-status rule level: bnp-eca-policy-opstate:rules_opstate* bnp-eca-policy-opstate:rules_opstats* figure High level Yang structure for Configuration and operational status are shown in figure x below.

This informational draft does not specify any IANA requests.

A I2RS defines an ephemeral data store that will dyanamically change traffic paths set by the routing configuration. An I2RS FB-RIB provides dynamic Event-Condition-Action policy that will further change the operation of forwarding by allow dyanmic policy and ephemeral RIBs to alter the traffic paths set by routing configuration. Care must be taken in deployments to use the appropriate security and operational control to make use of the tools the I2RS RIB and I2RS FB-RIB provide.