8. Dissemination of Traffic Filtering in BGP/MPLS VPN Networks
Provider-based Layer 3 VPN networks, such as the ones using a BGP/MPLS IP VPN [RFC4364] control plane, may have different traffic filtering requirements than Internet service providers. However, Internet service providers may also use those VPNs for scenarios such as carrying the Internet routing table in a VRF, which results in the same traffic filtering requirements as those defined for the global routing table environment within this document. This document defines an additional BGP NLRI type (AFI=1, SAFI=134) value, which can be used to propagate Flow Specifications in a BGP/MPLS VPN environment.
The NLRI format for this address family consists of a fixed-length Route Distinguisher field (8 octets) followed by the Flow Specification NLRI value (Section 4.2). The NLRI length field shall include both the 8 octets of the Route Distinguisher as well as the subsequent Flow Specification NLRI value. The resulting encoding is shown in Figure 7.
+--------------------------------+
| length (0xnn or 0xfnnn)        |
+--------------------------------+
| Route Distinguisher (8 octets) |
+--------------------------------+
| NLRI value (variable)          |
+--------------------------------+
Figure 7: Flow Specification NLRI for MPLS
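The encoding in Figure 7 can be decoded as in the following added example, which is not part of the original document. It assumes the length rule of the Flow Specification NLRI (one octet below 240, otherwise two octets with the top nibble set to 0xf) and the Route Distinguisher types 0, 1 and 2 of [RFC4364]; the function names and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct


class MalformedNLRI(ValueError):
    """Raised when a received NLRI cannot be parsed safely."""


def format_rd(rd: bytes) -> str:
    """Render an 8-octet Route Distinguisher (RFC 4364 types 0, 1, 2)."""
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:    # 2-octet ASN : 4-octet assigned number
        asn, num = struct.unpack("!HI", rd[2:])
        return f"{asn}:{num}"
    if rd_type == 1:    # IPv4 address : 2-octet assigned number
        num = struct.unpack("!H", rd[6:])[0]
        return f"{ipaddress.IPv4Address(rd[2:6])}:{num}"
    if rd_type == 2:    # 4-octet ASN : 2-octet assigned number
        asn, num = struct.unpack("!IH", rd[2:])
        return f"{asn}:{num}"
    raise MalformedNLRI(f"unknown RD type {rd_type}")


def parse_vpn_flowspec_nlri(buf: bytes):
    """Split one SAFI 134 NLRI into (rd, flowspec_value, octets_consumed)."""
    if not buf:
        raise MalformedNLRI("empty buffer")
    if buf[0] < 0xF0:                        # 0xnn form
        length, hdr = buf[0], 1
    else:                                    # 0xfnnn form
        if len(buf) < 2:
            raise MalformedNLRI("truncated extended length")
        length, hdr = ((buf[0] & 0x0F) << 8) | buf[1], 2
    # The length field covers the RD, so it can never be below 8.
    if length < 8:
        raise MalformedNLRI("length does not cover the Route Distinguisher")
    if len(buf) < hdr + length:
        raise MalformedNLRI("NLRI shorter than its length field")
    body = buf[hdr:hdr + length]
    return format_rd(body[:8]), body[8:], hdr + length


# Constructed sample: length 13, RD 65000:100 (type 0), followed by a
# destination-prefix component for 192.0.2.0/24 as the NLRI value.
SAMPLE = bytes.fromhex("0d" "0000fde800000064" "0118c00002")

if __name__ == "__main__":
    print(parse_vpn_flowspec_nlri(SAMPLE))
```

The returned Flow Specification value is still opaque here; it is decoded exactly as for the non-VPN NLRI once the Route Distinguisher has been removed.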
Propagation of this NLRI is controlled by matching Route Target extended communities associated with the BGP path advertisement with the VRF import policy, using the same mechanism as described in BGP/MPLS IP VPNs [RFC4364].
Flow Specifications received via this NLRI apply only to traffic that belongs to the VRF(s) in which it is imported. By default, traffic received from a remote PE is switched via an MPLS forwarding decision and is not subject to filtering.
Contrary to the behavior specified for the non-VPN NLRI, Flow Specifications are accepted by default when received from remote PE routers.
The validation procedure (Section 6) and Traffic Filtering Actions (Section 7) are the same as for IPv4.