<?xmlversion="1.0" encoding="iso-8859-1"?> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <?rfc strict="no" ?> <?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="3"?> <?rfc tocindent="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes" ?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>version='1.0' encoding='UTF-8'?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"[ <!ENTITYRFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">nbsp " "> <!ENTITYRFC4271 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4271.xml">zwsp "​"> <!ENTITYRFC4272 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4272.xml">nbhy "‑"> <!ENTITYRFC4360 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4360.xml"> <!ENTITY RFC4364 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4364.xml"> <!ENTITY RFC4684 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4684.xml"> <!ENTITY RFC4760 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4760.xml"> <!ENTITY RFC5291 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5291.xml"> <!ENTITY RFC5925 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5925.xml"> <!ENTITY RFC6952 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6952.xml"> <!ENTITY RFC7752 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7752.xml"> <!ENTITY RFC7911 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7911.xml"> <!ENTITY RFC7926 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7926.xml"> <!ENTITY RFC8126 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8126.xml"> <!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml"> <!ENTITY RFC8402 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8402.xml"> <!ENTITY RFC9012 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9012.xml"> <!ENTITY I-D.ietf-idr-bgpls-segment-routing-epe SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-idr-bgpls-segment-routing-epe"> <!ENTITY I-D.farrel-spring-sr-domain-interconnect SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.farrel-spring-sr-domain-interconnect"> <!ENTITY I-D.ietf-idr-bgp-ls-segment-routing-ext SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-idr-bgp-ls-segment-routing-ext">wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" number="9125" docName="draft-ietf-bess-datacenter-gateway-13"ipr="trust200902">ipr="trust200902" obsoletes="" updates="" submissionType="IETF" xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="true" version="3" consensus="true"> <front> <title abbrev="SR DC Gateways">Gateway Auto-Discovery and Route Advertisement forSegment Routing EnabledSiteInterconnection</title>Interconnection Using Segment Routing</title> <seriesInfo name="RFC" value="9125"/> <author fullname="Adrian Farrel" initials="A." surname="Farrel"> <organization>Old Dog Consulting</organization> <address> <email>adrian@olddog.co.uk</email> </address> </author> <author fullname="John Drake" initials="J." surname="Drake"> <organization>Juniper Networks</organization> <address> <email>jdrake@juniper.net</email> </address> </author> <author fullname="Eric Rosen" initials="E." surname="Rosen"> <organization>Juniper Networks</organization> <address> <email>erosen52@gmail.com</email> </address> </author> <author fullname="Keyur Patel" initials="K." surname="Patel"> <organization>Arrcus, Inc.</organization> <address> <email>keyur@arrcus.com</email> </address> </author> <author fullname="Luay Jalil" initials="L" surname="Jalil"> <organization>Verizon</organization> <address> <email>luay.jalil@verizon.com</email> </address> </author> <dateyear="2021" />month="August" year="2021"/> <area>Routing</area> <workgroup>BESS Working Group</workgroup> <keyword>SR</keyword> <keyword>GW</keyword> <keyword>BGP</keyword> <abstract> <t>Data centers are attached to the Internet or a backbone network by gateway routers. One data center typically has more than one gateway for commercial,load balancing,load-balancing, and resiliency reasons. Other sites, such as access networks, also need to be connected across backbone networks through gateways.</t> <t>This document defines a mechanism using the BGP Tunnel Encapsulation attribute to allow data center gateway routers to advertise routes to the prefixes reachable in the site, including advertising them on behalf of other gateways at the same site. This allows segment routing to be used to identify multiple paths across the Internet or backbone network between different gateways. The paths can be selected for load-balancing, resilience, and quality purposes.</t> </abstract> </front> <middle> <section anchor="introduction"title="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>Data centers (DCs) are critical components of the infrastructure used by network operators to provide services to their customers. DCs (sites) are interconnected by a backbone network, which consists of any number of private networks and/or the Internet. DCs are attached to the backbone network bygatewayrouters that are gateways (GWs). One DC typically has more than one GW for various reasons including commercial preferences, load balancing, or resiliency against connection or device failure.</t> <t>Segment Routing (SR)<xref(<xref target="RFC8402"/>format="default"/>) is a protocol mechanism that can be used within aDC, and alsoDC as well as for steering traffic that flows between two DC sites. In order for a source site (also known as an ingress site) that uses SR toload balanceload-balance the flows it sends to a destination site (also known as an egress site), it needs to know the complete set of entry nodes (i.e., GWs) for that egress DC from the backbone network connecting the two DCs. Note that it is assumed that the connected set of DC sites and the border nodes in the backbone network on the paths that connect the DC sites are part of the same SR BGP - Link State (LS) instance(<xref(see <xref target="RFC7752"/>format="default"/> and <xreftarget="I-D.ietf-idr-bgpls-segment-routing-epe" />)target="RFC9086" format="default"/>) so that traffic engineering using SR may be used for these flows.</t> <t>Other sites, such as access networks, also need to be connected across backbone networks through gateways. For illustrative purposes, consider the ingress and egress sites shown in <xref target="david_hockney"/>format="default"/> as separateASesAutonomous Systems (ASes) (noting that the sites could be implemented as part of the ASes to which they are attached, or as separate ASes). The various ASes that provide connectivity between the ingress and egress sites could each be constructed differently and use different technologies such asIP,IP; MPLS using global table routing information fromnative BGP,BGP; MPLS IPVPN,VPN; SR-MPLS IPVPN,VPN; or SRv6 IP VPN. That is, the ingress and egress sites can be connected by tunnels across a variety of technologies. This document describes how SRidentifiersSegment Identifiers (SIDs) are used to identify the paths between the ingress and egress sites.</t> <t>The solution described in this document is agnostic as to whether the transit ASes do or do not have SR capabilities. The solution uses SR to stitch together path segments between GWs and through theASBRs.Autonomous System Border Routers (ASBRs). Thus, there is a requirement that the GWs and ASBRs areSR-capable.SR capable. The solution supports the SR path being extended into the ingress and egress sites if they areSR-capable.</t>SR capable.</t> <t>The solution defined in this document can be seen in the broader context of site interconnection in <xref target="I-D.farrel-spring-sr-domain-interconnect"/>.format="default"/>. That document shows how other existing protocol elements may be combined with the solution defined in this document to provide a full system, but it is not a necessary reference for understanding this document.</t> <t>Suppose that there are two gateways, GW1 and GW2 as shown in <xref target="david_hockney"/>,format="default"/>, for a given egress site and that they each advertise a route to prefixXX, which is located within the egress site with each setting itself as next hop. One might think that the GWs for X could be inferred from theroutes' next hoproutes' next-hop fields, but typically it is not the case that both routes get distributed across the backbone: rather only the best route, as selected by BGP, is distributed. This precludesload balancingload-balancing flows across both GWs.</t> <figureanchor="david_hockney" title="Exampleanchor="david_hockney"> <name>Example SiteInterconnection">Interconnection</name> <artworkalign="center"> <![CDATA[align="center" name="" type="" alt=""><![CDATA[ ----------------- --------------------- | Ingress | | Egress ------ | | Site | | Site |Prefix| | | | | | X | | | | | ------ | | -- | | --- --- | | |GW| | | |GW1| |GW2| | -------++-------- ----+-----------+-+-- | \ | / | | \ | / | | -+------------- --------+--------+-- | | ||ASBR| ----| |---- |ASBR| |ASBR| | | | | ---- |ASBR+------+ASBR| ---- ---- | | | | ----| |---- | | | | | | | | | | ----| |---- | | | | AS1 |ASBR+------+ASBR| AS2 | | | | ----| |---- | | | --------------- -------------------- | --+-----------------------------------------------+-- | |ASBR| |ASBR| | | ---- AS3 ---- | | | -----------------------------------------------------]]> </artwork>]]></artwork> </figure> <t>The obvious solution to this problem is to use the BGP feature that allows the advertisement of multiple paths in BGP (known as Add-Paths)<xref(<xref target="RFC7911"/>format="default"/>) to ensure that all routes to X get advertised by BGP. However, even if this is done, the identity of the GWs will be lost as soon as the routes get distributed through anAutonomous System Border Router (ASBR)ASBR that will set itself to be the next hop. And if there are multipleAutonomous Systems (ASes)ASes in the backbone, not only will the next hop change several times, but the Add-Paths technique will experience scaling issues. This all means that the Add-Paths approach is effectively limited to sites connected over a single AS.</t> <t>This document defines a solution that overcomes this limitation and works equally well with a backbone constructed from one or more ASes using the Tunnel Encapsulation attribute<xref(<xref target="RFC9012"/>format="default"/>) as follows:<list style="empty"> <t>When</t> <ul empty="true" spacing="normal"> <li>When a GW to a given site advertises a route to a prefix X within that site, it will include a Tunnel Encapsulation attribute that contains the union of the Tunnel Encapsulation attributes advertised by each of the GWs to that site, includingitself.</t> </list></t>itself.</li> </ul> <t>In other words, each route advertised by a GW identifies all of the GWs to the same site (see <xref target="DCGWautodisco"/>format="default"/> for a discussion of how GWs discover eachother). I.e.,other), i.e., the Tunnel Encapsulation attribute advertised by each GW contains multiple Tunnel TLVs, one or more from each active GW, and each Tunnel TLV will contain a Tunnel Egress EndpointSub-TLVsub-TLV that identifies the GW for that Tunnel TLV. Therefore, even if only one of the routes is distributed to other ASes, it will not matter how many times the next hop changes, as the Tunnel Encapsulation attribute will remain unchanged.</t> <t>To put this in the context of <xref target="david_hockney"/>,format="default"/>, GW1 and GW2 discover each other as gateways for the egress site. Both GW1 and GW2 advertise themselves as having routes to prefix X. Furthermore, GW1 includes a Tunnel Encapsulationattributeattribute, which is the union of its Tunnel Encapsulation attribute andGW2'sGW2's Tunnel Encapsulation attribute. Similarly, GW2 includes a Tunnel Encapsulationattributeattribute, which is the union of its Tunnel Encapsulation attribute andGW1'sGW1's Tunnel Encapsulation attribute. The gateway in the ingress site can now see all possible paths to X in the egress site regardless of which route is propagated to it, and it can chooseone,one or balance traffic flows as it sees fit.</t> </section> <sectiontitle="Requirements Language"> <t>Thenumbered="true" toc="default"> <name>Requirements Language</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xreftarget="RFC2119" />target="RFC2119"/> <xreftarget="RFC8174" />target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> </section> <section anchor="DCGWautodisco"title="Sitenumbered="true" toc="default"> <name>Site GatewayAuto-Discovery">Auto-Discovery</name> <t>To allow a givensite'ssite's GWs to auto-discover each other and to coordinate their operations, the following procedures are implemented:<list style="symbols"> <t>A</t> <ul spacing="normal"> <li>A route target (<xref target="RFC4360"/>) MUSTformat="default"/>) <bcp14>MUST</bcp14> be attached to eachGW'sGW's auto-discovery route (definedbelow)below), and its valueMUST<bcp14>MUST</bcp14> be set to a value that indicates the site identifier. The rules for constructing a route target are detailed in <xref target="RFC4360"/>.format="default"/>. It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that a Type x00 or x02 route target beused.</t> <t>Siteused.</li> <li>Site identifiers are set through configuration. The site identifiersMUST<bcp14>MUST</bcp14> be the same across all GWs to the site (i.e., the same identifier is used by all GWs to the samesite),site) andMUST<bcp14>MUST</bcp14> be unique across all sites that are connected (i.e., across all GWs to all sites that areinterconnected).</t> <t>Eachinterconnected).</li> <li>Each GWMUST<bcp14>MUST</bcp14> construct an import filtering rule to import any route that carries a route target with the same site identifier that the GW itself uses. This means that only these GWs will import those routes, and that all GWs to the same site will import eachother'sother's routes and will learn (auto-discover) the current set of active GWs for thesite.</t> </list> </t>site.</li> </ul> <t>The auto-discovery route that each GW advertises consists of the following:<list style="symbols"> <t>An IPv4</t> <ul spacing="normal"> <li>IPv4 or IPv6 Network Layer Reachability Information (NLRI)<xref target="RFC4760"/>(<xref target="RFC4760" format="default"/>) containing one of theGW'sGW's loopback addresses (that is, with an AFI/SAFI pair that is one of the following: IPv4/NLRI used for unicast forwarding(1/1),(1/1); IPv6/NLRI used for unicast forwarding(2/1),(2/1); IPv4/NLRI with MPLS Labels(1/4),(1/4); or IPv6/NLRI with MPLS Labels(2/4)).</t> <t>A(2/4)).</li> <li>A Tunnel Encapsulation attribute<xref(<xref target="RFC9012"/>format="default"/>) containing theGW'sGW's encapsulation information encoded in one or more TunnelTLVs.</t> </list> </t>TLVs.</li> </ul> <t>To avoid the side effect of applying the Tunnel Encapsulation attribute to any packet that is addressed to the GW itself, the address advertised for auto-discoveryMUST<bcp14>MUST</bcp14> be a different loopback address than is advertised for packets directed to the gateway itself.</t> <t>As described in <xref target="introduction"/>,format="default"/>, each GW will include a Tunnel Encapsulation attribute with the GW encapsulation information for each of thesite'ssite's active GWs (including itself) in every route advertised externally to that site. As the current set of active GWs changes (due to the addition of a new GW or the failure/removal of an existingGW)GW), each externally advertised route will be re-advertised with a new Tunnel Encapsulationattributeattribute, which reflects the current set of active GWs.</t> <t>If a gateway becomes disconnected from the backbone network, or if the site operator decides to terminate thegateway'sgateway's activity, itMUST<bcp14>MUST</bcp14> withdraw the advertisements described above. This means that remote gateways at other sites will stop seeing advertisements from or about this gateway. Note that if the routing within a site is broken (for example, such that there is a route from one GW toanother,another but not in the reverse direction), then it is possible that incoming traffic will be routed to the wrong GW to reach the destinationprefix -prefix; in this degraded network situation, traffic may be dropped.</t> <t>Note that if a GW is (mis)configured with a different site identifier from the other GWs to the samesitesite, then it will not be auto-discovered by the other GWs (and will not auto-discover the other GWs). This would result in a GW for another site receiving only the Tunnel Encapsulation attribute included in the BGP bestroute;route, i.e., the Tunnel Encapsulation attribute of the (mis)configured GW or that of the other GWs.</t> </section> <section anchor="EPE"title="Relationshipnumbered="true" toc="default"> <name>Relationship to BGP - Link State and Egress PeerEngineering">Engineering</name> <t>When a remote GW receives a route to a prefix X, it uses the Tunnel Egress EndpointSub-TLVssub-TLVs in the containing Tunnel Encapsulation attribute to identify the GWs through which X can be reached. It uses this information to compute SR Traffic Engineering (SR TE) paths across the backbone network looking at the information advertised to it in SR BGP - Link State (BGP-LS)<xref target="I-D.ietf-idr-bgp-ls-segment-routing-ext" />(<xref target="RFC9085" format="default"/>) and correlated using the site identity. SR Egress Peer Engineering (EPE)<xref target="I-D.ietf-idr-bgpls-segment-routing-epe" />(<xref target="RFC9086" format="default"/>) can be used to supplement the information advertised in BGP-LS.</t> </section> <section anchor="advertising"title="Advertisingnumbered="true" toc="default"> <name>Advertising a Site RouteExternally">Externally</name> <t>When a packet destined for prefix X is sent on an SR TE path to a GW for the site containing X (that is, the packet is sent in the ingress site on an SR TE path that describes the whole path including those parts that are within the egress site), it needs to carry the receivingGW'sGW's SID for X such that this SID becomes the next SID that is due to be processed before the GW completes its processing of the packet. To achieve this, each Tunnel TLV in the Tunnel Encapsulation attribute contains a Prefix-SID sub-TLV<xref(<xref target="RFC9012"/>format="default"/>) for X.</t> <t>As defined in <xref target="RFC9012"/>,format="default"/>, the Prefix-SID sub-TLV is only for IPv4/IPV6labelled unicastLabeled Unicast routes, so the solution described in this document only applies to routes of those types. If the use of the Prefix-SID sub-TLV for routes of other types is defined in the future, further documents will be needed to describe their use for site interconnection consistent with this document.</t> <t>Alternatively, if MPLS SR is in use and if the GWs for a given egress site are configured to allow GWs at remote ingress sites to perform SR TE through that egress site for a prefix X, then each GW to the egress site computes an SR TE path through the egress site toX,X and places each in an MPLSlabel stackLabel Stack sub-TLV<xref(<xref target="RFC9012"/>format="default"/>) in the SR Tunnel TLV for that GW.</t> <t>Please refer toSection 7 of<xref target="I-D.farrel-spring-sr-domain-interconnect"/>sectionFormat="of" section="7" format="default"/> for worked examples of how the SID stack is constructed in thiscase,case and how the advertisements would work.</t> </section> <section anchor="encaps"title="Encapsulation"> <t>Ifnumbered="true" toc="default"> <name>Encapsulation</name> <t> If a site is configured to allow remote GWs to send packets to the site in thesite'ssite's native encapsulation, then each GW to the site will also include multiple instances of a Tunnel TLV for that native encapsulation in externally advertised routes: one for eachGW and each containingGW. Each Tunnel TLV contains a Tunnel Egress Endpoint sub-TLV with the address of the GW thatGW's address.the Tunnel TLV identifies. A remote GW may then encapsulate a packet according to the rules defined via the sub-TLVs included in each of the Tunnel TLVs.</t> </section> <section anchor="iana"title="IANA Considerations"> <t>IANAnumbered="true" toc="default"> <name>IANA Considerations</name> <t> IANA maintainsa registry called "Border Gateway Protocol (BGP) Parameters" with a sub-registry calledthe "BGP Tunnel Encapsulation Attribute TunnelTypes." The registration policy for thisTypesā€¯ registryis First-Come First-Served <xref target="RFC8126" />.</t> <t>IANAin the "Border Gateway Protocol (BGP) Tunnel Encapsulation" registry. </t> <t> IANA had previously assigned the value 17 from thissub-registrysubregistry for "SR Tunnel", referencing thisdocument.document as an Internet-Draft. At that time, the assignment policy for this range of the registry was "First Come First Served" <xref target="RFC8126"/>. </t> <t> IANAis now requested to markhas marked that assignment as deprecated. IANA may reclaim that codepoint at such a time that the registry isdepleted.</t>depleted. </t> </section> <section anchor="security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>From a protocol point of view, the mechanisms described in this document can leverage the security mechanisms already defined for BGP. Further discussion of security considerations for BGP may be found in the BGP specification itself<xref(<xref target="RFC4271"/>format="default"/>) and in the security analysis for BGP<xref(<xref target="RFC4272"/>.format="default"/>). The original discussion of the use of the TCP MD5 signature option to protect BGP sessions is found in <xref target="RFC5925"/>,format="default"/>, while <xref target="RFC6952"/>format="default"/> includes an analysis of BGP keying and authentication issues.</t> <t>The mechanisms described in this document involve sharing routing or reachability information betweensites: thatsites, which may mean disclosing information that is normally contained within a site. So it needs to be understood that normal security paradigms based on the boundaries of sites are weakened and interception of BGP messages may result in information being disclosed to third parties. Discussion of these issues with respect to VPNs can be found in <xref target="RFC4364"/>,format="default"/>, while <xref target="RFC7926"/>format="default"/> describes many of the issues associated with the exchange of topology or TE information between sites.</t> <t>Particular exposures resulting from this work include:<list style="symbols"> <t>Gateways</t> <ul spacing="normal"> <li>Gateways to a site will know about all other gateways to the same site. This feature applies within asite andsite, so it is not a substantial exposure, but it does mean that if the BGP exchanges within a site can be snooped or if a gateway can besubvertedsubverted, then an attacker may learn the full set of gateways to a site. This would facilitate more effective attacks on thatsite.</t> <t>Thesite.</li> <li>The existence of multiple gateways to a site becomes more visible across the backbone and even into remote sites. This means that an attacker is able to prepare a more comprehensive attack than exists when only the locally attached backbone network (e.g., the AS that hosts the site) can see all of the gateways to a site. For example, aDenial of ServiceDenial-of-Service attack on a single GW is mitigated by the existence of other GWs, but if the attacker knows about all thegatewaysgateways, then the whole set can be attacked atonce.</t> <t>Aonce.</li> <li>A node in a site that does not have external BGP peering (i.e., is not really a site gateway and cannot speak BGP into the backbone network) may be able to get itself advertised as a gateway by letting other genuine gateways discover it (by speaking BGP to them within thesite) andsite), so it may get those genuine gateways to advertise it as a gateway into the backbone network. This would allow the malicious node to attract traffic without having to have secure BGP peerings with out-of-sitenodes.</t> <t>Annodes.</li> <li>An external party intercepting BGP messages anywhere between sites may learn information about the functioning of the sites and the locations ofend points.endpoints. While this is not necessarily a significant security or privacy risk, it is possible that the disclosure of this information could be used by anattacker.</t> <t>Ifattacker.</li> <li>If it is possible to modify a BGP message within the backbone, it may be possible to spoof the existence of a gateway. This could cause traffic to be attracted to a specific node and might result inblack-holing of traffic.</t> </list></t>traffic not being delivered. </li> </ul> <t>All of the issues in the list above could cause disruption to site interconnection, but they are not new protocol vulnerabilities so much as new exposures of information thatSHOULD<bcp14>SHOULD</bcp14> be protected against using existing protocol mechanisms such as securing the TCP sessions over which the BGP messages flow. Furthermore, it is a general observation that if these attacks arepossiblepossible, then it is highly likely that far more significant attacks can be made on the routing system. It should be noted that BGP peerings are notdiscovered,discovered but always arise from explicit configuration.</t> <t>Given that the gateways and ASBRs are connected by tunnels that may run across parts of the network that are not trusted, data center operators using the approach set out in this networkMUST<bcp14>MUST</bcp14> consider using gateway-to-gateway encryption to protect the data center traffic. Additionally, due considerationMUST<bcp14>MUST</bcp14> be given to encrypting end-to-end traffic as it would be for any traffic that uses a public or untrusted network for transport.</t> </section> <section anchor="manageability"title="Manageability Considerations">numbered="true" toc="default"> <name>Manageability Considerations</name> <t>The principal configuration item added by this solution is the allocation of a site identifier. The same identifierMUST<bcp14>MUST</bcp14> be assigned to every GW to the same site, and each siteMUST<bcp14>MUST</bcp14> have a different identifier. This requires coordination, probably through a central management agent.</t> <t>It should be noted that BGP peerings are notdiscovered,discovered but always arise from explicit configuration. This is no different from any other BGP operation.</t> <t>The site identifiers that are configured and carried in route targets (see <xref target="DCGWautodisco"/>)format="default"/>) are an important feature to ensure that all of the gateways to a site discover each other.It is, therefore,Therefore, it is important that this value is not misconfigured since that would result in the gateways not discovering each other and not advertising each other.</t> <section anchor="rtc"title="Relationshipnumbered="true" toc="default"> <name>Relationship to Route TargetConstraint"> <t>InConstraint</name> <t> In order to limit the VPN routing information that is maintained at a given route reflector, <xreftarget="RFC4364" />target="RFC4364"/> suggeststhethat route reflectors useof"Cooperative Route Filtering", which was renamed "Outbound Route Filtering" and defined in <xreftarget="RFC5291" /> between route reflectors.target="RFC5291"/>. <xref target="RFC4684"/>format="default"/> defines an extension to that mechanism to include support for multiple autonomous systems and asymmetric VPN topologies such as hub-and-spoke. The mechanism in RFC 4684 is known as Route Target Constraint (RTC).</t> <t>An operator would not normally configure RTC by default for any AFI/SAFIcombination,combination and would only enable it after careful consideration. When using the mechanisms defined in this document, the operator shouldconsidercarefully consider the effects of filtering routes. In somecasescases, this may be desirable, and inothersothers, it could limit the effectiveness of the procedures.</t> </section> </section><!-- <section anchor="contrib" title="Contributors"> <t>The following people contributed to discussions that led to the development of this document:</t> <figure> <artwork align="left"> <![CDATA[ TBD name Email: email ]]> </artwork> </figure> </section> --></middle> <back> <displayreference target="I-D.farrel-spring-sr-domain-interconnect" to="SR-INTERCONNECT"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4271.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4360.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4760.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5925.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7752.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9012.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4272.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4364.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4684.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5291.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6952.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7911.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7926.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8402.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9085.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9086.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-farrel-spring-sr-domain-interconnect.xml"/> </references> </references> <section anchor="acks"title="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgements</name> <t>Thanks toBruno Rijsman, Stephane Litkowski, Boris Hassanov, Linda Dunbar, Ravi Singh, and Daniel Migault<contact fullname="Bruno Rijsman"/>, <contact fullname="Stephane Litkowski"/>, <contact fullname="Boris Hassanov"/>, <contact fullname="Linda Dunbar"/>, <contact fullname="Ravi Singh"/>, and <contact fullname="Daniel Migault"/> for review comments, and toRobert Raszuk<contact fullname="Robert Raszuk"/> for useful discussions.Gyan Mishra<contact fullname="Gyan Mishra"/> provided a helpful GenArt review, andJohn Scudder<contact fullname="John Scudder"/> andBenjamin Kaduk<contact fullname="Benjamin Kaduk"/> made helpful comments during IESG review.</t> </section></middle> <back> <references title="Normative References"> &RFC2119; &RFC4271; &RFC4360; &RFC4760; &RFC5925; &RFC7752; &RFC8174; &RFC9012; </references> <references title="Informative References"> &RFC4272; &RFC4364; &RFC4684; &RFC5291; &RFC6952; &RFC7911; &RFC7926; &RFC8126; &RFC8402; &I-D.farrel-spring-sr-domain-interconnect; &I-D.ietf-idr-bgp-ls-segment-routing-ext; &I-D.ietf-idr-bgpls-segment-routing-epe; </references></back> </rfc>