Internet-Draft | OSPF Administrative Tags | August 2022 |
Lindem & Psenak | Expires 2 March 2023 | [Page] |
It is useful for routers in an OSPFv2 or OSPFv3 routing domain to be able to associate tags with prefixes. Previously, OSPFv2 and OSPFv3 were relegated to a single tag for AS External and Not-So-Stubby-Area (NSSA) prefixes. With the flexible encodings provided by OSPFv2 Prefix/Link Attribute Advertisement and OSPFv3 Extended LSAs, multiple administrative tags may advertised for all types of prefixes. These administrative tags can be used for many applications including route redistribution policy, selective prefix prioritization, selective IP Fast-ReRoute (IPFRR) prefix protection, and many others.¶
The ISIS protocol supports a similar mechanism that is described in RFC 5130.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 2 March 2023.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
It is useful for routers in an OSPFv2 [RFC2328] or OSPFv3 [RFC5340] routing domain to be able to associate tags with prefixes. Previously, OSPFv3 and OSPFv3 were relegated to a single tag for AS External and Not-So-Stubby-Area (NSSA) prefixes. With the flexible encodings provided by OSPFv2 Prefix/Link Attribute Advertisement ([RFC7684]) and OSPFv3 Extended LSA ([RFC8362]), multiple administrative tags may be advertised for all types of prefixes. These administrative tags can be used many applications including (but not limited to):¶
Throughout this document, OSPF is used when the text applies to both OSPFv2 and OSPFv3. OSPFv2 or OSPFv3 is used when the text is specific to one version of the OSPF protocol.¶
The ISIS protocol supports a similar mechanism that is described in RFC 5130 [RFC5130].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document creates a new Administrative Tag Sub-TLV for OSPFv2 and OSPFv3. This Sub-TLV specifies one or more 32-bit unsigned integers that may be associated with an OSPF advertised prefix. The precise usage of these tags is beyond the scope of this document.¶
The format of this Sub-TLV is the same as the format used by the Traffic Engineering Extensions to OSPF [RFC3630]. The LSA payload consists of one or more nested Type/Length/Value (TLV) triplets. The format of each TLV is:¶
The Length field defines the length of the value portion in octets (thus a TLV with no value portion would have a length of 0). The TLV is padded to 4-octet alignment; padding is not included in the length field (so a 3-octet value would have a length of 3, but the total size of the TLV would be 8 octets).¶
The format of the 32-bit Administrative Tag TLV is as follows:¶
This sub-TLV will carry one or more 32-bit unsigned integer values that will be used as administrative tags.¶
The administrative tag TLV specified herein will be valid as a sub-TLV of the following TLVs specified in [RFC7684]:¶
The administrative tag TLV specified herein will be valid as a sub-TLV of the following TLVs specified in [RFC8362]:¶
An OSPF router supporting this specification MUST propagate administrative tags when acting as an Area Border Router and originating summary advertisements into other areas. Similarly, an OSPF router supporting this specification and acting as an ABR for a Not-So-Stubby Area (NSSA) MUST propagate tags when translating NSSA routes to AS External advertisements [RFC3101]. The number of tags supported MAY limit the number of tags that are propagated. When propagating multiple tags, the order of the the tags must be preserved.¶
For configured area ranges, NSSA ranges, and configurated summarization of redistributed routes, tags from component routes SHOULD NOT be propagated to the summary. Implementations SHOULD provide a mechanism to configure tags for area ranges, NSSA ranges, and redistributed route summaries.¶
An OSPF router supporting this specification MUST be able to advertise and interpret one 32-bit tag for prefixes. An OSPF router supporting this specification MAY be able to advertise and propagate multiple 32-bit tags. The maximum tags that an implementation supports is a local matter depending upon supported applications using the prefix or link tags.¶
When a single tag is advertised for AS External or NSSA LSA prefix, the existing tag in OSPFv2 and OSPFv3 AS-External-LSA and NSSA-LSA encodings SHOULD be utilized. This will facilitate backward compatibilty with implementations that do not support this specification.¶
When multiple LSAs contribute to an OSPF route, it is possible that these LSAs will all have different tags. In this situation, the OSPF router MUST associate the tags from one of the LSAs contributing a path and, if the implementation supports multiple tags, MAY associate tags for multiple contributing LSAs up to the maximum number of tags supported.¶
This document describes a generic mechanism for advertising administrative tags for OSPF prefixes. The administrative tags are generally less critical than the topology information currently advertised by the base OSPF protocol. The security considerations for the generic mechanism are dependent on their application. One such application is to control leaking of OSPF routes to other protocols (e.g., BGP [RFC4271]). If an attacker were able to modify the admin tags associated with OSPF routes and they were be used for this application, such routes could be prevented from being advertised in routing domains where they are required (subtle denial or service) or they could be advertised into routing domains where they shouldn't be advertised (routing vulnerability). Security considerations for the base OSPF protocol are covered in [RFC2328] and [RFC5340].¶
The following values should be allocated from the OSPF Extended Prefix TLV Sub-TLV Registry [RFC7684]:¶
The following values should be allocated from the OSPFv3 Extended-LSA Sub-TLV Registry [RFC8362]:¶
The authors of RFC 5130 are acknowledged since this document draws upon both the ISIS specification and deployment experience.¶
Thanks to Donnie Savage for his comments and questions.¶
The RFC text was produced using Marshall Rose's xml2rfc tool.¶
The definition of the 64-bit tag was considered but discard given that there is no strong requirement or use case. The specification is included here for information.¶
This sub-TLV will carry one or more 64-bit unsigned integer values that will be used as administrative tags.¶
The format of the 64-bit Administrative Tag TLV is as follows:¶
The advertisement of administrative tags corresponding to links has been removed from the document. The specification of advertising link administrative groups as specified in [RFC8920] advertising administrative tags for links.¶