doc: add bgp flowspec ipv6 documentation

add bgp flowspdec ipv6 documentation.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

diff --git a/doc/user/flowspec.rst b/doc/user/flowspec.rst
index b274afe8a25fdac34b27f6f2650593329fe7e8fb..d3eb25a7c7fc6a31bdc37b384fc2c4b0b6ed0cd1 100644 (file)
--- a/doc/user/flowspec.rst
+++ b/doc/user/flowspec.rst
@@ -22,6 +22,9 @@ more or less complex combination of the following:
 - Layer 3 information: DSCP value, Protocol type, packet length, fragmentation.
 - Misc layer 4 TCP flags.
 
+Note that if originally Flowspec defined IPv4 rules, this is also possible to use
+IPv6 address-family. The same set of combinations as defined for IPv4 can be used.
+
 A combination of the above rules is applied for traffic filtering. This is
 encoded as part of specific BGP extended communities and the action can range
 from the obvious rerouting (to nexthop or to separate VRF) to shaping, or
@@ -31,6 +34,7 @@ The following IETF drafts and RFCs have been used to implement FRR Flowspec:
 
 - :rfc:`5575`
 - [Draft-IETF-IDR-Flowspec-redirect-IP]_
+- [Draft-IETF-IDR-Flow-Spec-V6]_
 
 .. _design-principles-flowspec:
 
@@ -108,9 +112,13 @@ As of today, it is only possible to configure Flowspec on the default VRF.
 
    router bgp <AS>
      neighbor <A.B.C.D> remote-as <remoteAS>
+     neighbor <A:B::C:D> remote-as <remoteAS2>
      address-family ipv4 flowspec
       neighbor <A.B.C.D> activate
-    exit
+     exit
+     address-family ipv6 flowspec
+      neighbor <A:B::C:D> activate
+     exit
    exit
 
 You can see Flowspec entries, by using one of the following show commands:
@@ -118,6 +126,8 @@ You can see Flowspec entries, by using one of the following show commands:
 .. index:: show bgp ipv4 flowspec [detail | A.B.C.D]
 .. clicmd:: show bgp ipv4 flowspec [detail | A.B.C.D]
 
+.. index:: show bgp ipv6 flowspec [detail | A:B::C:D]
+.. clicmd:: show bgp ipv6 flowspec [detail | A:B::C:D]
 
 Per-interface configuration
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -183,6 +193,28 @@ interfaces are created with private IP addressing scheme.
     exit
    exit
 
+Similarly, it is possible to do the same for IPv6 flowspec rules, by using
+an IPv6 extended community. The format is defined on :rfc:`5701`, and that
+community contains an IPv6 address encoded in the attribute, and matches the
+locally configured imported route target IPv6 defined under the appropriate
+BGP VRF instance. Below example defines an IPv6 extended community containing
+`E:F::G:H` address followed by 2 bytes chosen by admin ( here `JJ`).
+
+.. code-block:: frr
+
+   router bgp <ASx>
+    neighbor <A:B::C:D> remote-as <ASz>
+    address-family ipv6 flowspec
+     neighbor A:B::C:D activate
+    exit
+   exit
+   router bgp <ASy> vrf vrf2
+    address-family ipv6 unicast
+     rt6 redirect import <E:F::G:H:JJ>
+    exit
+   exit
+
+
 Flowspec monitoring & troubleshooting
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -348,4 +380,5 @@ inside FRRouting.
 
 .. [Draft-IETF-IDR-Flowspec-redirect-IP] <https://tools.ietf.org/id/draft-ietf-idr-flowspec-redirect-ip-02.txt>
 .. [Draft-IETF-IDR-Flowspec-Interface-Set] <https://tools.ietf.org/id/draft-ietf-idr-flowspec-interfaceset-03.txt>
+.. [Draft-IETF-IDR-Flow-Spec-V6] <https://tools.ietf.org/id/draft-ietf-idr-flow-spec-v6-10.txt>
 .. [Presentation] <https://docs.google.com/presentation/d/1ekQygUAG5yvQ3wWUyrw4Wcag0LgmbW1kV02IWcU4iUg/edit#slide=id.g378f0e1b5e_1_44>