bess V. Nagaraj Internet-Draft V. Nagarajan Intended status: Standards Track Z. Zhang Expires: 27 April 2023 Juniper Networks J. Rabadan Nokia 24 October 2022 Enhancements to Multicast Source Redundancy in EVPN Networks draft-nagaraj-bess-evpn-redundant-mcast-src-update-00 Abstract draft-ietf-bess-evpn-redundant-mcast-source specifies Warm Standby (WS) and Hot Standby (HS) procedures for handling redundant multicast traffic into an EVPN tenant domain. With the Hot Standby procedure, multiple ingress PEs may inject traffic and an egress PE will decide from which ingress PE traffic will be accepted and forwarded. The decision is based on certain signaling messages and/or BFD status of provider tunnels from the ingress PEs, and the traffic is associated with ingress PEs based on Ethernet Segment Identifier (ESI) labels. As a result, the procedures in that document only apply to MPLS data plane. This document extends the Hot Standby procedures to non-MPLS data planes and EVPN Data Center Interconnect scenarios. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 27 April 2023. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. Nagaraj, et al. Expires 27 April 2023 [Page 1] Internet-Draft EVPN Multicast Source Redundancy Update October 2022 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Background . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Hot Standby mode in non-MPLS IP tunnels . . . . . . . . . 3 1.2. EVPN DCI Use Case . . . . . . . . . . . . . . . . . . . . 3 1.2.1. True Source Redundancy . . . . . . . . . . . . . . . 3 1.2.2. GW-introduced Flow Redundancy . . . . . . . . . . . . 4 1.2.3. Co-existence of Source Redundancy and GW-introduced Redundancy . . . . . . . . . . . . . . . . . . . . . 5 2. Specifications . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Hot Standby Procedures for non-MPLS IP tunnels . . . . . 5 2.2. Procedures for EVPN DCI Use Case . . . . . . . . . . . . 7 3. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 5.1. Normative References . . . . . . . . . . . . . . . . . . 7 5.2. Informative References . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 1. Background [I-D.ietf-bess-evpn-redundant-mcast-source] specifies Warm Standby and Hot Standby procedures for handling redundant multicast traffic into an EVPN tenant domain. With the Hot Standby procedure, multiple ingress PEs will inject traffic and an egress PE will decide from which ingress PE traffic will be accepted and forwarded. The PEs that inject redundant traffic advertises Selective Provider Multicast Service Interface (S-PMSI) A-D routes. The routes carry an EVPN Multicast Flags Extended Community with a bit to indicate that matching traffic is from redundant sources. With MPLS data plane, the routes also carry an Ethernet Segment Identifier (ESI) label, indicating the Ethernet Segment on which the traffic is received. When an egress PE receives S-PMSI A-D routes, it decides from which ingress PE it should accept the traffic. The decision could be based on the following factors: Nagaraj, et al. Expires 27 April 2023 [Page 2] Internet-Draft EVPN Multicast Source Redundancy Update October 2022 * The presence/lack of S-PMSI A-D routes from ingress PEs of the redundant traffic * The presence/lack of Ethernet A-D per EVI routes from ingress PEs for the Ethernet Segment that redundant traffic arrives on * BFD status of provider tunnels for redundant traffic All the above options are local behaviors on individual egress PEs. 1.1. Hot Standby mode in non-MPLS IP tunnels With MPLS data plane, the Hot Standby redundant flows from different PEs are distinguished via ESI labels. With non-MPLS IP encapsulations like VXLAN/NVGRE, this document specifies that the redundant flows are distinguished by the source IP address (Source VTEP IP) in the outer IP header. This document also makes explicit that non-MPLS IP tunnels that carry an identifier of the source Ethernet Segment reuse all the procedures of [I-D.ietf-bess-evpn-redundant-mcast-source] for Hot Standby redundancy. Examples of these tunnels used by EVPN are GENEVE [I-D.ietf-bess-evpn-geneve] and SRv6 [RFC9252]. 1.2. EVPN DCI Use Case When an EVPN network is used as Data Center Interconnect (DCI) for DCs (e.g., VxLAN or EVPN), multiple gateways (GWs) are placed between a DC and DCI, as described in [RFC9014]. A virtual Ethernet Segment is defined for each EVPN (the DC and/or DCI) and multi-homed to the GWs. A Designated Forwarder (DF) is elected for each virtual ES (ethernet segment). Each GW can receive the same BUM traffic from a DC/DCI EVPN but only the DF will forward traffic to the next DCI/DC (corresponding to the virtual ES). This section discusses how source redundancy works with DCI, and how DCI GWs can optionally introduce redundant flows even when there is no source redundancy at source DC. 1.2.1. True Source Redundancy [I-D.ietf-bess-evpn-redundant-mcast-source] is MPLS-based. It is "true" source redundancy in that multiple of sources of the same flow are attached to different Ethernet Segments. S-PMSI A-D routes announce the redundant flows and carry ESI Label Extended Communities (ECs) for the ESes so that an egress PE can choose from which source ES the packets will be accepted. Nagaraj, et al. Expires 27 April 2023 [Page 3] Internet-Draft EVPN Multicast Source Redundancy Update October 2022 With DCI, the source ESes are hidden outside the source DC, and different DC/DCI may use different data planes. Additionally, currently only the GW that is the DF for the Interconnect Ethernet Segment (I-ES) will forward BUM traffic to the downstream DC/DCI, so the benefit of HS is lost once the first DC boundary is crossed. The above issues are solved as following: * The GWs forward accepted redundant flows regardless of DF status. Note that, a GW will only accept one of the redundant flows from its redundant upstream PEs/GWs. * The GWs remove ESI Label ECs when they re-originate the S-PMSI A-D routes into the next DC/DCI. Note that, Even if the downstream DC/DCI is MPLS, the re-originated S-PMSI A-D routes do not carry the ESI Label EC for the I-ES. This is because the GWs use the same ESI label for the I-ES, so the ESI label cannot be used to distinguish the flows. * When the S-PMSI A-D routes do not carry ESI Label ECs, an egress PE chooses from which PE/GW (vs. ES) to accept traffic from. - In case of IP based data plane, this is the same as non-DCI case. - In case of MPLS data plane, a PE needs to be able to distinguish from which node the traffic is. In some cases, the PE Distinguisher Label concept [RFC6513] need to be used. 1.2.2. GW-introduced Flow Redundancy In the "true source redundancy" case, S-PMSI A-D routes announce the redundancy and the DCI GWs always forward accepted flows regardless of the DF status. The GWs may also forward all BUM traffic regardless of DF status - not just those redundant flows announced by S-PMSI A-D routes. This creates a similar scenario of source redundancy, though it is introduced by the GWs. A downstream GW/PE can choose which redundant flows need to be accepted/discarded based on the A-D per ES routes for the I-ES instead of S-PMSI A-D routes. This requires that all downstream PEs/GWs behave consistently. That is ensured either based on provisioning or based on signaling (details to be added in a future revision). Nagaraj, et al. Expires 27 April 2023 [Page 4] Internet-Draft EVPN Multicast Source Redundancy Update October 2022 In the "true source redundancy" case, all flows covered by the (_, g) or (s-prefix, g) in the S-PMSI A-D routes are treated as redundant flows. In the GW-introduced redundancy, (_, g) flows are treated as distinct flows that have redundant copies. They may be from different PEs in the local DC and all must be accepted, or they may be from different DCs in which case only traffic from one GW for each upstream DC can be accepted, as explained below. Consider that a DCI interconnects three DCs. GW1a/GW1b connect DC1 and the DCI, GW2a/GW2b connect DC2 and the DCI, and GW3a/GW3b connect DC3 and the DCI. An egress PE1 in DC1 may need to accept and forward (_, G) traffic from all local PEs in DC1 and GW1a but not from the GW1b. To do so, it installs a (_, G) forwarding state in a BD (Broadcast Domain) with indication that traffic from GW1b must be discarded. Similarly, GW3a/GE3b may need to accept and forward (_, G) traffic from GW1a/ GW2a but not from GW1b/GW2b. To do so, it installs a (_, G) forwarding state with indication that traffic from GW1b/GW2b must be discarded. The reverse logic (of specifying PEs/GWs from which traffic should not be accepted) is only needed for (*, G) entries in the DCI case. For (S, G) case, the reverse logic is not needed because an egress PE should be able to decide from which PE/GW the traffic should be accepted. 1.2.3. Co-existence of Source Redundancy and GW-introduced Redundancy Both flavors of redundancy can co-exist. For redundant flows announced by S-PMSI A-D routes, the method described in Section 1.2.1 is used. For GW-introduced redundancy, the method described in Section 1.2.2 is used. The difference between the two on downstream PEs/GWs is that one uses S-PMSI A-D routes while the other uses I-ES A-D per ES routes to choose which flow to accept, and for (*,g) flows in the latter case, reverse logic is needed. 2. Specifications 2.1. Hot Standby Procedures for non-MPLS IP tunnels In case the EVPN network uses non-MPLS IP tunnels without source Ethernet Segment identification, e.g., VXLAN/NVGRE, the procedures in [I-D.ietf-bess-evpn-redundant-mcast-source] for Hot Standby redundancy are modified as follows: Nagaraj, et al. Expires 27 April 2023 [Page 5] Internet-Draft EVPN Multicast Source Redundancy Update October 2022 * The S-PMSI A-D routes advertised for each SFG (Single Flow Group) by the upstream PEs MUST NOT carry any ESI Label Extended Communities. The rest of the procedures on the upstream PEs remain the same. * Upon receiving the S-PMSI A-D routes, the downstream PEs select a primary upstream PE out of the list of (S-PMSI A-D route) next hops and add an RPF check to the (_,G)/(S,G) state in the BD or SBD (Supplementary Broadcast Domain). This RPF check discards all ingress packets to (_,G)/(S,G) that are not received from the selected primary Source VTEP. The selection of the primary upstream PE is a matter of local policy, for instance, an egress PE could keep track of traffic statistics of redundant flows and dynamically decide which flow is accepted based on traffic threshold information. The selection of the upstream PE for non-MPLS IP tunnels, instead of the primary Source Ethernet Segment, provides a solution for redundant sources connected to different upstream PEs, however it MUST NOT be used when the redundant sources are connected to the same upstream PE, or multi-homed to the same set of upstream PEs. In case the EVPN network uses non-MPLS IP tunnels that can carry a source Ethernet Segment identification, e.g., GENEVE or SRv6, all the procedures in [I-D.ietf-bess-evpn-redundant-mcast-source] for Hot Standby redundancy are followed. The following considerations apply: * In case of GENEVE [I-D.ietf-bess-evpn-geneve], an Ethernet option TLV MUST encode the ESI (Ethernet Segment Identifier) label value. This ESI label value is signaled by the EVPN A-D per ES routes, and advertised for SFG sources in S-PMSI A-D routes in the ESI Label Extended Communities as described in [I-D.ietf-bess-evpn-redundant-mcast-source]. The downstream PE can identify the packets coming from a selected primary Source Ethernet Segment based on a lookup on the Source Identifier of the Ethernet option TLV. Nagaraj, et al. Expires 27 April 2023 [Page 6] Internet-Draft EVPN Multicast Source Redundancy Update October 2022 * In case of SRv6 [RFC9252], the upstream PEs send multicast packets encapsulated in SRv6 tunnels that use End.DT2M as function and Arg.FE2 as argument. The Arg.FE2 argument in the packets identify the Source Ethernet Segment. The argument is signaled by the EVPN A-D per ES routes as specified in [RFC9252], and this document uses the same encoding of the argument also for the S-PMSI A-D routes that signal the Source Ethernet Segments for SFG sources, with the consideration that there may be multiple arguments signaled and that the arguments for the same Ethernet Segment in different upstream PEs MUST match. The downstream PE can then identify the packets coming from a selected primary Source Ethernet Segment based on the received argument. 2.2. Procedures for EVPN DCI Use Case To be added. 3. Security Considerations No additional security considerations are needed besides what are in [I-D.ietf-bess-evpn-redundant-mcast-source]. 4. Acknowledgements 5. References 5.1. Normative References [I-D.ietf-bess-evpn-geneve] Boutros, S., Sajassi, A., Drake, J., Rabadan, J., and S. Aldrin, "EVPN control plane for Geneve", Work in Progress, Internet-Draft, draft-ietf-bess-evpn-geneve-04, 23 May 2022, . [I-D.ietf-bess-evpn-redundant-mcast-source] Rabadan, J., Kotalwar, J., Sathappan, S., Zhang, Z. J., Lin, W., and E. C. Rosen, "Multicast Source Redundancy in EVPN Networks", Work in Progress, Internet-Draft, draft- ietf-bess-evpn-redundant-mcast-source-04, 7 October 2022, . [RFC6513] Rosen, E., Ed. and R. Aggarwal, Ed., "Multicast in MPLS/ BGP IP VPNs", RFC 6513, DOI 10.17487/RFC6513, February 2012, . Nagaraj, et al. Expires 27 April 2023 [Page 7] Internet-Draft EVPN Multicast Source Redundancy Update October 2022 [RFC9252] Dawra, G., Ed., Talaulikar, K., Ed., Raszuk, R., Decraene, B., Zhuang, S., and J. Rabadan, "BGP Overlay Services Based on Segment Routing over IPv6 (SRv6)", RFC 9252, DOI 10.17487/RFC9252, July 2022, . 5.2. Informative References [RFC9014] Rabadan, J., Ed., Sathappan, S., Henderickx, W., Sajassi, A., and J. Drake, "Interconnect Solution for Ethernet VPN (EVPN) Overlay Networks", RFC 9014, DOI 10.17487/RFC9014, May 2021, . Authors' Addresses Vinod Kumar Nagaraj Juniper Networks Email: vinkumar@juniper.net Vikram Nagarajan Juniper Networks Email: vikramna@juniper.net Zhaohui Zhang Juniper Networks Email: zzhang@juniper.net Jorge Rabadan Nokia Email: jorge.rabadan@nokia.com Nagaraj, et al. Expires 27 April 2023 [Page 8]