idnits 2.17.1 draft-eastlake-bess-evpn-vxlan-bypass-vtep-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 4, 2019) is 1629 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 INTERNET-DRAFT D. Eastlake 2 Intended status: Proposed Standard Futurewei Technologies 3 Z. Li 4 S. Zhuang 5 Huawei Technologies 7 Expires: May 3, 2020 November 4, 2019 9 EVPN VXLAN Bypass VTEP 10 12 Abstract 14 A principal feature of EVPN is the ability to support multihoming 15 from a customer equipment (CE) to multiple provider edge equipment 16 (PE) with all-active links. This draft specifies a mechanism to 17 simplify PEs used with VXLAN tunnels and enhance VXLAN Active-Active 18 reliability. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Distribution of this document is unlimited. Comments should be sent 26 to the BESS working group mailing list . 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF), its areas, and its working groups. Note that 30 other groups may also distribute working documents as Internet- 31 Drafts. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 The list of current Internet-Drafts can be accessed at 39 http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft 40 Shadow Directories can be accessed at 41 http://www.ietf.org/shadow.html. 43 Table of Contents 45 1. Introduction............................................3 46 1.1 Terminology and Acronyms...............................3 48 2. VXLAN Gateway High Reliability..........................4 49 3. Detailed Problem and Solution Requirement...............6 50 4. The Bypass VXLAN Extended Community Attribute...........7 51 5. Control Plane Processing................................9 52 6. Data Packet Processing................................10 53 6.1 Layer 2 Unicast Packet Forwarding.....................10 54 6.1.1 Uplink..............................................10 55 6.1.2 Downlink............................................10 56 6.2 BUM Packet Forwarding................................11 58 7. IANA Considerations....................................12 59 7.1 IPv4 Specific.........................................12 60 7.2 IPv6 Specific.........................................12 62 8. Security Considerations................................13 64 Acknowledgements..........................................13 65 Contributors..............................................14 67 Normative References......................................14 68 Informative References....................................14 70 Authors' Addresses........................................15 72 1. Introduction 74 A principal feature of EVPN is the ability to support multihoming 75 from a customer equipment (CE) to multiple provider edge equipment 76 (PE) with links used in the all-active redundancy mode. That mode is 77 where a device is multihomed to a group of two or more PEs and where 78 all PEs in such a redundancy group can forward traffic to/from the 79 multihomed device or network for a given VLAN [RFC7209]. This draft 80 specifies a VXLAN gateway mechanism to simplify PE processing in the 81 multi-homed case and enhance VXLAN Active-Active reliability. 83 1.1 Terminology and Acronyms 85 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 86 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 87 "OPTIONAL" in this document are to be interpreted as described in BCP 88 14 [RFC2119] [RFC8174] when, and only when, they appear in all 89 capitals, as shown here. 91 This document uses the following acronyms and terms: 93 All-Active Redundancy Mode - When a device is multihomed to a group 94 of two or more PEs and when all PEs in such redundancy group can 95 forward traffic to/from the multihomed device or network for a 96 given VLAN. 98 BUM - Broadcast, Unknown unicast, and Multicast. 100 CE - Customer Edge equipment. 102 DCI - Data Center Interconnect. 104 ESI - Ethernet Segment Identifier - A unique non-zero identifier that 105 identifies an Ethernet segment. 107 NVE - Network Virtualization Edge. 109 PE - Provider Edge equipment. 111 Single-Active Redundancy Mode - When a device or a network is 112 multihomed to a group of two or more PEs and when only a single PE 113 in such a redundancy group can forward traffic to/from the 114 multihomed device or network for a given VLAN. 116 VTEP - VXLAN Tunnel End Point. 118 VXLAN - Virtual eXtensible Local Area Network [RFC7348]. 120 2. VXLAN Gateway High Reliability 122 One example of the current situation would be a DCI (data center 123 interconnect) using VXLAN tunnels that is multihomed for reliability 124 as show in Figure 1. Each PE as a VXLAN Tunnel End Point (VTEP) uses 125 a different IP adress. Thus each PE must process EVPN updates based 126 on the ESIs [RFC7432]. 128 ......... 129 . DCI . 130 +----------+ . . +----------+ 131 | PE +---------------------+ PE | 132 |VTEP IP-1 +--- . VXLAN . ---+VTEP IP-3 | 133 +----------+ \ .Tunnels. / +----------= 134 / | ----- ----- | \ 135 +--+ | . \ / . | +--+ 136 |CE| | . X . | |CE| 137 +--+ | . / \ . | +--+ 138 \ | ----- ----- | / 139 +----------+ / . VXLAN . \ +----------+ 140 | PE +--- .Tunnels. ---+ PE | 141 |VTEP IP-2 +---------------------+VTEP IP-4 | 142 +----------+ . . +----------+ 143 ......... 145 Figure 1. Current Situtation 147 The situation is greatly simplified if the set of VTEPs connected to 148 a particular Ethernet segment all use the same anycast IP address. 149 PEs no longer need to conern themselves with whether a remote CE is 150 single or multi-homed. The situation is as shown in Figure 2. The IP 151 address within each VTEP group is synchronized by messages within 152 that group. 154 ......... 155 . DCI . 156 +----------+ . . +----------+ 157 | Anycast | . . | Anycast | 158 |VTEP IP-1 +--- . . ---+VTEP IP-2 | 159 +----------+ \ . . / +----------= 160 / ^ \ . . / ^ \ 161 +--+ | \. ./ | +--+ 162 |CE| Sy|nc >-------< Sy|nc |CE| 163 +--+ | /. VXLAN .\ | +--+ 164 \ v / . Tunnel. \ v / 165 +----------+ / . . \ +----------+ 166 | Anycast +--- . . ---+ Anycast | 167 |VTEP IP-1 | . . |VTEP IP-2 | 168 +----------+ . . +----------+ 169 ......... 171 Figure 2. Situtation Using Anycast 173 3. Detailed Problem and Solution Requirement 175 In the scenario illustrated in Figure 3, where an enterprise site and 176 a data center are interconnected, the VPN gateways (PE1 and PE2) and 177 the enterprise site (CPE) are connected through a VXLAN tunnel to 178 provide L2/L3 services between the enterprise site (CPE) and data 179 center. The data center gateway (CE1) is dual-homed to PE1 and PE2 180 to access the VXLAN network, which enhances network access 181 reliability. When one PE fails, services can be rapidly switched to 182 the other PE, minimizing the impact on services. 184 As shown in Figure 3, PE1 and PE2 use a virtual address as a Network 185 Virtualization Edge (NVE) interface address at the network side, 186 namely, the Anycast VTEP address. In this way, the CPE is aware of 187 only one remote NVE interface and establishes a VXLAN tunnel with the 188 virtual address. The packets from the CPE can reach CE1 through 189 either PE1 or PE2. However, single-homed CEs may exist, such as CE2 190 and CE3. As a result, after reaching a PE, the packets from the CPE 191 may need to be forwarded by the other PE to a single-homed CE. 192 Therefore, a bypass VXLAN tunnel needs to be established between PE1 193 and PE2. An EVPN peer relationship is established between PE1 and 194 PE2. Different addresses, namely, bypass VTEP addresses, are 195 configured for PE1 and PE2 so that they can establish a bypass VXLAN 196 tunnel. 198 +-----+ 199 ---------------- | CPE | 200 ^ +-----+ 201 | / \ 202 | / \ 203 VXLAN Tunnel / \ 204 | / \ 205 | / Anycast \ 206 v +-----+ VTEP +-----+ 207 --------- | PE1 |------| PE2 | 208 +-----+ +-----+ 209 /\ /\ 210 / \ / \ 211 / \ Trunk / \ 212 / \ / \ 213 / +\---/+ \ 214 / | \ / | \ 215 / +--+--+ \ 216 / | \ 217 +-----+ +-----+ +-----+ 218 | CE2 | | CE1 | | CE3 | 219 +-----+ +-----+ +-----+ 221 Figure 3. Basic networking of the VXLAN active-active scenario 223 4. The Bypass VXLAN Extended Community Attribute 225 This sections describes the extensions specified to meeting the 226 requirements given in Section 3 and enhance VXLAN active-active 227 reliability. 229 This document specifies two new BGP extended communities, called the 230 Bypass VXLAN Extended Community. The extended communities have a 231 Type indicating they are transitive and are IPv4-address-specific or 232 IPv6-address-specific, depending on whether the VTEP address to be 233 accommodated is IPv4 or IPv6. In the new extended communities, the 234 4-byte or 16-byte global administrator field encodes the IPv4 or IPv6 235 address that is the VTEP address and the 2-byte local administrator 236 field is formatted as shown in Figures 4 and 5. 238 0 1 2 3 239 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 240 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 241 | Type=0x01 | Sub-Type=TBA1 | IPv4 Address | 242 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 243 | IPv4 Address (cont.) | Flags | Reserved | 244 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 246 Figure 4. IPv4-address-specific Bypass VXLAN Extended Community 248 0 1 2 3 249 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 250 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 251 | Type=0x00/0x40| Sub-Type=TBA2 | Target IPv6 Address | 252 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 253 | Target IPv6 Address (cont.) | 254 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 255 | Target IPv6 Address (cont.) | 256 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 257 | Target IPv6 Address (cont.) | 258 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 259 | Target IPv6 Address (cont.) | Flags | Reserved | 260 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 262 Figure 5. IPv6-address-specific Bypass VXLAN Extended Community 264 Where 266 Type: 267 0x01 = type for IPv4 specific use. 268 0x00 = type for transitive IPv6 specific use. 269 0x40 = type for non-transitive IPv6 specific use. 271 Sub-Type: 272 TBA1 = subtype for IPv4 specific use. 274 TBA2 = subtype for IPv6 specific use. 276 IPv4/IPv6: An address of that type. 278 Flags: MUST be sent as zero and ignored on receipt. 280 Reserved: MUST be sent as zero and ignored on receipt. 282 5. Control Plane Processing 284 Using the topology in Figure 3: 286 1) PE2 sends a multicast route to PE1. The source address of the 287 route is the Anycast VTEP address shared by PE1 and PE2. The 288 route carries the bypass VXLAN extended community attribute, 289 including the bypass VTEP address of PE1. 291 2) After receiving the multicast route from PE2, PE1 considers that 292 an Anycast relationship be established with PE2. This is because 293 the source address (Anycast VTEP address) of the route is the same 294 as the local virtual address of PE1 and the route carries the 295 bypass VTEP extended community attribute. Based on the bypass 296 VXLAN extended attribute of the route, PE1 establishes a bypass 297 VXLAN tunnel to PE2. 299 3) PE1 learns the MAC address of the CEs through upstream packets 300 from the CEs and advertises them as routes to PE2 through BGP 301 EVPN. The routes carry the ESI of the links accessed by the CEs, 302 and information about the VLANs that the CE access, and the bypass 303 VXLAN extended community attribute. 305 4) PE1 learns the MAC address of the CPE through downstream packets 306 at the network side, specifies that the next-hop address of the 307 MAC route can be iterated to a static VXLAN tunnel, and advertises 308 the route to PE2. The next-hop address of the MAC route cannot be 309 changed. 311 6. Data Packet Processing 313 This section describes how Layer 2 unicast and BUM (Broadcast, 314 Unknown unicast, and Multicast) packets are forwarded. A description 315 of how Layer 3 packets transmitted on the same subnet and Layer 3 316 packets transmitted across subnets cases are forwarded will be 317 provided in a furture version of this document. 319 6.1 Layer 2 Unicast Packet Forwarding 321 The following two subsections discuss Layer 2 unicast forwarding in 322 the topology shown in Figure 3. 324 6.1.1 Uplink 326 After receiving Layer 2 unicast packets destined for the CPE from 327 CE1, CE2, and CE3, PE1 and PE2 search for their local MAC address 328 table to obtain outbound interfaces, perform VXLAN encapsulation on 329 the packets, and forward them to the CPE. 331 6.1.2 Downlink 333 After receiving a Layer 2 unicast packet sent by the CPE to CE1, PE1 334 performs VXLAN decapsulation on the packet, searches the local MAC 335 address table for the destination MAC address, obtains the outbound 336 interface, and forwards the packet to CE1. 338 After receiving a Layer 2 unicast packet sent by the CPE to CE2, PE1 339 performs VXLAN decapsulation on the packet, searches the local MAC 340 address table for the destination MAC address, obtains the outbound 341 interface, and forwards the packet to CE2. 343 After receiving a Layer 2 unicast packet sent by the CPE to CE3, PE1 344 performs VXLAN decapsulation on the packet, searches the local MAC 345 address table for the destination MAC address, and forwards it to PE2 346 over the bypass VXLAN tunnel. After the packet reaches PE2, PE2 347 searches the destination MAC address, obtains the outbound interface, 348 and forwards the packet to CE3. 350 The process for PE2 to forward packets from the CPE is the same as 351 that for PE1 to forward packets from the CPE with the roles of CE2 352 and CE3 swapped. 354 6.2 BUM Packet Forwarding 356 Using the topology in Figure 3, if the destination address of a BUM 357 packet from the CPE is the Anycast VTEP address of PE1 and PE2, the 358 BUM packet may be forwarded to either PE1 or PE2. If the BUM packet 359 reaches PE2, PE2 sends a copy of the packet to CE3 and CE1. In 360 addition, PE2 sends a copy of the packet to PE1 through the bypass 361 VXLAN tunnel between PE1 and PE2. After the copy of the packet 362 reaches PE1, PE1 sends it to CE2, not to the CPE or CE1. In this 363 way, CE1 receives only one copy of the packet. 365 Using the topology in Figure 3, after a BUM packet from CE2 reaches 366 PE1, PE1 sends a copy of the packet to CE1 and the CPE. In addition, 367 PE1 sends a copy of the packet to PE2 through the bypass VXLAN tunnel 368 between PE1 and PE2. After the copy of the packet reaches PE2, PE2 369 sends it to CE3, not to the CPE or CE1. 371 Using the topology in Figure 3, after a BUM packet from CE1 reaches 372 PE1, PE1 sends a copy of the packet to CE2 and the CPE. In addition, 373 PE1 sends a copy of the packet to PE2 through the bypass VXLAN tunnel 374 between PE1 and PE2. After the copy of the packet reaches PE2, PE2 375 sends it to CE3, not to the CPE or CE1. 377 7. IANA Considerations 379 IANA is requested to assign two new Extended Community attribute 380 SubTypes as follows: 382 7.1 IPv4 Specific 384 Sub-Type Value Name Reference 385 -------------- ------------------------------- ---------- 386 TBA1 Bypass VXLAN Extended Community [this doc] 388 7.2 IPv6 Specific 390 Sub-Type Value Name Reference 391 -------------- ------------------------------- ---------- 392 TBA2 Bypass VXLAN Extended Community [this doc] 394 8. Security Considerations 396 TBD 398 For general EVPN Security Considerations, see [RFC7432]. 400 Acknowledgements 402 The authors would like to thank the following for their comments and 403 review of this document: 405 TBD 407 Contributors 409 The following individuals made significant contributions to this 410 document: 412 Haibo Wang 413 Huawei Technologies 414 Huawei Bldg., No. 156 Beiqing Road 415 Beijing 100095 416 China 418 Email: rainsword.wang@huawei.com 420 Normative References 422 [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate 423 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, 424 March 1997, . 426 [RFC7432] - Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., 427 Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based 428 Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February 2015, 429 . 431 [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 432 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 433 2017, . 435 Informative References 437 [RFC7209] - Sajassi, A., Aggarwal, R., Uttaro, J., Bitar, N., 438 Henderickx, W., and A. Isaac, "Requirements for Ethernet VPN 439 (EVPN)", RFC 7209, DOI 10.17487/RFC7209, May 2014, 440 . 442 [RFC7348] - Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, 443 L., Sridhar, T., Bursell, M., and C. Wright, "Virtual 444 eXtensible Local Area Network (VXLAN): A Framework for 445 Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", 446 RFC 7348, DOI 10.17487/RFC7348, August 2014, . 449 Authors' Addresses 451 Donald E. Eastlake, 3rd 452 Futurewei Technologies 453 2386 Panormaic Circle 454 Apopka, FL 32703 USA 456 Phone: +1-508-333-2270 457 Email: d3e3e3@gmail.com 459 Zhenbin Li 460 Huawei Technologies 461 Huawei Bld., No.156 Beiqing Rd. 462 Beijing 100095 463 China 465 Email: lizhenbin@huawei.com 467 Shunwan Zhuang 468 Huawei Technologies 469 Huawei Bld., No.156 Beiqing Rd. 470 Beijing 100095 471 China 473 Email: zhuangshunwan@huawei.com 475 Copyright, Disclaimer, and Additional IPR Provisions 477 Copyright (c) 2019 IETF Trust and the persons identified as the 478 document authors. All rights reserved. 480 This document is subject to BCP 78 and the IETF Trust's Legal 481 Provisions Relating to IETF Documents 482 (http://trustee.ietf.org/license-info) in effect on the date of 483 publication of this document. Please review these documents 484 carefully, as they describe your rights and restrictions with respect 485 to this document. Code Components extracted from this document must 486 include Simplified BSD License text as described in Section 4.e of 487 the Trust Legal Provisions and are provided without warranty as 488 described in the Simplified BSD License. The definitive version of 489 an IETF Document is that published by, or under the auspices of, the 490 IETF. Versions of IETF Documents that are published by third parties, 491 including those that are translated into other languages, should not 492 be considered to be definitive versions of IETF Documents. The 493 definitive version of these Legal Provisions is that published by, or 494 under the auspices of, the IETF. Versions of these Legal Provisions 495 that are published by third parties, including those that are 496 translated into other languages, should not be considered to be 497 definitive versions of these Legal Provisions. For the avoidance of 498 doubt, each Contributor to the IETF Standards Process licenses each 499 Contribution that he or she makes as part of the IETF Standards 500 Process to the IETF Trust pursuant to the provisions of RFC 5378. No 501 language to the contrary, or terms, conditions or rights that differ 502 from or are inconsistent with the rights and licenses granted under 503 RFC 5378, shall have any effect and shall be null and void, whether 504 published or posted by such Contributor, or included with or in such 505 Contribution.