idnits 2.17.1 draft-eastlake-bess-evpn-vxlan-bypass-vtep-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 27, 2020) is 1459 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 INTERNET-DRAFT D. Eastlake 2 Intended status: Proposed Standard Futurewei Technologies 3 Z. Li 4 S. Zhuang 5 Huawei Technologies 7 Expires: October 26, 2020 April 27, 2020 9 EVPN VXLAN Bypass VTEP 10 12 Abstract 14 A principal feature of EVPN is the ability to support multihoming 15 from a customer equipment (CE) to multiple provider edge equipment 16 (PE) with all-active links. This draft specifies a mechanism to 17 simplify PEs used with VXLAN tunnels and enhance VXLAN Active-Active 18 reliability. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Distribution of this document is unlimited. Comments should be sent 26 to the BESS working group mailing list . 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF), its areas, and its working groups. Note that 30 other groups may also distribute working documents as Internet- 31 Drafts. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 The list of current Internet-Drafts can be accessed at 39 http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft 40 Shadow Directories can be accessed at 41 http://www.ietf.org/shadow.html. 43 Table of Contents 45 1. Introduction............................................3 46 1.1 Terminology and Acronyms...............................3 48 2. VXLAN Gateway High Reliability..........................4 49 3. Detailed Problem and Solution Requirement...............6 50 4. The Bypass VXLAN Extended Community Attribute...........7 51 5. Control Plane Processing................................9 53 6. Data Packet Processing................................10 54 6.1 Layer 2 Unicast Packet Forwarding.....................10 55 6.1.1 Uplink..............................................10 56 6.1.2 Downlink............................................10 57 6.2 BUM Packet Forwarding................................11 59 7. IANA Considerations....................................12 60 7.1 IPv4 Specific.........................................12 61 7.2 IPv6 Specific.........................................12 63 8. Security Considerations................................13 65 Acknowledgements..........................................13 66 Contributors..............................................14 68 Normative References......................................14 69 Informative References....................................14 71 Authors' Addresses........................................15 73 1. Introduction 75 A principal feature of EVPN is the ability to support multihoming 76 from a customer equipment (CE) to multiple provider edge equipment 77 (PE) with links used in the all-active redundancy mode. That mode is 78 where a device is multihomed to a group of two or more PEs and where 79 all PEs in such a redundancy group can forward traffic to/from the 80 multihomed device or network for a given VLAN [RFC7209]. This draft 81 specifies a VXLAN gateway mechanism to simplify PE processing in the 82 multi-homed case and enhance VXLAN Active-Active reliability. 84 1.1 Terminology and Acronyms 86 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 87 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 88 "OPTIONAL" in this document are to be interpreted as described in BCP 89 14 [RFC2119] [RFC8174] when, and only when, they appear in all 90 capitals, as shown here. 92 This document uses the following acronyms and terms: 94 All-Active Redundancy Mode - When a device is multihomed to a group 95 of two or more PEs and when all PEs in such redundancy group can 96 forward traffic to/from the multihomed device or network for a 97 given VLAN. 99 BUM - Broadcast, Unknown unicast, and Multicast. 101 CE - Customer Edge equipment. 103 DCI - Data Center Interconnect. 105 ESI - Ethernet Segment Identifier - A unique non-zero identifier that 106 identifies an Ethernet segment. 108 NVE - Network Virtualization Edge. 110 PE - Provider Edge equipment. 112 Single-Active Redundancy Mode - When a device or a network is 113 multihomed to a group of two or more PEs and when only a single PE 114 in such a redundancy group can forward traffic to/from the 115 multihomed device or network for a given VLAN. 117 VTEP - VXLAN Tunnel End Point. 119 VXLAN - Virtual eXtensible Local Area Network [RFC7348]. 121 2. VXLAN Gateway High Reliability 123 One example of the current situation would be a DCI (data center 124 interconnect) using VXLAN tunnels that is multihomed for reliability 125 as show in Figure 1. Each PE as a VXLAN Tunnel End Point (VTEP) uses 126 a different IP adress. Thus each PE must process EVPN updates based 127 on the ESIs [RFC7432]. 129 ......... 130 . DCI . 131 +----------+ . . +----------+ 132 | PE +---------------------+ PE | 133 |VTEP IP-1 +--- . VXLAN . ---+VTEP IP-3 | 134 +----------+ \ .Tunnels. / +----------= 135 / | ----- ----- | \ 136 +--+ | . \ / . | +--+ 137 |CE| | . X . | |CE| 138 +--+ | . / \ . | +--+ 139 \ | ----- ----- | / 140 +----------+ / . VXLAN . \ +----------+ 141 | PE +--- .Tunnels. ---+ PE | 142 |VTEP IP-2 +---------------------+VTEP IP-4 | 143 +----------+ . . +----------+ 144 ......... 146 Figure 1. Current Situtation 148 The situation is greatly simplified if the set of VTEPs connected to 149 a particular Ethernet segment all use the same anycast IP address. 150 PEs no longer need to conern themselves with whether a remote CE is 151 single or multi-homed. The situation is as shown in Figure 2. The IP 152 address within each VTEP group is synchronized by messages within 153 that group. 155 ......... 156 . DCI . 157 +----------+ . . +----------+ 158 | Anycast | . . | Anycast | 159 |VTEP IP-1 +--- . . ---+VTEP IP-2 | 160 +----------+ \ . . / +----------= 161 / ^ \ . . / ^ \ 162 +--+ | \. ./ | +--+ 163 |CE| Sy|nc >-------< Sy|nc |CE| 164 +--+ | /. VXLAN .\ | +--+ 165 \ v / . Tunnel. \ v / 166 +----------+ / . . \ +----------+ 167 | Anycast +--- . . ---+ Anycast | 168 |VTEP IP-1 | . . |VTEP IP-2 | 169 +----------+ . . +----------+ 170 ......... 172 Figure 2. Situtation Using Anycast 174 3. Detailed Problem and Solution Requirement 176 In the scenario illustrated in Figure 3, where an enterprise site and 177 a data center are interconnected, the VPN gateways (PE1 and PE2) and 178 the enterprise site (CPE) are connected through a VXLAN tunnel to 179 provide L2/L3 services between the enterprise site (CPE) and data 180 center. The data center gateway (CE1) is dual-homed to PE1 and PE2 181 to access the VXLAN network, which enhances network access 182 reliability. When one PE fails, services can be rapidly switched to 183 the other PE, minimizing the impact on services. 185 As shown in Figure 3, PE1 and PE2 use a virtual address as a Network 186 Virtualization Edge (NVE) interface address at the network side, 187 namely, the Anycast VTEP address. In this way, the CPE is aware of 188 only one remote NVE interface and establishes a VXLAN tunnel with the 189 virtual address. The packets from the CPE can reach CE1 through 190 either PE1 or PE2. However, single-homed CEs may exist, such as CE2 191 and CE3. As a result, after reaching a PE, the packets from the CPE 192 may need to be forwarded by the other PE to a single-homed CE. 193 Therefore, a bypass VXLAN tunnel needs to be established between PE1 194 and PE2. An EVPN peer relationship is established between PE1 and 195 PE2. Different addresses, namely, bypass VTEP addresses, are 196 configured for PE1 and PE2 so that they can establish a bypass VXLAN 197 tunnel. 199 +-----+ 200 ---------------- | CPE | 201 ^ +-----+ 202 | / \ 203 | / \ 204 VXLAN Tunnel / \ 205 | / \ 206 | / Anycast \ 207 v +-----+ VTEP +-----+ 208 --------- | PE1 |------| PE2 | 209 +-----+ +-----+ 210 /\ /\ 211 / \ / \ 212 / \ Trunk / \ 213 / \ / \ 214 / +\---/+ \ 215 / | \ / | \ 216 / +--+--+ \ 217 / | \ 218 +-----+ +-----+ +-----+ 219 | CE2 | | CE1 | | CE3 | 220 +-----+ +-----+ +-----+ 222 Figure 3. Basic networking of the VXLAN active-active scenario 224 4. The Bypass VXLAN Extended Community Attribute 226 This sections describes the extensions specified to meeting the 227 requirements given in Section 3 and enhance VXLAN active-active 228 reliability. 230 This document specifies two new BGP extended communities, called the 231 Bypass VXLAN Extended Community. The extended communities have a 232 Type indicating they are transitive and are IPv4-address-specific or 233 IPv6-address-specific, depending on whether the VTEP address to be 234 accommodated is IPv4 or IPv6. In the new extended communities, the 235 4-byte or 16-byte global administrator field encodes the IPv4 or IPv6 236 address that is the VTEP address and the 2-byte local administrator 237 field is formatted as shown in Figures 4 and 5. 239 0 1 2 3 240 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 241 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 242 | Type=0x01 | Sub-Type=TBA1 | IPv4 Address | 243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 244 | IPv4 Address (cont.) | Flags | Reserved | 245 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 247 Figure 4. IPv4-address-specific Bypass VXLAN Extended Community 249 0 1 2 3 250 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 252 | Type=0x00/0x40| Sub-Type=TBA2 | Target IPv6 Address | 253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 254 | Target IPv6 Address (cont.) | 255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 256 | Target IPv6 Address (cont.) | 257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 258 | Target IPv6 Address (cont.) | 259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 260 | Target IPv6 Address (cont.) | Flags | Reserved | 261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 263 Figure 5. IPv6-address-specific Bypass VXLAN Extended Community 265 Where 267 Type: 268 0x01 = type for IPv4 specific use. 269 0x00 = type for transitive IPv6 specific use. 270 0x40 = type for non-transitive IPv6 specific use. 272 Sub-Type: 273 TBA1 = subtype for IPv4 specific use. 275 TBA2 = subtype for IPv6 specific use. 277 IPv4/IPv6: An address of that type. 279 Flags: MUST be sent as zero and ignored on receipt. 281 Reserved: MUST be sent as zero and ignored on receipt. 283 5. Control Plane Processing 285 Using the topology in Figure 3: 287 1) PE2 sends a multicast route to PE1. The source address of the 288 route is the Anycast VTEP address shared by PE1 and PE2. The 289 route carries the bypass VXLAN extended community attribute, 290 including the bypass VTEP address of PE1. 292 2) After receiving the multicast route from PE2, PE1 considers that 293 an Anycast relationship be established with PE2. This is because 294 the source address (Anycast VTEP address) of the route is the same 295 as the local virtual address of PE1 and the route carries the 296 bypass VTEP extended community attribute. Based on the bypass 297 VXLAN extended attribute of the route, PE1 establishes a bypass 298 VXLAN tunnel to PE2. 300 3) PE1 learns the MAC address of the CEs through upstream packets 301 from the CEs and advertises them as routes to PE2 through BGP 302 EVPN. The routes carry the ESI of the links accessed by the CEs, 303 and information about the VLANs that the CE access, and the bypass 304 VXLAN extended community attribute. 306 4) PE1 learns the MAC address of the CPE through downstream packets 307 at the network side, specifies that the next-hop address of the 308 MAC route can be iterated to a static VXLAN tunnel, and advertises 309 the route to PE2. The next-hop address of the MAC route cannot be 310 changed. 312 6. Data Packet Processing 314 This section describes how Layer 2 unicast and BUM (Broadcast, 315 Unknown unicast, and Multicast) packets are forwarded. A description 316 of how Layer 3 packets transmitted on the same subnet and Layer 3 317 packets transmitted across subnets cases are forwarded will be 318 provided in a furture version of this document. 320 6.1 Layer 2 Unicast Packet Forwarding 322 The following two subsections discuss Layer 2 unicast forwarding in 323 the topology shown in Figure 3. 325 6.1.1 Uplink 327 After receiving Layer 2 unicast packets destined for the CPE from 328 CE1, CE2, and CE3, PE1 and PE2 search for their local MAC address 329 table to obtain outbound interfaces, perform VXLAN encapsulation on 330 the packets, and forward them to the CPE. 332 6.1.2 Downlink 334 After receiving a Layer 2 unicast packet sent by the CPE to CE1, PE1 335 performs VXLAN decapsulation on the packet, searches the local MAC 336 address table for the destination MAC address, obtains the outbound 337 interface, and forwards the packet to CE1. 339 After receiving a Layer 2 unicast packet sent by the CPE to CE2, PE1 340 performs VXLAN decapsulation on the packet, searches the local MAC 341 address table for the destination MAC address, obtains the outbound 342 interface, and forwards the packet to CE2. 344 After receiving a Layer 2 unicast packet sent by the CPE to CE3, PE1 345 performs VXLAN decapsulation on the packet, searches the local MAC 346 address table for the destination MAC address, and forwards it to PE2 347 over the bypass VXLAN tunnel. After the packet reaches PE2, PE2 348 searches the destination MAC address, obtains the outbound interface, 349 and forwards the packet to CE3. 351 The process for PE2 to forward packets from the CPE is the same as 352 that for PE1 to forward packets from the CPE with the roles of CE2 353 and CE3 swapped. 355 6.2 BUM Packet Forwarding 357 Using the topology in Figure 3, if the destination address of a BUM 358 packet from the CPE is the Anycast VTEP address of PE1 and PE2, the 359 BUM packet may be forwarded to either PE1 or PE2. If the BUM packet 360 reaches PE2, PE2 sends a copy of the packet to CE3 and CE1. In 361 addition, PE2 sends a copy of the packet to PE1 through the bypass 362 VXLAN tunnel between PE1 and PE2. After the copy of the packet 363 reaches PE1, PE1 sends it to CE2, not to the CPE or CE1. In this 364 way, CE1 receives only one copy of the packet. 366 Using the topology in Figure 3, after a BUM packet from CE2 reaches 367 PE1, PE1 sends a copy of the packet to CE1 and the CPE. In addition, 368 PE1 sends a copy of the packet to PE2 through the bypass VXLAN tunnel 369 between PE1 and PE2. After the copy of the packet reaches PE2, PE2 370 sends it to CE3, not to the CPE or CE1. 372 Using the topology in Figure 3, after a BUM packet from CE1 reaches 373 PE1, PE1 sends a copy of the packet to CE2 and the CPE. In addition, 374 PE1 sends a copy of the packet to PE2 through the bypass VXLAN tunnel 375 between PE1 and PE2. After the copy of the packet reaches PE2, PE2 376 sends it to CE3, not to the CPE or CE1. 378 7. IANA Considerations 380 IANA is requested to assign two new Extended Community attribute 381 SubTypes as follows: 383 7.1 IPv4 Specific 385 Sub-Type Value Name Reference 386 -------------- ------------------------------- ---------- 387 TBA1 Bypass VXLAN Extended Community [this doc] 389 7.2 IPv6 Specific 391 Sub-Type Value Name Reference 392 -------------- ------------------------------- ---------- 393 TBA2 Bypass VXLAN Extended Community [this doc] 395 8. Security Considerations 397 TBD 399 For general EVPN Security Considerations, see [RFC7432]. 401 Acknowledgements 403 The authors would like to thank the following for their comments and 404 review of this document: 406 TBD 408 Contributors 410 The following individuals made significant contributions to this 411 document: 413 Haibo Wang 414 Huawei Technologies 415 Huawei Bldg., No. 156 Beiqing Road 416 Beijing 100095 417 China 419 Email: rainsword.wang@huawei.com 421 Normative References 423 [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate 424 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, 425 March 1997, . 427 [RFC7432] - Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., 428 Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based 429 Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February 2015, 430 . 432 [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 433 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 434 2017, . 436 Informative References 438 [RFC7209] - Sajassi, A., Aggarwal, R., Uttaro, J., Bitar, N., 439 Henderickx, W., and A. Isaac, "Requirements for Ethernet VPN 440 (EVPN)", RFC 7209, DOI 10.17487/RFC7209, May 2014, 441 . 443 [RFC7348] - Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, 444 L., Sridhar, T., Bursell, M., and C. Wright, "Virtual 445 eXtensible Local Area Network (VXLAN): A Framework for 446 Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", 447 RFC 7348, DOI 10.17487/RFC7348, August 2014, . 450 Authors' Addresses 452 Donald E. Eastlake, 3rd 453 Futurewei Technologies 454 2386 Panormaic Circle 455 Apopka, FL 32703 USA 457 Phone: +1-508-333-2270 458 Email: d3e3e3@gmail.com 460 Zhenbin Li 461 Huawei Technologies 462 Huawei Bld., No.156 Beiqing Rd. 463 Beijing 100095 464 China 466 Email: lizhenbin@huawei.com 468 Shunwan Zhuang 469 Huawei Technologies 470 Huawei Bld., No.156 Beiqing Rd. 471 Beijing 100095 472 China 474 Email: zhuangshunwan@huawei.com 476 Copyright, Disclaimer, and Additional IPR Provisions 478 Copyright (c) 2020 IETF Trust and the persons identified as the 479 document authors. All rights reserved. 481 This document is subject to BCP 78 and the IETF Trust's Legal 482 Provisions Relating to IETF Documents 483 (http://trustee.ietf.org/license-info) in effect on the date of 484 publication of this document. Please review these documents 485 carefully, as they describe your rights and restrictions with respect 486 to this document. Code Components extracted from this document must 487 include Simplified BSD License text as described in Section 4.e of 488 the Trust Legal Provisions and are provided without warranty as 489 described in the Simplified BSD License. The definitive version of 490 an IETF Document is that published by, or under the auspices of, the 491 IETF. Versions of IETF Documents that are published by third parties, 492 including those that are translated into other languages, should not 493 be considered to be definitive versions of IETF Documents. The 494 definitive version of these Legal Provisions is that published by, or 495 under the auspices of, the IETF. Versions of these Legal Provisions 496 that are published by third parties, including those that are 497 translated into other languages, should not be considered to be 498 definitive versions of these Legal Provisions. For the avoidance of 499 doubt, each Contributor to the IETF Standards Process licenses each 500 Contribution that he or she makes as part of the IETF Standards 501 Process to the IETF Trust pursuant to the provisions of RFC 5378. No 502 language to the contrary, or terms, conditions or rights that differ 503 from or are inconsistent with the rights and licenses granted under 504 RFC 5378, shall have any effect and shall be null and void, whether 505 published or posted by such Contributor, or included with or in such 506 Contribution.