idnits 2.17.1 draft-eastlake-bess-evpn-vxlan-bypass-vtep-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 19, 2020) is 1282 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 INTERNET-DRAFT D. Eastlake 2 Intended status: Proposed Standard Futurewei Technologies 3 Z. Li 4 S. Zhuang 5 Huawei Technologies 7 Expires: April 18, 2021 October 19, 2020 9 EVPN VXLAN Bypass VTEP 10 12 Abstract 14 A principal feature of EVPN is the ability to support multihoming 15 from a customer equipment (CE) to multiple provider edge equipment 16 (PE) with all-active links. This draft specifies a mechanism to 17 simplify PEs used with VXLAN tunnels and enhance VXLAN Active-Active 18 reliability. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Distribution of this document is unlimited. Comments should be sent 26 to the BESS working group mailing list . 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF), its areas, and its working groups. Note that 30 other groups may also distribute working documents as Internet- 31 Drafts. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 The list of current Internet-Drafts can be accessed at 39 http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft 40 Shadow Directories can be accessed at 41 http://www.ietf.org/shadow.html. 43 Table of Contents 45 1. Introduction............................................3 46 1.1 Terminology and Acronyms...............................3 48 2. VXLAN Gateway High Reliability..........................4 49 3. Detailed Problem and Solution Requirement...............6 50 4. The Bypass VXLAN Extended Community Attribute...........7 51 5. Control Plane Processing................................9 53 6. Data Packet Processing................................10 54 6.1 Layer 2 Unicast Packet Forwarding.....................10 55 6.1.1 Uplink..............................................10 56 6.1.2 Downlink............................................10 57 6.2 BUM Packet Forwarding................................11 59 7. IANA Considerations....................................12 60 7.1 IPv4 Specific.........................................12 61 7.2 IPv6 Specific.........................................12 63 8. Security Considerations................................13 65 Acknowledgements..........................................13 66 Contributors..............................................14 68 Normative References......................................14 69 Informative References....................................14 71 1. Introduction 73 A principal feature of EVPN is the ability to support multihoming 74 from a customer equipment (CE) to multiple provider edge equipment 75 (PE) with links used in the all-active redundancy mode. That mode is 76 where a device is multihomed to a group of two or more PEs and where 77 all PEs in such a redundancy group can forward traffic to/from the 78 multihomed device or network for a given VLAN [RFC7209]. This draft 79 specifies a VXLAN gateway mechanism to simplify PE processing in the 80 multi-homed case and enhance VXLAN Active-Active reliability. 82 1.1 Terminology and Acronyms 84 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 85 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 86 "OPTIONAL" in this document are to be interpreted as described in BCP 87 14 [RFC2119] [RFC8174] when, and only when, they appear in all 88 capitals, as shown here. 90 This document uses the following acronyms and terms: 92 All-Active Redundancy Mode - When a device is multihomed to a group 93 of two or more PEs and when all PEs in such redundancy group can 94 forward traffic to/from the multihomed device or network for a 95 given VLAN. 97 BUM - Broadcast, Unknown unicast, and Multicast. 99 CE - Customer Edge equipment. 101 DCI - Data Center Interconnect. 103 ESI - Ethernet Segment Identifier - A unique non-zero identifier that 104 identifies an Ethernet segment. 106 NVE - Network Virtualization Edge. 108 PE - Provider Edge equipment. 110 Single-Active Redundancy Mode - When a device or a network is 111 multihomed to a group of two or more PEs and when only a single PE 112 in such a redundancy group can forward traffic to/from the 113 multihomed device or network for a given VLAN. 115 VTEP - VXLAN Tunnel End Point. 117 VXLAN - Virtual eXtensible Local Area Network [RFC7348]. 119 2. VXLAN Gateway High Reliability 121 One example of the current situation would be a DCI (data center 122 interconnect) using VXLAN tunnels that is multihomed for reliability 123 as show in Figure 1. Each PE as a VXLAN Tunnel End Point (VTEP) uses 124 a different IP adress. Thus each PE must process EVPN updates based 125 on the ESIs [RFC7432]. 127 ......... 128 . DCI . 129 +----------+ . . +----------+ 130 | PE +---------------------+ PE | 131 |VTEP IP-1 +--- . VXLAN . ---+VTEP IP-3 | 132 +----------+ \ .Tunnels. / +----------= 133 / | ----- ----- | \ 134 +--+ | . \ / . | +--+ 135 |CE| | . X . | |CE| 136 +--+ | . / \ . | +--+ 137 \ | ----- ----- | / 138 +----------+ / . VXLAN . \ +----------+ 139 | PE +--- .Tunnels. ---+ PE | 140 |VTEP IP-2 +---------------------+VTEP IP-4 | 141 +----------+ . . +----------+ 142 ......... 144 Figure 1. Current Situtation 146 The situation is greatly simplified if the set of VTEPs connected to 147 a particular Ethernet segment all use the same anycast IP address. 148 PEs no longer need to conern themselves with whether a remote CE is 149 single or multi-homed. The situation is as shown in Figure 2. The IP 150 address within each VTEP group is synchronized by messages within 151 that group. 153 ......... 154 . DCI . 155 +----------+ . . +----------+ 156 | Anycast | . . | Anycast | 157 |VTEP IP-1 +--- . . ---+VTEP IP-2 | 158 +----------+ \ . . / +----------= 159 / ^ \ . . / ^ \ 160 +--+ | \. ./ | +--+ 161 |CE| Sy|nc >-------< Sy|nc |CE| 162 +--+ | /. VXLAN .\ | +--+ 163 \ v / . Tunnel. \ v / 164 +----------+ / . . \ +----------+ 165 | Anycast +--- . . ---+ Anycast | 166 |VTEP IP-1 | . . |VTEP IP-2 | 167 +----------+ . . +----------+ 168 ......... 170 Figure 2. Situtation Using Anycast 172 3. Detailed Problem and Solution Requirement 174 In the scenario illustrated in Figure 3, where an enterprise site and 175 a data center are interconnected, the VPN gateways (PE1 and PE2) and 176 the enterprise site (CPE) are connected through a VXLAN tunnel to 177 provide L2/L3 services between the enterprise site (CPE) and data 178 center. The data center gateway (CE1) is dual-homed to PE1 and PE2 179 to access the VXLAN network, which enhances network access 180 reliability. When one PE fails, services can be rapidly switched to 181 the other PE, minimizing the impact on services. 183 As shown in Figure 3, PE1 and PE2 use a virtual address as a Network 184 Virtualization Edge (NVE) interface address at the network side, 185 namely, the Anycast VTEP address. In this way, the CPE is aware of 186 only one remote NVE interface and establishes a VXLAN tunnel with the 187 virtual address. The packets from the CPE can reach CE1 through 188 either PE1 or PE2. However, single-homed CEs may exist, such as CE2 189 and CE3. As a result, after reaching a PE, the packets from the CPE 190 may need to be forwarded by the other PE to a single-homed CE. 191 Therefore, a bypass VXLAN tunnel needs to be established between PE1 192 and PE2. An EVPN peer relationship is established between PE1 and 193 PE2. Different addresses, namely, bypass VTEP addresses, are 194 configured for PE1 and PE2 so that they can establish a bypass VXLAN 195 tunnel. 197 +-----+ 198 ---------------- | CPE | 199 ^ +-----+ 200 | / \ 201 | / \ 202 VXLAN Tunnel / \ 203 | / \ 204 | / Anycast \ 205 v +-----+ VTEP +-----+ 206 --------- | PE1 |------| PE2 | 207 +-----+ +-----+ 208 /\ /\ 209 / \ / \ 210 / \ Trunk / \ 211 / \ / \ 212 / +\---/+ \ 213 / | \ / | \ 214 / +--+--+ \ 215 / | \ 216 +-----+ +-----+ +-----+ 217 | CE2 | | CE1 | | CE3 | 218 +-----+ +-----+ +-----+ 220 Figure 3. Basic networking of the VXLAN active-active scenario 222 4. The Bypass VXLAN Extended Community Attribute 224 This sections specifies the extensions to meet the requirements given 225 in Section 3 and enhance VXLAN active-active reliability. 227 This document specifies two new BGP extended communities, the IPv4 228 and IPv6 Bypass VXLAN Extended Communities. These extended 229 communities are IPv4-address-specific or IPv6-address-specific, 230 depending on whether the VTEP address to be accommodated is IPv4 or 231 IPv6. In the new extended communities, the 4-byte or 16-byte global 232 administrator field encodes the IPv4 or IPv6 address that is the VTEP 233 address and the 2-byte local administrator field is formatted as 234 shown in Figures 4 and 5. 236 0 1 2 3 237 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 238 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 239 | Type=0x01 | Sub-Type=TBA1 | IPv4 Address | 240 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 241 | IPv4 Address (cont.) | Flags | Reserved | 242 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 244 Figure 4. IPv4-address-specific Bypass VXLAN Extended Community 246 0 1 2 3 247 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 248 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 249 | Type=0x00/0x40| Sub-Type=TBA2 | Target IPv6 Address | 250 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 251 | Target IPv6 Address (cont.) | 252 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 253 | Target IPv6 Address (cont.) | 254 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 255 | Target IPv6 Address (cont.) | 256 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 257 | Target IPv6 Address (cont.) | Flags | Reserved | 258 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 260 Figure 5. IPv6-address-specific Bypass VXLAN Extended Community 262 Where 264 Type: 265 0x01 = type for transitive IPv4 specific use. 266 0x00 = type for transitive IPv6 specific use. 267 0x40 = type for non-transitive IPv6 specific use. 269 Sub-Type: 270 TBA1 = subtype for IPv4 specific use. 271 TBA2 = subtype for IPv6 specific use. 273 IPv4/IPv6: An address of that type. 275 Flags: MUST be sent as zero and ignored on receipt. 277 Reserved: MUST be sent as zero and ignored on receipt. 279 5. Control Plane Processing 281 Using the topology in Figure 3: 283 1) PE2 sends a multicast route to PE1. The source address of the 284 route is the Anycast VTEP address shared by PE1 and PE2. The 285 route carries the bypass VXLAN extended community attribute, 286 including the bypass VTEP address of PE1. 288 2) After receiving the multicast route from PE2, PE1 considers that 289 an Anycast relationship be established with PE2. This is because 290 the source address (Anycast VTEP address) of the route is the same 291 as the local virtual address of PE1 and the route carries the 292 bypass VTEP extended community attribute. Based on the bypass 293 VXLAN extended attribute of the route, PE1 establishes a bypass 294 VXLAN tunnel to PE2. 296 3) PE1 learns the MAC address of the CEs through upstream packets 297 from the CEs and advertises them as routes to PE2 through BGP 298 EVPN. The routes carry the ESI of the links accessed by the CEs, 299 and information about the VLANs that the CE access, and the bypass 300 VXLAN extended community attribute. 302 4) PE1 learns the MAC address of the CPE through downstream packets 303 at the network side, specifies that the next-hop address of the 304 MAC route can be iterated to a static VXLAN tunnel, and advertises 305 the route to PE2. The next-hop address of the MAC route cannot be 306 changed. 308 6. Data Packet Processing 310 This section describes how Layer 2 unicast and BUM (Broadcast, 311 Unknown unicast, and Multicast) packets are forwarded. A description 312 of how Layer 3 packets transmitted on the same subnet and Layer 3 313 packets transmitted across subnets cases are forwarded will be 314 provided in a furture version of this document. 316 6.1 Layer 2 Unicast Packet Forwarding 318 The following two subsections discuss Layer 2 unicast forwarding in 319 the topology shown in Figure 3. 321 6.1.1 Uplink 323 After receiving Layer 2 unicast packets destined for the CPE from 324 CE1, CE2, and CE3, PE1 and PE2 search for their local MAC address 325 table to obtain outbound interfaces, perform VXLAN encapsulation on 326 the packets, and forward them to the CPE. 328 6.1.2 Downlink 330 After receiving a Layer 2 unicast packet sent by the CPE to CE1, PE1 331 performs VXLAN decapsulation on the packet, searches the local MAC 332 address table for the destination MAC address, obtains the outbound 333 interface, and forwards the packet to CE1. 335 After receiving a Layer 2 unicast packet sent by the CPE to CE2, PE1 336 performs VXLAN decapsulation on the packet, searches the local MAC 337 address table for the destination MAC address, obtains the outbound 338 interface, and forwards the packet to CE2. 340 After receiving a Layer 2 unicast packet sent by the CPE to CE3, PE1 341 performs VXLAN decapsulation on the packet, searches the local MAC 342 address table for the destination MAC address, and forwards it to PE2 343 over the bypass VXLAN tunnel. After the packet reaches PE2, PE2 344 searches the destination MAC address, obtains the outbound interface, 345 and forwards the packet to CE3. 347 The process for PE2 to forward packets from the CPE is the same as 348 that for PE1 to forward packets from the CPE with the roles of CE2 349 and CE3 swapped. 351 6.2 BUM Packet Forwarding 353 Using the topology in Figure 3, if the destination address of a BUM 354 packet from the CPE is the Anycast VTEP address of PE1 and PE2, the 355 BUM packet may be forwarded to either PE1 or PE2. If the BUM packet 356 reaches PE2, PE2 sends a copy of the packet to CE3 and CE1. In 357 addition, PE2 sends a copy of the packet to PE1 through the bypass 358 VXLAN tunnel between PE1 and PE2. After the copy of the packet 359 reaches PE1, PE1 sends it to CE2, not to the CPE or CE1. In this 360 way, CE1 receives only one copy of the packet. 362 Using the topology in Figure 3, after a BUM packet from CE2 reaches 363 PE1, PE1 sends a copy of the packet to CE1 and the CPE. In addition, 364 PE1 sends a copy of the packet to PE2 through the bypass VXLAN tunnel 365 between PE1 and PE2. After the copy of the packet reaches PE2, PE2 366 sends it to CE3, not to the CPE or CE1. 368 Using the topology in Figure 3, after a BUM packet from CE1 reaches 369 PE1, PE1 sends a copy of the packet to CE2 and the CPE. In addition, 370 PE1 sends a copy of the packet to PE2 through the bypass VXLAN tunnel 371 between PE1 and PE2. After the copy of the packet reaches PE2, PE2 372 sends it to CE3, not to the CPE or CE1. 374 7. IANA Considerations 376 IANA is requested to assign two new Extended Community attribute 377 SubTypes as follows: 379 7.1 IPv4 Specific 381 Sub-Type Value Name Reference 382 -------------- ------------------------------- ---------- 383 TBA1 Bypass VXLAN Extended Community [this doc] 385 7.2 IPv6 Specific 387 Sub-Type Value Name Reference 388 -------------- ------------------------------- ---------- 389 TBA2 Bypass VXLAN Extended Community [this doc] 391 8. Security Considerations 393 TBD 395 For general EVPN Security Considerations, see [RFC7432]. 397 Acknowledgements 399 The authors would like to thank the following for their comments and 400 review of this document: 402 TBD 404 Contributors 406 The following individuals made significant contributions to this 407 document: 409 Haibo Wang 410 Huawei Technologies 411 Huawei Bldg., No. 156 Beiqing Road 412 Beijing 100095 413 China 415 Email: rainsword.wang@huawei.com 417 Normative References 419 [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate 420 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, 421 March 1997, . 423 [RFC7432] - Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., 424 Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based 425 Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February 2015, 426 . 428 [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 429 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 430 2017, . 432 Informative References 434 [RFC7209] - Sajassi, A., Aggarwal, R., Uttaro, J., Bitar, N., 435 Henderickx, W., and A. Isaac, "Requirements for Ethernet VPN 436 (EVPN)", RFC 7209, DOI 10.17487/RFC7209, May 2014, 437 . 439 [RFC7348] - Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, 440 L., Sridhar, T., Bursell, M., and C. Wright, "Virtual 441 eXtensible Local Area Network (VXLAN): A Framework for 442 Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", 443 RFC 7348, DOI 10.17487/RFC7348, August 2014, . 446 Authors' Addresses 448 Donald E. Eastlake, 3rd 449 Futurewei Technologies 450 2386 Panormaic Circle 451 Apopka, FL 32703 USA 453 Phone: +1-508-333-2270 454 Email: d3e3e3@gmail.com 456 Zhenbin Li 457 Huawei Technologies 458 Huawei Bld., No.156 Beiqing Rd. 459 Beijing 100095 460 China 462 Email: lizhenbin@huawei.com 464 Shunwan Zhuang 465 Huawei Technologies 466 Huawei Bld., No.156 Beiqing Rd. 467 Beijing 100095 468 China 470 Email: zhuangshunwan@huawei.com 472 Copyright, Disclaimer, and Additional IPR Provisions 474 Copyright (c) 2020 IETF Trust and the persons identified as the 475 document authors. All rights reserved. 477 This document is subject to BCP 78 and the IETF Trust's Legal 478 Provisions Relating to IETF Documents 479 (http://trustee.ietf.org/license-info) in effect on the date of 480 publication of this document. Please review these documents 481 carefully, as they describe your rights and restrictions with respect 482 to this document. Code Components extracted from this document must 483 include Simplified BSD License text as described in Section 4.e of 484 the Trust Legal Provisions and are provided without warranty as 485 described in the Simplified BSD License. The definitive version of 486 an IETF Document is that published by, or under the auspices of, the 487 IETF. Versions of IETF Documents that are published by third parties, 488 including those that are translated into other languages, should not 489 be considered to be definitive versions of IETF Documents. The 490 definitive version of these Legal Provisions is that published by, or 491 under the auspices of, the IETF. Versions of these Legal Provisions 492 that are published by third parties, including those that are 493 translated into other languages, should not be considered to be 494 definitive versions of these Legal Provisions. For the avoidance of 495 doubt, each Contributor to the IETF Standards Process licenses each 496 Contribution that he or she makes as part of the IETF Standards 497 Process to the IETF Trust pursuant to the provisions of RFC 5378. No 498 language to the contrary, or terms, conditions or rights that differ 499 from or are inconsistent with the rights and licenses granted under 500 RFC 5378, shall have any effect and shall be null and void, whether 501 published or posted by such Contributor, or included with or in such 502 Contribution.