idnits 2.17.1 draft-hasmit-otv-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (October 24, 2010) is 4904 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'IS-IS-Layer2' is mentioned on line 1077, but not defined == Unused Reference: 'IS-IS' is defined on line 1131, but no explicit reference was found in the text == Unused Reference: 'IS-IS-Layer-2' is defined on line 1136, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'IS-IS' -- Possible downref: Non-RFC (?) normative reference: ref. 'IS-IS-Layer-2' -- Possible downref: Non-RFC (?) normative reference: ref. 'IS-IS-OTV' Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group H. Grover 3 Internet-Draft D. Rao 4 Intended status: Standards Track D. Farinacci 5 Expires: April 27, 2011 Cisco Systems 6 October 24, 2010 8 Overlay Transport Virtualization 9 draft-hasmit-otv-01 11 Abstract 13 In today's networking environment most enterprise networks span 14 multiple physical sites. Overlay Transport Virtualization (OTV) 15 provides a scalable solution for L2/L3 connectivity across different 16 sites using the currently deployed service provider and enterprise 17 networks. It is a very cost-effective and simple solution requiring 18 deployment of a one or more OTV functional device at each of the 19 enterprise sites. This solution is agnostic to the technology used 20 in the service provider network and connectivity between the 21 enterprise and the service provider network. This document provides 22 an overview of this technology. 24 Status of this Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at http://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on April 27, 2011. 41 Copyright Notice 43 Copyright (c) 2010 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (http://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 60 2. Control Plane . . . . . . . . . . . . . . . . . . . . . . . . 8 61 2.1. Provider Control Plane . . . . . . . . . . . . . . . . . . 9 62 2.2. Overlay Control Plane . . . . . . . . . . . . . . . . . . 9 63 2.2.1. Edge Device Discovery and Adjacency setup . . . . . . 10 64 2.2.2. Extended VLANs . . . . . . . . . . . . . . . . . . . . 10 65 2.2.3. Multiple Instances . . . . . . . . . . . . . . . . . . 11 66 2.2.4. Advertising Unicast MAC Routes . . . . . . . . . . . . 11 67 2.2.5. Advertising Multicast Routes . . . . . . . . . . . . . 11 68 2.2.6. Adjacency Server . . . . . . . . . . . . . . . . . . . 12 69 2.3. Connecting an Edge Device to the Overlay . . . . . . . . . 12 70 2.3.1. Edge Devices as MAC Routers . . . . . . . . . . . . . 13 71 2.3.2. Internal Interface Behavior . . . . . . . . . . . . . 13 72 2.3.3. Overlay Interface Behavior . . . . . . . . . . . . . . 13 73 3. Data Plane . . . . . . . . . . . . . . . . . . . . . . . . . . 14 74 3.1. Encapsulation . . . . . . . . . . . . . . . . . . . . . . 14 75 3.2. Forwarding Process . . . . . . . . . . . . . . . . . . . . 16 76 3.2.1. Forwarding between Internal Links . . . . . . . . . . 17 77 3.2.2. Forwarding from an Internal Link to the Overlay . . . 17 78 3.2.3. Forwarding from the Overlay to an Internal Link . . . 17 79 3.2.4. Unicast Packet Flows . . . . . . . . . . . . . . . . . 18 80 3.2.5. Unknown Unicast Packet Handling . . . . . . . . . . . 18 81 3.2.6. Multicast Packet Flows . . . . . . . . . . . . . . . . 19 82 3.2.7. Broadcast Packet Flows . . . . . . . . . . . . . . . . 19 83 3.3. STP BPDU Handling . . . . . . . . . . . . . . . . . . . . 20 84 4. MAC Address Mobility . . . . . . . . . . . . . . . . . . . . . 20 85 5. Multi-homing . . . . . . . . . . . . . . . . . . . . . . . . . 21 86 5.1. Authoritative Edge Device Selection . . . . . . . . . . . 21 87 5.2. Site Identifier . . . . . . . . . . . . . . . . . . . . . 22 88 6. IS-IS as an Overlay Control Protocol . . . . . . . . . . . . . 22 89 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 90 8. Security Considerations . . . . . . . . . . . . . . . . . . . 24 91 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 92 10. Normative References . . . . . . . . . . . . . . . . . . . . . 25 93 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 95 1. Overview 97 OTV is a new "MAC in IP" technique for supporting L2 VPNs over an 98 L2/L3 infrastructure. OTV provides an "over-the-top" method of doing 99 virtualization among a large number of sites where the routing and 100 forwarding state is maintained at the network edges, but not within 101 the site or in the core. 103 OTV can be incrementally deployed and reside in a small number of 104 devices at the edge between sites and the core. We call these 105 devices "Edge Devices" which perform typical layer-2 learning and 106 forwarding functions on their site facing interfaces (internal 107 interfaces) and perform IP-based virtualization functions on their 108 core facing interfaces (for which an overlay network is realized). 110 Traditional L2VPN technologies rely heavily on tunnels. Rather than 111 creating stateful tunnels, OTV encapsulates layer 2 traffic with an 112 IP header ("MAC in IP"), but does not create any fixed tunnels. 113 Based on the IP header, traffic is forwarded natively in the core 114 over which OTV is being deployed. This is an important feature as 115 the native IP treatment of the encapsulated packet allows optimal 116 multi-point connectivity as well as optimal broadcast and multicast 117 forwarding, plus any other benefits the routed core may provide to 118 native IP traffic. OTV virtualization is independent of the 119 technology deployed in the core; the core network may be a layer-2 120 metro Ethernet core, a layer-3 IP network core, or an MPLS network 121 core. 123 Layer-2 traffic which requires traversing the overlay to reach its 124 destination, is prepended with an IP header which ensures the packet 125 is delivered to the edge boxes that provide connectivity to the 126 Layer-2 destination in the original MAC header. As shown in figure 127 1, if a destination is reachable via Edge Device X2 (with a core 128 facing IP address of IPB), other Edge Devices forwarding traffic to 129 such destination will add an IP header with a destination IP address 130 of IPB and forward the traffic into the core. The core will forward 131 traffic based on IP address IPB, once the traffic makes it to Edge 132 Device X2 it will be stripped of the overlay IP header and it will be 133 forwarded into the site in the same way a regular bridge would 134 forward a packet at layer-2. Broadcast or multicast traffic is 135 encapsulated with a multicast header and follows a similar process. 137 +----+ +----+ 138 | H1 |------- ------------ -------| H2 | 139 +----+ \ / \ / +----+ 140 \+----+IPA / L3 Core \ IPB+----+/ 141 ---------| X1 |----< >---| X2 |-------- 142 /+----+ \ Network / +----+\ 143 / \ / \ 144 ------------ 146 +------------+ 147 | DA = IPB | 148 +------------+ 149 | SA = IPA | 150 +-----------+ +------------+ +-----------+ 151 | DMAC = H2 | | DMAC = H2 | | DMAC = H2 | 152 +-----------+ +------------+ +-----------+ 153 | SMAC = H1 | | SMAC = H1 | | SMAC = H1 | 154 +-----------+ +------------+ +-----------+ 155 | VLAN-ID | | VLAN-ID | | VLAN-ID | 156 +-----------+ +------------+ +-----------+ 157 | Payload | | Payload | | Payload | 158 +-----------+ +------------+ +-----------+ 160 Figure 1. Traffic flow from H1 to H2 with encapsulation in the core. 162 The key piece that OTV adds is the state to map a given destination 163 MAC address in the L2 VPN to an IP address of the OTV Edge Device 164 behind which that MAC address is located. OTV forwarding is a 165 function of mapping a destination MAC address in the VPN site to an 166 Edge Device IP address in the overlay network. 168 To achieve all this, a control plane is required to exchange the 169 reachability information among the different OTV Edge Devices. We 170 will refer to this control plane as the oURP and oMRP (Overlay 171 Unicast Routing Protocol and Overlay Multicast Routing Protocol). 172 OTV does not flood unknown unicast traffic among Edge Devices and 173 therefore precludes data-plane learning on the "overlay interface". 174 Data-plane learning continues to happen on the "internal interfaces" 175 to provide compatibility and transparency within the layer-2 sites 176 connecting to the OTV overlay. The Edge Devices appear to each VPN 177 site to be providing L2 switched network connectivity amongst those 178 sites. 180 This document describes the use of IS-IS as an IGP capable of 181 carrying both MAC unicast and multicast and IP multicast group 182 addresses, thereby serving as both the oURP and oMRP. However, any 183 other suitable routing protocol can be used as the OTV control 184 protocol. The information carried in IS-IS LSPs will be MAC unicast 185 addresses and multicast addresses with their associated VLAN IDs and 186 IP next hops. The MAC addresses are those of the hosts connecting to 187 the network and the IP next hops are the addresses of the Edge 188 Devices through which these are reachable in the core. Figure 2 189 shows what the resulting tables would look like in a simple two site 190 example. 192 +----+ +----+ 193 | H1 |------- ------------ -------| H2 | 194 +----+ \ / \ / +----+ 195 E1\+----+IPA / L3 Core \ IPB+----+/E1 196 ---------| X1 |----< >---| X2 |-------- 197 /+----+ \ Network / +----+\ 198 / Overlay1 \ /Overlay1 \ 199 ------------ 201 At X1 At X2 202 +----------------------------+ +----------------------------+ 203 | Destination | Interface/NH | | Destination | Interface/NH | 204 |----------------------------| |----------------------------| 205 | H1 | E1 | | H1 | Overlay1:IPA | 206 | H2 | Overlay1:IPB | | H2 | E1 | 207 +----------------------------+ +----------------------------+ 209 Figure 2. OTV Forwarding Tables. 211 Edge Devices will have an IP address reachable through their core 212 facing interface(s), and these nodes join a configured ASM/Bidir 213 multicast group in the core transport network. The core or the 214 provider network relies on a provider Unicast Routing Protocol (pURP) 215 and a provider Multicast Routing Protocol (pMRP) to connect the Edge 216 Devices to one another. It is not strictly required that the Edge 217 Devices participate in the pURP/pMRP. They typically connect as 218 hosts to the core network. This is compatible and consistent with 219 today's interconnection policies. However, the solution also 220 supports the scenario where the Edge Devices do actively participate 221 at Layer-3 in the pURP/pMRP. 223 The multicast group that the Edge Devices join is referred to as the 224 "Provider Multicast Group (pMG)". The pMG will be used for Edge 225 Devices to become adjacent with each other to exchange their IS-IS 226 Hellos, LSPs and CSNPs. Thus, by virtue of the pMG, all Edge Devices 227 will see each other as if they were directly connected to the same 228 multi-access multicast-capable segment for the purposes of IS-IS 229 peering. The pMG also defines a VPN; thus, when an Edge Device joins 230 a pMG the site becomes part of a VPN. Multiple pMGs can be defined 231 to define multiple VPNs. 233 The pMG can also be used to broadcast data traffic to all Edge 234 Devices when necessary. Broadcast transmission will not incur head- 235 end replication overhead. OTV allows the pMRP to efficiently 236 distribute broadcast traffic by the provider ASM/Bidir group. 238 When forwarding of VPN multicast is required, new multicast state 239 will be used in order to tailor the distribution trees to the optimal 240 group of receivers, these multicast groups are to be created in the 241 provider control plane (pMRP). For instance, each core device will 242 resort to using SSM multicast in the core by having the Edge Device 243 IGMPv3/ MLDv2 join a {source, group} pair. 245 Edge Devices must combine data-plane learning on their bridged 246 internal interfaces with control-plane learning on their overlay 247 interfaces. The key to this combination is a series of rules through 248 which data-plane events can trigger control-plane advertisements 249 and/or learning events. 251 OTV supports L2 multi-homing for sites where one or more of the 252 bridge domains may be connected to multiple Edge Devices. It 253 supports both active-backup and active-active multi-homing 254 capabilities to sites. OTV provides loop elimination for multi-homed 255 "sites" and does not require the extension of STP across sites. This 256 means each site can run it own STP rather than have to create one 257 large STP domain across sites. 259 1.1. Terminology 261 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 262 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 263 document are to be interpreted as described in RFC 2119. 265 Site - A Site is a single or multi-homed connected network which 266 is typically under the control of a single organization. Sites 267 are connected together via Edge Devices that operate in an overlay 268 network. The Edge Devices provide layer-2 connectivity among the 269 sites. A site will not be used by IS-IS as a transit network. A 270 layer-2 site is one that is mostly made up of hosts and switches. 271 Routers may exist but the majority of the topology to the Edge 272 Devices are L2 switched. The MAC addresses advertised on the 273 overlay network are all the hosts and routers connected to the L2 274 devices at the site. The site typically has several VLANs or 275 bridging domains being actively used. A layer-3 site is one that 276 is mostly made up of routers connecting to hosts via switches. 277 The majority of the topology to the Edge Devices are L3 routed. 279 The number of MAC addresses advertised on the overlay network are 280 limited to the router devices at the site. 282 VPN - A VPN is a collection of sites which are controlled by a 283 single administration. The addressing plan, router and switch 284 configuration is consistent as it would be if the sites were 285 physically at the same location. There is one overlay network per 286 VPN which connects all sites. Each VPN uses a dedicated ASM/Bidir 287 provider multicast group allocated by the core network, which 288 provides the separation from other VPNs for the control plane, as 289 well as in the data plane. 291 Edge Device - A modified L2 switch that performs OTV functions. 292 It will run as an L2 device on the site side, but performs L3 293 functions on the core facing interfaces. When OTV functionality 294 is described, this functionality only occurs in an Edge Device. 296 Internal Interface - These are Layer-2 interfaces connected to 297 site based switches or site based routers. The internal interface 298 is layer-2 regardless if it connects to a switch or a router. 300 Overlay Interface - This is a logical multi-access multicast- 301 capable interface. The overlay interface can replicate broadcast 302 and multicast packets efficiently. The overlay interface provides 303 an IP unicast or multicast encapsulation for L2 frames transmitted 304 from the site. The overlay interface is realized by one or more 305 physical core facing interfaces. The core facing interfaces are 306 assigned IP addresses out of the core provider's address space. 308 MAC Table - This is a forwarding table of 48-bit MAC addresses. 309 The table can contain unicast or multicast MAC addresses. The 310 table is populated by two sources. One being traditional data- 311 plane learning on internal interfaces and the other by the URP/MRP 312 at the control-plane on the overlay interface. A MAC table is 313 scoped by VLAN therefore allowing the same MAC address to be used 314 in different VLANs, and potentially in different VPNs. 316 Authoritative Edge Device (AED) - This is an Edge Device that 317 forwards Layer-2 frames in and out of a site from and to the 318 overlay interface. Depending on the multi-homing granularity in 319 use, there will be a single AED in the site for a given VLAN or 320 for a given MAC-level flow. 322 Site-ID - Each Edge Device which resides in an OTV site will 323 advertise over the overlay network the same site-id. The site-id 324 may be determined dynamically or by static configuration. 326 (VLAN, uMAC) - This is the designation of layer-2 network 327 reachability information as encoded in the URP and as stored in 328 the MAC table. This notation describes a given unicast MAC 329 address within a particular VLAN. 331 (VLAN, mMAC, mIP) - This is the designation of layer-2 network 332 reachability information as encoded in the MRP and as stored in 333 the MAC/IP table. This notation describes a given multicast 334 MAC/IP address within a particular VLAN. The 'mIP' part of the 335 3-tuple is provided so both Layer-2 switching and the SSM based 336 tree joins can occur based on the IP group address (since 32-to-1 337 aliasing can happen for IPv4 group address to MAC mappings and 338 worse for IPv6). 340 2. Control Plane 342 This section discusses the control plane hierarchy. At the very base 343 of the hierarchy we find the provider control plane, which enables 344 unicast reachability among the edge boxes and also provides the 345 multicast group that makes edge boxes adjacent from the overlay 346 control plane perspective. The provider control plane also provides 347 the multicast trees in the core that will be used for optimal 348 forwarding of the layer-2 site data traffic. 350 At the next level, the overlay control plane provides discovery of 351 the Edge Devices that are part of the overlay and conveys client-MAC- 352 address reachability and client-multicast group information between 353 the edge devices. 355 In general, the control planes are independent of each other. 356 However, in order to optimize multicasting, multicast control-plane 357 events (reports, joins, leaves) that occur in one MRP may initiate 358 events in another MRP so that the optimal tree is always being used 359 to forward traffic. Also, events in the overlay control plane are 360 triggered by forwarding events in the client data plane (however both 361 client and overlay control planes remain independent of each other). 363 |<------------------------ cURP/cMRP ------------------------>| 364 | | 365 | | 366 | |<--------- oURP/oMRP --------->| | 367 | | | | 368 | | | | 369 | | |<--- pURP/pMRP -->| | | 370 | | | (pMG) | | | 371 | | | | | | 372 | | | | | | 373 +----+ +--+ | | | | +--+ +----+ 374 | R1 |----|S1| | | ------------ | | |S2|----| R2 | 375 +----+ +--+ | | / \ | | +--+ +----+ 376 \+----+IPA | / L3 Core \ | IPB+----+/ 377 ------| X1 |-----< >-----| X2 |----- 378 /+----+ \ Network / +----+\ 379 \ / 380 ------------ 382 Figure 3. OTV Control Plane Hierarchy 384 2.1. Provider Control Plane 386 The provider control plane is the set of routing protocols which run 387 in the core infrastructure to be able to deliver packets sourced from 388 the site networks. There is no required coordination of routing 389 protocols between the site and the core. That is, no more than 390 typically necessary to connect to a core service. In terms of 391 addressing, the Edge Device is allocated an IP address out of the 392 core block of addresses. 394 For each VPN the Edge Device is to support, a multicast group is 395 required to be allocated from the provider core at a minimum. This 396 multicast group is typically ASM/BiDir. In addition, the multicast 397 state created in the client site network will map to some amount of 398 state in the core network. However, it is not required to provision 399 a unique group for every client data group. The Edge Device takes a 400 client multicast packet and encapsulates it in a core-deliverable 401 multicast packet. 403 2.2. Overlay Control Plane 405 The overlay control plane provides auto-discovery of the Edge Devices 406 that are members of an Overlay VPN. It also conveys Layer-2 unicast 407 and multicast reachability information from a site to Edge Devices in 408 other sites and the VLANs or layer-2 bridge domains being extended. 410 The MAC addresses that are locally connected to an Edge Device are 411 advertised in the overlay URP to other Edge Devices in the VPN. 412 Thus, MAC learning on the overlay is not based on data plane 413 flooding, but is based on explicit advertisements of MAC addresses 414 done by the overlay control plane. Similarly, the multicast groups 415 that a site has receivers or sources for are advertised in the 416 overlay MRP to other Edge Devices in the VPN. 418 2.2.1. Edge Device Discovery and Adjacency setup 420 The overlay URP establishes adjacencies only between Edge Devices 421 that are in the same VPN. Edge Devices become part of a VPN when 422 they join a multicast group defined in the core (provider MRP); 423 devices using the same group are members of the same VPN. Thus, the 424 adjacency setup provides a very simple mechanism to automatically 425 discover members of the VPN. The hellos and updates between overlay- 426 URP peers travel over the multicast group defined in the pMRP. Thus, 427 Edge Devices peer with each other as if they were directly connected 428 at layer-2. This peering is possible as all the traffic for the oURP 429 is encapsulated with the pMRP group address and sent into the core. 430 Thus, all Edge Devices in a given VPN receive the oURP multicast 431 traffic as if they were all on the same segment. Similarly, the 432 overlay MRP packets are encapsulated with the pMRP group address 433 corresponding to the VPN. The overlay MRP is used to inform all the 434 Edge Devices that the subscribers to a particular group are reachable 435 over the overlay network. 437 An Edge Device can support multiple overlay VPNs. Each overlay has 438 its own dedicated provider-multicast group address and a distinct set 439 of adjacencies. There may be multiple overlay adjacencies between 440 the same set of Edge Devices, or the membership may be disjoint for 441 each overlay. 443 2.2.2. Extended VLANs 445 Each overlay basically extends a set of VLANs or layer-2 bridge 446 domains among the member sites. On a given Edge Device, a set of 447 VLANs is uniquely extended on a specific overlay. Other VLANs may be 448 extended on other overlays. This entails both advertising and 449 accepting information in the control plane such as VLANs and their 450 associated MAC and group information, as well as forwarding unicast, 451 multicast and broadcast traffic for these VLANs. 453 To allow scalability of connecting large L2 sites together via the 454 overlay, by default, an Edge Device will not advertise any 455 information for any VLANs. To avoid inadvertent merging of VLANs 456 among sites, Edge Devices will be required to configure the VLANs for 457 which Edge Devices will advertise reachability information for. 459 2.2.3. Multiple Instances 461 An Edge Device may support bridging of multiple distinct layer-2 462 domains with overlapping VLANs which are to be treated as distinct. 463 These VLANs may be extended on the overlay by treating them as 464 separate instances both in advertising control plane information and 465 while forwarding in the data plane. A single overlay VPN can support 466 more than one instance among the Edge Devices in that overlay. 468 2.2.4. Advertising Unicast MAC Routes 470 When a MAC address is learned by arrival of a data packet on an 471 internal interface, the Edge Device advertises the MAC address on the 472 overlay URP. In addition to conveying the MAC address reachability 473 to other edge devices, it also provides a mapping to one of the IP 474 addresses of the advertising Edge Device; i.e., the IP next-hop and 475 encapsulation for that MAC address. Typically, even if a site is 476 multi-homed, a unicast MAC address is advertised by a single Edge 477 device, that is the Authoritative Edge Device. Hence, remote Edge 478 Devices will see a single path to reach a given MAC address. 479 However, when active-active multihoming is being used, there will be 480 equal-cost paths to reach a MAC address in a site and the sender Edge 481 Device will load-balance flows among the paths. 483 2.2.5. Advertising Multicast Routes 485 An Edge Device learns about the multicast groups that hosts in the 486 site are interested in by snooping IGMP/MLD reports on the internal 487 interfaces. When a multicast MAC or group address is learned, the 488 Edge Device notifies other Edge Devices about it by placing a 489 (VLAN,mMAC,mIP) entry in a multicast control PDU. Thus, the overlay 490 MRP informs all the Edge Devices that the subscribers to a particular 491 group are reachable over the overlay network. This information is 492 used by Edge Devices to populate their multicast oif-list at the 493 source site. As long as there is one site that has a receiver for a 494 multicast group, the Edge Devices at the source site will forward 495 traffic for that group onto the overlay. Edge Devices at the 496 receiving sites will also join the corresponding multicast group in 497 the provider plane (pMRP). Thus, multicast trees are built natively 498 in the core, not on the overlay, and provide optimal delivery of 499 multicast data. 501 2.2.5.1. Delivery Groups 503 Delivery groups are multicast groups used in the core network to 504 transport site multicast traffic. Multicast data for various 505 customer data groups are aggregated into a typically smaller set of 506 core multicast trees, without requiring extensive coordination 507 between OTV edge boxes. Delivery group selection is centralized at 508 each source OTV Edge Device which controls the mapping of a (S,G) to 509 a (DS, DG). It exports this mapping to other Edge Devices so that 510 they can join the (DS, DG) in the core. Link-local site multicast 511 groups may also map to a specific delivery group instead of the 512 provider multicast group used for control packets. Delivery group 513 mapping allows for fair amount of flexibility for the customer sites 514 and the provider to decide control of state versus bandwidth tradeoff 515 in the core. 517 When a receiver site Edge Device learns a (S, G) to (DS, DG) mapping, 518 it joins the (DS, DG) tree in the core. As an optimization, this 519 join may be done only if there are local receivers for the group. It 520 also installs a layer-3 multicast route for (DS,DG) to decapsulate 521 incoming packets with the appropriate core uplink interface as the 522 RPF interface. 524 2.2.5.2. Active Source Discovery 526 An OTV Edge Device will advertise a delivery group mapping for a 527 (*,G) or (S,G) route only when there is an active source sending data 528 in its site. For this, the Edge Device will learn the active sources 529 by snooping multicast data received on the internal interfaces. If a 530 remote receiver interested in this group, a (VLAN, S,G) entry is 531 installed with the overlay as an OIF and the (DS,DG) as outer 532 encapsulation. When IGMP/MLD is being used on the core uplink, the 533 (DS,DG) encapsulated packet may be emitted directly on the uplink 534 interface. The first-hop router on the other end of the core uplink 535 will then forward this packet along the core multicast tree. 537 2.2.6. Adjacency Server 539 In case the provider core does not support ASM/Bidir multicast, there 540 is an alternate mechanism to discover the remote Edge Devices which 541 are part of a VPN. In this scenario, an Edge Device is configured as 542 an Adjacency Server. All other Edge Devices inform the Adjacency 543 Server regarding their reachability and capability information via 544 the overlay control plane. Adjacency Server is responsible for 545 informing all the other existing Edge Devices regarding addition or 546 loss of an Edge Device. Based on the reachability information, the 547 Edge Devices can further communicate with one another directly using 548 unicast or multicast data path. 550 2.3. Connecting an Edge Device to the Overlay 552 In order to successfully connect to the overlay, the Edge Device has 553 several functions on its different interfaces. These are summarized 554 in this section. 556 2.3.1. Edge Devices as MAC Routers 558 The Edge Device need not participate in the provider URP (pURP) as a 559 router, but can simply behave as a host. This keeps its requirements 560 and functionality simple. In this mode, the Edge Device has an IP 561 address which is significant in the core/provider addressing space. 562 The Edge Device joins the multicast groups in the core by issuing 563 IGMPv3/MLDv2 reports, just like a host would. Thus the Edge Device 564 does not have an IGP relationship with the core. This allows for 565 simpler insertion into any type of core network. 567 However, the Edge Device does participate in the overlay URP and its 568 IP address is used as a router ID and a next-hop address for unicast 569 traffic by the overlay URP. However, the Edge Device does not build 570 an IP routing table with the information received from the oURP, but 571 rather builds a hybrid table where MAC address destinations are 572 reachable via IP next-hop addresses. This may be termed as a MAC 573 router because it can route packets based on MAC addresses. 575 Thus, Edge Devices are IP hosts in the provider plane, MAC routers in 576 the overlay plane and bridges in the client bridging plane. It 577 should be noted that Edge Devices can also support full IP routing 578 functionality and participate in the pURP/pMRP as routers. 580 2.3.2. Internal Interface Behavior 582 The internal interfaces on an Edge Device are bridged interfaces and 583 are indifferent to whether the site itself is L2 or L3. These 584 interfaces behave as regular switch interfaces and learn the source 585 MAC addresses of traffic they receive. Spanning tree BPDUs are 586 received, processed and sourced on internal interfaces as they would 587 on a regular 802.1d, 802.1s and 802.1w switch. IGMP/MLD and data 588 snooping is enabled on internal interfaces to discover local 589 receivers and sources in the site. Additionally, traffic received on 590 internal interfaces may trigger oURP/oMRP advertisements and/or pMRP 591 group joins as described earlier. 593 Traffic received on an internal interface will be forwarded according 594 to the MAC and multicast tables either onto other internal interfaces 595 (regular bridging) or onto the overlay (OTV forwarding). This is 596 explained in detail in the Forwarding section. 598 2.3.3. Overlay Interface Behavior 600 An overlay interface is a logical interface which is associated with 601 an IP address in the provider/core address space. Traffic out of 602 these interfaces is encapsulated with an IP header, and traffic 603 received on these interfaces must be de-capsulated to produce a L2 604 frame. The encapsulated packets exit the Edge Device on one or more 605 underlying physical or logical L3 interfaces. 607 STP BPDUs are not sourced from overlay interfaces, therefore there 608 should not be STP BPDUs in the core, nor do the overlay interfaces 609 participate in the spanning tree protocol. 611 The IP addresses assigned to the overlay interfaces are used as next- 612 hop addresses by the overlay-URP, therefore the MAC table for the 613 overlay interface will include a remote IP address as the next-hop 614 information for remote MAC addresses. 616 3. Data Plane 618 3.1. Encapsulation 620 The overlay encapsulation format is a Layer-2 ethernet frame 621 encapsulated in UDP inside of IPv4 or IPv6. 623 The format of OTV UDP IPv4 encapsulation is as follows: 625 1 2 3 626 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 627 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 628 |Version| IHL |Type of Service| Total Length | 629 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 630 | Identification |Flags| Fragment Offset | 631 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 632 | Time to Live | Protocol = 17 | Header Checksum | 633 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 634 | Source-site OTV Edge Device IP Address | 635 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 636 | Destination-site OTV Edge Device (or multicast) Address | 637 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 638 | Source Port (Random) | Dest Port (8472) | 639 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 640 | UDP length | UDP Checksum = 0 | 641 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 642 |R|R|R|R|I|R|R|R| Overlay ID | 643 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 644 | Instance ID | Reserved | 645 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 646 | | 647 | Frame in Ethernet or 802.1Q Format | 648 | | 649 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 651 IPv4 Header: 653 Version: Set to value 4 in decimal. 655 IHL: Set to value 5 in decimal meaning there are no IP options 656 present in an OTV encapsulated packet. 658 Type of Service: The 802.1P bits from the Ethernet Frame are copied 659 to this field. 661 Total Length: The total length of the IP datagram in bytes. This 662 includes the IP header, the UDP header, the OTV header, and the L2 663 frame without the preamble and CRC fields. 665 Identification: Set randomly by the OTV Edge Device. 667 Flags: The DF bit should be set to 1. 669 Time to Live: Set by the OTV Edge Device and is configurable. 671 Protocol: Since the packet is UDP encapsulated, this field is set to 672 17 decimal. 674 Header Checksum: Must be computed by the OTV Edge Device over the IP 675 header fields. 677 Source Address: The IP address of the OTV Edge Device doing the 678 encapsulation of the L2 frame. 680 Destination Address: The IP unicast or multicast address set by the 681 OTV Edge Device which is encapsulating the L2 frame. The Edge Device 682 decides when the address is set to a unicast or multicast addresss. 684 UDP Header: 686 Source Port: Is chosen by the OTV Edge Device which is encapsulating 687 the L2 frame based on a hash of the L2 frame. This allows packets to 688 be load-split evenly over LAGs on routers in the core, responsible 689 for delivering these IP encapsulated packets. 691 Destination Port: This is an IANA assigned well-known user port 692 number. Packets encapsulated by an OTV Edge Device put value 8472 in 693 the destination port field. 695 UDP Length: Is the length in bytes of the UDP header, the OTV header, 696 and the L2 frame without the preamble and CRC fields. 698 UDP Checksum: This is set to 0 by the OTV Edge Device when doing 699 encapsulation and ignored by the OTV Edge Device which is 700 decapsulating at the destination site. 702 OTV Header: 704 Flags: 706 'I' - Instance-ID bit. When set to 1, it indicates the Instance ID 707 should be used in the forwarding lookup. 709 'R' - Reserved bits. 711 Overlay ID: Is used only for control plane packets such as the URP/ 712 MRP (IS-IS) to identify packets for a specific overlay. 714 Instance ID: Set by the OTV Edge Device doing the encapsulation to 715 specify a logical table that should be used for lookup by the OTV 716 Edge Device at the destination site. 718 L2 Ethernet Frame: 720 The L2 Frame minus the preamble and CRC received on an internal link 721 by an OTV Edge Device. 723 The addition of OTV encapsulation headers increases the size of an L2 724 packet received on an internal interface such that the core uplinks 725 on the Edge Device as well as the routers in the core need to support 726 an appropriately larger MTU. OTV encapsulated packets must not get 727 fragmented as they traverse the core, and hence the IP header is 728 marked to not fragment by the Edge Device. The Edge Device drops 729 packets that exceed the core uplink MTU. 731 The following tables enumerates how MAC level packets are 732 encapsulated in the OTV header. 734 MAC-level Frame OTV IP Encapsulation 735 --------------- -------------------- 736 Unicast Frame IP unicast packet 737 Broadcast Frame ASM/Bidir IP multicast packet 738 Link-local Multicast Frame ASM/Bidir IP multicast packet 739 Data Multicast Frame SSM IP multicast packet 741 3.2. Forwarding Process 743 Most of the interesting forwarding cases happen when a packet comes 744 from the Overlay Link to be forwarded to an Internal Link, or vice 745 versa. But for completeness, forwarding between internal links is 746 also described 748 3.2.1. Forwarding between Internal Links 750 When an Edge Device has internal links, it operates like a 751 traditional L2 switch. That is, it will send unicast packets on a 752 port where the MAC was learned; it will send multicast packets on the 753 ports it has IGMP/MLD-snooped; and it will send broadcast packets out 754 all ports for a given VLAN or layer-2 bridge domain 756 3.2.2. Forwarding from an Internal Link to the Overlay 758 An Edge Device will decide to forward a Layer-2 unicast, multicast, 759 or broadcast packet over the overlay interface when the overlay 760 control plane has put the logical port of the overlay interface in 761 the forwarding table, such as for the corresponding unicast or 762 multicast address. When a packet is sent over the overlay interface, 763 it is first prepended with an OTV header that includes the IP address 764 of the overlay next-hop. The packet as received from the internal 765 interface is not touched other than to remove the preamble and FCS 766 from the frame. The IP address, outer MAC address and other 767 encapsulation information are all installed in the forwarding 768 hardware by the control plane so the OTV header can be prepended and 769 the packet forwarded at high rate. 771 The Edge Device has to be eligible to forward this packet as per the 772 control plane, such as being the Authoritative Edge Device. Multi- 773 homing of sites imposes additional rules on the forwarding of traffic 774 as described later in this document. 776 3.2.3. Forwarding from the Overlay to an Internal Link 778 When a packet is received on the overlay interface, it will need to 779 be IP decapsulated to reveal the inner MAC header for forwarding. 780 The inner MAC header SA and DA addresses and VLAN-ID will used for 781 forwarding actions. For any type of packet received on the overlay 782 interface, it will be accepted only if the Edge Device is the 783 Authoritative Edge Device as determined by an inspection of the 784 received packet header. 786 When a unicast packet is received on the overlay interface, the outer 787 OTV IP header is removed, and the VLAN-ID and the MAC DA from the 788 inner header is used to do the MAC table lookup. Here onwards, this 789 is a regular bridging operation, whether the MAC address entry is 790 present or not. 792 When a multicast packet is received on the overlay interface, the 793 outer OTV IP header is removed. The VLAN-ID and inner MAC header SA 794 and DA or inner IP header SA and DA are used to do a Layer-2 795 multicast table lookup and forward the packet on the right internal 796 interfaces. A multicast packet received from the overlay will not be 797 sent back out on the overlay. 799 When a broadcast packet is received on the overlay interface, the 800 outer OTV IP header is removed and the packet is then flooded on all 801 internal interfaces. 803 3.2.4. Unicast Packet Flows 805 Hosts typically generate ARP requests and learn the MAC addresses of 806 other hosts from ARP requests and replies. Switches learn the source 807 MACs from packet headers and store this state to optimally forward 808 traffic destined to these MACs. The OTV Edge Devices will also learn 809 the MACs locally on their site facing interfaces, and will install 810 remote MACs received over the overlay control plane into the local 811 MAC table with the appropriate remote Edge Devices as next-hops. 813 Once these actions take place, every switch will forward the L2 814 packet based on the MAC table entry. The OTV Edge Device at the 815 source site will also do a MAC table lookup which will yield a next- 816 hop entry pointing to a remote Edge Device. Once the OTV header with 817 the IP address is prepended, the packet is then forwarded to the 818 destination Edge Device at Layer-3 as a regular IP packet. 820 The Edge Device as well as the core routers may load-balance these 821 encapsulated packets among equal-cost multiple Layer-3 paths, with 822 packets belonging to a single Layer-2 flow being hashed to a specific 823 equal-cost path. 825 3.2.5. Unknown Unicast Packet Handling 827 When the switched network at an OTV site has no state for a MAC 828 address, it will flood the unicast packet on the spanning tree 829 throughout the site. The Edge Devices are on the spanning tree (like 830 any other switch at the site) so they will receive these unknown 831 unicast packets. 833 It is imperative that the Edge Devices hold previously learned MAC 834 addresses for an extended period of time so that remote Edge Devices 835 can get reachability to these local MACs. So the cache timers will 836 be longer than the traditional MAC aging timers on switches. In 837 fact, the Edge Device MAC aging timers generally need to be greater 838 than the ARP request interval from any host. Either an unknown flood 839 or a broadcast packet could cause an update of the MAC entries in the 840 Edge Device. And when MACs go inactive, an Authoritative Edge Device 841 must withdraw the MAC address from the overlay control plane. 842 Traffic to these unknown destinations will not be forwarded onto the 843 overlay. Thus, OTV does not flood unknown unicasts. In an OTV 844 network unknown destinations become known the moment the host emits 845 at least one packet. The assumption is that no host on the network 846 is completely silent. 848 3.2.6. Multicast Packet Flows 850 A multicast receiver host sends out IGMP/MLD reports for the 851 multicast groups it wants to join. The sites may use either IGMPv2 852 or IGMPv3. A multicast capable switch will forward these reports to 853 router ports and querier ports. The OTV Edge Device behaves as 854 either a querier or a router in the network and hence receives these 855 reports. 857 A host in a site may be a source for an (S,G) group and sends data. 858 This data is flooded or forwarded along IGMP/MLD snooped links by the 859 site switches. When an Edge Device receives this packet, it does a 860 Layer-2 multicast table lookup which may yield several OIFs. If the 861 overlay interface is part of the OIF-list, then the Edge Device 862 encapsulates the packet in an OTV IP header which includes the 863 delivery group (DS, DG) IP addresses. It then emits the resulting IP 864 multicast packet into the core which is forwarded along a core 865 multicast tree to the receiver site edge devices. 867 The receiver site Edge Device also joins one or more (DS, DG) core 868 multicast trees as directed by various source site Edge Devices. 869 This allows it to receive data from other sites. The core multicast 870 trees may either be SSM or ASM though this document focusses on the 871 SSM case. 873 3.2.7. Broadcast Packet Flows 875 A broadcast packet originated at an OTV site needs to be delivered to 876 all sites of the same VPN. This is typically done with the ASM/Bidir 877 group encapsulation which is the same group used for the oURP/oMRP 878 (pMG). A different data group can also be used to forward broadcast 879 traffic. 881 A broadcast packet, sourced in a site, gets to all Edge Devices 882 because each Edge Device is on the site spanning tree. However, 883 duplicates must not be allowed to appear on the overlay network when 884 there are multiple Edge Devices, so the Authoritative Edge Device for 885 the VLAN is the only Edge Device that forwards the packet on the 886 overlay network. All edge devices at a remote site will receive the 887 broadcast packet over the core multicast group. To prevent 888 duplicates going into the site, only the Authoritative Edge Device in 889 that site will forward the packet into the site. And once sent into 890 the site, the packet gets to all switches on the site spanning tree. 891 Because only the AED can forward broadcast packets in or out of the 892 site, broadcast loops are avoided. 894 Other types of packets such as link-local multicast packets and 895 non-IP Layer-2 packets may also be sent along the pMG or on a 896 dedicated data group. 898 3.3. STP BPDU Handling 900 Since the Edge Device acts as an L2 switch it does participate in the 901 Spanning Tree Protocol if the site has been configured to use it. 902 However, there is no STP activity on the overlay interface. The 903 following are the rules an OTV Edge Device will follow: 905 o When STP is configured at a site, an Edge Device will send and 906 receive BPDUs on internal interfaces. An OTV Edge Device will not 907 originate or forward BPDUs on the overlay network. 909 o An OTV Edge Device can become a root of one or more spanning trees. 911 o An OTV Edge Device will take the typical action when receiving 912 Topology Change Notification (TCNs) messages. 914 o When on OTV Edge Device detects another Edge Device in it's site 915 has come up or gone down, it may send a TCN so it can gather new 916 state for when its authoritative status changes for a VLAN. 918 To allow the L2 switch network to scale to larger number of nodes and 919 MAC addresses, it is considered a feature of OTV to maintain and keep 920 the spanning trees small and per site. 922 4. MAC Address Mobility 924 In a traditional layer-2 switched network, mobility of a host is 925 easily achievable because each switch in the network tracks the 926 source MAC address in each packet and the interface the last packet 927 was received on. So if that MAC is later seen on another interface, 928 the new interface can be updated at the same time the packet is 929 forwarded. These fast MAC moves need to be achieved when a MAC moves 930 from one OTV site to another. The Authoritative Edge Device for a 931 VLAN determines a MAC move in combination with traditional learning 932 on the internal interfaces and explicit MAC advertisements on the 933 overlay. 935 If an Authoritative Edge Device has a MAC address stored in the MAC 936 forwarding table which points to the overlay interface, it means that 937 an Edge Device in another site has explicitly advertised the MAC as 938 being local to it's site. Therefore, any packets coming from the MAC 939 will be coming from the overlay. Once that MAC is heard on an 940 internal interface, it has moved into the site. Since it has moved 941 into a new site, the Authoritative Edge Device in the new site is 942 responsible for advertising it. 944 When a MAC appears in a new site, the Authoritative Edge Device will 945 advertise the new MAC address with a metric value of 0. When the 946 Edge Device in the site the MAC has moved from hears the 947 advertisement, it will withdraw the MAC address that it had 948 previously advertised. Once the MAC address is withdrawn, the Edge 949 Device where the MAC has moved to will change the metric value to 1. 950 All remote sites sending to this MAC address will start using the new 951 Edge Device as soon as they hear it's MAC advertisement with metric 952 0. 954 5. Multi-homing 956 A site typically will be multi-homed with multiple Edge Devices 957 connecting to the overlay. This provides the site with increased 958 network redundancy and resilience to failures. 960 When sites are multi-homed, there is a potential for loops to be 961 created between the OTV overlay and the layer-2 domains at different 962 sites. One option to address such loops is to transport STP BPDUs on 963 the overlay and rely on STP to break any loops that may form when 964 multi-homed sites connect to the overlay. However, this is not 965 desirable as it leads to very large or complex STP domains. OTV 966 multi-homing avoids loops through a combination of techniques in the 967 control plane and data plane. 969 OTV does not transport STP BPDUs over the core. As a result, each 970 site will have its own STP domain, which is separate and independent 971 from the STP domains in other sites, even though all sites will be 972 part of a common broadcast or Layer-2 domain. It also does not flood 973 unknown unicast traffic on the overlay. 975 5.1. Authoritative Edge Device Selection 977 An Authoritative Edge Device is an Edge Device that forwards Layer-2 978 frames in and out of a site from and to the overlay network. When a 979 site is multi-homed to the overlay, a proper Authoritative Edge 980 Device selection ensures that traffic crossing the site-overlay 981 boundary does not get duplicated, create loops or cause any churn in 982 the MAC tables of switches within the local and remote sites. 984 The Authoritative Edge Device (AED) may be statically assigned or 985 determined via an election among the devices in the same site. A 986 unique AED may be selected for each VLAN or it may be on a finer MAC- 987 level granularity. In either case, for a given MAC-level flow, the 988 data path will be symmetric. 990 An Authoritative Edge Device has the primary responsibility to 991 advertise locally learned source MAC addresses and IGMP/MLD-snooped 992 multicast addresses in the oURP and oMRP. 994 When done per-VLAN, an AED will be authoritative for all unicast and 995 multicast addresses within a single VLAN. The authoritative 996 responsibility can be shared with other Edge Devices for other VLANs 997 so traffic can be load balanced among all Edge Devices across 998 different VLANs. 1000 For the particular scenario of all-active multi-homing and load 1001 balancing, AEDs may be elected on a finer granularity. Thus there 1002 may be several AEDs in any given VLAN in this case and different 1003 flows can use different Edge Devices. 1005 Protocol adjacencies are set up among the Edge Devices in the same 1006 site. The AED is selected from this list of Edge Devices in the same 1007 site. The AED selection algorithm tries to ensures an even spread of 1008 VLANs across the Edge Devices. A simple mechanism may be via a hash 1009 of the VLAN-ID. Alternatively, a static AED assignment may be to use 1010 a VLAN range division among all Edge Devices in the site. The local 1011 VLAN/AED specific information may be advertised to other Edge 1012 Devices. 1014 Each Edge Device keeps track of the other Edge Devices in the same 1015 site. If an Edge Device has a failure such that it is incapable of 1016 forwarding traffic for its authorized VLANs, other Edge Devices in 1017 the same site will detect or be notified of this event and run the 1018 AED selection procedure to reassign authority for the failed device's 1019 VLANs. 1021 5.2. Site Identifier 1023 All Edge Devices that belong to a single Layer-2 site will advertise 1024 a Site-ID on the overlay control plane. This information is used by 1025 remote Edge Devices to identify the members of the same site. The 1026 Site-ID influences the AED election and path selection from remote 1027 Edge Devices to the local site. The Site-ID may be statically 1028 assigned or dynamically computed by the devices in the same site. 1030 6. IS-IS as an Overlay Control Protocol 1032 This section describes the use of the IS-IS protocol to serve as the 1033 Overlay URP and MRP. The details of the IS-IS PDUs and TLVs defined 1034 for OTV are described in [IS-IS-OTV]. 1036 It is highly desired to leverage the native and existing IS-IS 1037 protocol functionality where feasible. There are some protocol 1038 extensions specific to OTV which are described in this document. 1040 The overlay network serves as a logical multi-access Ethernet LAN 1041 connecting the various Edge Devices. Hence, IS-IS hellos and LSPs 1042 can be exchanged directly over the overlay network similar to IS-IS 1043 operation on a LAN. These IS-IS packets are encapsulated in the OTV 1044 IP multicast header and reach other Edge Devices on the core 1045 multicast tree. In addition, OTV IS-IS packets use a distinct 1046 Layer-2 multicast destination address. Therefore, OTV IS-IS packets 1047 do not conflict with IS-IS packets used for other technologies even 1048 if they may be sent over the same links in the core or arrive at an 1049 Edge Device on the same core uplink interfaces. 1051 IS-IS packets belonging to different overlay VPNs are mutually 1052 isolated and distinguished by the OTV control packet header and the 1053 use of distinct multicast groups in the core. Standard IS-IS 1054 authentication mechanisms may additionally be used to provide further 1055 isolation and authentication of VPN membership. 1057 OTV IS-IS employs IS-IS LAN procedures on the overlay network. It 1058 forms IS-IS adjacencies with all other Edge Devices in the overlay 1059 and elects a Designated Router (DIS). The IS-IS system ID uniquely 1060 identifies an Edge Device in the IS-IS control plane. 1062 IS-IS IIHs are sent and received on the overlay by all Edge Devices. 1063 The IP addresses assigned to the overlay on an Edge Device is 1064 advertised in the IIHs and provides the IP reachability information 1065 to the edge device through the core. 1067 CSNPs are sent on the overlay by the DIS and used to achieve reliable 1068 delivery of the link state database. This link state database holds 1069 LSPs that describe the Edge Device connectivity to the pseudo-node 1070 (or the multi-access overlay network). The LSPs also hold the 1071 unicast MAC information that is advertised by a site Edge Device. 1072 CSNPs are also used to reliably deliver the Group Membership link 1073 state database that holds LSPs describing the multicast MAC group 1074 addresses. OTV IS-IS only maintains the Level-1 link state database. 1076 Unicast MAC address information is carried in LSPs in the MAC- 1077 Reachability (MAC-RI) TLV defined in [IS-IS-Layer2]. All MAC 1078 addresses are typically advertised with a metric of 1. When using 1079 the MAC move procedures, the metric will be set to 0. Definition of 1080 the fields used by OTV is specified in [IS-IS-OTV]. 1082 Multicast related information is carried in LSPs in several different 1083 TLVs specified in [IS-IS-OTV]. The multicast groups that a site has 1084 receivers for are carried in the sub-TLVs of the Group Address TLV. 1085 Multicast sources discovered in a site are advertised in a Group 1086 Membership Active Source TLV. This TLV includes the list of groups 1087 for which the source is sending data along with the core Delivery 1088 Groups to which the advertising Edge Device will map the site data 1089 groups. 1091 When an Adjacency Server is being used, all Edge Devices inform the 1092 Adjacency Server regarding their reachability and capability 1093 information by including in their hellos the Adjacency Server TLV. 1094 The Adjacency Server includes a list of all the Edge Devices it has 1095 heard from, and their capabilities, in its hello PDUs. 1097 The Site-ID information is contained in the Site Identifier TLV and 1098 sent in IS-IS IIHs. 1100 7. Acknowledgements 1102 The authors would like to thank many for their careful review. They 1103 include Venu Nair, Victor Moreno, Ashok Chippa, Sameer Merchant, Tony 1104 Speakman, Raghava Sivaramu, Nataraj Batchu, Sreenivas Duvvuri, Gaurav 1105 Badoni, Veena Raghavan, Marc Woolward and Tim Stevenson. 1107 Many have received individual presentations of OTV and provided 1108 critical feedback early in the design process. These reviewers 1109 include Vince Fuller, Peter Lothberg, Dorian Kim, Peter Schoenmaker, 1110 Mark Berly, Scott Kirby, Dana Blair, Tom Edsall, Dinesh Dutt, 1111 Parantap Lahiri, and Jeff Jensen. 1113 8. Security Considerations 1115 The specifications in this document do not add any new security 1116 issues to Layer-2 bridging technologies. Existing security 1117 mechanisms may be used both in the control plane and in data 1118 forwarding to achieve any security requirements. 1120 This document specifies the use of IS-IS as a control protocol for 1121 OTV. It adds no additional security risks to IS-IS, nor does it 1122 provide any additional security for IS-IS. 1124 9. IANA Considerations 1126 There are new IS-IS PDUs and TLVs being proposed for OTV, and are 1127 defined in [IS-IS-OTV]. 1129 10. Normative References 1131 [IS-IS] ISO/IEC 10589, "Intermediate System to Intermediate System 1132 Intra-Domain Routing Exchange Protocol for use in 1133 Conjunction with the Protocol for Providing the 1134 Connectionless-mode Network Service (ISO 8473)", 2005. 1136 [IS-IS-Layer-2] 1137 Banerjee, A., "Extensions to IS-IS for Layer-2 Systems", 1138 2010. 1140 [IS-IS-OTV] 1141 Rao, D., "IS-IS Extensions to support OTV", 2010. 1143 Authors' Addresses 1145 Hasmit Grover 1146 Cisco Systems 1147 170 W Tasman Drive 1148 San Jose, CA 95138 1149 US 1151 Email: hasmit@cisco.com 1153 Dhananjaya Rao 1154 Cisco Systems 1155 170 W Tasman Drive 1156 San Jose, CA 95138 1157 US 1159 Email: dhrao@cisco.com 1161 Dino Farinacci 1162 Cisco Systems 1163 170 W Tasman Drive 1164 San Jose, CA 95138 1165 US 1167 Email: dino@cisco.com