idnits 2.17.1 draft-hasmit-otv-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (July 08, 2011) is 4676 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Unused Reference: 'IS-IS' is defined on line 1176, but no explicit reference was found in the text Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group H. Grover 3 Internet-Draft D. Rao 4 Intended status: Informational D. Farinacci 5 Expires: January 9, 2012 V. Moreno 6 Cisco Systems 7 July 08, 2011 9 Overlay Transport Virtualization 10 draft-hasmit-otv-03 12 Abstract 14 In today's networking environment most enterprise networks span 15 multiple physical sites. Overlay Transport Virtualization (OTV) 16 provides a scalable solution for L2/L3 connectivity across different 17 sites using the currently deployed service provider and enterprise 18 networks. It is a very cost-effective and simple solution requiring 19 deployment of a one or more OTV functional device at each of the 20 enterprise sites. This solution is agnostic to the technology used 21 in the service provider network and connectivity between the 22 enterprise and the service provider network. This document provides 23 an overview of this technology. 25 Status of this Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on January 9, 2012. 42 Copyright Notice 44 Copyright (c) 2011 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 61 2. Control Plane . . . . . . . . . . . . . . . . . . . . . . . . 8 62 2.1. Provider Control Plane . . . . . . . . . . . . . . . . . . 9 63 2.2. Overlay Control Plane . . . . . . . . . . . . . . . . . . 9 64 2.2.1. Edge Device Discovery and Adjacency setup . . . . . . 10 65 2.2.2. Extended VLANs . . . . . . . . . . . . . . . . . . . . 10 66 2.2.3. Multiple Instances . . . . . . . . . . . . . . . . . . 11 67 2.2.4. Advertising Unicast MAC Routes . . . . . . . . . . . . 11 68 2.2.5. Advertising Multicast Routes . . . . . . . . . . . . . 11 69 2.2.6. Adjacency Server . . . . . . . . . . . . . . . . . . . 12 70 2.3. Connecting an Edge Device to the Overlay . . . . . . . . . 12 71 2.3.1. Edge Devices as MAC Routers . . . . . . . . . . . . . 13 72 2.3.2. Internal Interface Behavior . . . . . . . . . . . . . 13 73 2.3.3. Overlay Interface Behavior . . . . . . . . . . . . . . 13 74 3. Data Plane . . . . . . . . . . . . . . . . . . . . . . . . . . 14 75 3.1. Encapsulation . . . . . . . . . . . . . . . . . . . . . . 14 76 3.2. Forwarding Process . . . . . . . . . . . . . . . . . . . . 17 77 3.2.1. Forwarding between Internal Links . . . . . . . . . . 18 78 3.2.2. Forwarding from an Internal Link to the Overlay . . . 18 79 3.2.3. Forwarding from the Overlay to an Internal Link . . . 18 80 3.2.4. Unicast Packet Flows . . . . . . . . . . . . . . . . . 19 81 3.2.5. Unknown Unicast Packet Handling . . . . . . . . . . . 19 82 3.2.6. Multicast Packet Flows . . . . . . . . . . . . . . . . 20 83 3.2.7. Broadcast Packet Flows . . . . . . . . . . . . . . . . 20 84 3.3. STP BPDU Handling . . . . . . . . . . . . . . . . . . . . 21 85 4. MAC Address Mobility . . . . . . . . . . . . . . . . . . . . . 21 86 5. Multi-homing . . . . . . . . . . . . . . . . . . . . . . . . . 22 87 5.1. Authoritative Edge Device Selection . . . . . . . . . . . 22 88 5.2. Site Identifier . . . . . . . . . . . . . . . . . . . . . 23 89 6. IS-IS as an Overlay Control Protocol . . . . . . . . . . . . . 23 90 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25 91 8. Security Considerations . . . . . . . . . . . . . . . . . . . 25 92 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 93 10. Normative References . . . . . . . . . . . . . . . . . . . . . 26 94 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26 96 1. Overview 98 OTV is a new "MAC in IP" technique for supporting L2 VPNs over an 99 L2/L3 infrastructure. OTV provides an "over-the-top" method of doing 100 virtualization among a large number of sites where the routing and 101 forwarding state is maintained at the network edges, but not within 102 the site or in the core. 104 OTV can be incrementally deployed and reside in a small number of 105 devices at the edge between sites and the core. We call these 106 devices "Edge Devices" which perform typical layer-2 learning and 107 forwarding functions on their site facing interfaces (internal 108 interfaces) and perform IP-based virtualization functions on their 109 core facing interfaces (for which an overlay network is realized). 111 Traditional L2VPN technologies rely heavily on tunnels. Rather than 112 creating stateful tunnels, OTV encapsulates layer 2 traffic with an 113 IP header ("MAC in IP"), but does not create any fixed tunnels. 114 Based on the IP header, traffic is forwarded natively in the core 115 over which OTV is being deployed. This is an important feature as 116 the native IP treatment of the encapsulated packet allows optimal 117 multi-point connectivity as well as optimal broadcast and multicast 118 forwarding, plus any other benefits the routed core may provide to 119 native IP traffic. OTV virtualization is independent of the 120 technology deployed in the core; the core network may be a layer-2 121 metro Ethernet core, a layer-3 IP network core, or an MPLS network 122 core. 124 Layer-2 traffic which requires traversing the overlay to reach its 125 destination, is prepended with an IP header which ensures the packet 126 is delivered to the edge boxes that provide connectivity to the 127 Layer-2 destination in the original MAC header. As shown in figure 128 1, if a destination is reachable via Edge Device X2 (with a core 129 facing IP address of IPB), other Edge Devices forwarding traffic to 130 such destination will add an IP header with a destination IP address 131 of IPB and forward the traffic into the core. The core will forward 132 traffic based on IP address IPB, once the traffic makes it to Edge 133 Device X2 it will be stripped of the overlay IP header and it will be 134 forwarded into the site in the same way a regular bridge would 135 forward a packet at layer-2. Broadcast or multicast traffic is 136 encapsulated with a multicast header and follows a similar process. 138 +----+ +----+ 139 | H1 |------- ------------ -------| H2 | 140 +----+ \ / \ / +----+ 141 \+----+IPA / L3 Core \ IPB+----+/ 142 ---------| X1 |----< >---| X2 |-------- 143 /+----+ \ Network / +----+\ 144 / \ / \ 145 ------------ 147 +------------+ 148 | DA = IPB | 149 +------------+ 150 | SA = IPA | 151 +-----------+ +------------+ +-----------+ 152 | DMAC = H2 | | DMAC = H2 | | DMAC = H2 | 153 +-----------+ +------------+ +-----------+ 154 | SMAC = H1 | | SMAC = H1 | | SMAC = H1 | 155 +-----------+ +------------+ +-----------+ 156 | VLAN-ID | | VLAN-ID | | VLAN-ID | 157 +-----------+ +------------+ +-----------+ 158 | Payload | | Payload | | Payload | 159 +-----------+ +------------+ +-----------+ 161 Figure 1. Traffic flow from H1 to H2 with encapsulation in the core. 163 The key piece that OTV adds is the state to map a given destination 164 MAC address in the L2 VPN to an IP address of the OTV Edge Device 165 behind which that MAC address is located. OTV forwarding is a 166 function of mapping a destination MAC address in the VPN site to an 167 Edge Device IP address in the overlay network. 169 To achieve all this, a control plane is required to exchange the 170 reachability information among the different OTV Edge Devices. We 171 will refer to this control plane as the oURP and oMRP (Overlay 172 Unicast Routing Protocol and Overlay Multicast Routing Protocol). 173 OTV does not flood unknown unicast traffic among Edge Devices and 174 therefore precludes data-plane learning on the "overlay interface". 175 Data-plane learning continues to happen on the "internal interfaces" 176 to provide compatibility and transparency within the layer-2 sites 177 connecting to the OTV overlay. The Edge Devices appear to each VPN 178 site to be providing L2 switched network connectivity amongst those 179 sites. 181 This document describes the use of IS-IS as an IGP capable of 182 carrying both MAC unicast and multicast and IP multicast group 183 addresses, thereby serving as both the oURP and oMRP. However, any 184 other suitable routing protocol can be used as the OTV control 185 protocol. The information carried in IS-IS LSPs will be MAC unicast 186 addresses and multicast addresses with their associated VLAN IDs and 187 IP next hops. The MAC addresses are those of the hosts connecting to 188 the network and the IP next hops are the addresses of the Edge 189 Devices through which these are reachable in the core. Figure 2 190 shows what the resulting tables would look like in a simple two site 191 example. 193 +----+ +----+ 194 | H1 |------- ------------ -------| H2 | 195 +----+ \ / \ / +----+ 196 E1\+----+IPA / L3 Core \ IPB+----+/E1 197 ---------| X1 |----< >---| X2 |-------- 198 /+----+ \ Network / +----+\ 199 / Overlay1 \ /Overlay1 \ 200 ------------ 202 At X1 At X2 203 +----------------------------+ +----------------------------+ 204 | Destination | Interface/NH | | Destination | Interface/NH | 205 |----------------------------| |----------------------------| 206 | H1 | E1 | | H1 | Overlay1:IPA | 207 | H2 | Overlay1:IPB | | H2 | E1 | 208 +----------------------------+ +----------------------------+ 210 Figure 2. OTV Forwarding Tables. 212 Edge Devices will have an IP address reachable through their core 213 facing interface(s), and these nodes join a configured ASM/Bidir 214 multicast group in the core transport network. The core or the 215 provider network relies on a provider Unicast Routing Protocol (pURP) 216 and a provider Multicast Routing Protocol (pMRP) to connect the Edge 217 Devices to one another. It is not strictly required that the Edge 218 Devices participate in the pURP/pMRP. They typically connect as 219 hosts to the core network. This is compatible and consistent with 220 today's interconnection policies. However, the solution also 221 supports the scenario where the Edge Devices do actively participate 222 at Layer-3 in the pURP/pMRP. 224 The multicast group that the Edge Devices join is referred to as the 225 "Provider Multicast Group (pMG)". The pMG will be used for Edge 226 Devices to become adjacent with each other to exchange their IS-IS 227 Hellos, LSPs and CSNPs. Thus, by virtue of the pMG, all Edge Devices 228 will see each other as if they were directly connected to the same 229 multi-access multicast-capable segment for the purposes of IS-IS 230 peering. The pMG also defines a VPN; thus, when an Edge Device joins 231 a pMG the site becomes part of a VPN. Multiple pMGs can be defined 232 to define multiple VPNs. 234 The pMG can also be used to broadcast data traffic to all Edge 235 Devices when necessary. Broadcast transmission will not incur head- 236 end replication overhead. OTV allows the pMRP to efficiently 237 distribute broadcast traffic by the provider ASM/Bidir group. 239 When forwarding of VPN multicast is required, new multicast state 240 will be used in order to tailor the distribution trees to the optimal 241 group of receivers, these multicast groups are to be created in the 242 provider control plane (pMRP). For instance, each core device will 243 resort to using SSM multicast in the core by having the Edge Device 244 IGMPv3/ MLDv2 join a {source, group} pair. 246 Edge Devices must combine data-plane learning on their bridged 247 internal interfaces with control-plane learning on their overlay 248 interfaces. The key to this combination is a series of rules through 249 which data-plane events can trigger control-plane advertisements 250 and/or learning events. 252 OTV supports L2 multi-homing for sites where one or more of the 253 bridge domains may be connected to multiple Edge Devices. It 254 supports both active-backup and active-active multi-homing 255 capabilities to sites. OTV provides loop elimination for multi-homed 256 "sites" and does not require the extension of STP across sites. This 257 means each site can run it own STP rather than have to create one 258 large STP domain across sites. 260 1.1. Terminology 262 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 263 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 264 document are to be interpreted as described in RFC 2119. 266 Site - A Site is a single or multi-homed connected network which 267 is typically under the control of a single organization. Sites 268 are connected together via Edge Devices that operate in an overlay 269 network. The Edge Devices provide layer-2 connectivity among the 270 sites. A site will not be used by IS-IS as a transit network. A 271 layer-2 site is one that is mostly made up of hosts and switches. 272 Routers may exist but the majority of the topology to the Edge 273 Devices are L2 switched. The MAC addresses advertised on the 274 overlay network are all the hosts and routers connected to the L2 275 devices at the site. The site typically has several VLANs or 276 bridging domains being actively used. A layer-3 site is one that 277 is mostly made up of routers connecting to hosts via switches. 278 The majority of the topology to the Edge Devices are L3 routed. 280 The number of MAC addresses advertised on the overlay network are 281 limited to the router devices at the site. 283 VPN - A VPN is a collection of sites which are controlled by a 284 single administration. The addressing plan, router and switch 285 configuration is consistent as it would be if the sites were 286 physically at the same location. There is one overlay network per 287 VPN which connects all sites. Each VPN uses a dedicated ASM/Bidir 288 provider multicast group allocated by the core network, which 289 provides the separation from other VPNs for the control plane, as 290 well as in the data plane. 292 Edge Device - A modified L2 switch that performs OTV functions. 293 It will run as an L2 device on the site side, but performs L3 294 functions on the core facing interfaces. When OTV functionality 295 is described, this functionality only occurs in an Edge Device. 297 Internal Interface - These are Layer-2 interfaces connected to 298 site based switches or site based routers. The internal interface 299 is layer-2 regardless if it connects to a switch or a router. 301 Overlay Interface - This is a logical multi-access multicast- 302 capable interface. The overlay interface can replicate broadcast 303 and multicast packets efficiently. The overlay interface provides 304 an IP unicast or multicast encapsulation for L2 frames transmitted 305 from the site. The overlay interface is realized by one or more 306 physical core facing interfaces. The core facing interfaces are 307 assigned IP addresses out of the core provider's address space. 309 MAC Table - This is a forwarding table of 48-bit MAC addresses. 310 The table can contain unicast or multicast MAC addresses. The 311 table is populated by two sources. One being traditional data- 312 plane learning on internal interfaces and the other by the URP/MRP 313 at the control-plane on the overlay interface. A MAC table is 314 scoped by VLAN therefore allowing the same MAC address to be used 315 in different VLANs, and potentially in different VPNs. 317 Authoritative Edge Device (AED) - This is an Edge Device that 318 forwards Layer-2 frames in and out of a site from and to the 319 overlay interface. Depending on the multi-homing granularity in 320 use, there will be a single AED in the site for a given VLAN or 321 for a given MAC-level flow. 323 Site-ID - Each Edge Device which resides in an OTV site will 324 advertise over the overlay network the same site-id. The site-id 325 may be determined dynamically or by static configuration. 327 (VLAN, uMAC) - This is the designation of layer-2 network 328 reachability information as encoded in the URP and as stored in 329 the MAC table. This notation describes a given unicast MAC 330 address within a particular VLAN. 332 (VLAN, mMAC, mIP) - This is the designation of layer-2 network 333 reachability information as encoded in the MRP and as stored in 334 the MAC/IP table. This notation describes a given multicast 335 MAC/IP address within a particular VLAN. The 'mIP' part of the 336 3-tuple is provided so both Layer-2 switching and the SSM based 337 tree joins can occur based on the IP group address (since 32-to-1 338 aliasing can happen for IPv4 group address to MAC mappings and 339 worse for IPv6). 341 2. Control Plane 343 This section discusses the control plane hierarchy. At the very base 344 of the hierarchy we find the provider control plane, which enables 345 unicast reachability among the edge boxes and also provides the 346 multicast group that makes edge boxes adjacent from the overlay 347 control plane perspective. The provider control plane also provides 348 the multicast trees in the core that will be used for optimal 349 forwarding of the layer-2 site data traffic. 351 At the next level, the overlay control plane provides discovery of 352 the Edge Devices that are part of the overlay and conveys client-MAC- 353 address reachability and client-multicast group information between 354 the edge devices. 356 In general, the control planes are independent of each other. 357 However, in order to optimize multicasting, multicast control-plane 358 events (reports, joins, leaves) that occur in one MRP may initiate 359 events in another MRP so that the optimal tree is always being used 360 to forward traffic. Also, events in the overlay control plane are 361 triggered by forwarding events in the client data plane (however both 362 client and overlay control planes remain independent of each other). 364 |<------------------------ cURP/cMRP ------------------------>| 365 | | 366 | | 367 | |<--------- oURP/oMRP --------->| | 368 | | | | 369 | | | | 370 | | |<--- pURP/pMRP -->| | | 371 | | | (pMG) | | | 372 | | | | | | 373 | | | | | | 374 +----+ +--+ | | | | +--+ +----+ 375 | R1 |----|S1| | | ------------ | | |S2|----| R2 | 376 +----+ +--+ | | / \ | | +--+ +----+ 377 \+----+IPA | / L3 Core \ | IPB+----+/ 378 ------| X1 |-----< >-----| X2 |----- 379 /+----+ \ Network / +----+\ 380 \ / 381 ------------ 383 Figure 3. OTV Control Plane Hierarchy 385 2.1. Provider Control Plane 387 The provider control plane is the set of routing protocols which run 388 in the core infrastructure to be able to deliver packets sourced from 389 the site networks. There is no required coordination of routing 390 protocols between the site and the core. That is, no more than 391 typically necessary to connect to a core service. In terms of 392 addressing, the Edge Device is allocated an IP address out of the 393 core block of addresses. 395 For each VPN the Edge Device is to support, a multicast group is 396 required to be allocated from the provider core at a minimum. This 397 multicast group is typically ASM/BiDir. In addition, the multicast 398 state created in the client site network will map to some amount of 399 state in the core network. However, it is not required to provision 400 a unique group for every client data group. The Edge Device takes a 401 client multicast packet and encapsulates it in a core-deliverable 402 multicast packet. 404 2.2. Overlay Control Plane 406 The overlay control plane provides auto-discovery of the Edge Devices 407 that are members of an Overlay VPN. It also conveys Layer-2 unicast 408 and multicast reachability information from a site to Edge Devices in 409 other sites and the VLANs or layer-2 bridge domains being extended. 411 The MAC addresses that are locally connected to an Edge Device are 412 advertised in the overlay URP to other Edge Devices in the VPN. 413 Thus, MAC learning on the overlay is not based on data plane 414 flooding, but is based on explicit advertisements of MAC addresses 415 done by the overlay control plane. Similarly, the multicast groups 416 that a site has receivers or sources for are advertised in the 417 overlay MRP to other Edge Devices in the VPN. 419 2.2.1. Edge Device Discovery and Adjacency setup 421 The overlay URP establishes adjacencies only between Edge Devices 422 that are in the same VPN. Edge Devices become part of a VPN when 423 they join a multicast group defined in the core (provider MRP); 424 devices using the same group are members of the same VPN. Thus, the 425 adjacency setup provides a very simple mechanism to automatically 426 discover members of the VPN. The hellos and updates between overlay- 427 URP peers travel over the multicast group defined in the pMRP. Thus, 428 Edge Devices peer with each other as if they were directly connected 429 at layer-2. This peering is possible as all the traffic for the oURP 430 is encapsulated with the pMRP group address and sent into the core. 431 Thus, all Edge Devices in a given VPN receive the oURP multicast 432 traffic as if they were all on the same segment. Similarly, the 433 overlay MRP packets are encapsulated with the pMRP group address 434 corresponding to the VPN. The overlay MRP is used to inform all the 435 Edge Devices that the subscribers to a particular group are reachable 436 over the overlay network. 438 An Edge Device can support multiple overlay VPNs. Each overlay has 439 its own dedicated provider-multicast group address and a distinct set 440 of adjacencies. There may be multiple overlay adjacencies between 441 the same set of Edge Devices, or the membership may be disjoint for 442 each overlay. 444 2.2.2. Extended VLANs 446 Each overlay basically extends a set of VLANs or layer-2 bridge 447 domains among the member sites. On a given Edge Device, a set of 448 VLANs is uniquely extended on a specific overlay. Other VLANs may be 449 extended on other overlays. This entails both advertising and 450 accepting information in the control plane such as VLANs and their 451 associated MAC and group information, as well as forwarding unicast, 452 multicast and broadcast traffic for these VLANs. 454 To allow scalability of connecting large L2 sites together via the 455 overlay, by default, an Edge Device will not advertise any 456 information for any VLANs. To avoid inadvertent merging of VLANs 457 among sites, Edge Devices will be required to configure the VLANs for 458 which Edge Devices will advertise reachability information for. 460 2.2.3. Multiple Instances 462 An Edge Device may support bridging of multiple distinct layer-2 463 domains with overlapping VLANs which are to be treated as distinct. 464 These VLANs may be extended on the overlay by treating them as 465 separate instances both in advertising control plane information and 466 while forwarding in the data plane. A single overlay VPN can support 467 more than one instance among the Edge Devices in that overlay. 469 2.2.4. Advertising Unicast MAC Routes 471 When a MAC address is learned by arrival of a data packet on an 472 internal interface, the Edge Device advertises the MAC address on the 473 overlay URP. In addition to conveying the MAC address reachability 474 to other edge devices, it also provides a mapping to one of the IP 475 addresses of the advertising Edge Device; i.e., the IP next-hop and 476 encapsulation for that MAC address. Typically, even if a site is 477 multi-homed, a unicast MAC address is advertised by a single Edge 478 device, that is the Authoritative Edge Device. Hence, remote Edge 479 Devices will see a single path to reach a given MAC address. 480 However, when active-active multihoming is being used, there will be 481 equal-cost paths to reach a MAC address in a site and the sender Edge 482 Device will load-balance flows among the paths. 484 2.2.5. Advertising Multicast Routes 486 An Edge Device learns about the multicast groups that hosts in the 487 site are interested in by snooping IGMP/MLD reports on the internal 488 interfaces. When a multicast MAC or group address is learned, the 489 Edge Device notifies other Edge Devices about it by placing a 490 (VLAN,mMAC,mIP) entry in a multicast control PDU. Thus, the overlay 491 MRP informs all the Edge Devices that the subscribers to a particular 492 group are reachable over the overlay network. This information is 493 used by Edge Devices to populate their multicast oif-list at the 494 source site. As long as there is one site that has a receiver for a 495 multicast group, the Edge Devices at the source site will forward 496 traffic for that group onto the overlay. Edge Devices at the 497 receiving sites will also join the corresponding multicast group in 498 the provider plane (pMRP). Thus, multicast trees are built natively 499 in the core, not on the overlay, and provide optimal delivery of 500 multicast data. 502 2.2.5.1. Delivery Groups 504 Delivery groups are multicast groups used in the core network to 505 transport site multicast traffic. Multicast data for various 506 customer data groups are aggregated into a typically smaller set of 507 core multicast trees, without requiring extensive coordination 508 between OTV edge boxes. Delivery group selection is centralized at 509 each source OTV Edge Device which controls the mapping of a (S,G) to 510 a (DS, DG). It exports this mapping to other Edge Devices so that 511 they can join the (DS, DG) in the core. Link-local site multicast 512 groups may also map to a specific delivery group instead of the 513 provider multicast group used for control packets. Delivery group 514 mapping allows for fair amount of flexibility for the customer sites 515 and the provider to decide control of state versus bandwidth tradeoff 516 in the core. 518 When a receiver site Edge Device learns a (S, G) to (DS, DG) mapping, 519 it joins the (DS, DG) tree in the core. As an optimization, this 520 join may be done only if there are local receivers for the group. It 521 also installs a layer-3 multicast route for (DS,DG) to decapsulate 522 incoming packets with the appropriate core uplink interface as the 523 RPF interface. 525 2.2.5.2. Active Source Discovery 527 An OTV Edge Device will advertise a delivery group mapping for a 528 (*,G) or (S,G) route only when there is an active source sending data 529 in its site. For this, the Edge Device will learn the active sources 530 by snooping multicast data received on the internal interfaces. If a 531 remote receiver interested in this group, a (VLAN, S,G) entry is 532 installed with the overlay as an OIF and the (DS,DG) as outer 533 encapsulation. When IGMP/MLD is being used on the core uplink, the 534 (DS,DG) encapsulated packet may be emitted directly on the uplink 535 interface. The first-hop router on the other end of the core uplink 536 will then forward this packet along the core multicast tree. 538 2.2.6. Adjacency Server 540 In case the provider core does not support ASM/Bidir multicast, there 541 is an alternate mechanism to discover the remote Edge Devices which 542 are part of a VPN. In this scenario, an Edge Device is configured as 543 an Adjacency Server. All other Edge Devices inform the Adjacency 544 Server regarding their reachability and capability information via 545 the overlay control plane. Adjacency Server is responsible for 546 informing all the other existing Edge Devices regarding addition or 547 loss of an Edge Device. Based on the reachability information, the 548 Edge Devices can further communicate with one another directly using 549 unicast or multicast data path. 551 2.3. Connecting an Edge Device to the Overlay 553 In order to successfully connect to the overlay, the Edge Device has 554 several functions on its different interfaces. These are summarized 555 in this section. 557 2.3.1. Edge Devices as MAC Routers 559 The Edge Device need not participate in the provider URP (pURP) as a 560 router, but can simply behave as a host. This keeps its requirements 561 and functionality simple. In this mode, the Edge Device has an IP 562 address which is significant in the core/provider addressing space. 563 The Edge Device joins the multicast groups in the core by issuing 564 IGMPv3/MLDv2 reports, just like a host would. Thus the Edge Device 565 does not have an IGP relationship with the core. This allows for 566 simpler insertion into any type of core network. 568 However, the Edge Device does participate in the overlay URP and its 569 IP address is used as a router ID and a next-hop address for unicast 570 traffic by the overlay URP. However, the Edge Device does not build 571 an IP routing table with the information received from the oURP, but 572 rather builds a hybrid table where MAC address destinations are 573 reachable via IP next-hop addresses. This may be termed as a MAC 574 router because it can route packets based on MAC addresses. 576 Thus, Edge Devices are IP hosts in the provider plane, MAC routers in 577 the overlay plane and bridges in the client bridging plane. It 578 should be noted that Edge Devices can also support full IP routing 579 functionality and participate in the pURP/pMRP as routers. 581 2.3.2. Internal Interface Behavior 583 The internal interfaces on an Edge Device are bridged interfaces and 584 are indifferent to whether the site itself is L2 or L3. These 585 interfaces behave as regular switch interfaces and learn the source 586 MAC addresses of traffic they receive. Spanning tree BPDUs are 587 received, processed and sourced on internal interfaces as they would 588 on a regular 802.1d, 802.1s and 802.1w switch. IGMP/MLD and data 589 snooping is enabled on internal interfaces to discover local 590 receivers and sources in the site. Additionally, traffic received on 591 internal interfaces may trigger oURP/oMRP advertisements and/or pMRP 592 group joins as described earlier. 594 Traffic received on an internal interface will be forwarded according 595 to the MAC and multicast tables either onto other internal interfaces 596 (regular bridging) or onto the overlay (OTV forwarding). This is 597 explained in detail in the Forwarding section. 599 2.3.3. Overlay Interface Behavior 601 An overlay interface is a logical interface which is associated with 602 an IP address in the provider/core address space. Traffic out of 603 these interfaces is encapsulated with an IP header, and traffic 604 received on these interfaces must be de-capsulated to produce a L2 605 frame. The encapsulated packets exit the Edge Device on one or more 606 underlying physical or logical L3 interfaces. 608 STP BPDUs are not sourced from overlay interfaces, therefore there 609 should not be STP BPDUs in the core, nor do the overlay interfaces 610 participate in the spanning tree protocol. 612 The IP addresses assigned to the overlay interfaces are used as next- 613 hop addresses by the overlay-URP, therefore the MAC table for the 614 overlay interface will include a remote IP address as the next-hop 615 information for remote MAC addresses. 617 3. Data Plane 619 3.1. Encapsulation 621 The overlay encapsulation format is a Layer-2 ethernet frame 622 encapsulated in UDP inside of IPv4 or IPv6. 624 The format of OTV UDP IPv4 encapsulation is as follows: 626 1 2 3 627 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 628 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 629 |Version| IHL |Type of Service| Total Length | 630 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 631 | Identification |Flags| Fragment Offset | 632 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 633 | Time to Live | Protocol = 17 | Header Checksum | 634 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 635 | Source-site OTV Edge Device IP Address | 636 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 637 | Destination-site OTV Edge Device (or multicast) Address | 638 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 639 | Source Port = xxxx | Dest Port = 8472 | 640 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 641 | UDP length | UDP Checksum = 0 | 642 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 643 |R|R|R|R|I|R|R|R| Overlay ID | 644 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 645 | Instance ID | Reserved | 646 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 647 | | 648 | Frame in Ethernet or 802.1Q Format | 649 | | 650 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 652 The format of OTV UDP IPv6 encapsulation is as follows: 654 0 1 2 3 655 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 656 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 657 |Version| Traffic Class | Flow Label | 658 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 659 | Payload Length | Next Header=17| Hop Limit | 660 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 661 | | 662 + + 663 | | 664 + Source-site OTV Edge Device IPv6 Address + 665 | | 666 + + 667 | | 668 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 669 | | 670 + + 671 | | 672 + Destination-site OTV Edge Device (or multicast) Address + 673 | | 674 + + 675 | | 676 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 677 | Source Port = xxxx | Dest Port = 8472 | 678 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 679 | UDP Length | UDP Checksum | 680 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 681 |R|R|R|R|I|R|R|R| Overlay ID | 682 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 683 | Instance ID | Reserved | 684 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 685 | | 686 | Frame in Ethernet or 802.1Q Format | 687 | | 688 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 690 Outer IPv4 (or IPv6) Header: 692 Version: Set to value 4 (or 6) in decimal. 694 IHL: Set to value 5 in decimal meaning there are no IP options 695 present in an OTV encapsulated packet. 697 Type of Service/Traffic Class: The 802.1P bits from the Ethernet 698 Frame are copied to this field. 700 Total Length: The total length of the IPv4 datagram in bytes. This 701 includes the IPv4 header, the UDP header, the OTV header, and the L2 702 frame without the preamble and CRC fields. 704 Payload length: The length of the IPv6 payload in bytes. This 705 includes the UDP header, the OTV header, and the L2 frame without the 706 preamble and CRC fields. 708 Identification: Set randomly by the OTV Edge Device. 710 Flags: The DF bit should be set to 1. 712 Time to Live/Hop Limit: Set by the OTV Edge Device and is 713 configurable. 715 Protocol/Next Header: Since the packet is UDP encapsulated, this 716 field is set to 17 decimal. 718 Header Checksum: Must be computed by the OTV Edge Device over the IP 719 header fields. 721 Source Address: The IPv4 (or IPv6) address of the OTV Edge Device 722 doing the encapsulation of the L2 frame. 724 Destination Address: The IPv4 (or IPv6) unicast or multicast address 725 set by the OTV Edge Device which is encapsulating the L2 frame. The 726 Edge Device decides when the address is set to a unicast or multicast 727 addresss. 729 UDP Header: 731 Source Port: Is chosen by the OTV Edge Device which is encapsulating 732 the L2 frame based on a hash of the L2 frame. This allows packets to 733 be load-split evenly over LAGs on routers in the core, responsible 734 for delivering these IP encapsulated packets. 736 Destination Port: This is an IANA assigned well-known user port 737 number. Packets encapsulated by an OTV Edge Device put value 8472 in 738 the destination port field. 740 UDP Length: Is the length in bytes of the UDP header, the OTV header, 741 and the L2 frame without the preamble and CRC fields. 743 UDP Checksum: This is set to 0 by the OTV Edge Device when doing 744 encapsulation and ignored by the OTV Edge Device which is 745 decapsulating at the destination site. 747 OTV Header: 749 Flags: 751 'I' - Instance-ID bit. When set to 1, it indicates the Instance ID 752 should be used in the forwarding lookup. 754 'R' - Reserved bits. 756 Overlay ID: Is used only for control plane packets such as the URP/ 757 MRP (IS-IS) to identify packets for a specific overlay. 759 Instance ID: Set by the OTV Edge Device doing the encapsulation to 760 specify a logical table that should be used for lookup by the OTV 761 Edge Device at the destination site. 763 L2 Ethernet Frame: 765 The L2 Frame minus the preamble and CRC received on an internal link 766 by an OTV Edge Device. 768 The addition of OTV encapsulation headers increases the size of an L2 769 packet received on an internal interface such that the core uplinks 770 on the Edge Device as well as the routers in the core need to support 771 an appropriately larger MTU. OTV encapsulated packets must not get 772 fragmented as they traverse the core, and hence the IP header is 773 marked to not fragment by the Edge Device. The Edge Device drops 774 packets that exceed the core uplink MTU. 776 The following tables enumerates how MAC level packets are 777 encapsulated in the OTV header. 779 MAC-level Frame OTV IP Encapsulation 780 --------------- -------------------- 781 Unicast Frame IP unicast packet 782 Broadcast Frame ASM/Bidir IP multicast packet 783 Link-local Multicast Frame ASM/Bidir IP multicast packet 784 Data Multicast Frame SSM IP multicast packet 786 3.2. Forwarding Process 788 Most of the interesting forwarding cases happen when a packet comes 789 from the Overlay Link to be forwarded to an Internal Link, or vice 790 versa. But for completeness, forwarding between internal links is 791 also described 793 3.2.1. Forwarding between Internal Links 795 When an Edge Device has internal links, it operates like a 796 traditional L2 switch. That is, it will send unicast packets on a 797 port where the MAC was learned; it will send multicast packets on the 798 ports it has IGMP/MLD-snooped; and it will send broadcast packets out 799 all ports for a given VLAN or layer-2 bridge domain 801 3.2.2. Forwarding from an Internal Link to the Overlay 803 An Edge Device will decide to forward a Layer-2 unicast, multicast, 804 or broadcast packet over the overlay interface when the overlay 805 control plane has put the logical port of the overlay interface in 806 the forwarding table, such as for the corresponding unicast or 807 multicast address. When a packet is sent over the overlay interface, 808 it is first prepended with an OTV header that includes the IP address 809 of the overlay next-hop. The packet as received from the internal 810 interface is not touched other than to remove the preamble and FCS 811 from the frame. The IP address, outer MAC address and other 812 encapsulation information are all installed in the forwarding 813 hardware by the control plane so the OTV header can be prepended and 814 the packet forwarded at high rate. 816 The Edge Device has to be eligible to forward this packet as per the 817 control plane, such as being the Authoritative Edge Device. Multi- 818 homing of sites imposes additional rules on the forwarding of traffic 819 as described later in this document. 821 3.2.3. Forwarding from the Overlay to an Internal Link 823 When a packet is received on the overlay interface, it will need to 824 be IP decapsulated to reveal the inner MAC header for forwarding. 825 The inner MAC header SA and DA addresses and VLAN-ID will used for 826 forwarding actions. For any type of packet received on the overlay 827 interface, it will be accepted only if the Edge Device is the 828 Authoritative Edge Device as determined by an inspection of the 829 received packet header. 831 When a unicast packet is received on the overlay interface, the outer 832 OTV IP header is removed, and the VLAN-ID and the MAC DA from the 833 inner header is used to do the MAC table lookup. Here onwards, this 834 is a regular bridging operation, whether the MAC address entry is 835 present or not. 837 When a multicast packet is received on the overlay interface, the 838 outer OTV IP header is removed. The VLAN-ID and inner MAC header SA 839 and DA or inner IP header SA and DA are used to do a Layer-2 840 multicast table lookup and forward the packet on the right internal 841 interfaces. A multicast packet received from the overlay will not be 842 sent back out on the overlay. 844 When a broadcast packet is received on the overlay interface, the 845 outer OTV IP header is removed and the packet is then flooded on all 846 internal interfaces. 848 3.2.4. Unicast Packet Flows 850 Hosts typically generate ARP requests and learn the MAC addresses of 851 other hosts from ARP requests and replies. Switches learn the source 852 MACs from packet headers and store this state to optimally forward 853 traffic destined to these MACs. The OTV Edge Devices will also learn 854 the MACs locally on their site facing interfaces, and will install 855 remote MACs received over the overlay control plane into the local 856 MAC table with the appropriate remote Edge Devices as next-hops. 858 Once these actions take place, every switch will forward the L2 859 packet based on the MAC table entry. The OTV Edge Device at the 860 source site will also do a MAC table lookup which will yield a next- 861 hop entry pointing to a remote Edge Device. Once the OTV header with 862 the IP address is prepended, the packet is then forwarded to the 863 destination Edge Device at Layer-3 as a regular IP packet. 865 The Edge Device as well as the core routers may load-balance these 866 encapsulated packets among equal-cost multiple Layer-3 paths, with 867 packets belonging to a single Layer-2 flow being hashed to a specific 868 equal-cost path. 870 3.2.5. Unknown Unicast Packet Handling 872 When the switched network at an OTV site has no state for a MAC 873 address, it will flood the unicast packet on the spanning tree 874 throughout the site. The Edge Devices are on the spanning tree (like 875 any other switch at the site) so they will receive these unknown 876 unicast packets. 878 It is imperative that the Edge Devices hold previously learned MAC 879 addresses for an extended period of time so that remote Edge Devices 880 can get reachability to these local MACs. So the cache timers will 881 be longer than the traditional MAC aging timers on switches. In 882 fact, the Edge Device MAC aging timers generally need to be greater 883 than the ARP request interval from any host. Either an unknown flood 884 or a broadcast packet could cause an update of the MAC entries in the 885 Edge Device. And when MACs go inactive, an Authoritative Edge Device 886 must withdraw the MAC address from the overlay control plane. 887 Traffic to these unknown destinations will not be forwarded onto the 888 overlay. Thus, OTV does not flood unknown unicasts. In an OTV 889 network unknown destinations become known the moment the host emits 890 at least one packet. The assumption is that no host on the network 891 is completely silent. 893 3.2.6. Multicast Packet Flows 895 A multicast receiver host sends out IGMP/MLD reports for the 896 multicast groups it wants to join. The sites may use either IGMPv2 897 or IGMPv3. A multicast capable switch will forward these reports to 898 router ports and querier ports. The OTV Edge Device behaves as 899 either a querier or a router in the network and hence receives these 900 reports. 902 A host in a site may be a source for an (S,G) group and sends data. 903 This data is flooded or forwarded along IGMP/MLD snooped links by the 904 site switches. When an Edge Device receives this packet, it does a 905 Layer-2 multicast table lookup which may yield several OIFs. If the 906 overlay interface is part of the OIF-list, then the Edge Device 907 encapsulates the packet in an OTV IP header which includes the 908 delivery group (DS, DG) IP addresses. It then emits the resulting IP 909 multicast packet into the core which is forwarded along a core 910 multicast tree to the receiver site edge devices. 912 The receiver site Edge Device also joins one or more (DS, DG) core 913 multicast trees as directed by various source site Edge Devices. 914 This allows it to receive data from other sites. The core multicast 915 trees may either be SSM or ASM though this document focusses on the 916 SSM case. 918 3.2.7. Broadcast Packet Flows 920 A broadcast packet originated at an OTV site needs to be delivered to 921 all sites of the same VPN. This is typically done with the ASM/Bidir 922 group encapsulation which is the same group used for the oURP/oMRP 923 (pMG). A different data group can also be used to forward broadcast 924 traffic. 926 A broadcast packet, sourced in a site, gets to all Edge Devices 927 because each Edge Device is on the site spanning tree. However, 928 duplicates must not be allowed to appear on the overlay network when 929 there are multiple Edge Devices, so the Authoritative Edge Device for 930 the VLAN is the only Edge Device that forwards the packet on the 931 overlay network. All edge devices at a remote site will receive the 932 broadcast packet over the core multicast group. To prevent 933 duplicates going into the site, only the Authoritative Edge Device in 934 that site will forward the packet into the site. And once sent into 935 the site, the packet gets to all switches on the site spanning tree. 936 Because only the AED can forward broadcast packets in or out of the 937 site, broadcast loops are avoided. 939 Other types of packets such as link-local multicast packets and 940 non-IP Layer-2 packets may also be sent along the pMG or on a 941 dedicated data group. 943 3.3. STP BPDU Handling 945 Since the Edge Device acts as an L2 switch it does participate in the 946 Spanning Tree Protocol if the site has been configured to use it. 947 However, there is no STP activity on the overlay interface. The 948 following are the rules an OTV Edge Device will follow: 950 o When STP is configured at a site, an Edge Device will send and 951 receive BPDUs on internal interfaces. An OTV Edge Device will not 952 originate or forward BPDUs on the overlay network. 954 o An OTV Edge Device can become a root of one or more spanning trees. 956 o An OTV Edge Device will take the typical action when receiving 957 Topology Change Notification (TCNs) messages. 959 o When on OTV Edge Device detects another Edge Device in it's site 960 has come up or gone down, it may send a TCN so it can gather new 961 state for when its authoritative status changes for a VLAN. 963 To allow the L2 switch network to scale to larger number of nodes and 964 MAC addresses, it is considered a feature of OTV to maintain and keep 965 the spanning trees small and per site. 967 4. MAC Address Mobility 969 In a traditional layer-2 switched network, mobility of a host is 970 easily achievable because each switch in the network tracks the 971 source MAC address in each packet and the interface the last packet 972 was received on. So if that MAC is later seen on another interface, 973 the new interface can be updated at the same time the packet is 974 forwarded. These fast MAC moves need to be achieved when a MAC moves 975 from one OTV site to another. The Authoritative Edge Device for a 976 VLAN determines a MAC move in combination with traditional learning 977 on the internal interfaces and explicit MAC advertisements on the 978 overlay. 980 If an Authoritative Edge Device has a MAC address stored in the MAC 981 forwarding table which points to the overlay interface, it means that 982 an Edge Device in another site has explicitly advertised the MAC as 983 being local to it's site. Therefore, any packets coming from the MAC 984 will be coming from the overlay. Once that MAC is heard on an 985 internal interface, it has moved into the site. Since it has moved 986 into a new site, the Authoritative Edge Device in the new site is 987 responsible for advertising it. 989 When a MAC appears in a new site, the Authoritative Edge Device will 990 advertise the new MAC address with a metric value of 0. When the 991 Edge Device in the site the MAC has moved from hears the 992 advertisement, it will withdraw the MAC address that it had 993 previously advertised. Once the MAC address is withdrawn, the Edge 994 Device where the MAC has moved to will change the metric value to 1. 995 All remote sites sending to this MAC address will start using the new 996 Edge Device as soon as they hear it's MAC advertisement with metric 997 0. 999 5. Multi-homing 1001 A site typically will be multi-homed with multiple Edge Devices 1002 connecting to the overlay. This provides the site with increased 1003 network redundancy and resilience to failures. 1005 When sites are multi-homed, there is a potential for loops to be 1006 created between the OTV overlay and the layer-2 domains at different 1007 sites. One option to address such loops is to transport STP BPDUs on 1008 the overlay and rely on STP to break any loops that may form when 1009 multi-homed sites connect to the overlay. However, this is not 1010 desirable as it leads to very large or complex STP domains. OTV 1011 multi-homing avoids loops through a combination of techniques in the 1012 control plane and data plane. 1014 OTV does not transport STP BPDUs over the core. As a result, each 1015 site will have its own STP domain, which is separate and independent 1016 from the STP domains in other sites, even though all sites will be 1017 part of a common broadcast or Layer-2 domain. It also does not flood 1018 unknown unicast traffic on the overlay. 1020 5.1. Authoritative Edge Device Selection 1022 An Authoritative Edge Device is an Edge Device that forwards Layer-2 1023 frames in and out of a site from and to the overlay network. When a 1024 site is multi-homed to the overlay, a proper Authoritative Edge 1025 Device selection ensures that traffic crossing the site-overlay 1026 boundary does not get duplicated, create loops or cause any churn in 1027 the MAC tables of switches within the local and remote sites. 1029 The Authoritative Edge Device (AED) may be statically assigned or 1030 determined via an election among the devices in the same site. A 1031 unique AED may be selected for each VLAN or it may be on a finer MAC- 1032 level granularity. In either case, for a given MAC-level flow, the 1033 data path will be symmetric. 1035 An Authoritative Edge Device has the primary responsibility to 1036 advertise locally learned source MAC addresses and IGMP/MLD-snooped 1037 multicast addresses in the oURP and oMRP. 1039 When done per-VLAN, an AED will be authoritative for all unicast and 1040 multicast addresses within a single VLAN. The authoritative 1041 responsibility can be shared with other Edge Devices for other VLANs 1042 so traffic can be load balanced among all Edge Devices across 1043 different VLANs. 1045 For the particular scenario of all-active multi-homing and load 1046 balancing, AEDs may be elected on a finer granularity. Thus there 1047 may be several AEDs in any given VLAN in this case and different 1048 flows can use different Edge Devices. 1050 Protocol adjacencies are set up among the Edge Devices in the same 1051 site. The AED is selected from this list of Edge Devices in the same 1052 site. The AED selection algorithm tries to ensures an even spread of 1053 VLANs across the Edge Devices. A simple mechanism may be via a hash 1054 of the VLAN-ID. Alternatively, a static AED assignment may be to use 1055 a VLAN range division among all Edge Devices in the site. The local 1056 VLAN/AED specific information may be advertised to other Edge 1057 Devices. 1059 Each Edge Device keeps track of the other Edge Devices in the same 1060 site. If an Edge Device has a failure such that it is incapable of 1061 forwarding traffic for its authorized VLANs, other Edge Devices in 1062 the same site will detect or be notified of this event and run the 1063 AED selection procedure to reassign authority for the failed device's 1064 VLANs. 1066 5.2. Site Identifier 1068 All Edge Devices that belong to a single Layer-2 site will advertise 1069 a Site-ID on the overlay control plane. This information is used by 1070 remote Edge Devices to identify the members of the same site. The 1071 Site-ID influences the AED election and path selection from remote 1072 Edge Devices to the local site. The Site-ID may be statically 1073 assigned or dynamically computed by the devices in the same site. 1075 6. IS-IS as an Overlay Control Protocol 1077 This section describes the use of the IS-IS protocol to serve as the 1078 Overlay URP and MRP. The details of the IS-IS PDUs and TLVs defined 1079 for OTV are described in [IS-IS-OTV]. 1081 It is highly desired to leverage the native and existing IS-IS 1082 protocol functionality where feasible. There are some protocol 1083 extensions specific to OTV which are described in this document. 1085 The overlay network serves as a logical multi-access Ethernet LAN 1086 connecting the various Edge Devices. Hence, IS-IS hellos and LSPs 1087 can be exchanged directly over the overlay network similar to IS-IS 1088 operation on a LAN. These IS-IS packets are encapsulated in the OTV 1089 IP multicast header and reach other Edge Devices on the core 1090 multicast tree. In addition, OTV IS-IS packets use a distinct 1091 Layer-2 multicast destination address. Therefore, OTV IS-IS packets 1092 do not conflict with IS-IS packets used for other technologies even 1093 if they may be sent over the same links in the core or arrive at an 1094 Edge Device on the same core uplink interfaces. 1096 IS-IS packets belonging to different overlay VPNs are mutually 1097 isolated and distinguished by the OTV control packet header and the 1098 use of distinct multicast groups in the core. Standard IS-IS 1099 authentication mechanisms may additionally be used to provide further 1100 isolation and authentication of VPN membership. 1102 OTV IS-IS employs IS-IS LAN procedures on the overlay network. It 1103 forms IS-IS adjacencies with all other Edge Devices in the overlay 1104 and elects a Designated Router (DIS). The IS-IS system ID uniquely 1105 identifies an Edge Device in the IS-IS control plane. 1107 IS-IS IIHs are sent and received on the overlay by all Edge Devices. 1108 The IP addresses assigned to the overlay on an Edge Device is 1109 advertised in the IIHs and provides the IP reachability information 1110 to the edge device through the core. 1112 CSNPs are sent on the overlay by the DIS and used to achieve reliable 1113 delivery of the link state database. This link state database holds 1114 LSPs that describe the Edge Device connectivity to the pseudo-node 1115 (or the multi-access overlay network). The LSPs also hold the 1116 unicast MAC information that is advertised by a site Edge Device. 1117 CSNPs are also used to reliably deliver the Group Membership link 1118 state database that holds LSPs describing the multicast MAC group 1119 addresses. OTV IS-IS only maintains the Level-1 link state database. 1121 Unicast MAC address information is carried in LSPs in the MAC- 1122 Reachability (MAC-RI) TLV defined in [RFC6165]. All MAC addresses 1123 are typically advertised with a metric of 1. When using the MAC move 1124 procedures, the metric will be set to 0. Definition of the fields 1125 used by OTV is specified in [IS-IS-OTV]. 1127 Multicast related information is carried in LSPs in several different 1128 TLVs specified in [IS-IS-OTV]. The multicast groups that a site has 1129 receivers for are carried in the sub-TLVs of the Group Address TLV. 1130 Multicast sources discovered in a site are advertised in a Group 1131 Membership Active Source TLV. This TLV includes the list of groups 1132 for which the source is sending data along with the core Delivery 1133 Groups to which the advertising Edge Device will map the site data 1134 groups. 1136 When an Adjacency Server is being used, all Edge Devices inform the 1137 Adjacency Server regarding their reachability and capability 1138 information by including in their hellos the Adjacency Server TLV. 1139 The Adjacency Server includes a list of all the Edge Devices it has 1140 heard from, and their capabilities, in its hello PDUs. 1142 The Site-ID information is contained in the Site Identifier TLV and 1143 sent in IS-IS IIHs. 1145 7. Acknowledgements 1147 The authors would like to thank many for their careful review. They 1148 include Venu Nair, Victor Moreno, Ashok Chippa, Sameer Merchant, Tony 1149 Speakman, Raghava Sivaramu, Nataraj Batchu, Sreenivas Duvvuri, Gaurav 1150 Badoni, Veena Raghavan, Marc Woolward and Tim Stevenson. 1152 Many have received individual presentations of OTV and provided 1153 critical feedback early in the design process. These reviewers 1154 include Vince Fuller, Peter Lothberg, Dorian Kim, Peter Schoenmaker, 1155 Mark Berly, Scott Kirby, Dana Blair, Tom Edsall, Dinesh Dutt, 1156 Parantap Lahiri, and Jeff Jensen. 1158 8. Security Considerations 1160 The specifications in this document do not add any new security 1161 issues to Layer-2 bridging technologies. Existing security 1162 mechanisms may be used both in the control plane and in data 1163 forwarding to achieve any security requirements. 1165 This document specifies the use of IS-IS as a control protocol for 1166 OTV. It adds no additional security risks to IS-IS, nor does it 1167 provide any additional security for IS-IS. 1169 9. IANA Considerations 1171 There are new IS-IS PDUs and TLVs being proposed for OTV, and are 1172 defined in [IS-IS-OTV]. 1174 10. Normative References 1176 [IS-IS] ISO/IEC 10589, "Intermediate System to Intermediate System 1177 Intra-Domain Routing Exchange Protocol for use in 1178 Conjunction with the Protocol for Providing the 1179 Connectionless-mode Network Service (ISO 8473)", 2005. 1181 [IS-IS-OTV] 1182 Rao, D., "IS-IS Extensions to support OTV", 2011. 1184 [RFC6165] Banerjee, A. and D. Ward, "Extensions to IS-IS for Layer-2 1185 Systems", RFC 6165, April 2011. 1187 Authors' Addresses 1189 Hasmit Grover 1190 Cisco Systems 1191 170 W Tasman Drive 1192 San Jose, CA 95138 1193 US 1195 Email: hasmit@cisco.com 1197 Dhananjaya Rao 1198 Cisco Systems 1199 170 W Tasman Drive 1200 San Jose, CA 95138 1201 US 1203 Email: dhrao@cisco.com 1205 Dino Farinacci 1206 Cisco Systems 1207 170 W Tasman Drive 1208 San Jose, CA 95138 1209 US 1211 Email: dino@cisco.com 1212 Victor Moreno 1213 Cisco Systems 1214 170 W Tasman Drive 1215 San Jose, CA 95138 1216 US 1218 Email: vimoreno@cisco.com