idnits 2.17.1 draft-ietf-bfd-vxlan-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC3849-compliant IPv6 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 1, 2019) is 1636 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational RFC: RFC 7348 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 BFD S. Pallagatti, Ed. 3 Internet-Draft VMware 4 Intended status: Standards Track S. Paragiri 5 Expires: May 4, 2020 Individual Contributor 6 V. Govindan 7 M. Mudigonda 8 Cisco 9 G. Mirsky 10 ZTE Corp. 11 November 1, 2019 13 BFD for VXLAN 14 draft-ietf-bfd-vxlan-08 16 Abstract 18 This document describes the use of the Bidirectional Forwarding 19 Detection (BFD) protocol in point-to-point Virtual eXtensible Local 20 Area Network (VXLAN) tunnels forming up an overlay network. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on May 4, 2020. 39 Copyright Notice 41 Copyright (c) 2019 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 2. Conventions used in this document . . . . . . . . . . . . . . 3 58 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 59 2.2. Requirements Language . . . . . . . . . . . . . . . . . . 3 60 3. Deployment . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 4. BFD Packet Transmission over VXLAN Tunnel . . . . . . . . . . 5 62 5. Reception of BFD Packet from VXLAN Tunnel . . . . . . . . . . 7 63 5.1. Demultiplexing of the BFD Packet . . . . . . . . . . . . 8 64 6. Use of the Specific VNI . . . . . . . . . . . . . . . . . . . 8 65 7. Echo BFD . . . . . . . . . . . . . . . . . . . . . . . . . . 8 66 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 67 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8 68 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 9 69 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 70 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 71 12.1. Normative References . . . . . . . . . . . . . . . . . . 9 72 12.2. Informational References . . . . . . . . . . . . . . . . 10 73 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 75 1. Introduction 77 "Virtual eXtensible Local Area Network" (VXLAN) [RFC7348] provides an 78 encapsulation scheme that allows building an overlay network by 79 decoupling the address space of the attached virtual hosts from that 80 of the network. 82 One use of VXLAN is in data centers interconnecting virtual machines 83 (VMs) of a tenant. VXLAN addresses requirements of the Layer 2 and 84 Layer 3 data center network infrastructure in the presence of VMs in 85 a multi-tenant environment by providing a Layer 2 overlay scheme on a 86 Layer 3 network [RFC7348]. Another use is as an encapsulation for 87 Ethernet VPN [RFC8365]. 89 This document is written assuming the use of VXLAN for virtualized 90 hosts and refers to VMs and VXLAN Tunnel End Points (VTEPs) in 91 hypervisors. However, the concepts are equally applicable to non- 92 virtualized hosts attached to VTEPs in switches. 94 In the absence of a router in the overlay, a VM can communicate with 95 another VM only if they are on the same VXLAN segment. VMs are 96 unaware of VXLAN tunnels as a VXLAN tunnel is terminated on a VTEP. 98 VTEPs are responsible for encapsulating and decapsulating frames 99 exchanged among VMs. 101 Ability to monitor path continuity, i.e., perform proactive 102 continuity check (CC) for point-to-point (p2p) VXLAN tunnels, is 103 important. The asynchronous mode of BFD, as defined in [RFC5880], is 104 used to monitor a p2p VXLAN tunnel. 106 In the case where a Multicast Service Node (MSN) (as described in 107 Section 3.3 of [RFC8293]) resides behind a Network Virtualization 108 Endpoint (NVE), the mechanisms described in this document apply and 109 can, therefore, be used to test the connectivity from the source NVE 110 to the MSN. 112 This document describes the use of Bidirectional Forwarding Detection 113 (BFD) protocol to enable monitoring continuity of the path between 114 VXLAN VTEPs, performing as Network Virtualization Endpoints, and/or 115 availability of a replicator multicast service node. 117 2. Conventions used in this document 119 2.1. Terminology 121 BFD Bidirectional Forwarding Detection 123 CC Continuity Check 125 p2p Point-to-point 127 MSN Multicast Service Node 129 NVE Network Virtualization Endpoint 131 VFI Virtual Forwarding Instance 133 VM Virtual Machine 135 VNI VXLAN Network Identifier (or VXLAN Segment ID) 137 VTEP VXLAN Tunnel End Point 139 VXLAN Virtual eXtensible Local Area Network 141 2.2. Requirements Language 143 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 144 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 145 "OPTIONAL" in this document are to be interpreted as described in BCP 146 14 [RFC2119] [RFC8174] when, and only when, they appear in all 147 capitals, as shown here. 149 3. Deployment 151 Figure 1 illustrates the scenario with two servers, each of them 152 hosting two VMs. The servers host VTEPs that terminate two VXLAN 153 tunnels with VXLAN Network Identifier (VNI) number 100 and 200 154 respectively. Separate BFD sessions can be established between the 155 VTEPs (IP1 and IP2) for monitoring each of the VXLAN tunnels (VNI 100 156 and 200). An implementation that supports this specification MUST be 157 able to control the number of BFD sessions that can be created 158 between the same pair of VTEPs. BFD packets intended for a VTEP MUST 159 NOT be forwarded to a VM as a VM may drop BFD packets leading to a 160 false negative. This method is applicable whether the VTEP is a 161 virtual or physical device. 163 +------------+-------------+ 164 | Server 1 | 165 | +----+----+ +----+----+ | 166 | |VM1-1 | |VM1-2 | | 167 | |VNI 100 | |VNI 200 | | 168 | | | | | | 169 | +---------+ +---------+ | 170 | VTEP (IP1) | 171 +--------------------------+ 172 | 173 | +-------------+ 174 | | Layer 3 | 175 +---| Network | 176 +-------------+ 177 | 178 +-----------+ 179 | 180 +------------+-------------+ 181 | VTEP (IP2) | 182 | +----+----+ +----+----+ | 183 | |VM2-1 | |VM2-2 | | 184 | |VNI 100 | |VNI 200 | | 185 | | | | | | 186 | +---------+ +---------+ | 187 | Server 2 | 188 +--------------------------+ 190 Figure 1: Reference VXLAN Domain 192 At the same time, a service layer BFD session may be used between the 193 tenants of VTEPs IP1 and IP2 to provide end-to-end fault management. 194 In such case, for VTEPs BFD Control packets of that session are 195 indistinguishable from data packets. 197 As per Section 4, the inner destination IP address SHOULD be set to 198 one of the loopback addresses (127/8 range for IPv4 and 199 0:0:0:0:0:FFFF:7F00:0/104 range for IPv6). There could be a firewall 200 configured on VTEP to block loopback addresses if set as the 201 destination IP in the inner IP header. It is RECOMMENDED to allow 202 addresses from the loopback range through a firewall only if it is 203 used as the destination IP address in the inner IP header, and the 204 destination UDP port is set to 3784 [RFC5881]. 206 4. BFD Packet Transmission over VXLAN Tunnel 208 BFD packet MUST be encapsulated and sent to a remote VTEP as 209 explained in this section. Implementations SHOULD ensure that the 210 BFD packets follow the same lookup path as VXLAN data packets within 211 the sender system. 213 BFD packets are encapsulated in VXLAN as described below. The VXLAN 214 packet format is defined in Section 5 of [RFC7348]. The Outer IP/UDP 215 and VXLAN headers MUST be encoded by the sender as defined in 216 [RFC7348]. 218 0 1 2 3 219 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 220 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 221 | | 222 ~ Outer Ethernet Header ~ 223 | | 224 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 225 | | 226 ~ Outer IPvX Header ~ 227 | | 228 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 229 | | 230 ~ Outer UDP Header ~ 231 | | 232 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 233 | | 234 ~ VXLAN Header ~ 235 | | 236 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 237 | | 238 ~ Inner Ethernet Header ~ 239 | | 240 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 241 | | 242 ~ Inner IPvX Header ~ 243 | | 244 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 245 | | 246 ~ Inner UDP Header ~ 247 | | 248 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 249 | | 250 ~ BFD Control Packet ~ 251 | | 252 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 253 | FCS | 254 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 256 Figure 2: VXLAN Encapsulation of BFD Control Packet 258 The BFD packet MUST be carried inside the inner Ethernet frame of the 259 VXLAN packet. The choice of Destination MAC and Destination IP 260 addresses for the inner Ethernet frame MUST ensure that the BFD 261 Control packet is not forwarded to a tenant but is processed locally 262 at the remote VTEP. The inner Ethernet frame carrying the BFD 263 Control packet- has the following format: 265 Ethernet Header: 267 Destination MAC: This MUST NOT be of one of tenant's MAC 268 addresses. The destination MAC address MAY be the address 269 associated with the destination VTEP. The MAC address MAY be 270 configured, or it MAY be learned via a control plane protocol. 271 The details of how the MAC address is obtained are outside the 272 scope of this document. 274 Source MAC: MAC address associated with the originating VTEP 276 IP header: 278 Destination IP: IP address MUST NOT be of one of tenant's IP 279 addresses. The IP address SHOULD be selected from the range 280 127/8 for IPv4, for IPv6 - from the range 281 0:0:0:0:0:FFFF:7F00:0/104. Alternatively, the destination IP 282 address MAY be set to VTEP's IP address. 284 Source IP: IP address of the originating VTEP. 286 TTL or Hop Limit: MUST be set to 1 to ensure that the BFD 287 packet is not routed within the Layer 3 underlay network. This 288 addresses the scenario when the inner IP destination address is 289 of VXLAN gateway and there is a router in underlay which 290 removes the VXLAN header, then it is possible to route the 291 packet as VXLAN gateway address is routable address. 293 The fields of the UDP header and the BFD Control packet are 294 encoded as specified in [RFC5881]. 296 5. Reception of BFD Packet from VXLAN Tunnel 298 Once a packet is received, VTEP MUST validate the packet. If the 299 Destination MAC of the inner Ethernet frame matches one of the MAC 300 addresses associated with the VTEP the packet MUST be processed 301 further. If the Destination MAC of the inner Ethernet frame doesn't 302 match any of VTEP's MAC addresses, then the processing of the 303 received VXLAN packet MUST follow the procedures described in 304 Section 4.1 [RFC7348]. If the BFD session is using the Management 305 VNI (Section 6), BFD Control packets with unknown MAC address MUST 306 NOT be forwarded to VMs. 308 The UDP destination port and the TTL of the inner IP packet MUST be 309 validated to determine if the received packet can be processed by 310 BFD. 312 5.1. Demultiplexing of the BFD Packet 314 Demultiplexing of IP BFD packet has been defined in Section 3 of 315 [RFC5881]. Since multiple BFD sessions may be running between two 316 VTEPs, there needs to be a mechanism for demultiplexing received BFD 317 packets to the proper session. For demultiplexing packets with Your 318 Discriminator equal to 0, a BFD session MUST be identified using the 319 logical link over which the BFD Control packet is received. In the 320 case of VXLAN, the VNI number identifies that logical link. If BFD 321 packet is received with non-zero Your Discriminator, then BFD session 322 MUST be demultiplexed only with Your Discriminator as the key. 324 6. Use of the Specific VNI 326 In most cases, a single BFD session is sufficient for the given VTEP 327 to monitor the reachability of a remote VTEP, regardless of the 328 number of VNIs. When the single BFD session is used to monitor the 329 reachability of the remote VTEP, an implementation SHOULD choose any 330 of the VNIs. An implementation MAY support the use of the Management 331 VNI as control and management channel between VTEPs. The selection 332 of the VNI number of the Management VNI MUST be controlled through 333 management plane. An implementation MAY use VNI number 1 as the 334 default value for the Management VNI. All VXLAN packets received on 335 the Management VNI MUST be processed locally and MUST NOT be 336 forwarded to a tenant. 338 7. Echo BFD 340 Support for echo BFD is outside the scope of this document. 342 8. IANA Considerations 344 This specification has no IANA action requested. This section may be 345 deleted before the publication. 347 9. Security Considerations 349 The document requires setting the inner IP TTL to 1, which could be 350 used as a DDoS attack vector. Thus the implementation MUST have 351 throttling in place to control the rate of BFD Control packets sent 352 to the control plane. On the other hand, over-aggressive throttling 353 of BFD Control packets may become the cause of the inability to form 354 and maintain BFD session at scale. Hence, throttling of BFD Control 355 packets SHOULD be adjusted to permit BFD to work according to its 356 procedures. 358 If the implementation supports establishing multiple BFD sessions 359 between the same pair of VTEPs, there SHOULD be a mechanism to 360 control the maximum number of such sessions that can be active at the 361 same time. 363 Other than inner IP TTL set to 1 and limit the number of BFD sessions 364 between the same pair of VTEPs, this specification does not raise any 365 additional security issues beyond those of the specifications 366 referred to in the list of normative references. 368 10. Contributors 370 Reshad Rahman 371 rrahman@cisco.com 372 Cisco 374 11. Acknowledgments 376 Authors would like to thank Jeff Haas of Juniper Networks for his 377 reviews and feedback on this material. 379 Authors would also like to thank Nobo Akiya, Marc Binderberger, 380 Shahram Davari, Donald E. Eastlake 3rd, and Anoop Ghanwani for the 381 extensive reviews and the most detailed and helpful comments. 383 12. References 385 12.1. Normative References 387 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 388 Requirement Levels", BCP 14, RFC 2119, 389 DOI 10.17487/RFC2119, March 1997, 390 . 392 [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection 393 (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, 394 . 396 [RFC5881] Katz, D. and D. Ward, "Bidirectional Forwarding Detection 397 (BFD) for IPv4 and IPv6 (Single Hop)", RFC 5881, 398 DOI 10.17487/RFC5881, June 2010, 399 . 401 [RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, 402 L., Sridhar, T., Bursell, M., and C. Wright, "Virtual 403 eXtensible Local Area Network (VXLAN): A Framework for 404 Overlaying Virtualized Layer 2 Networks over Layer 3 405 Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014, 406 . 408 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 409 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 410 May 2017, . 412 12.2. Informational References 414 [RFC8293] Ghanwani, A., Dunbar, L., McBride, M., Bannai, V., and R. 415 Krishnan, "A Framework for Multicast in Network 416 Virtualization over Layer 3", RFC 8293, 417 DOI 10.17487/RFC8293, January 2018, 418 . 420 [RFC8365] Sajassi, A., Ed., Drake, J., Ed., Bitar, N., Shekhar, R., 421 Uttaro, J., and W. Henderickx, "A Network Virtualization 422 Overlay Solution Using Ethernet VPN (EVPN)", RFC 8365, 423 DOI 10.17487/RFC8365, March 2018, 424 . 426 Authors' Addresses 428 Santosh Pallagatti (editor) 429 VMware 431 Email: santosh.pallagatti@gmail.com 433 Sudarsan Paragiri 434 Individual Contributor 436 Email: sudarsan.225@gmail.com 438 Vengada Prasad Govindan 439 Cisco 441 Email: venggovi@cisco.com 442 Mallik Mudigonda 443 Cisco 445 Email: mmudigon@cisco.com 447 Greg Mirsky 448 ZTE Corp. 450 Email: gregimirsky@gmail.com