idnits 2.17.1 draft-ietf-bfd-vxlan-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 4, 2020) is 1445 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational RFC: RFC 7348 Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 BFD S. Pallagatti, Ed. 3 Internet-Draft VMware 4 Intended status: Standards Track S. Paragiri 5 Expires: November 5, 2020 Individual Contributor 6 V. Govindan 7 M. Mudigonda 8 Cisco 9 G. Mirsky 10 ZTE Corp. 11 May 4, 2020 13 BFD for VXLAN 14 draft-ietf-bfd-vxlan-11 16 Abstract 18 This document describes the use of the Bidirectional Forwarding 19 Detection (BFD) protocol in point-to-point Virtual eXtensible Local 20 Area Network (VXLAN) tunnels used to form an overlay network. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on November 5, 2020. 39 Copyright Notice 41 Copyright (c) 2020 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 2. Conventions used in this document . . . . . . . . . . . . . . 3 58 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 59 2.2. Requirements Language . . . . . . . . . . . . . . . . . . 4 60 3. Deployment . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 4. Use of the Management VNI . . . . . . . . . . . . . . . . . . 6 62 5. BFD Packet Transmission over VXLAN Tunnel . . . . . . . . . . 6 63 6. Reception of BFD Packet from VXLAN Tunnel . . . . . . . . . . 8 64 7. Echo BFD . . . . . . . . . . . . . . . . . . . . . . . . . . 8 65 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 66 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8 67 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 9 68 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 69 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 70 12.1. Normative References . . . . . . . . . . . . . . . . . . 9 71 12.2. Informational References . . . . . . . . . . . . . . . . 10 72 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 74 1. Introduction 76 "Virtual eXtensible Local Area Network" (VXLAN) [RFC7348] provides an 77 encapsulation scheme that allows building an overlay network by 78 decoupling the address space of the attached virtual hosts from that 79 of the network. 81 One use of VXLAN is in data centers interconnecting virtual machines 82 (VMs) of a tenant. VXLAN addresses requirements of the Layer 2 and 83 Layer 3 data center network infrastructure in the presence of VMs in 84 a multi-tenant environment by providing a Layer 2 overlay scheme on a 85 Layer 3 network [RFC7348]. Another use is as an encapsulation for 86 Ethernet VPN [RFC8365]. 88 This document is written assuming the use of VXLAN for virtualized 89 hosts and refers to VMs and VXLAN Tunnel End Points (VTEPs) in 90 hypervisors. However, the concepts are equally applicable to non- 91 virtualized hosts attached to VTEPs in switches. 93 In the absence of a router in the overlay, a VM can communicate with 94 another VM only if they are on the same VXLAN segment. VMs are 95 unaware of VXLAN tunnels as a VXLAN tunnel is terminated on a VTEP. 97 VTEPs are responsible for encapsulating and decapsulating frames 98 exchanged among VMs. 100 The ability to monitor path continuity, i.e., perform proactive 101 continuity check (CC) for point-to-point (p2p) VXLAN tunnels, is 102 important. The asynchronous mode of BFD, as defined in [RFC5880], is 103 used to monitor a p2p VXLAN tunnel. 105 In the case where a Multicast Service Node (MSN) (as described in 106 Section 3.3 of [RFC8293]) participates in VXLAN, the mechanisms 107 described in this document apply and can, therefore, be used to test 108 the connectivity from the source NVE to the MSN. 110 This document describes the use of Bidirectional Forwarding Detection 111 (BFD) protocol to enable monitoring continuity of the path between 112 VXLAN VTEPs, performing as Network Virtualization Endpoints, and/or 113 availability of a replicator MSN using a Management VNI (Section 4). 114 All other uses of the specification to test toward other VXLAN 115 endpoints are out of the scope. 117 2. Conventions used in this document 119 2.1. Terminology 121 BFD Bidirectional Forwarding Detection 123 CC Continuity Check 125 p2p Point-to-point 127 MSN Multicast Service Node 129 NVE Network Virtualization Endpoint 131 VFI Virtual Forwarding Instance 133 VM Virtual Machine 135 VNI VXLAN Network Identifier (or VXLAN Segment ID) 137 VTEP VXLAN Tunnel End Point 139 VXLAN Virtual eXtensible Local Area Network 141 2.2. Requirements Language 143 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 144 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 145 "OPTIONAL" in this document are to be interpreted as described in BCP 146 14 [RFC2119] [RFC8174] when, and only when, they appear in all 147 capitals, as shown here. 149 3. Deployment 151 Figure 1 illustrates the scenario with two servers, each of them 152 hosting two VMs. The servers host VTEPs that terminate two VXLAN 153 tunnels with VXLAN Network Identifier (VNI) number 100 and 200 154 respectively. Separate BFD sessions can be established between the 155 VTEPs (IP1 and IP2) for monitoring each of the VXLAN tunnels (VNI 100 156 and 200). Using a BFD session to monitor a set of VXLAN VNIs between 157 the same pair of VTEPs might help to detect and localize problems 158 caused by misconfiguration. An implementation that supports this 159 specification MUST be able to control the number of BFD sessions that 160 can be created between the same pair of VTEPs. BFD packets intended 161 for a VTEP MUST NOT be forwarded to a VM, as a VM may drop BFD 162 packets, leading to a false negative. This method is applicable 163 whether the VTEP is a virtual or physical device. 165 +------------+-------------+ 166 | Server 1 | 167 | +----+----+ +----+----+ | 168 | |VM1-1 | |VM1-2 | | 169 | |VNI 100 | |VNI 200 | | 170 | | | | | | 171 | +---------+ +---------+ | 172 | VTEP (IP1) | 173 +--------------------------+ 174 | 175 | +-------------+ 176 | | Layer 3 | 177 +---| Network | 178 +-------------+ 179 | 180 +-----------+ 181 | 182 +------------+-------------+ 183 | VTEP (IP2) | 184 | +----+----+ +----+----+ | 185 | |VM2-1 | |VM2-2 | | 186 | |VNI 100 | |VNI 200 | | 187 | | | | | | 188 | +---------+ +---------+ | 189 | Server 2 | 190 +--------------------------+ 192 Figure 1: Reference VXLAN Domain 194 At the same time, a service layer BFD session may be used between the 195 tenants of VTEPs IP1 and IP2 to provide end-to-end fault management 196 (this use case is outside the scope of this document). In such a 197 case, for VTEPs BFD Control packets of that session are 198 indistinguishable from data packets. 200 For BFD Control packets encapsulated in VXLAN (Figure 2), the inner 201 destination IP address SHOULD be set to one of the loopback addresses 202 from 127/8 range for IPv4 or to one of IPv4-mapped IPv4 loopback 203 addresses from ::ffff:127.0.0.0/104 range for IPv6. There could be a 204 firewall configured on VTEP to block loopback addresses if set as the 205 destination IP in the inner IP header. It is RECOMMENDED to allow 206 addresses from the loopback range through a firewall only if they are 207 used as the destination IP addresses in the inner IP header and the 208 destination UDP port is set to 3784 [RFC5881]. 210 4. Use of the Management VNI 212 In most cases, a single BFD session is sufficient for the given VTEP 213 to monitor the reachability of a remote VTEP, regardless of the 214 number of VNIs. When the single BFD session is used to monitor the 215 reachability of the remote VTEP, an implementation SHOULD choose any 216 of the VNIs. An implementation that supports this specification MUST 217 support the use of the Management VNI as control and management 218 channel between VTEPs. The selection of the VNI number of the 219 Management VNI MUST be controlled through a management plane. An 220 implementation MAY use VNI number 1 as the default value for the 221 Management VNI. All VXLAN packets received on the Management VNI 222 MUST be processed locally and MUST NOT be forwarded to a tenant. 224 5. BFD Packet Transmission over VXLAN Tunnel 226 BFD packets MUST be encapsulated and sent to a remote VTEP as 227 explained in this section. Implementations SHOULD ensure that the 228 BFD packets follow the same forwarding path as VXLAN data packets 229 within the sender system. 231 BFD packets are encapsulated in VXLAN as described below. The VXLAN 232 packet format is defined in Section 5 of [RFC7348]. The value in the 233 VNI field of the VXLAN header MUST be set to the value selected as 234 the Management VNI. The Outer IP/UDP and VXLAN headers MUST be 235 encoded by the sender as defined in [RFC7348]. 237 0 1 2 3 238 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 239 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 240 | | 241 ~ Outer Ethernet Header ~ 242 | | 243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 244 | | 245 ~ Outer IPvX Header ~ 246 | | 247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 248 | | 249 ~ Outer UDP Header ~ 250 | | 251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 252 | | 253 ~ VXLAN Header ~ 254 | | 255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 256 | | 257 ~ Inner Ethernet Header ~ 258 | | 259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 260 | | 261 ~ Inner IPvX Header ~ 262 | | 263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 264 | | 265 ~ Inner UDP Header ~ 266 | | 267 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 268 | | 269 ~ BFD Control Packet ~ 270 | | 271 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 272 | Outer FCS | 273 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 275 Figure 2: VXLAN Encapsulation of BFD Control Packet 277 The BFD packet MUST be carried inside the inner Ethernet frame of the 278 VXLAN packet. The choice of Destination MAC and Destination IP 279 addresses for the inner Ethernet frame MUST ensure that the BFD 280 Control packet is not forwarded to a tenant but is processed locally 281 at the remote VTEP. The inner Ethernet frame carrying the BFD 282 Control packet- has the following format: 284 Ethernet Header: 286 Destination MAC: since a Management VNI is the VNI that does 287 not have any tenants, the value of this field is not analyzed 288 by the receiving VTEP. 290 Source MAC: MAC address associated with the originating VTEP. 292 IP header: 294 Destination IP: IP address MUST NOT be of one of tenant's IP 295 addresses. The IP address SHOULD be selected from the range 296 127/8 for IPv4, for IPv6 - from the range ::ffff:127.0.0.0/104. 297 Alternatively, the destination IP address MAY be set to VTEP's 298 IP address. 300 Source IP: IP address of the originating VTEP. 302 TTL or Hop Limit: MUST be set to 255 in accordance with the 303 Generalized TTL Security Mechanism [RFC5881]. 305 The fields of the UDP header and the BFD Control packet are 306 encoded as specified in [RFC5881]. 308 6. Reception of BFD Packet from VXLAN Tunnel 310 Once a packet is received, the VTEP MUST validate the packet. If the 311 packet is received on the management VNI and is identified as BFD 312 control packet addressed to the VTEP, and then the packet can be 313 processed further. Processing of BFD control packets received on 314 non-management VNI is outside the scope of this specification. 316 Validation of TTL or Hop Limit of the inner IP packet is performed as 317 described in Section 5 [RFC5881]. 319 7. Echo BFD 321 Support for echo BFD is outside the scope of this document. 323 8. IANA Considerations 325 This specification has no IANA action requested. This section may be 326 deleted before the publication. 328 9. Security Considerations 330 This document recommends using an address from the Internal host 331 loopback addresses 127/8 range for IPv4 or an IP4-mapped IPv4 332 loopback address from ::ffff:127.0.0.0/104 range for IPv6 as the 333 destination IP address in the inner IP header. Using such an address 334 prevents the forwarding of the encapsulated BFD control message by a 335 transient node in case the VXLAN tunnel is broken as according to 336 [RFC1812]: 338 A router SHOULD NOT forward, except over a loopback interface, any 339 packet that has a destination address on network 127. A router 340 MAY have a switch that allows the network manager to disable these 341 checks. If such a switch is provided, it MUST default to 342 performing the checks. 344 If the implementation supports establishing multiple BFD sessions 345 between the same pair of VTEPs, there SHOULD be a mechanism to 346 control the maximum number of such sessions that can be active at the 347 same time. 349 Other than requiring control of the number of BFD sessions between 350 the same pair of VTEPs, this specification does not raise any 351 additional security issues beyond those discussed in [RFC5880], 352 [RFC5881], and [RFC7348]. 354 10. Contributors 356 Reshad Rahman 357 rrahman@cisco.com 358 Cisco 360 11. Acknowledgments 362 Authors would like to thank Jeff Haas of Juniper Networks for his 363 reviews and feedback on this material. 365 Authors would also like to thank Nobo Akiya, Marc Binderberger, 366 Shahram Davari, Donald E. Eastlake 3rd, and Anoop Ghanwani for the 367 extensive reviews and the most detailed and helpful comments. 369 12. References 371 12.1. Normative References 373 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 374 RFC 1812, DOI 10.17487/RFC1812, June 1995, 375 . 377 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 378 Requirement Levels", BCP 14, RFC 2119, 379 DOI 10.17487/RFC2119, March 1997, 380 . 382 [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection 383 (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, 384 . 386 [RFC5881] Katz, D. and D. Ward, "Bidirectional Forwarding Detection 387 (BFD) for IPv4 and IPv6 (Single Hop)", RFC 5881, 388 DOI 10.17487/RFC5881, June 2010, 389 . 391 [RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, 392 L., Sridhar, T., Bursell, M., and C. Wright, "Virtual 393 eXtensible Local Area Network (VXLAN): A Framework for 394 Overlaying Virtualized Layer 2 Networks over Layer 3 395 Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014, 396 . 398 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 399 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 400 May 2017, . 402 12.2. Informational References 404 [RFC8293] Ghanwani, A., Dunbar, L., McBride, M., Bannai, V., and R. 405 Krishnan, "A Framework for Multicast in Network 406 Virtualization over Layer 3", RFC 8293, 407 DOI 10.17487/RFC8293, January 2018, 408 . 410 [RFC8365] Sajassi, A., Ed., Drake, J., Ed., Bitar, N., Shekhar, R., 411 Uttaro, J., and W. Henderickx, "A Network Virtualization 412 Overlay Solution Using Ethernet VPN (EVPN)", RFC 8365, 413 DOI 10.17487/RFC8365, March 2018, 414 . 416 Authors' Addresses 418 Santosh Pallagatti (editor) 419 VMware 421 Email: santosh.pallagatti@gmail.com 422 Sudarsan Paragiri 423 Individual Contributor 425 Email: sudarsan.225@gmail.com 427 Vengada Prasad Govindan 428 Cisco 430 Email: venggovi@cisco.com 432 Mallik Mudigonda 433 Cisco 435 Email: mmudigon@cisco.com 437 Greg Mirsky 438 ZTE Corp. 440 Email: gregimirsky@gmail.com