
Secure EVPN

Document Type: Expired Internet-Draft (bess WG), expired & archived
Authors: Ali Sajassi, Ayan Banerjee, Samir Thoria, David Carrel, Brian Weis, John Drake
Last updated: 2023-12-29 (Latest revision 2023-06-22)
Replaces: draft-sajassi-bess-secure-evpn
RFC stream: Internet Engineering Task Force (IETF)
Intended RFC status: (None)
Additional resources: Mailing list discussion
WG state: WG Document
Document shepherd: (None)
IESG state: Expired
Consensus boilerplate: Unknown
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


The applications of EVPN-based solutions (BGP MPLS-based Ethernet VPN and Network Virtualization Overlay Solution using EVPN) have become pervasive in Data Center, Service Provider, and Enterprise segments. EVPN is being used for fabric overlays and inter-site connectivity in the Data Center market segment, for Layer-2, Layer-3, and IRB VPN services in the Service Provider market segment, and for fabric overlay and WAN connectivity in Enterprise networks. For Data Center and Enterprise applications, there is a need to provide inter-site and WAN connectivity over the public Internet in a secured manner, with the same level of privacy, integrity, and authentication for tenant traffic as IPsec tunneling using IKEv2. This document presents a solution where BGP point-to-multipoint signaling is leveraged for key and policy exchange among PE devices to create private pair-wise IPsec Security Associations without IKEv2 point-to-point signaling or any other direct peer-to-peer session establishment messages.

