EVPN First Hop Security
draft-sajassi-bess-evpn-first-hop-security-01
| Field | Value |
|---|---|
| Document type | Expired & archived. This is an older version of an Internet-Draft whose latest revision state is "Active". |
| Authors | Ali Sajassi, Lukas Krattiger, Krishnaswamy Ananthamurthy, Samir Thoria |
| Last updated | 2024-01-26 (Latest revision 2023-07-26) |
| RFC stream | (None) |
| Stream state | (No stream defined) |
| Consensus boilerplate | Unknown |
| RFC Editor Note | (None) |
| IESG state | Expired |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
The DHCP snoop database stores valid IPv4-to-MAC and IPv6-to-MAC bindings by snooping on Dynamic Host Configuration Protocol (DHCP) messages. These bindings are used by security functions like Dynamic ARP Inspection (DAI), Neighbor Discovery Inspection (NDI), IPv4 Source Guard, and IPv6 Source Guard to safeguard against traffic received with a spoofed address. These functions are collectively referred to as First Hop Security (FHS). This document proposes BGP extensions and new procedures to Ethernet VPN (EVPN) [RFC7432] for distribution and synchronization of the DHCP snoop database to support FHS. Such synchronization is needed to support EVPN host mobility and multi-homing.
Authors
Ali Sajassi
Lukas Krattiger
Krishnaswamy Ananthamurthy
Samir Thoria
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)