Secure EVPN

Document type: Expired Internet-Draft (individual)
Authors: Ali Sajassi, Ayan Banerjee, Samir Thoria, David Carrel, Brian Weis, John Drake
Last updated: 2021-01-14 (latest revision 2020-07-13)
Status: Expired & archived

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


The applications of EVPN-based solutions ([RFC7432] and [RFC8365]) have become pervasive in the Data Center, Service Provider, and Enterprise segments. EVPN is being used for fabric overlays and inter-site connectivity in the Data Center market segment, for Layer-2, Layer-3, and IRB VPN services in the Service Provider market segment, and for fabric overlay and WAN connectivity in Enterprise networks. For Data Center and Enterprise applications, there is a need to provide inter-site and WAN connectivity over the public Internet in a secure manner, with the same level of privacy, integrity, and authentication for tenants' traffic as IPsec tunneling using IKEv2. This document presents a solution in which BGP point-to-multipoint signaling is leveraged for key and policy exchange among PE devices to create private pair-wise IPsec Security Associations, without IKEv2 point-to-point signaling or any other direct peer-to-peer session establishment messages.


Authors' addresses:
Ali Sajassi
Ayan Banerjee
Samir Thoria
David Carrel
Brian Weis
John Drake

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)