BFD S. Pallagatti, Ed.
Internet-Draft Rtbrick
Intended status: Standards Track S. Paragiri
Expires: November 18, 2019 Individual Contributor
V. Govindan
M. Mudigonda
Cisco
G. Mirsky
ZTE Corp.
May 17, 2019
BFD for VXLAN
draft-ietf-bfd-vxlan-07
Abstract
This document describes the use of the Bidirectional Forwarding
Detection (BFD) protocol in point-to-point Virtual eXtensible Local
Area Network (VXLAN) tunnels forming up an overlay network.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 18, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Pallagatti, et al. Expires November 18, 2019 [Page 1]
Internet-Draft BFD for VXLAN May 2019
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions used in this document . . . . . . . . . . . . . . 3
2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Requirements Language . . . . . . . . . . . . . . . . . . 3
3. Deployment . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. BFD Packet Transmission over VXLAN Tunnel . . . . . . . . . . 5
4.1. BFD Packet Encapsulation in VXLAN . . . . . . . . . . . . 6
5. Reception of BFD Packet from VXLAN Tunnel . . . . . . . . . . 7
5.1. Demultiplexing of the BFD Packet . . . . . . . . . . . . 7
6. Use of the Specific VNI . . . . . . . . . . . . . . . . . . . 8
7. Echo BFD . . . . . . . . . . . . . . . . . . . . . . . . . . 8
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
9. Security Considerations . . . . . . . . . . . . . . . . . . . 8
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 8
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
12.1. Normative References . . . . . . . . . . . . . . . . . . 9
12.2. Informational References . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
"Virtual eXtensible Local Area Network" (VXLAN) [RFC7348] provides an
encapsulation scheme that allows building an overlay network by
decoupling the address space of the attached virtual hosts from that
of the network.
One use of VXLAN is in data centers interconnecting virtual machines
(VMs) of a tenant. VXLAN addresses requirements of the Layer 2 and
Layer 3 data center network infrastructure in the presence of VMs in
a multi-tenant environment by providing a Layer 2 overlay scheme on a
Layer 3 network [RFC7348]. Another use is as an encapsulation for
Ethernet VPN [RFC8365].
This document is written assuming the use of VXLAN for virtualized
hosts and refers to VMs and VXLAN Tunnel End Points (VTEPs) in
hypervisors. However, the concepts are equally applicable to non-
virtualized hosts attached to VTEPs in switches.
In the absence of a router in the overlay, a VM can communicate with
another VM only if they are on the same VXLAN segment. VMs are
Pallagatti, et al. Expires November 18, 2019 [Page 2]
Internet-Draft BFD for VXLAN May 2019
unaware of VXLAN tunnels as a VXLAN tunnel is terminated on a VTEP.
VTEPs are responsible for encapsulating and decapsulating frames
exchanged among VMs.
Ability to monitor path continuity, i.e., perform proactive
continuity check (CC) for point-to-point (p2p) VXLAN tunnels, is
important. The asynchronous mode of BFD, as defined in [RFC5880],
can be used to monitor a p2p VXLAN tunnel.
In the case where a Multicast Service Node (MSN) (as described in
Section 3.3 of [RFC8293]) resides behind an NVE, the mechanisms
described in this document apply and can, therefore, be used to test
the connectivity from the source NVE to the MSN.
This document describes the use of Bidirectional Forwarding Detection
(BFD) protocol to enable monitoring continuity of the path between
VXLAN VTEPs, performing as Network Virtualization Endpoints, and/or
availability of a replicator multicast service node.
2. Conventions used in this document
2.1. Terminology
BFD Bidirectional Forwarding Detection
CC Continuity Check
p2p Point-to-point
MSN Multicast Service Node
VFI Virtual Forwarding Instance
VM Virtual Machine
VTEP VXLAN Tunnel End Point
VXLAN Virtual eXtensible Local Area Network
2.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Pallagatti, et al. Expires November 18, 2019 [Page 3]
Internet-Draft BFD for VXLAN May 2019
3. Deployment
Figure 1 illustrates the scenario with two servers, each of them
hosting two VMs. The servers host VTEPs that terminate two VXLAN
tunnels with VNI number 100 and 200 respectively. Separate BFD
sessions can be established between the VTEPs (IP1 and IP2) for
monitoring each of the VXLAN tunnels (VNI 100 and 200). An
implementation that supports this specification MUST be able to
control the number of BFD sessions that can be created between the
same pair of VTEPs. BFD packets intended for a Hypervisor VTEP MUST
NOT be forwarded to a VM as a VM may drop BFD packets leading to a
false negative. This method is applicable whether the VTEP is a
virtual or physical device.
Pallagatti, et al. Expires November 18, 2019 [Page 4]
Internet-Draft BFD for VXLAN May 2019
+------------+-------------+
| Server 1 |
| |
| +----+----+ +----+----+ |
| |VM1-1 | |VM1-2 | |
| |VNI 100 | |VNI 200 | |
| | | | | |
| +---------+ +---------+ |
| Hypervisor VTEP (IP1) |
+--------------------------+
|
|
|
| +-------------+
| | Layer 3 |
|---| Network |
| |
+-------------+
|
|
+-----------+
|
|
+------------+-------------+
| Hypervisor VTEP (IP2) |
| +----+----+ +----+----+ |
| |VM2-1 | |VM2-2 | |
| |VNI 100 | |VNI 200 | |
| | | | | |
| +---------+ +---------+ |
| Server 2 |
+--------------------------+
Figure 1: Reference VXLAN Domain
4. BFD Packet Transmission over VXLAN Tunnel
BFD packet MUST be encapsulated and sent to a remote VTEP as
explained in Section 4.1. Implementations SHOULD ensure that the BFD
packets follow the same lookup path as VXLAN data packets within the
sender system.
Pallagatti, et al. Expires November 18, 2019 [Page 5]
Internet-Draft BFD for VXLAN May 2019
4.1. BFD Packet Encapsulation in VXLAN
BFD packets are encapsulated in VXLAN as described below. The VXLAN
packet format is defined in Section 5 of [RFC7348]. The Outer IP/UDP
and VXLAN headers MUST be encoded by the sender as defined in
[RFC7348].
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Outer Ethernet Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Outer IPvX Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Outer UDP Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ VXLAN Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Inner Ethernet Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Inner IPvX Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Inner UDP Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ BFD Control Message ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| FCS |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: VXLAN Encapsulation of BFD Control Message
Pallagatti, et al. Expires November 18, 2019 [Page 6]
Internet-Draft BFD for VXLAN May 2019
The BFD packet MUST be carried inside the inner MAC frame of the
VXLAN packet. The inner MAC frame carrying the BFD payload has the
following format:
Ethernet Header:
Destination MAC: This MUST be the dedicated MAC TBA (Section 8)
or the MAC address of the destination VTEP. The details of how
the MAC address of the destination VTEP is obtained are outside
the scope of this document.
Source MAC: MAC address of the originating VTEP
IP header:
Source IP: IP address of the originating VTEP.
Destination IP: IP address of the terminating VTEP.
TTL: MUST be set to 1 to ensure that the BFD packet is not
routed within the L3 underlay network.
The fields of the UDP header and the BFD control packet are
encoded as specified in [RFC5881].
5. Reception of BFD Packet from VXLAN Tunnel
Once a packet is received, VTEP MUST validate the packet. If the
Destination MAC of the inner MAC frame matches the dedicated MAC or
the MAC address of the VTEP the packet MUST be processed further.
The UDP destination port and the TTL of the inner IP packet MUST be
validated to determine if the received packet can be processed by
BFD. BFD packet with inner MAC set to VTEP or dedicated MAC address
MUST NOT be forwarded to VMs.
5.1. Demultiplexing of the BFD Packet
Demultiplexing of IP BFD packet has been defined in Section 3 of
[RFC5881]. Since multiple BFD sessions may be running between two
VTEPs, there needs to be a mechanism for demultiplexing received BFD
packets to the proper session. The procedure for demultiplexing
packets with Your Discriminator equal to 0 is different from
[RFC5880]. For such packets, the BFD session MUST be identified
using the inner headers, i.e., the source IP, the destination IP, and
the source UDP port number present in the IP header carried by the
payload of the VXLAN encapsulated packet. The VNI of the packet
SHOULD be used to derive interface-related information for
Pallagatti, et al. Expires November 18, 2019 [Page 7]
Internet-Draft BFD for VXLAN May 2019
demultiplexing the packet. If BFD packet is received with non-zero
Your Discriminator, then BFD session MUST be demultiplexed only with
Your Discriminator as the key.
6. Use of the Specific VNI
In most cases, a single BFD session is sufficient for the given VTEP
to monitor the reachability of a remote VTEP, regardless of the
number of VNIs in common. When the single BFD session is used to
monitor the reachability of the remote VTEP, an implementation SHOULD
choose any of the VNIs but MAY choose VNI = 0.
7. Echo BFD
Support for echo BFD is outside the scope of this document.
8. IANA Considerations
IANA has assigned TBA as a dedicated MAC address from the IANA 48-bit
unicast MAC address registry to be used as the Destination MAC
address of the inner Ethernet of VXLAN when carrying BFD control
packets.
9. Security Considerations
The document requires setting the inner IP TTL to 1, which could be
used as a DDoS attack vector. Thus the implementation MUST have
throttling in place to control the rate of BFD control packets sent
to the control plane. Throttling MAY be relaxed for BFD packets
based on port number.
The implementation SHOULD have a reasonable upper bound on the number
of BFD sessions that can be created between the same pair of VTEPs.
Other than inner IP TTL set to 1 and limit the number of BFD sessions
between the same pair of VTEPs, this specification does not raise any
additional security issues beyond those of the specifications
referred to in the list of normative references.
10. Contributors
Reshad Rahman
rrahman@cisco.com
Cisco
Pallagatti, et al. Expires November 18, 2019 [Page 8]
Internet-Draft BFD for VXLAN May 2019
11. Acknowledgments
Authors would like to thank Jeff Haas of Juniper Networks for his
reviews and feedback on this material.
Authors would also like to thank Nobo Akiya, Marc Binderberger,
Shahram Davari, Donald E. Eastlake 3rd, and Anoop Ghanwani for the
extensive reviews and the most detailed and helpful comments.
12. References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
(BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010,
<https://www.rfc-editor.org/info/rfc5880>.
[RFC5881] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
(BFD) for IPv4 and IPv6 (Single Hop)", RFC 5881,
DOI 10.17487/RFC5881, June 2010,
<https://www.rfc-editor.org/info/rfc5881>.
[RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
eXtensible Local Area Network (VXLAN): A Framework for
Overlaying Virtualized Layer 2 Networks over Layer 3
Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014,
<https://www.rfc-editor.org/info/rfc7348>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
12.2. Informational References
[RFC8293] Ghanwani, A., Dunbar, L., McBride, M., Bannai, V., and R.
Krishnan, "A Framework for Multicast in Network
Virtualization over Layer 3", RFC 8293,
DOI 10.17487/RFC8293, January 2018,
<https://www.rfc-editor.org/info/rfc8293>.
Pallagatti, et al. Expires November 18, 2019 [Page 9]
Internet-Draft BFD for VXLAN May 2019
[RFC8365] Sajassi, A., Ed., Drake, J., Ed., Bitar, N., Shekhar, R.,
Uttaro, J., and W. Henderickx, "A Network Virtualization
Overlay Solution Using Ethernet VPN (EVPN)", RFC 8365,
DOI 10.17487/RFC8365, March 2018,
<https://www.rfc-editor.org/info/rfc8365>.
Authors' Addresses
Santosh Pallagatti (editor)
Rtbrick
Email: santosh.pallagatti@gmail.com
Sudarsan Paragiri
Individual Contributor
Email: sudarsan.225@gmail.com
Vengada Prasad Govindan
Cisco
Email: venggovi@cisco.com
Mallik Mudigonda
Cisco
Email: mmudigon@cisco.com
Greg Mirsky
ZTE Corp.
Email: gregimirsky@gmail.com
Pallagatti, et al. Expires November 18, 2019 [Page 10]
