BESS Working Group W. Wang
Internet-Draft A. Wang
Intended status: Standards Track China Telecom
Expires: August 23, 2021 February 19, 2021
Layer-3 Accessible EVPN Services
draft-wang-bess-l3-accessible-evpn-00
Abstract
This draft describes a new mechanism called "Layer-3 accessible EVPN
services", which extends the EVPN Service Interfaces in [RFC7432].
This mechanism allows a Layer-3 network to sit between CE and PE, and
defines the Logical Session Identifier (LSI) for traffic isolation.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 23, 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Wang & Wang Expires August 23, 2021 [Page 1]
Internet-Draft L3 Accessible EVPN February 2021
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions used in this document . . . . . . . . . . . . . . 2
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Logical Session Identifier (LSI) . . . . . . . . . . . . . . 3
4.1. The generation of LSI in VxLAN usecase . . . . . . . . . 3
4.2. The generation of LSI in IPSec usecase . . . . . . . . . 4
4.3. The generation of LSI in GRE usecase . . . . . . . . . . 4
5. Service Interfaces . . . . . . . . . . . . . . . . . . . . . 4
5.1. LSI-Based Service Interface . . . . . . . . . . . . . . . 4
5.2. LSI-Bundled Service Interface . . . . . . . . . . . . . . 5
5.3. LSI-Aware Bundled Service Interface . . . . . . . . . . . 5
6. The transmission of LSI . . . . . . . . . . . . . . . . . . . 5
6.1. Data Plane . . . . . . . . . . . . . . . . . . . . . . . 5
6.1.1. Extensions to VxLAN . . . . . . . . . . . . . . . . . 5
6.2. Control Plane . . . . . . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
9. Normative References . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
[RFC7432] defines three service interfaces: VLAN-Based Service
Interface, VLAN-Bundled Service Interface and VLAN-Aware Bundled
Service Interface. These three types of interfaces suit different
scenarios, and isolate the Layer-2 and Layer-3 routing and traffic of
different customers at different granularities. In the scenarios
corresponding to these service interfaces, CE and PE have to be in the
same Layer-2 network. However, this condition usually cannot be met in
current network deployments, because the CE and PE often have to cross
a Layer-3 network.
This draft defines a new identifier called the Logical Session
Identifier (LSI) and describes the transmission mechanism for the LSI.
By using the LSI, a CE can access EVPN with VxLAN encapsulation across
a Layer-3 network.
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Terminology
The following terms are defined in this draft:
o CE: Client Edge
o PE: Provider Edge
o EVPN: BGP/MPLS Ethernet VPN, defined in [RFC7432]
o VxLAN: Virtual eXtensible Local Area Network, defined in [RFC7348]
o IPSec: Internet Protocol Security, defined in [RFC4301]
o GRE: Generic Routing Encapsulation, defined in [RFC2890]
4. Logical Session Identifier (LSI)
When there is a Layer-3 network between CE and PE, the service
interfaces defined in [RFC7432] cannot be used to isolate traffic.
Instead, a tunnel encapsulation technology (such as VxLAN, IPSec or
GRE) can be used to achieve the same goal.
In this draft, we define the Logical Session Identifier (LSI), a
16-bit value that distinguishes packets of different tunnels. The
VxLAN, IPSec and GRE headers each contain a field that distinguishes
sessions, and the LSI can be generated from that field.
4.1. The generation of LSI in VxLAN usecase
The format of the VxLAN Generic Protocol Encapsulation (GPE) header is
shown in Figure 1, where the VNI field distinguishes different
tunnels. The LSI can be generated from it.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|R|R|Ver|I|P|B|O| Reserved |Next Protocol |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VXLAN Network Identifier (VNI) | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: The format of VxLAN GPE header
4.2. The generation of LSI in IPSec usecase
The format of the IPSec AH header is shown in Figure 2, where the SPI
field distinguishes different tunnels (the SPI field in the ESP header
serves the same purpose). The LSI can be generated from it.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Payload Len | RESERVED |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Security Parameters Index (SPI) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number Field |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Integrity Check Value-ICV (variable) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: The format of IPSec AH header
4.3. The generation of LSI in GRE usecase
The format of the GRE header is shown in Figure 3, where the Key field
distinguishes different tunnels. The LSI can be generated from it.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|C| |K|S| Reserved0 | Ver | Protocol Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum (optional) | Reserved1 (Optional) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key (optional) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number (Optional) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: The format of GRE header
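The extraction of the session-distinguishing field from each of the three headers in Sections 4.1 to 4.3, and the PE-side table that turns it into an LSI, as an added Python example that is not part of this draft. The sample headers are constructed for the example. The draft does not fix how the LSI is generated from the VNI/SPI/Key; because the 24-bit VNI and the 32-bit SPI and Key do not fit in 16 bits, this example assumes a PE-maintained lookup table with sequential allocation rather than truncation, and checks the I bit (VxLAN GPE) and K/C bits (GRE) before trusting the field.

```python
import struct

# Constructed sample headers (not taken from the draft), one per tunnel type.
# VXLAN-GPE (Figure 1): flags I|P set, Reserved=0, Next Protocol=3, VNI=0x001234.
SAMPLE_VXLAN_GPE = bytes([0x0C, 0x00, 0x00, 0x03, 0x00, 0x12, 0x34, 0x00])
# IPsec AH (Figure 2): Next Header=4, Payload Len=4, Reserved=0, SPI=0x00001001,
# Sequence Number=1, followed by a 12-octet (all-zero) ICV.
SAMPLE_AH = bytes([0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01,
                   0x00, 0x00, 0x00, 0x01]) + bytes(12)
# GRE (Figure 3): C=0, K=1, S=0, Ver=0, Protocol Type=0x6558, Key=0x00000042.
SAMPLE_GRE = bytes([0x20, 0x00, 0x65, 0x58, 0x00, 0x00, 0x00, 0x42])


def vxlan_gpe_vni(hdr: bytes) -> int:
    """Return the 24-bit VNI of a VXLAN-GPE header; the I bit must be set."""
    if len(hdr) < 8:
        raise ValueError("VXLAN-GPE header is 8 octets")
    flags, _reserved, _next_proto, vni_and_res = struct.unpack("!BHBI", hdr[:8])
    if not flags & 0x08:  # I bit: the VNI field is valid
        raise ValueError("I bit clear: VNI is not valid")
    return vni_and_res >> 8


def ah_spi(hdr: bytes) -> int:
    """Return the 32-bit SPI of an IPsec AH header (octets 4..7)."""
    if len(hdr) < 12:
        raise ValueError("AH header is at least 12 octets")
    _next, _plen, _res, spi, _seq = struct.unpack("!BBHII", hdr[:12])
    return spi


def gre_key(hdr: bytes) -> int:
    """Return the 32-bit GRE Key; it is present only when K is set and sits
    after the optional Checksum/Reserved1 word when C is set."""
    if len(hdr) < 4:
        raise ValueError("GRE header is at least 4 octets")
    flags_ver, _proto = struct.unpack("!HH", hdr[:4])
    if not flags_ver & 0x2000:  # K bit
        raise ValueError("K bit clear: no Key field")
    offset = 4 + (4 if flags_ver & 0x8000 else 0)  # skip Checksum/Reserved1 if C
    if len(hdr) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", hdr[offset:offset + 4])[0]


EXTRACTORS = {"vxlan": vxlan_gpe_vni, "ipsec": ah_spi, "gre": gre_key}


class LsiTable:
    """PE-side mapping between (tunnel type, VNI/SPI/Key) and a 16-bit LSI.

    Sequential allocation from a table is an assumption of this example; the
    draft leaves the generation function open.
    """

    def __init__(self):
        self._lsi_by_session = {}
        self._session_by_lsi = {}
        self._next = 1  # 0 is left unused, meaning "no LSI"

    def lsi_for(self, tunnel: str, session_id: int) -> int:
        key = (tunnel, session_id)
        if key not in self._lsi_by_session:
            if self._next > 0xFFFF:
                raise RuntimeError("16-bit LSI space exhausted")
            self._lsi_by_session[key] = self._next
            self._session_by_lsi[self._next] = key
            self._next += 1
        return self._lsi_by_session[key]

    def session_for(self, lsi: int):
        """Restore the original tunnel type and VNI/SPI/Key from an LSI."""
        return self._session_by_lsi[lsi]

    def lsi_from_header(self, tunnel: str, hdr: bytes) -> int:
        return self.lsi_for(tunnel, EXTRACTORS[tunnel](hdr))


if __name__ == "__main__":
    table = LsiTable()
    for name, hdr in (("vxlan", SAMPLE_VXLAN_GPE), ("ipsec", SAMPLE_AH),
                      ("gre", SAMPLE_GRE)):
        print(name, hex(EXTRACTORS[name](hdr)), "-> LSI",
              table.lsi_from_header(name, hdr))
```

Running the block prints the extracted VNI, SPI and Key and the LSI assigned to each; a header whose VNI or Key is flagged invalid is rejected rather than mapped, which keeps an attacker-controlled reserved field from being mistaken for a session identifier.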
5. Service Interfaces
5.1. LSI-Based Service Interface
With this service interface, EVIs and LSIs map one-to-one. Each LSI
corresponds to one VNI/SPI/Key and its address space, and there is no
interaction between different LSIs. PEs maintain the mapping table
between LSI and VNI/SPI/Key, which ensures that a PE can restore the
original tunnel information and transmit the packet to the correct
destination.
5.2. LSI-Bundled Service Interface
With this service interface, EVIs and LSIs map one-to-many: one
VNI/SPI/Key and its address table serve all LSIs that belong to the
same EVI. The address spaces (MAC/IP addresses) of different LSIs MUST
NOT overlap. LSIs that belong to the same EVI can communicate with
each other. When a PE receives a packet that carries a certain LSI, it
determines the destination to forward to from the MAC/IP address of
the packet.
5.3. LSI-Aware Bundled Service Interface
With this service interface, EVIs and LSIs map one-to-many. The LSIs
that belong to the same EVI correspond to one VNI/SPI/Key and its
address table, in which the LSI information is also maintained. The
address spaces (MAC/IP addresses) of different LSIs can overlap. LSIs
that belong to the same EVI can communicate with each other. When a PE
receives a packet that carries a certain LSI, it determines the
destination from the LSI information in the VNI's address table.
To carry the LSI information along with the VNI/SPI/Key and transmit
it across the Layer-3 network, several extensions are defined in
Section 6.
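The forwarding behaviour of the three service interfaces in Sections 5.1 to 5.3 side by side, as an added Python example that is not part of this draft. The EVI names, LSI numbers, addresses and next-hop labels are constructed. The example enforces the one-to-one binding of the LSI-Based interface, rejects overlapping addresses across LSIs of an LSI-Bundled EVI, and keys the LSI-Aware Bundled table by (LSI, address) so that overlapping addresses in different LSIs resolve to different next hops; this reading of how the "LSI information" is kept in the address table is the example's own.

```python
from dataclasses import dataclass, field

LSI_BASED = "lsi-based"                  # Section 5.1: one LSI per EVI
LSI_BUNDLED = "lsi-bundled"              # Section 5.2: many LSIs, one table, no overlap
LSI_AWARE_BUNDLED = "lsi-aware-bundled"  # Section 5.3: many LSIs, table keyed by LSI too


@dataclass
class Evi:
    """An EVPN instance with the address table of its VNI/SPI/Key."""
    name: str
    mode: str
    lsis: set = field(default_factory=set)
    table: dict = field(default_factory=dict)  # lookup key -> (owning LSI, next hop)


class Pe:
    def __init__(self):
        self.evis = {}
        self.lsi_to_evi = {}

    def add_evi(self, evi: Evi) -> None:
        self.evis[evi.name] = evi

    def attach(self, evi_name: str, lsi: int) -> None:
        """Bind an LSI to an EVI, enforcing the interface's cardinality."""
        evi = self.evis[evi_name]
        if lsi in self.lsi_to_evi:
            raise ValueError(f"LSI {lsi} is already attached to an EVI")
        if evi.mode == LSI_BASED and evi.lsis:
            raise ValueError("LSI-Based interface: EVI and LSI map one-to-one")
        evi.lsis.add(lsi)
        self.lsi_to_evi[lsi] = evi

    @staticmethod
    def _key(evi: Evi, lsi: int, addr: str):
        # Only the LSI-Aware Bundled interface records the LSI in the address
        # table, which is what lets the same MAC/IP appear under different LSIs.
        return (lsi, addr) if evi.mode == LSI_AWARE_BUNDLED else addr

    def learn(self, lsi: int, addr: str, next_hop: str) -> None:
        """Install a MAC/IP learned behind an LSI into its EVI's table."""
        evi = self.lsi_to_evi[lsi]
        key = self._key(evi, lsi, addr)
        existing = evi.table.get(key)
        if evi.mode == LSI_BUNDLED and existing and existing[0] != lsi:
            raise ValueError(f"{addr} already used by LSI {existing[0]}: "
                             "LSI-Bundled address spaces MUST NOT overlap")
        evi.table[key] = (lsi, next_hop)

    def forward(self, lsi: int, dst: str):
        """Next hop for a packet that arrived with `lsi` and destination `dst`,
        or None when the EVI's table has no entry (the packet is dropped)."""
        evi = self.lsi_to_evi[lsi]
        entry = evi.table.get(self._key(evi, lsi, dst))
        return None if entry is None else entry[1]


def build_sample_pe() -> Pe:
    """Constructed topology: one EVI of each interface type."""
    pe = Pe()
    for name, mode in (("evi-a", LSI_BASED), ("evi-b", LSI_BUNDLED),
                       ("evi-c", LSI_AWARE_BUNDLED)):
        pe.add_evi(Evi(name, mode))
    pe.attach("evi-a", 1)
    pe.attach("evi-b", 10)
    pe.attach("evi-b", 11)
    pe.attach("evi-c", 20)
    pe.attach("evi-c", 21)
    pe.learn(1, "10.0.0.1", "tunnel-1")
    pe.learn(10, "10.0.0.1", "tunnel-10")  # disjoint addresses across LSIs 10 and 11
    pe.learn(11, "10.0.0.2", "tunnel-11")
    pe.learn(20, "10.0.0.1", "tunnel-20")  # the same address under LSIs 20 and 21
    pe.learn(21, "10.0.0.1", "tunnel-21")
    return pe
```

With `build_sample_pe()`, a packet from LSI 10 destined to 10.0.0.2 is forwarded to LSI 11's tunnel (LSIs of one bundled EVI communicate), while a packet from LSI 20 or 21 to 10.0.0.1 stays within its own LSI because the table entry carries the LSI.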
6. The transmission of LSI
6.1. Data Plane
6.1.1. Extensions to VxLAN
This solution only considers EVPN with VxLAN encapsulation. We extend
the VxLAN GPE header to carry the LSI information; the extensions to
the VxLAN GPE header are shown in Figure 4:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|R|S|Ver|I|P|B|O| LSI |Next Protocol |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VXLAN Network Identifier (VNI) | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: The extensions to VxLAN GPE header
If S is set to 1, the 16-bit field after the Flags octet carries the
LSI.
6.2. Control Plane
PEs need to maintain the mapping table between LSI and VNI/SPI/Key, so
the control plane should transmit the related information across the
Layer-3 network. For example, packets of multiple sessions can be
transmitted between PE1 and PE2. If PE2 can tell PE1 through EVPN
control signaling that a certain session's LSI is 12, then PE1 will
encapsulate this information in the corresponding packets. After
receiving the encapsulated packet, PE2 can extract the LSI, look up
the mapping table, find the corresponding tunnel type and logical
identification, and then re-encapsulate the packet and send it to its
destination.
In [RFC7432], the Ethernet Segment Identifier (ESI) is defined to
identify different Ethernet Segments (ES) in multihomed scenarios.
The format of the ESI is shown in Figure 5:
+---+---+---+---+---+---+---+---+---+---+
| T | ESI Value |
+---+---+---+---+---+---+---+---+---+---+
Figure 5: The format of ESI
There are several ESI Types, all of them defined for Layer-2 access
networks. For the Layer-3 access network, we define a new ESI Type
that carries the corresponding LSI. The format of the new ESI Type is
shown in Figure 6:
+---+---+---+---+---+---+---+---+---+---+
| T | Reserved | CE Identifier | LSI |
+---+---+---+---+---+---+---+---+---+---+
Figure 6: The format of the new ESI Type
Where:
o T (1 octet): specifies the ESI Type. The recommended value is
0x06.
o CE Identifier (3 octets): the route ID/IPv4 address of CE.
o LSI (2 octets): the LSI information associated with PE-CE.
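The data-plane extension of Section 6.1.1 and the control-plane exchange of Section 6.2 carried through end to end, as an added Python example that is not part of this draft. It encodes and decodes the extended VxLAN GPE header (S bit and LSI field), encodes and decodes the new ESI Type with T = 0x06, and walks through the draft's PE1/PE2 example with LSI 12. The VNI, Next Protocol value and CE Identifier are constructed; the 4-octet width of the Reserved field in Figure 6 is an assumption chosen so that the ESI totals the 10 octets of [RFC7432], since the draft does not state it. The decoder only trusts the LSI when S is set, which is how a receiver should treat the field to avoid acting on leftover Reserved bits.

```python
import struct
from typing import Optional

# Flags octet of the VXLAN-GPE header (Figure 4): R S Ver(2) I P B O
FLAG_S = 0x40         # LSI present in the 16-bit field after the flags (this draft)
FLAG_I = 0x08         # VNI valid
ESI_TYPE_LSI = 0x06   # recommended T value for the new ESI type (Section 6.2)
ESI_RESERVED_LEN = 4  # assumed: 1 + 4 + 3 + 2 octets give the 10-octet ESI
ESI_FMT = "!B%ds3sH" % ESI_RESERVED_LEN


def encode_gpe(vni: int, next_protocol: int, lsi: Optional[int] = None) -> bytes:
    """Build an 8-octet VXLAN-GPE header; sets S and fills the LSI when given."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is 24 bits")
    flags, middle = FLAG_I, 0
    if lsi is not None:
        if not 0 <= lsi <= 0xFFFF:
            raise ValueError("LSI is 16 bits")
        flags |= FLAG_S
        middle = lsi
    return struct.pack("!BHBI", flags, middle, next_protocol, vni << 8)


def decode_gpe(hdr: bytes) -> dict:
    """Parse the header. The LSI is returned only when S is set; otherwise the
    field is Reserved and ignored, as a receiver without this extension would."""
    if len(hdr) < 8:
        raise ValueError("VXLAN-GPE header is 8 octets")
    flags, middle, next_protocol, vni_res = struct.unpack("!BHBI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI is not valid")
    return {"vni": vni_res >> 8, "next_protocol": next_protocol,
            "lsi": middle if flags & FLAG_S else None}


def encode_esi_lsi(ce_id: bytes, lsi: int) -> bytes:
    """10-octet ESI of the new type (Figure 6): T | Reserved | CE Identifier | LSI."""
    if len(ce_id) != 3:
        raise ValueError("CE Identifier is 3 octets")
    if not 0 <= lsi <= 0xFFFF:
        raise ValueError("LSI is 16 bits")
    return struct.pack(ESI_FMT, ESI_TYPE_LSI, bytes(ESI_RESERVED_LEN), ce_id, lsi)


def decode_esi_lsi(esi: bytes):
    """Return (CE Identifier, LSI) from an ESI of the new type."""
    if len(esi) != 10:
        raise ValueError("ESI is 10 octets")
    esi_type, _reserved, ce_id, lsi = struct.unpack(ESI_FMT, esi)
    if esi_type != ESI_TYPE_LSI:
        raise ValueError(f"not an LSI-carrying ESI (type {esi_type:#x})")
    return ce_id, lsi


def lsi_round_trip(vni: int, next_protocol: int, ce_id: bytes, lsi: int) -> dict:
    """Section 6.2's example: PE2 signals an LSI in an ESI, PE1 encapsulates
    with it, PE2 decapsulates and maps the LSI back to the tunnel it stands for."""
    # Control plane: PE2 advertises the ESI; PE1 learns which LSI to stamp.
    advertised = encode_esi_lsi(ce_id, lsi)
    _ce, learned_lsi = decode_esi_lsi(advertised)
    # Data plane: PE1 builds the extended header, PE2 reads it back.
    packet_hdr = encode_gpe(vni, next_protocol, lsi=learned_lsi)
    seen = decode_gpe(packet_hdr)
    # PE2's mapping table (constructed) restores the original tunnel information.
    mapping = {lsi: ("vxlan", vni)}
    return {"esi": advertised, "header": packet_hdr,
            "lsi": seen["lsi"], "tunnel": mapping[seen["lsi"]]}


if __name__ == "__main__":
    result = lsi_round_trip(0x1234, 3, b"\x0a\x00\x01", 12)
    print(result["esi"].hex(), result["header"].hex(), result["lsi"], result["tunnel"])
```

`lsi_round_trip(0x1234, 3, b"\x0a\x00\x01", 12)` yields a header whose Flags octet is 0x48 (I and S set) with 0x000C in the LSI field, and PE2 resolves LSI 12 back to the VxLAN session with VNI 0x1234. A header with S clear but non-zero bits in the same field decodes with `lsi` set to `None`.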
7. Security Considerations
TBD
8. IANA Considerations
This draft extends the VxLAN GPE header: an S bit in the Flags octet
and an LSI field are added:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|R|S|Ver|I|P|B|O| LSI |Next Protocol |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VXLAN Network Identifier (VNI) | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: The extensions to VxLAN GPE header
This draft defines a new ESI type; the recommended value of its T
field is 0x06.
9. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2890] Dommety, G., "Key and Sequence Number Extensions to GRE",
RFC 2890, DOI 10.17487/RFC2890, September 2000,
<https://www.rfc-editor.org/info/rfc2890>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <https://www.rfc-editor.org/info/rfc4301>.
[RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
eXtensible Local Area Network (VXLAN): A Framework for
Overlaying Virtualized Layer 2 Networks over Layer 3
Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014,
<https://www.rfc-editor.org/info/rfc7348>.
[RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A.,
Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based
Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February
2015, <https://www.rfc-editor.org/info/rfc7432>.
Authors' Addresses
Wei Wang
China Telecom
Beiqijia Town, Changping District
Beijing, Beijing 102209
China
Email: weiwang94@foxmail.com
Aijun Wang
China Telecom
Beiqijia Town, Changping District
Beijing, Beijing 102209
China
Email: wangaj3@chinatelecom.cn