BFD for VXLAN
Rtbricksantosh.pallagatti@gmail.comIndividual Contributorsudarsan.225@gmail.comCiscovenggovi@cisco.comCiscommudigon@cisco.comZTE Corp.gregimirsky@gmail.com
Routing
BFDBFDBFD for VXLANThis document describes the use of the Bidirectional Forwarding Detection (BFD) protocol
in point-to-point Virtual eXtensible Local Area Network (VXLAN) tunnels
forming up an overlay network.
"Virtual eXtensible Local Area Network" (VXLAN) provides
an encapsulation scheme that allows building an overlay network by
decoupling the address space of the attached virtual hosts from that of the network.
One use of VXLAN is in data centers interconnecting virtual machines (VMs)
of a tenant. VXLAN addresses requirements of the Layer 2 and
Layer 3 data center network infrastructure in the presence of VMs in a multi-tenant environment by
providing a Layer 2 overlay scheme on a Layer 3 network .
Another use is as an encapsulation for Ethernet VPN .
This document is written assuming the use of VXLAN for virtualized
hosts and refers to VMs and VXLAN Tunnel End Points (VTEPs) in hypervisors. However, the
concepts are equally applicable to non-virtualized hosts attached to
VTEPs in switches.
In the absence of a router in the overlay, a VM can communicate with another VM only if they are on the same VXLAN segment.
VMs are unaware of VXLAN tunnels as a VXLAN tunnel is terminated on a VTEP.
VTEPs are responsible for encapsulating and decapsulating frames exchanged among
VMs.
Ability to monitor path continuity, i.e., perform proactive continuity check (CC) for point-to-point (p2p) VXLAN tunnels, is important.
The asynchronous mode of BFD, as defined in , can be used to monitor a p2p VXLAN tunnel.
In the case where a Multicast Service Node (MSN) (as described in Section 3.3
of ) resides behind an NVE, the mechanisms described in this
document apply and can, therefore, be used to test the connectivity from
the source NVE to the MSN.
This document describes the use of Bidirectional Forwarding Detection (BFD) protocol
to enable monitoring continuity of the path between VXLAN VTEPs,
performing as Network Virtualization Endpoints,
and/or availability of a replicator multicast service node.
BFD Bidirectional Forwarding Detection CC Continuity Checkp2p Point-to-pointMSN Multicast Service NodeVFI Virtual Forwarding InstanceVM Virtual MachineVTEP VXLAN Tunnel End PointVXLAN Virtual eXtensible Local Area Network
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
illustrates the scenario with two servers, each of them hosting two VMs.
The servers host VTEPs that terminate two VXLAN tunnels with VNI number 100
and 200 respectively. Separate BFD sessions can be
established between the VTEPs (IP1 and IP2) for monitoring each of the VXLAN tunnels (VNI 100 and 200).
An implementation that supports this specification MUST be able to control the number of BFD sessions
that can be created between the same pair of VTEPs.
BFD packets intended for a Hypervisor VTEP MUST NOT be forwarded to a VM as a VM may drop BFD packets
leading to a false negative. This method is applicable whether the VTEP is a virtual or physical device. BFD packet MUST be encapsulated and sent to a remote VTEP as explained in .
Implementations SHOULD ensure that the BFD packets follow the same
lookup path as VXLAN data packets within the sender system.
BFD packets are encapsulated in VXLAN as described below.
The VXLAN packet format is defined in Section 5 of .
The Outer IP/UDP and VXLAN headers MUST
be encoded by the sender as defined in .The BFD packet MUST be carried inside the inner MAC frame of the VXLAN packet. The inner MAC frame carrying the
BFD payload has the following format:
Ethernet Header:
Destination MAC: This MUST be the dedicated MAC TBA ()
or the MAC address of the destination VTEP. The
details of how the MAC address of the destination VTEP is obtained
are outside the scope of this document. Source MAC: MAC address of the originating VTEP IP header:
Source IP: IP address of the originating VTEP.Destination IP: IP address of the terminating VTEP.TTL: MUST be set to 1 to ensure that the
BFD packet is not routed within the L3 underlay network.
The fields of the UDP header and the BFD control packet are encoded as specified
in .
Once a packet is received, VTEP MUST validate the packet.
If the Destination MAC of the inner MAC frame matches the
dedicated MAC or the MAC address of the VTEP the packet
MUST be processed further.
The UDP destination port and the TTL of the inner IP packet MUST be validated to determine if the received packet
can be processed by BFD. BFD packet with inner MAC set to VTEP or dedicated MAC address MUST NOT be forwarded to VMs.Demultiplexing of IP BFD packet has been defined in Section 3 of .
Since multiple BFD sessions may be running between two VTEPs, there
needs to be a mechanism for demultiplexing received BFD packets to
the proper session. The procedure for demultiplexing packets with Your Discriminator equal to 0 is
different from . For such packets, the BFD session MUST be identified using the
inner headers, i.e., the source IP, the destination IP, and the source UDP port number
present in the IP header carried by the payload of
the VXLAN encapsulated packet. The VNI of the packet SHOULD be used to derive interface-related information
for demultiplexing the packet. If BFD packet is received with non-zero Your Discriminator, then BFD session MUST
be demultiplexed only with Your Discriminator as the key.
In most cases, a single BFD session is sufficient for the given VTEP to monitor
the reachability of a remote VTEP, regardless of the number of VNIs in common.
When the single BFD session is used to monitor the reachability of the remote VTEP,
an implementation SHOULD choose any of the VNIs but MAY choose VNI
= 0.
Support for echo BFD is outside the scope of this document.
IANA has assigned TBA as a dedicated MAC address from the IANA
48-bit unicast MAC address registry to be used as the Destination MAC address of the inner Ethernet
of VXLAN when carrying BFD control packets.
The document requires setting the inner IP TTL to 1, which could be used as a DDoS attack vector.
Thus the implementation MUST have throttling in place to control the rate of BFD control packets sent to the control plane.
Throttling MAY be relaxed for BFD packets based on port number.
The implementation SHOULD have a reasonable upper bound on the number of BFD sessions
that can be created between the same pair of VTEPs.
Other than inner IP TTL set to 1 and limit the number of BFD sessions between the same pair of VTEPs,
this specification does not raise any additional security issues
beyond those of the specifications referred to in the list of normative references.
Authors would like to thank Jeff Haas of Juniper Networks for his reviews and feedback on this material.Authors would also like to thank Nobo Akiya, Marc Binderberger, Shahram Davari,
Donald E. Eastlake 3rd, and Anoop Ghanwani for the extensive reviews
and the most detailed and helpful comments.